Lumeta Spectre amplifies the value of your security stack by correlating its comprehensive and authoritative data about your network with data from integrated connectors. The following table lists the integrations available with Spectre, gives an overview of each, and shows how to verify its configuration. Integrations are available under the Settings=>Integrations menu item.
Integrations | Description | Configuration Input | How to test if feed is accessible | Tables Populated | Dashboards/Reports |
---|---|---|---|---|---|
Open Source Feeds: | | | | | |
Emerging Threats | http://rules.emergingthreats.net/blockrules/compromised-ips.txt provides you with a list of IPs that have been compromised. Spectre ingests this list and compares it to your discovered devices. | Polling Interval | Go to the Emerging Threats URL and verify that you can view the results. | threat_feed_ip (_source: openthreat) | Breach Detection => Zombie Devices |
Tor | Enabling the Tor feed helps you find out whether any of your organization's trusted network assets are behaving as Tor relays or exit addresses. Spectre gets the Tor relays and exit addresses from https://onionoo.torproject.org/summary?type=relay and https://check.torproject.org/exit-addresses. | Polling Interval | Go to the Tor URLs and verify that you can view the results. | tor | Breach Detection => Tor Nodes and Tor Flow Charting |
ISC | https://isc.sans.edu/services.html provides Spectre with a list of ports that have been compromised. Spectre ingests this list and compares it against the open ports of your discovered devices. | Polling Interval | Go to the ISC URL and verify that you can view the results. | portlookup | Breach Detection => Nefarious Ports Summary |
Subscription Feeds: | | | | | |
Emerging Threats Pro | With a valid customer key, http://rules.emergingthreatspro.com provides Spectre with a list of IPs that have been compromised. Spectre ingests this list and compares it with your discovered devices. | Polling Interval, Customer Key | Go to the Emerging Threats Pro URL and verify that you can view the results. | threat_feed_ip (_source: emergingthreat) | Breach Detection => Zombie Devices |
iDefense | Verisign iDefense is a closed-source threat intelligence feed available to all Spectre customers. This feed correlates iDefense IPs against your network's IPs to produce actionable lists of zombie devices and threat flows in your network. | Polling Interval, Customer Key | Go to https://api.intelgraph.verisign.com/rest/threatindicator/v0, log in with your username/password, and verify that you can view the results. | threat_feed_ip (_source: idefense) | Breach Detection => Threat Flow Charting |
Other Solutions: | | | | | |
Gigamon | Spectre uses NetFlow data to identify threat conversations between your network and external adversaries. This NetFlow data comes to Spectre as a result of its integration with a Gigamon solution. | Enable NetFlow Packet Capture Service | Once you enable NetFlow, make sure nfcapd files are created under the /var/spool/netflow directory. Gigamon (GigaSMART engine) can create only one type of record: IPFIX, v9 or v5. We have tested Spectre with v9 only; as per our Development team, IPFIX is not supported. | No tables; under the /var/spool/netflow directory you will see nfcapd files | Breach Detection => Threat Flow Charting |
Carbon Black | Integrating Carbon Black Endpoint Detection and Response capabilities with Spectre lets you know whether hosts on your enterprise network are unmanaged by Carbon Black, unmanaged by Spectre, or managed by both. | Polling Interval, Customer Key, Server Name | | managed_hosts_v (_source: bit9), bit9_managed_hosts_regex | Endpoint Management |
McAfee | Lumeta Spectre fetches McAfee ePO-managed data, compares it to Spectre-discovered data within the same network space, and then pushes the findings back to the ePO server. This ensures on a continual basis that ePO has the complete set of networks and devices to manage. | Polling Interval, Server Name, Username, Password | | managed_hosts_v (_source: epo), epo_managed_hosts | ePO Management |
Infoblox | This integration reconciles data between Spectre and Infoblox (an IP address management solution) and enables you to export an IP list with which to update the IP assets managed on Infoblox. | Polling Interval, Server Name, Username, Password | | managed_hosts_v (_source: infoblox), infoblox_managed_hosts | IP Address Management |
Cisco pxGrid | The Cisco pxGrid integration enables you to exchange context with Cisco products to retrieve endpoint, identity group, security group, and session data from a Cisco ISE server. To make use of this integration, your network must be running the Cisco pxGrid agent and be monitored by Lumeta Spectre. | Server Name, Username, Keystore File, Keystore Password, Truststore File, Truststore Password | | cisco_ise_endpointprofile, cisco_ise_identity_group, cisco_ise_securitygroup, cisco_ise_session | Search=>Devices=>pxGrid IP Sessions |
Qualys | Spectre helps your Qualys Enterprise server work better by comparing Qualys-subscribed and Qualys-scanned IPs with Spectre-indexed hosts in the same network space. At every polling interval Qualys receives a list of endpoint data from Spectre, enabling Qualys to add the endpoints to its network space, thereby eliminating gaps in coverage and ensuring comprehensive vulnerability management for Qualys customers. | Polling Interval, Server Name, Username, Password, Auto-Subscribe | | qualys_scanned_ips_raw, qualys_subscribed_ips, qualys_subscribed_ips_v | Vulnerability Management |
Figures: Integration Feeds (Data Pulled); Integration Feeds (Data Pulled and Pushed)
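The open-source feeds in the table are ingested and compared with discovered devices. As an added example (not Spectre's code and not from Lumeta), the following Python script shows that ingest for two of the feeds in their published formats: the one-address-per-line compromised-ips.txt format and the ExitNode/ExitAddress record format of the check.torproject.org exit-addresses file. The feed text and the discovered-device list are constructed samples, and `fetch_feed` and the other function names are assumptions; the feed URLs themselves are the ones the table lists.

```python
import ipaddress
import urllib.request

# Constructed sample in the one-address-per-line format of compromised-ips.txt
# (a comment line, a blank line, a malformed entry and a duplicate are included
# to exercise the parser).
SAMPLE_COMPROMISED_IPS = """\
# constructed sample, not a real feed pull
203.0.113.7
198.51.100.22

not-an-ip
203.0.113.7
"""

# Constructed sample in the format of https://check.torproject.org/exit-addresses:
# one ExitNode record per relay, each with one or more ExitAddress lines.
SAMPLE_TOR_EXIT_ADDRESSES = """\
ExitNode 0000000000000000000000000000000000000001
Published 2023-01-01 00:00:00
LastStatus 2023-01-01 01:00:00
ExitAddress 198.51.100.22 2023-01-01 01:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2023-01-01 00:00:00
LastStatus 2023-01-01 01:00:00
ExitAddress 192.0.2.55 2023-01-01 01:05:00
ExitAddress 192.0.2.56 2023-01-01 01:06:00
"""

# Constructed list standing in for the devices Spectre discovered on your network.
DISCOVERED_DEVICES = ["10.0.0.1", "198.51.100.22", "192.0.2.56", "10.0.0.2"]


def fetch_feed(url, timeout=15):
    """Accessibility check for a feed URL (assumed helper): fetch the body as text.
    HTTP errors and timeouts raise, so a failed poll is visible rather than silent."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_ip_list(text):
    """Parse a one-address-per-line feed. Comments, blank lines and malformed
    entries are skipped rather than aborting the whole ingest."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return ips


def parse_tor_exit_addresses(text):
    """Collect the address from every ExitAddress line of the exit-addresses file."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                ips.add(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return ips


def find_matches(discovered, feed_ips):
    """Discovered devices that also appear in the feed, in address order."""
    return sorted(set(discovered) & set(feed_ips), key=ipaddress.ip_address)


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_feed(url) for a live poll.
    compromised = parse_ip_list(SAMPLE_COMPROMISED_IPS)
    tor_exits = parse_tor_exit_addresses(SAMPLE_TOR_EXIT_ADDRESSES)
    print("zombie candidates:", find_matches(DISCOVERED_DEVICES, compromised))
    print("tor exit candidates:", find_matches(DISCOVERED_DEVICES, tor_exits))
```

Validating every entry with `ipaddress.ip_address` before storing it is the important detail: a feed that changes format or serves an error page should produce an empty or partial match set that you notice, not exceptions or bogus entries in a table like threat_feed_ip.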
Lumeta Spectre Extension to McAfee ePO
The Lumeta Spectre extension to the McAfee ePO server is fully certified by McAfee. Both the "fetch" and "push" extensions make use of a polling interval you configure.
- Log in to the McAfee ePO server.
- Browse to Software => Extensions and click Install Extensions.
- Install the Lumeta extension: LumetaRemoteCommandPush.zip (ask your SA to provide you with this file).
Granting Permissions to Use the Lumeta Spectre Extension
An ePO user without Admin privileges can be granted permission to use the Lumeta Spectre extension as follows:
- On the McAfee ePO server, click the Hamburger icon > Permission Sets.
  Notice the new permission set created for this installed extension, called "LumetaRemoteCommandPush".
- Select My Organization and click Save.
- Select Lumeta Spectre Remote Command and click Edit.
- Select "Activate permission to run remote command for Lumeta Spectre extension" and click Save.
- Click the Hamburger icon > Users.
- Select the user who will be using the Spectre extension and click Actions > Edit.
- Select the LumetaRemoteCommandPush permission set and save the user.
This user can now configure the Lumeta Spectre extension in McAfee without admin permissions, and can get and post data to, from, and into ePO.
How data is pulled and pushed for McAfee ePO
- Pull the list of hosts/devices managed by ePO.
- Determine the list of devices not managed by ePO (potentially considered rogue).
- Push the devices that are not managed by ePO into the ePO server and add them to Rogue System Detection.
- McAfee Server => Dashboards => RSD Summary displays the Rogue Systems.
For further information:
Lumeta Spectre Extension to McAfee ePO => https://support.lumeta.com/confluence/display/SPEC/Lumeta+Spectre+Extension+to+McAfee+ePO
Qualys and Vulnerability Management
- This integration runs at the scheduled feed interval.
- Each time the integration runs, it checks for the asset group LUMETA_ESI_DISCOVERED and updates that asset group with the latest data (as opposed to IPsonar, where a new asset group is created each time a report is generated).
- Currently the asset group is overwritten with the updated IPs each time a feed runs.
- Make sure that the user configured on the Settings=>Integrations=>Qualys Integration page has Manager access on the Qualys server.
- Spectre gets two lists from Qualys: the IPs subscribed by Qualys, and the IPs scanned or managed by Qualys (this second list is generated from the LUMETA_ESI_DISCOVERED asset group).
- When the user has enabled the Qualys integration:
  - Subscribed IPs are ingested from the Qualys server into the qualys_subscribed_ips table.
  - ALL IPs currently scanned by Qualys are ingested into the qualys_scanned_ips_raw table.
  - When Auto-Subscribe is ON:
    - Push "IPs Unmanaged by Qualys" back to the Qualys subscribed list.
    - Create a list of IPs that are in the Qualys subscribed list but not in the Qualys managed list.
  - When Auto-Subscribe is OFF:
    - Find the list of IPs common to the Qualys managed list and the ESI discovered list.
    - Create a list of IPs currently in the subscribed list that are not in the above list.
  - Create an asset group: LUMETA_ESI_DISCOVERED.
  - Push the above list into the asset group.
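The ePO pull/push steps and the Qualys Auto-Subscribe ON/OFF branches above are both set reconciliations between what Spectre discovered and what the management product knows about. As an added example (not Lumeta's code), the following Python carries both through on constructed address lists so the two branches can be compared side by side. Function names and sample data are assumptions, as is the reading of "IPs Unmanaged by Qualys" as discovered addresses missing from the Qualys managed list, which the page does not spell out.

```python
import ipaddress


def ip_sorted(ips):
    """Deterministic, address-ordered output for a set of IP strings."""
    return sorted(ips, key=ipaddress.ip_address)


def epo_rogue_candidates(discovered, epo_managed):
    """ePO steps 1-3: devices Spectre discovered that ePO does not manage.
    These are the ones pushed to the ePO server's Rogue System Detection."""
    return ip_sorted(set(discovered) - set(epo_managed))


def qualys_reconcile(discovered, subscribed, managed, autosubscribe):
    """Reproduces the Auto-Subscribe ON / OFF branches of the Qualys integration.

    discovered -> the ESI discovered list
    subscribed -> qualys_subscribed_ips
    managed    -> the Qualys managed (scanned) list

    Assumption (not stated on the page): "IPs Unmanaged by Qualys" means
    discovered addresses that are absent from the Qualys managed list.
    """
    discovered, subscribed, managed = set(discovered), set(subscribed), set(managed)
    pushed_to_subscription = set()
    if autosubscribe:
        # ON: push unmanaged discovered IPs back to the subscribed list, then the
        # asset group receives what is subscribed but not yet managed.
        pushed_to_subscription = discovered - managed
        subscribed |= pushed_to_subscription
        asset_group = subscribed - managed
    else:
        # OFF: nothing is subscribed on your behalf; the asset group receives the
        # subscribed IPs that are not in (managed AND discovered).
        common = managed & discovered
        asset_group = subscribed - common
    return {
        "pushed_to_subscription": ip_sorted(pushed_to_subscription),
        # The page says the group is overwritten on every run, so this is the
        # complete new contents, not a delta.
        "LUMETA_ESI_DISCOVERED": ip_sorted(asset_group),
    }


# Constructed sample lists (RFC 1918 space, no real hosts).
DISCOVERED = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
EPO_MANAGED = ["10.0.0.1"]
QUALYS_SUBSCRIBED = ["10.0.0.1", "10.0.0.2", "10.0.0.9"]
QUALYS_MANAGED = ["10.0.0.1"]

if __name__ == "__main__":
    print("ePO rogue candidates:", epo_rogue_candidates(DISCOVERED, EPO_MANAGED))
    for flag in (True, False):
        result = qualys_reconcile(DISCOVERED, QUALYS_SUBSCRIBED, QUALYS_MANAGED, flag)
        print(f"Auto-Subscribe {'ON' if flag else 'OFF'}:", result)
```

With Auto-Subscribe ON the two discovered-but-unmanaged hosts are added to the subscription and end up in the asset group alongside the already-subscribed 10.0.0.9; with it OFF only 10.0.0.1 (managed and discovered) is excluded, so the group contains 10.0.0.2 and 10.0.0.9 and the subscription is left untouched. This is why the page asks for a Manager-level Qualys user: the ON branch writes to the subscription as well as to the asset group.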