Lumeta Spectre amplifies the value of your security stack by correlating its comprehensive and authoritative data about your network with integrated data connectors. The following sections describe each integration available with Spectre: an overview, how to test whether its feed is accessible, and where to view its results in Spectre. Integrations are available at the Settings => Integrations menu item.
Open Source Feeds:
Emerging Threats compromised IPs
- Overview: http://rules.emergingthreats.net/blockrules/compromised-ips.txt provides you with a list of IPs that have been compromised. Spectre ingests this list and compares it to your discovered devices.
- How to test if feed is accessible: Go to the Emerging Threats URL and verify that you can view the results.
- Where to view results: Breach Detection => Zombie Devices
Tor relays and exit addresses
- Overview: Enabling the Tor feed helps you find whether any of your organization's trusted network assets are behaving as Tor relays or exit addresses. The URLs from which Spectre gets the Tor relay and exit addresses are:
- How to test if feed is accessible: Go to the Tor URLs and verify that you can view the results.
- Where to view results: Breach Detection => Tor Nodes and Tor Flow Charting
ISC SANS nefarious ports
- Overview: https://isc.sans.edu/services.html provides Spectre with a list of ports that have been compromised. Spectre ingests this list and compares it against the open ports of your discovered devices.
- How to test if feed is accessible: Go to the ISC URL and verify that you can view the results.
- Where to view results: Breach Detection => Nefarious Ports Summary
Emerging Threats Pro
- Overview: With a valid customer key, http://rules.emergingthreatspro.com provides Spectre with a list of IPs that have been compromised. Spectre ingests this list and compares it with your discovered devices.
- How to test if feed is accessible: Go to the Emerging Threats Pro URL and verify that you can view the results.
- Where to view results: Breach Detection => Zombie Devices
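The feed rows above all follow the same pattern: fetch a plain-text list, normalise it, and compare it against what Spectre discovered. The following is an added example, not Lumeta's code, showing that pipeline for the compromised-IP feeds (Zombie Devices) and for the ISC ports list (Nefarious Ports Summary). The feed text, the discovered-device inventory and the bad-port numbers are all constructed sample data; the feed parser also accepts CIDR entries, which generalises beyond the single-IP lines the Emerging Threats list actually contains.

```python
"""Feed ingestion and comparison against discovered devices.

Added example (not Lumeta's code). Feed contents, the inventory structure
and the port list are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import urllib.request
from typing import Iterable

# Constructed sample feed in the one-entry-per-line style of the Emerging
# Threats compromised-ips list. A comment, a duplicate and a junk line are
# included on purpose to show what the parser tolerates. CIDR entries are a
# generalisation; the real list holds single IPs.
SAMPLE_IP_FEED = """# constructed sample, not real feed data
198.51.100.7
203.0.113.0/28
garbage-line
198.51.100.7
"""

# Constructed inventory of discovered devices: IP -> set of open ports.
SAMPLE_DISCOVERED = {
    "198.51.100.7": {22, 443},
    "203.0.113.9": {445, 3389},
    "192.0.2.10": {80},
}

# Constructed stand-in for the ISC ports list (sample numbers only).
SAMPLE_BAD_PORTS = {445, 3389, 23}


def feed_is_accessible(url: str, timeout: float = 5.0) -> bool:
    """Scripted form of "go to the URL and verify that you can view the results".

    Returns True when the URL answers 200 with a non-empty body. This makes a
    network request, so it is never called at import time.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and len(resp.read(1)) > 0
    except (OSError, ValueError):
        return False


def parse_ip_feed(text: str) -> set:
    """Parse a one-entry-per-line IP feed into a set of ip_network objects.

    Blank lines, '#' comments, duplicates and unparsable lines are dropped;
    single IPs become /32 (or /128) networks so membership tests are uniform.
    """
    networks = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # not an IP or CIDR: skip the line rather than abort the feed
    return networks


def zombie_candidates(discovered: Iterable[str], feed: set) -> list[str]:
    """Discovered IPs that fall inside any feed entry, sorted for stable output."""
    hits = []
    for ip_str in discovered:
        ip = ipaddress.ip_address(ip_str)
        if any(ip in net for net in feed):  # v4/v6 mismatches simply test False
            hits.append(ip_str)
    return sorted(hits)


def nefarious_port_matches(open_ports: dict[str, set[int]], bad_ports: set[int]) -> dict[str, set[int]]:
    """Map each discovered IP to the subset of its open ports that are on the bad list."""
    return {ip: ports & bad_ports for ip, ports in open_ports.items() if ports & bad_ports}


if __name__ == "__main__":
    feed = parse_ip_feed(SAMPLE_IP_FEED)
    print("feed entries:", len(feed))
    print("zombie candidates:", zombie_candidates(SAMPLE_DISCOVERED, feed))
    print("nefarious ports:", nefarious_port_matches(SAMPLE_DISCOVERED, SAMPLE_BAD_PORTS))
```

The parser deliberately skips a bad line instead of raising, because one malformed entry in a vendor feed should not stop the whole comparison; the count of parsed entries is worth logging so a sudden drop to zero (feed moved, blocked by a proxy, returned an HTML error page) is noticed.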
Verisign iDefense
- Overview: Verisign iDefense is a closed-source threat intelligence feed available to all Spectre customers. This feed correlates iDefense IPs against your network's IPs to produce actionable lists of zombie devices and threat flows in your network.
- How to test if feed is accessible: Go to https://api.intelgraph.verisign.com/rest/threatindicator/v0, log in with your username/password and verify that you can view the results.
- Where to view results: Breach Detection => Threat Flow Charting
Gigamon NetFlow
- Overview: Spectre uses NetFlow data to identify threat conversations between your network and external adversaries. This NetFlow data comes to Spectre as a result of its integration with a Gigamon solution.
- How to test: Enable the NetFlow Packet Capture Service. Once you enable NetFlow, verify that nfcapd files are created under the /var/spool/netflow directory.
- Notes: Gigamon (GigaSMART engine) can create only one type of record – either IPFIX, v9 or v5. We have tested Spectre with v9 only. As per our Development team, IPFIX is not supported.
- Where to view results: Breach Detection => Threat Flow Charting
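The check above ("make sure nfcapd files are created under /var/spool/netflow") is easy to script so that a stale capture is noticed before Threat Flow Charting goes quiet. The following is an added example, not Lumeta's code. It assumes the spool directory named on the page and the file-naming convention of the nfdump collector, where completed capture files are `nfcapd.<timestamp>` and the file currently being written is `nfcapd.current.<pid>`; the ten-minute freshness window is a constructed default.

```python
"""Verify that the NetFlow packet capture service is writing nfcapd files.

Added example (not Lumeta's code). Assumes /var/spool/netflow from the page
and nfdump's nfcapd.<timestamp> / nfcapd.current.<pid> naming; the
freshness window is an assumed default.
"""
from __future__ import annotations

import os
import time

NETFLOW_SPOOL = "/var/spool/netflow"  # directory named on the page


def recent_nfcapd_files(spool_dir: str, max_age_min: int = 10, now: float | None = None) -> list[str]:
    """Return completed nfcapd files in spool_dir modified within max_age_min minutes.

    A missing directory yields an empty list (the service has never written
    anything), and nfcapd.current.* is excluded because it is still open for
    writing and does not prove a rotation has completed.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_min * 60
    found: list[str] = []
    try:
        entries = os.scandir(spool_dir)
    except FileNotFoundError:
        return found
    with entries:
        for entry in entries:
            name = entry.name
            if not entry.is_file() or not name.startswith("nfcapd."):
                continue
            if name.startswith("nfcapd.current"):
                continue
            if entry.stat().st_mtime >= cutoff:
                found.append(name)
    return sorted(found)


def netflow_capture_ok(spool_dir: str = NETFLOW_SPOOL, max_age_min: int = 10) -> bool:
    """True when at least one fresh, completed nfcapd file exists."""
    return bool(recent_nfcapd_files(spool_dir, max_age_min))


if __name__ == "__main__":
    files = recent_nfcapd_files(NETFLOW_SPOOL)
    if files:
        print(f"ok: {len(files)} recent nfcapd file(s), newest {files[-1]}")
    else:
        print(f"no recent nfcapd files under {NETFLOW_SPOOL}; "
              "check the capture service and that the Gigamon export is NetFlow v9")
```

Run it from cron or a monitoring agent on the Spectre host; a directory that exists but only ever holds `nfcapd.current.*` usually means the collector is up but receiving nothing, which is the symptom of an export configured as IPFIX rather than v9.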
Carbon Black
- Overview: The integration of Carbon Black Endpoint Detection and Response capabilities with Spectre enables you to know whether hosts on your enterprise network are unmanaged by Carbon Black, unmanaged by Spectre, or managed by both.
McAfee ePO
- Overview: Lumeta Spectre fetches McAfee ePO-managed data, compares it to Spectre-discovered data within the same network space, and then pushes the findings back to the ePO server. This ensures on a continual basis that ePO has the complete set of networks and devices to manage.
Infoblox
- Overview: This integration reconciles data between Spectre and Infoblox (an IP address management solution) and enables you to export an IP list with which to update the IP assets managed on Infoblox.
- Where to view results: IP Address Management
Cisco pxGrid
- Overview: The Cisco pxGrid integration enables you to exchange context with Cisco products to retrieve endpoint, identity group, security group, and session data from a Cisco ISE server. To make use of this integration, your network must be running the Cisco pxGrid agent and be monitored by Lumeta Spectre.
- Where to view results: Search => Devices => pxGrid IP Sessions
Qualys
- Overview: Spectre helps your Qualys Enterprise server work better by comparing Qualys-subscribed and Qualys-scanned IPs with Spectre-indexed hosts in the same network space. Qualys receives a list of endpoint data from Spectre at every polling interval, enabling Qualys to add the endpoints to its network space, thereby eliminating gaps in coverage and ensuring comprehensive vulnerability management for Qualys customers.
McAfee DXL
- Overview: Spectre aims to extend the McAfee integration so that events are published to the DXL message bus.
- Configuration: Broker Chain certs; Unique Broker Id.
- Note: No tables created.
RedSeal
- Overview: The RedSeal integration only ingests RedSeal-managed hosts into Spectre.
The integrations fall into two groups: Integration Feeds (Data Pulled) and Integration Feeds (Data Pulled and Pushed).
Lumeta Spectre Extension to McAfee ePO
The Lumeta Spectre extension to the McAfee ePO server is fully certified by McAfee. Both the "fetch" and "push" extensions use a polling interval that you configure.
- Log in to the McAfee server.
- Browse to Software => Extensions and click Install Extensions.
- Install the Lumeta extension: LumetaRemoteCommandPush.zip (ask SA to provide you with this file).
Granting Permissions to Use the Lumeta Spectre Extension
An ePO user without Admin privileges can be granted permissions to use the Lumeta Spectre extension as follows:
- On the McAfee ePO server, click the Hamburger icon > Permission Sets. Notice the new permission set created for this installed extension, called "LumetaRemoteCommandPush".
- Select My Organization and click Save.
- Select Lumeta Spectre Remote Command and click Edit.
- Select "Activate permission to run remote command for Lumeta Spectre extension" and click Save.
- Click the Hamburger icon > Users.
- Select the user that will be using the Spectre extension and click Actions > Edit.
- Select the LumetaRemoteCommandPush permission set and save the user.
Now this user can configure the Lumeta Spectre extension in McAfee without admin permissions, and can get data from and post data to ePO.
How data is pulled and pushed for McAfee ePO
- Pull the list of hosts/devices managed by ePO.
- Determine the list of devices not managed by ePO (potentially considered rogue).
- Push the devices that are not managed by ePO into the ePO server and add them to Rogue System Detection.
- McAfee Server => Dashboards => RSD Summary displays the rogue systems.
For further information:
Qualys and Vulnerability Management
- This integration runs at the scheduled feed interval.
- Each time this integration runs, it checks for the asset group LUMETA_ESI_DISCOVERED and updates that asset group with the latest data (as opposed to IPSonar, where a new asset group is created each time a report is generated).
- Currently, we overwrite the asset group with the updated IPs each time we run a feed.
- Make sure that the user configured on the Settings => Integrations => Qualys Integration page has Manager access on the Qualys server.
- Spectre gets two lists from Qualys: IPs subscribed by Qualys, and IPs scanned or managed by Qualys (this list is generated from the LUMETA_ESI_DISCOVERED asset group).
- User-enabled Qualys Integration:
  - Subscribed IPs are ingested from the Qualys server into the qualys_subscribed_ips table.
  - ALL IPs currently scanned by Qualys are ingested into the qualys_scanned_ips_raw table.
  - When autosubscribe is ON:
    - Push "IPs Unmanaged by Qualys" back to the Qualys subscribed list.
    - Create a list of IPs that are in the Qualys subscribed list but not in the Qualys managed list.
  - When autosubscribe is OFF:
    - Find the list of IPs common to the Qualys managed list and the ESI discovered list.
    - Create a list of IPs currently in the subscribed list that are not in the above list.
    - Create an asset group: LUMETA_ESI_DISCOVERED.
    - Push the above list into the asset group.
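Both the McAfee ePO flow (pull managed hosts, compute the unmanaged set, push it back) and the Qualys flow above are set operations on IP lists, and the autosubscribe switch changes which sets are used. The following is an added example, not Lumeta's code, that carries the steps from both sections through on constructed sample inventories. It assumes that "IPs Unmanaged by Qualys" means IPs Spectre discovered that are not on the Qualys managed list, that the asset-group list in the ON branch is computed after the pushed IPs have joined the subscribed list, and that the result is returned as a small record rather than written to either server.

```python
"""Reconciliation logic for the McAfee ePO and Qualys integrations.

Added example (not Lumeta's code). Implements the set operations listed on
the page on constructed sample data. Assumptions: "IPs Unmanaged by Qualys"
= discovered - managed; the ON-branch asset group is computed after the
push; results are returned, not written to ePO or Qualys.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ASSET_GROUP = "LUMETA_ESI_DISCOVERED"  # asset group name from the page

# Constructed sample inventories (not real data).
SPECTRE_DISCOVERED = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}
EPO_MANAGED = {"10.0.0.1", "10.0.0.2"}
QUALYS_SUBSCRIBED = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9"}
QUALYS_MANAGED = {"10.0.0.1", "10.0.0.9"}


def epo_rogue_candidates(discovered: set[str], epo_managed: set[str]) -> set[str]:
    """Devices Spectre discovered that ePO does not manage.

    This is the list pushed into ePO and added to Rogue System Detection; it
    then shows up under Dashboards => RSD Summary.
    """
    return discovered - epo_managed


@dataclass
class QualysReconcileResult:
    """What one feed run would send to Qualys (assumed result shape)."""
    subscribe_push: set[str] = field(default_factory=set)  # added to the subscribed list
    asset_group: str = ASSET_GROUP
    asset_group_ips: set[str] = field(default_factory=set)  # overwrites the asset group


def qualys_reconcile(subscribed: set[str], managed: set[str], discovered: set[str],
                     autosubscribe: bool) -> QualysReconcileResult:
    """Apply the autosubscribe ON / OFF steps from the page to the three lists."""
    result = QualysReconcileResult()
    if autosubscribe:
        # Push "IPs Unmanaged by Qualys" back to the subscribed list
        # (assumed meaning: discovered by Spectre, not on the managed list).
        result.subscribe_push = discovered - managed
        # Then: IPs in the subscribed list but not in the managed list.
        effective_subscribed = subscribed | result.subscribe_push
        result.asset_group_ips = effective_subscribed - managed
    else:
        # IPs common to the Qualys managed list and the ESI discovered list ...
        managed_and_discovered = managed & discovered
        # ... and subscribed IPs not in that intersection go to the asset group.
        result.asset_group_ips = subscribed - managed_and_discovered
    # Either way the asset group is overwritten, never appended to.
    return result


if __name__ == "__main__":
    print("ePO rogue candidates:", sorted(epo_rogue_candidates(SPECTRE_DISCOVERED, EPO_MANAGED)))
    for flag in (True, False):
        r = qualys_reconcile(QUALYS_SUBSCRIBED, QUALYS_MANAGED, SPECTRE_DISCOVERED, flag)
        print(f"autosubscribe={flag}: push {sorted(r.subscribe_push)}, "
              f"{r.asset_group} <- {sorted(r.asset_group_ips)}")
```

The OFF branch never touches the Qualys subscription and only rewrites the asset group, which is the setting to start with when the Spectre user was just granted Manager access and you want to see what would change before anything is subscribed.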