Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Integration

Description

Configuration Input

How to test if feed is accessible

Tables Populated

Dashboards/Reports

Open Source Feed èEmerging Threats

http://rules.emergingthreats.net/blockrules/compromised-ips.txt provides you with a list of IPs that have been compromised. Spectre ingests this list and compares it to your discovered devices.

Polling Interval

Go to the emerging threats URL and verify that you can view the results

threat_feed_ip

(_source: openthreat)

 

Breach Detection è Zombie Devices

Open Source Feed è Tor

Enabling Tor feed helps you find if any of your organization’s trusted network assets are behaving as TOR relays or exit addresses.

URLs that Spectre gets the TOR relays and exit addresses from are:

https://onionoo.torproject.org/summary?type=relay

https://check.torproject.org/exit-addresses

 

Polling Interval

Go to the TOR URLs and verify that you can view the results

tor

Breach Detection è Tor Nodes and Tor Flow Charting

Open Source Feed è ISC

https://isc.sans.edu/services.html provides Spectre with a list of ports that have been compromised. Spectre ingests this list and compares it against the open ports of your discovered devices.

Polling Interval

Go to ISC URL and verify that you can view the results

portlookup

Breach Detection è Nefarious Ports Summary

Emerging Threats Pro

With a valid customer key, http://rules.emergingthreatspro.com provides Spectre with a list of IPs that have been compromised. Spectre ingests this list and compares it with your discovered devices.

Polling Interval

Customer Key

Go to Emerging Threats Pro URL and verify that you can view the results

threat_feed_ip

(_source: emergingthreat)

Breach Detection è Zombie Devices

iDefense

Verisign iDefense is a closed-source threat intelligence feed available to all Spectre customers. This feed correlates iDefense IPs against your network's IPs to produce actionable lists of zombie devices and threat flows in your network.

Polling Interval

Customer Key

Go to https://api.intelgraph.verisign.com/rest/threatindicator/v0 and login with

your username/password and verify that you can view the results

threat_feed_ip

(_source: idefense)

 

Breach Detection è Threat Flow Charting

Gigamon

Spectre uses NetFlow data to identify threat conversations between your network and external adversaries. This NetFlow data comes to Spectre as a result of its integration with a Gigamon solution.

Enable Netflow Packet Capture Service

Once you enable netflow, make sure nfcapd files are created under /var/spool/netflow directory.

Gigamon (GigaSMART engine) can create only one type of record – either IPFIX, v9 or v5.

We have tested Spectre with v9 only. As per our Development team, IPFIX is not supported.

 

Not tables

under /var/spool/netflow directory, you will see nfcapd files

Breach Detection è Threat Flow Charting

Carbon Black

The integration of Carbon Black Endpoint Detection and Response capabilities to Spectre enables you to know whether hosts on your enterprise network are either unmanaged by Carbon Black, unmanaged by Spectre, or managed by both.

Polling Interval

Customer Key

Server Name

  • Verify that you can login to your Carbon Black Server with your username and password
  • Verify that you have port 443 open
  • Verify that you have IPs in your network with CB sensor installed

managed_hosts_v

(_source: bit9)

bit9_managed_hosts_regex

Endpoint Management

McAfee

Lumeta Spectre fetches McAfee ePO-managed data, compares it to Spectre-discovered data within the same network space, and then pushes the findings back to the ePO server. This ensures on a continual basis that ePO has the complete set of networks and devices to manage.

Polling Interval

Server Name

Username

Password

  • Verify that you can login to your McAfee ePO Server with your username and password
  • Verify that you have port 443 open
  • Verify that you have IPs in your network licensed for McAfee

managed_hosts_v

(_source: epo)

epo_managed_hosts

 

ePO Management

Infoblox

This integration reconciles data between Spectre and Infoblox (an IP address management solution) and enables you to export an IP list with which to update the IP assets managed on Infoblox. 

Polling Interval

Server Name

Username

Password

  • Verify that you can login to your Infoblox Server with your username and password
  • Verify that you have port 443 open
  • Verify that you have IPs in your network licensed for Infoblox

managed_hosts_v

(_source: infoblox)

infoblox_managed_hosts

IP Address Management

Cisco PxGrid

The Cisco pxGrid integration enables you to exchange context with Cisco products to retrieve endpoint, identity group, security group, and session data from a Cisco ISE server. To make use of this integration, your network must be running the Cisco pxGrid agent and be monitored by Lumeta Spectre.

Server Name

Username

Keystore File

Keystore Password

Truststore File

Truststore Password

 

  • Verify that you can login to your Cisco PxGrid Server with your username and password.
  • Verify that your Cisco pxGrid agent is running.
  • Verify that Spectre can discover your Cisco pxGrid agent.
  • Verify that you have port 443 open

cisco_ise_endpointprofile

cisco_ise_identity_group

cisco_ise_securitygroup

cisco_ise_session

Search=>Devices=> Pxgrip IP Sessions

Qualys

Spectre helps your Qualys Enterprise server work better by comparing Qualys-subscribed and Qualys-scanned IPs with Spectre-indexed hosts in the same network space. Qualys receives a list of endpoint data information from Spectre at every polling interval, enabling Qualys to add the endpoints to its network space, thereby eliminating any gaps in coverage and ensuring the comprehensive provision of vulnerability management to Qualys customers.

Polling Interval

Server Name

Username

Password

Auto-Subscribe

 

  • Verify that you can login to your Qualys Server with your username and password
  • Verify that you have port 443 open
  • Verify that you have IPs in your network licensed for Qualys

qualys_scanned_ips_raw

qualys_subscribed_ips

qualys_subscribed_ips_v

Vulnerability Management

 

Integration Feeds (Data Pulled)

Integration Feeds (Data Pulled and Pushed)

  • Emerging Threats
  • ISC
  • TOR
  • Emerging Threats Pro
  • iDefense
  • Carbon Black
  • Cisco pxGrid
  • Gigamon NetFlow
  • Qualys
  • Infoblox
  • McAfee ePO

 

 

Lumeta Spectre Extension to McAfee ePO

...