Microsoft Sentinel and Lumu Universal SIEM

Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a Microsoft Sentinel deployment, leveraging Azure Log Analytics Data Collection Endpoints (DCE) and Data Collection Rules (DCR).

Requirements

  1. Azure administration access.
  2. Lumu Universal SIEM SecOps Integration.
  3. A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

Configure your Azure Subscription

Follow these steps to configure your Azure Subscription to receive and process Lumu events.

Create an Entra ID application

To create an Entra ID application, follow these directions using an administrator user:

1. On the Microsoft Entra ID menu in the Azure portal, select App registrations > New registration.

2. Give the application a name and change the tenancy scope if the default isn't appropriate for your environment. A Redirect URL isn't required.

3. After registration, you can view the details of the application. Note the Application (client) ID and the Directory (tenant) ID. You'll need these values later in the process.


Create an application client secret

Now, you need to generate an application client secret. Follow these steps to do so:

1. Under the application window, select Certificates & secrets > New client secret. Give the secret a name to identify its purpose and select the expiration time.

The recommended expiration time is 12 months. Feel free to use a different time according to your organization’s security policies. Remember, you need to renew it when it expires.



2. Click on Add to save the secret. Take note of the secret value.

Ensure that you record this value because you can't recover it after you move away from this page. Use the same security measures as you would for safekeeping a password because it's the functional equivalent.

Create a Data Collection Endpoint (DCE)

You will need a Data Collection Endpoint (DCE) to receive Lumu events. To create it, follow these steps:

1. Go to the Monitor menu in the Azure portal. Click on Data Collection Endpoints and then select Create.


2. Provide a name for the DCE. Make sure it's in the same region as your Analytics Workspace. Click on Create.


3. After the DCE is created, click on it to view its properties. Take note of the Logs ingestion URL; you will need it later.


Create a new table in Sentinel’s Log Analytics Workspace for Lumu events

Lumu events will be stored in a table. To create a new table, follow these steps:

1. Go to the Log Analytics workspaces menu in the Azure portal and select Tables. The tables in the workspace will appear. Select Create > New custom log (DCR based). Specify a name for the table.


2. Click on Create a new data collection rule to create the DCR that will be used to send data to this table. If you have an existing DCR, you can choose to use it instead. Specify the Subscription, Resource group, and Name for the DCR that will contain the custom log configuration.


3. Select the DCR that you created. Click on Next.


Define parsing rules and filter sample data

The next step is to define the parsing rules required by the Data Collection Rule (DCR). Follow these steps to do it:

At the bottom of this article, you can download the example_sentinel.json file needed in order to proceed any further.

1. Click on Upload sample file under the Schema and Transformation screen.


2. Upload the example_sentinel.json file when asked.

The warning “There was no timestamp field found in the sample provided…” is expected. This will be fixed in the next steps.

3. Click on the Transformation editor. Copy and paste the following Kusto Query Language (KQL) into the editor window.

Copy the following KQL query:

source
| extend TimeGenerated = now()
| extend IncidentData = iif(isnotnull(IncidentMuted), IncidentMuted,
    iif(isnotnull(IncidentUnmuted), IncidentUnmuted,
    iif(isnotnull(IncidentClosed), IncidentClosed,
    iif(isnotnull(IncidentUpdated), IncidentUpdated,
    iif(isnotnull(NewIncidentCreated), NewIncidentCreated, parse_json(''))))))
| extend EventType = iif(isnotnull(IncidentMuted), 'IncidentMuted',
    iif(isnotnull(IncidentUnmuted), 'IncidentUnmuted',
    iif(isnotnull(IncidentClosed), 'IncidentClosed',
    iif(isnotnull(IncidentUpdated), 'IncidentUpdated',
    iif(isnotnull(NewIncidentCreated), 'NewIncidentCreated', '')))))
| project
    TimeGenerated,
    EventType,
    url,
    incident=IncidentData.incident,
    comment=IncidentData.comment,
    contactSummary=IncidentData.contactSummary,
    reason=IncidentData.reason,
    companyId=IncidentData.companyId

4. Click on Run. You will see the transformation results in the Logs screen. Click on the Apply button to save the query.



5. Click on the Next button. Review the configuration details. Click on the Create button to finish.


Collect information from the Data Collection Rule

You need to collect the information of the created DCR. Follow these steps to do so:

1. On the Monitor menu in the Azure portal, click on Data Collection Rules and select the Data Collection Rule (DCR) you created. Click on JSON View in the Overview window.


2. Copy the immutableId and the dataFlows:outputStream. The outputStream string is the one ending in _CL.



Assign permissions to the Data Collection Rule

You need to grant your Azure application permissions on the Data Collection Rule (DCR) you created. Follow these steps to do it:

1. Click on Access Control (IAM) under the Data Collection Rule screen. Click on the Add role assignment button.


2. Search for the Monitoring Metrics Publisher job function role and select it. Click on Next.


3. On the Members tab, set the Assign access to option to User, group, or service principal. To add a member, click on Select members. Search for and select the application created before. Click on Select.


4. Click on Review + assign. Review the details before you save your role assignment.


Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

You can check the Docker image used for deploying the Universal SIEM Integration tools here.

Usage

1. Prepare the container (replace VALUE with proper values):


docker create \
        -e CUSTOM_OUTPUT="azure_log_ingestion" \
        -e INCLUDE_MUTED_UPDATES=VALUE \
        -e APP_VERBOSE=VALUE \
        -e COMPANY_KEY=VALUE \
        -e AZURE_CLIENT_ID=VALUE \
        -e AZURE_CLIENT_SECRET=VALUE \
        -e AZURE_DCE_ENDPOINT=VALUE \
        -e AZURE_DCR_IMMUTABLEID=VALUE \
        -e AZURE_DCR_STREAM_NAME=VALUE \
        -e AZURE_TENANT_ID=VALUE \
        --restart unless-stopped \
        --name lumu-universal-siem \
        --log-opt tag=lumu-universal-siem \
        --log-opt max-size=1030m \
        --log-opt max-file=13 \
        lumutools/universal-siem:latest

2. Run it:

docker start lumu-universal-siem

Parameters

  1. COMPANY_KEY: Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false)
  3. APP_VERBOSE: Change logging level to DEBUG (default INFO)
  4. AZURE_CLIENT_ID: Azure Client ID.
  5. AZURE_CLIENT_SECRET: Azure Client secret value (not the Azure client secret ID).
  6. AZURE_DCE_ENDPOINT: Azure Data Collection Endpoint URL (Example: https://[DCE_ENDPOINT_ID].[AZURE_AVAILABILITY_ZONE].ingest.monitor.azure.com).
  7. AZURE_DCR_IMMUTABLEID: Azure Data Collection Rules Immutable ID.
  8. AZURE_DCR_STREAM_NAME: Azure Data Collection Rules Stream Name.
  9. AZURE_TENANT_ID: Azure Tenant ID.
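The following Python script is an added example, not part of Lumu's tool or this article: it previews locally what the DCR transformation above does to a raw Lumu event (same key precedence as the iif() chain) and builds the Logs Ingestion API request that a client would send to the DCE using the parameters listed above. The sample events, the DCE host and the bearer token are constructed placeholders; the scope comment reflects the one used by the Azure SDK.

```python
import json
from datetime import datetime, timezone

# Same precedence as the iif() chain in the DCR transformation.
EVENT_KEYS = ("IncidentMuted", "IncidentUnmuted", "IncidentClosed",
              "IncidentUpdated", "NewIncidentCreated")
PROJECTED = ("incident", "comment", "contactSummary", "reason", "companyId")


def transform(event: dict) -> dict:
    """Local preview of the DCR transformation: pick the first non-null
    event key, label it as EventType, and project the table's columns."""
    event_type, data = "", {}
    for key in EVENT_KEYS:
        if event.get(key) is not None:
            event_type, data = key, event[key]
            break
    row = {"TimeGenerated": datetime.now(timezone.utc).isoformat(),
           "EventType": event_type, "url": event.get("url")}
    row.update({field: data.get(field) for field in PROJECTED})
    return row


def ingestion_url(dce_endpoint: str, dcr_immutable_id: str, stream_name: str) -> str:
    """Logs Ingestion API path built from AZURE_DCE_ENDPOINT,
    AZURE_DCR_IMMUTABLEID and AZURE_DCR_STREAM_NAME."""
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version=2023-01-01")


def build_request(events: list, dce_endpoint: str, dcr_immutable_id: str,
                  stream_name: str, bearer_token: str) -> dict:
    """Raw events are posted unchanged; the DCR applies the KQL server-side.
    bearer_token is assumed to come from the client-credentials flow of the
    Entra ID app (scope https://monitor.azure.com//.default in the Azure SDK)."""
    return {"method": "POST",
            "url": ingestion_url(dce_endpoint, dcr_immutable_id, stream_name),
            "headers": {"Authorization": f"Bearer {bearer_token}",
                        "Content-Type": "application/json"},
            "body": json.dumps(events)}  # the API expects a JSON array


# Constructed sample events; not captured from a real Lumu deployment.
SAMPLE_EVENTS = [
    {"url": "https://example.invalid/incident/1",
     "IncidentMuted": {"incident": {"id": "inc-1"}, "reason": "false positive",
                       "companyId": "co-1"}},
    {"url": "https://example.invalid/incident/2",
     "NewIncidentCreated": {"incident": {"id": "inc-2"}, "companyId": "co-1"}},
]
```

Run transform() over your own sample file before uploading it to check that every event kind you expect lands with a non-empty EventType.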

Further steps

To check the Lumu events in your Azure Sentinel deployment, run a query against the table using the Logs feature, with the Log Analytics workspace selected to store Lumu data.



If your environment has low or no detections, you will need to trigger a test detection to see data.
