Allow all the traffic to the following hosts. These are required for the operation of this integration:
Please consult the Chronicle SIEM Regional Endpoints documentation for more details about these hosts.
Please contact your Chronicle representative to request a Google Developer Service Account credential. You will receive a Service Account file in JSON format. It looks as follows:
```json
{
  "type": "service_account",
  "project_id": "malachite-nfr…",
  "private_key_id": ".....",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "nfr…-...@malachite-nfr….iam.gserviceaccount.com",
  "client_id": ".....",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/nfr…-...%40malachite-nfr….iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
```
Please contact your Chronicle administrator or your Chronicle representative to identify the region where your deployment belongs. You can use the information from Chronicle Regional Endpoints as a guide.
To get your Customer ID, use your Chronicle SIEM console:
1. Click on the Settings menu in the left navigation panel.
2. Click on the Profile menu.
3. Copy the Consumer ID string found in the Profile window under the Organization Details section.
The integration set-up process needs you to collect the following information from the Lumu portal.
Log in to your Lumu portal and run the following procedures to collect this data.
To collect the Lumu Defender API key, refer to the Defender API document.
To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.
There are two environment options for deploying the script; select the one that best fits your current infrastructure.
Whichever alternative you select, you first need to unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
Save the credentials file collected from your Chronicle representative in the integration root path <app_lumu_root>.
To set up the integration, you need to add and edit a configuration file. This file contains all the parameters needed to run properly. It is a YAML list with one entry per company, and looks as follows:
```yaml
- lumu:
    uuid: "<COMPANY-ID>"
    defender_key: "<DEFENDER-KEY>"
  app:
    customer_id: "<CHRONICLE-CUSTOMER-ID>"
    # Use one of the following region strings:
    # Dammam, Europe Multi-Region, Frankfurt, London, Mumbai, Singapore, Sydney, Tel Aviv, United States Multi-Region, Zurich
    # Default: United States Multi-Region
    region: "<CHRONICLE-INSTANCE-REGION>"
  api:
    ingest_auth_file_path: "<CHRONICLE-INGEST-API-AUTH-FILE-PATH>" # Credential File
- # COMPANY 2
- # COMPANY 3
- # …
```
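Before deploying, it pays to check each entry of the configuration above against the constraints this page states (a UUID for the company, a non-empty Defender key and Customer ID, a region from the listed strings, and a readable Google service-account file under <app_lumu_root>). The validator below is an added example, not part of the Lumu package; it assumes the YAML has already been loaded into a list of dicts (for example with `yaml.safe_load`), and since the page does not show whether the `api` block sits at the top level or under `app`, it accepts both. `make_sample_root` writes a constructed, fake credential file so the check can be run offline.

```python
import json
import os
import tempfile
import uuid

# Region strings listed in the sample configuration above.
ALLOWED_REGIONS = {
    "Dammam", "Europe Multi-Region", "Frankfurt", "London", "Mumbai",
    "Singapore", "Sydney", "Tel Aviv", "United States Multi-Region", "Zurich",
}
# Keys present in the service-account file shown earlier on this page.
REQUIRED_SA_KEYS = {"type", "project_id", "private_key", "client_email", "token_uri"}

def validate_entry(entry: dict, root: str) -> list:
    """Return the problems found in one integrations.yml entry (empty list = OK)."""
    problems = []
    lumu, app = entry.get("lumu") or {}, entry.get("app") or {}
    api = entry.get("api") or app.get("api") or {}  # nesting of api is assumed; both accepted
    try:
        uuid.UUID(str(lumu.get("uuid", "")))
    except ValueError:
        problems.append("lumu.uuid is not a valid UUID")
    if not lumu.get("defender_key"):
        problems.append("lumu.defender_key is empty")
    if not app.get("customer_id"):
        problems.append("app.customer_id is empty")
    region = app.get("region") or "United States Multi-Region"  # default from the sample
    if region not in ALLOWED_REGIONS:
        problems.append("app.region %r is not a supported region string" % region)
    path = os.path.join(root, str(api.get("ingest_auth_file_path", "")))
    if not os.path.isfile(path):
        return problems + ["credential file %r not found under <app_lumu_root>" % path]
    if os.name == "posix" and os.stat(path).st_mode & 0o077:
        problems.append("credential file is readable by group/others; use chmod 600")
    with open(path) as fh:
        sa = json.load(fh)
    if sa.get("type") != "service_account" or not REQUIRED_SA_KEYS <= set(sa):
        problems.append("credential file is not a Google service-account key")
    return problems

def make_sample_root() -> str:
    # Temporary <app_lumu_root> holding a constructed, fake service-account file.
    root = tempfile.mkdtemp()
    path = os.path.join(root, "sa.json")
    with open(path, "w") as fh:
        json.dump({"type": "service_account", "project_id": "example-project",
                   "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
                   "client_email": "svc@example-project.iam.gserviceaccount.com",
                   "token_uri": "https://oauth2.googleapis.com/token"}, fh)
    os.chmod(path, 0o600)  # only the owner should be able to read the key
    return root
```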
To deploy the integration as a script, you need to run the install.sh script inside the integration package.
To run the installation script, locate yourself in the <app_lumu_root> folder, then execute this line through the CLI.
The installation script will set up the Python environment and an auxiliary cron job.
To use the script, you must locate yourself in the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:
```
usage: chronicle_lumu [-h] [--config CONFIG] [-v] [-l {screen,file}] [--hours HOURS]
```
| Options | Description |
|---|---|
| -h, --help | show this help message and exit |
| --config CONFIG | CONFIG FILE PATH of the integration(s). (Default: integrations.yml) |
| --logging {screen,file} | Logging option (Default: screen) |
| --verbose, -v | Verbosity level (Default: INFO) |
Run the following command to start the integration, which collects Lumu events and pushes them to Chronicle SIEM.
To redirect all the output from the execution process to a file, use the --logging file argument. The integration output will be stored in a file called lumu.log.
It is recommended to set this flag, since the script runs as a daemon process and the information stored in lumu.log is useful for tracing progress or troubleshooting.
Because the script is intended to run as a daemon process, it is recommended to launch it with complementary tools like nohup. Use the following line as an example:
If you are using a Python virtual environment
If you are NOT using a Python virtual environment
To identify failures on the script execution, use the -v flag to activate DEBUG logs.
The application runs one instance at a time. The script will block multiple attempts to run the same integration if one is already running. If this is the case, a message like the following appears:
```
Stopping the integration 3084245, it might have another older instance running, check if is feasible or not
older pid: 3078797 - cwd: /home/lumu/Documents/repos/lumu-chronicle - since: 2023-10-30 11:39:24.840000
cmdline: /home/lumu/Documents/repos/lumu-chronicle/venv310/bin/python /home/lumu/Documents/repos/lumu-chronicle/chronicle_lumu.py
```
If you have a Docker environment, you can select this option to run the integration as a Docker container. To deploy and run your integration as a Docker container, locate yourself in the <app_lumu_root> folder and follow these instructions:
1. To build the container, run the following command. Change the flags based on the reference given in the script section above. Do not forget the dot "." at the end of the line.
```
docker build [--build-arg APP_CONFIG='integrations.yml'] --tag python-lumu-chronicle .
```
2. To run the container, run the following command:
```
docker run -d --restart unless-stopped --name lumu-chronicle python-lumu-chronicle
```
For troubleshooting purposes, you can run the following commands:
To log in to your container using an interactive shell:
To collect integration logs:
After at least one event has been transmitted to a Chronicle instance, you can see the record in the UDM Search section of the Chronicle web console.
After ingesting Lumu detections and operating events, you can create your own rule to raise Lumu detections within your Chronicle SIEM deployment. You can use the following YARA-L rule to raise detections based on the destination and the incident ID, grouping all events related to new incidents and new contacts into a single detection within a given timeframe.
```
rule Lumu_detections {
  // This rule matches Lumu-related events
  meta:
    author = "Lumu Technologies, Inc."
    description = "Rule to detect new contacts based on Lumu ingested events"
    version = "1.0"

  events:
    // Select the events based on the vendor name and product event type.
    // Then derive the destination and incidentId fields; these will be used for grouping events into detections
    $e.metadata.vendor_name = "Lumu"
    $e.metadata.product_event_type = /NewIncidentCreated|IncidentUpdated/
    strings.coalesce($e.target.hostname, $e.target.ip) = $destination
    $e.metadata.product_log_id = $incidentId

  match:
    // Group detections based on the destination and incidentId values collected in the previous step,
    // within a 2 hours timeframe
    $destination, $incidentId over 2h

  outcome:
    // Define additional conditions. These will be used for the alerting section
    $risk_score = max(50)

  condition:
    $e
}
```
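To see how many detections the rule above produces for a given stream of events, the following added example (not Lumu's or Chronicle's code) models its three steps on constructed UDM-like events: the vendor/event-type selection with the same unanchored regex, the `strings.coalesce` fallback from hostname to IP, and the grouping by (destination, incident ID) inside a 2-hour window. The window handling is a simplification (a new window opens 2h after the first event of the previous one) and is not Chronicle's exact matching algorithm; the event field names follow the rule, the timestamps and values are invented.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # the "over 2h" match window of the rule
EVENT_TYPE = re.compile(r"NewIncidentCreated|IncidentUpdated")  # same unanchored regex

def destination(event: dict) -> str:
    """strings.coalesce($e.target.hostname, $e.target.ip): first non-empty value."""
    target = event.get("target", {})
    return target.get("hostname") or target.get("ip") or ""

def selected(event: dict) -> bool:
    """The events section: vendor_name is Lumu and product_event_type matches the regex."""
    meta = event.get("metadata", {})
    return meta.get("vendor_name") == "Lumu" and bool(EVENT_TYPE.search(meta.get("product_event_type", "")))

def group_detections(events: list) -> list:
    """One record per ($destination, $incidentId, window), mirroring the match and outcome sections."""
    groups = {}  # key -> list of windows, each window a list of events
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not selected(ev):
            continue
        key = (destination(ev), ev["metadata"].get("product_log_id"))
        windows = groups.setdefault(key, [])
        if windows and ev["ts"] - windows[-1][0]["ts"] < WINDOW:
            windows[-1].append(ev)  # still inside the 2h window opened by its first event
        else:
            windows.append([ev])    # first event of this key, or the window has expired
    return [{"destination": d, "incident_id": i, "events": len(w), "risk_score": 50}
            for (d, i), wins in groups.items() for w in wins]

def lumu_event(ts, event_type, incident, **target):
    return {"ts": ts, "metadata": {"vendor_name": "Lumu", "product_event_type": event_type,
                                   "product_log_id": incident}, "target": target}

T0 = datetime(2023, 10, 30, 11, 39)
SAMPLE_EVENTS = [  # constructed sample events, not real Lumu data
    lumu_event(T0, "NewIncidentCreated", "inc-1", hostname="bad.example", ip="198.51.100.7"),
    lumu_event(T0 + timedelta(minutes=30), "IncidentUpdated", "inc-1", hostname="bad.example"),
    lumu_event(T0 + timedelta(minutes=40), "IncidentClosed", "inc-1", hostname="bad.example"),  # not selected
    lumu_event(T0 + timedelta(hours=3), "IncidentUpdated", "inc-1", hostname="bad.example"),    # new window
    lumu_event(T0, "NewIncidentCreated", "inc-2", ip="203.0.113.9"),  # no hostname: falls back to the IP
]
```

Running `group_detections(SAMPLE_EVENTS)` yields three detections: two events for bad.example/inc-1 in the first window, one more for the same key three hours later, and one for 203.0.113.9/inc-2.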
After setting up your detection rule, you can see a detection dashboard like this: