Some enterprises may already be using defense solutions such as Endpoint Detection and Response (EDR) or network monitoring tools as part of their pipelines to centralize their logs. Lumu gives the option to deploy custom collectors to send your network metadata to Lumu. To know more about collectors options, consult our deployment and integration guide.
Lumu’s Custom Collector API allows sending network metadata captured from third-party platforms/services/appliances to Lumu for Continuous Compromise Assessment. It can also be used as an alternative for obtaining greater visibility in cases where the enterprise network restricts the use of Virtual Appliances.
Custom Collector API general deployment architecture.
This article is a quick guide on managing the Custom Collector API for integrating third-party solutions to the Lumu metadata-ingestion engine.
A unique key handles the authentication of the Lumu Custom Collector API. The company’s account key is found in the corresponding area of the Lumu Portal (1). Each custom collector also has a unique ID.
Custom Collector API management area - Lumu Portal.
Note: The revocation process generates a new Custom Collector API key. This action cannot be undone and will cause Lumu to stop storing and processing data for all current custom collectors. This option should be used only in specific scenarios, such as when your current key has been compromised or when your security policies require it. If a key is revoked, you need to update all current custom collector configurations with the new API key.
Manage Custom Collectors
To create a custom collector, navigate to the Collectors > API menu of the Lumu Portal and click to add a collector.
When creating a custom collector, you are required to provide the following information:
- Name: a name for your custom collector.
- Description: an optional brief description for the custom collector.
- Default Label: the label with which all the captured metadata will be associated by default. You can later specify grouping rules for a more granular classification.
- Type: the type of metadata you want this custom collector to process.
Custom Collector creation screen - Lumu Portal.
On the custom collector details page, you will find the following sections:
- Custom collector details include its name, id (unique identifier), labels, description, and data collection statistics.
- Custom collector management options: edit and delete.
- Links for the documentation.
- Records view of the custom collector for the last 30 days.
- Data group rules to add and edit rules (labels) for traffic categorization.
Custom Collector details screen - Lumu Portal.
To edit a custom collector, select the option to edit it and apply the desired changes (name, default label, description, etc.).
Be aware that any edit made to an existing collector affects only the data collected after the changes are made and does not apply to any data already collected.
In this area, you also have the option to delete a collector.
The deletion process cannot be undone and should be used only to remove the collector permanently. If a custom collector is deleted, you need to update the API configurations of any integration that used it with the ID of the new collector.
Working With Grouping Rules
On the Lumu Portal, you have the option to create rules for individual assets or groups of assets to label the custom collector’s metadata.
Rules are based on CIDRs (Classless Inter-Domain Routing). When you create a rule, all activity coming from a device whose IP address matches the CIDR is labeled according to the assigned label. If no match is found in the custom collector rules, the default label is applied.
Labels give you the power to categorize and filter your traffic by geography, network segment, device, domain, critical assets, or as needed. Labels include a business relevance option to help you make faster, data-supported decisions. To know more about labels, consult our documentation.
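To illustrate how CIDR grouping rules and the default label combine, here is an added example (not Lumu's code) that labels constructed network-metadata records the way the rules above describe. The rule set, record layout and the choice to resolve overlapping CIDRs by the most specific prefix are assumptions for this example; the page does not specify how overlaps are handled.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class GroupingRule:
    cidr: ipaddress.IPv4Network | ipaddress.IPv6Network
    label: str


class CustomCollectorLabeler:
    """Labels records like a custom collector's grouping rules: the source IP
    is matched against the CIDR rules, and the collector's default label is
    applied when no rule matches."""

    def __init__(self, default_label: str, rules: Iterable[tuple[str, str]]):
        self.default_label = default_label
        # Most specific prefix first so overlapping CIDRs resolve to the
        # narrowest match (assumption: the page does not define overlap order).
        self.rules = sorted(
            (GroupingRule(ipaddress.ip_network(cidr, strict=False), label)
             for cidr, label in rules),
            key=lambda r: r.cidr.prefixlen, reverse=True)

    def label_for(self, ip: str) -> str:
        # Raises ValueError for a malformed address rather than silently
        # applying the default label, so bad collector input is noticed.
        addr = ipaddress.ip_address(ip)
        for rule in self.rules:
            if addr in rule.cidr:  # False across IPv4/IPv6 versions
                return rule.label
        return self.default_label

    def label_records(self, records: Iterable[dict]) -> list[dict]:
        return [dict(r, label=self.label_for(r["source_ip"])) for r in records]


# Constructed sample rules and DNS-query records, not real Lumu data.
SAMPLE_RULES = [("10.1.0.0/16", "HQ-Workstations"), ("10.1.50.0/24", "HQ-Servers")]
SAMPLE_RECORDS = [
    {"source_ip": "10.1.50.7", "query": "update.example.net"},
    {"source_ip": "10.1.3.4", "query": "mail.example.com"},
    {"source_ip": "192.168.9.9", "query": "cdn.example.org"},
]


def demo() -> list[dict]:
    return CustomCollectorLabeler("Unlabeled", SAMPLE_RULES).label_records(SAMPLE_RECORDS)


if __name__ == "__main__":
    for rec in demo():
        print(rec["source_ip"], "->", rec["label"])
```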
To manage rules for a custom collector, go to the Lumu Portal and select the corresponding option (1).
Custom Collector rules management - Lumu Portal.
You can add, edit, or remove labels for specific IP addresses or a group of IPs.
Be aware that any edit made to an existing collector affects only the data collected after the changes are made and does not apply to any data already collected.
Custom Collector API Specifications
To understand the API methods available to send your infrastructure metadata to be analyzed by Lumu, see our documentation.