Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Create the `.env_headers` file and fill it with the following content (replace `DD_API_KEY` with your Datadog API key):

```
APP_HEADERS='
{
"Accept": "application/json",
"Content-Type": "application/json",
"DD-API-KEY": "DD_API_KEY"
}'
```

Then create the `.env_queries` file (mounted into the container as `/app/.env_body` in the command below) with the following content, replacing `<LUMU HOST>` with the hostname to report to Datadog:

```
APP_BODY='{
"ddsource": "lumu",
"ddtags": "product:lumu,type:secops",
"hostname": "<LUMU HOST>",
"message": "{{LUMU_EVENT}}",
"service": "lumu-secops"
}'
APP_ESCAPE_LUMU_EVENT=1
APP_REPLACE_LUMU_EVENT=1
```
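The two flags at the end of `.env_queries` matter because the Lumu event is inserted into the `message` field, which is a JSON string: without escaping, the quotes and braces of the event break the body. As an added example (not the Universal SIEM tool's own code), the following Python script parses both files, renders the body with a constructed event, checks that the headers no longer hold the placeholder, and shows why an unescaped event fails. The minimal env-file parser, the reading of `APP_ESCAPE_LUMU_EVENT=1` as JSON-escaping the serialized event, and the sample event fields are all assumptions made for this example.

```python
import json

# Constructed copies of the two env files shown above (placeholders left exactly as on the page),
# embedded so the check runs offline. Added example, not the Universal SIEM tool's code.
ENV_HEADERS = """APP_HEADERS='
{
"Accept": "application/json",
"Content-Type": "application/json",
"DD-API-KEY": "DD_API_KEY"
}'
"""

ENV_QUERIES = """APP_BODY='{
"ddsource": "lumu",
"ddtags": "product:lumu,type:secops",
"hostname": "<LUMU HOST>",
"message": "{{LUMU_EVENT}}",
"service": "lumu-secops"
}'
APP_ESCAPE_LUMU_EVENT=1
APP_REPLACE_LUMU_EVENT=1
"""

# Constructed Lumu event containing quotes and braces, the characters that break an unescaped template.
SAMPLE_EVENT = {
    "type": "NewIncidentCreated",
    "incident": {"id": "hypothetical-incident-id", "adversary": "example.invalid"},
}


def parse_env(text):
    """Minimal KEY=value / KEY='multi-line value' parser for the files above (assumed format)."""
    result, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if value.startswith("'"):
            value, parts = value[1:], []
            while "'" not in value:  # consume lines until the closing single quote
                parts.append(value)
                if i >= len(lines):
                    raise ValueError(f"unterminated quoted value for {key}")
                value = lines[i]
                i += 1
            parts.append(value[: value.index("'")])
            value = "\n".join(parts)
        result[key.strip()] = value
    return result


def render_body(env, event):
    """Substitute the event into APP_BODY as the two APP_*_LUMU_EVENT flags suggest
    (assumption: escape=1 JSON-escapes the serialized event before insertion) and parse the result."""
    if env.get("APP_REPLACE_LUMU_EVENT") != "1":
        raise ValueError("APP_REPLACE_LUMU_EVENT=1 is required for {{LUMU_EVENT}} substitution")
    payload = json.dumps(event, separators=(",", ":"))
    if env.get("APP_ESCAPE_LUMU_EVENT") == "1":
        payload = json.dumps(payload)[1:-1]  # escape quotes and backslashes so it fits inside "message"
    rendered = env["APP_BODY"].replace("{{LUMU_EVENT}}", payload)
    return json.loads(rendered)  # raises ValueError if the template produced invalid JSON


def template_is_safe(env, event):
    """True when render_body yields valid JSON whose message round-trips to the original event."""
    try:
        body = render_body(env, event)
    except ValueError:
        return False
    return json.loads(body["message"]) == event


def check_headers(env):
    """Return problems found in APP_HEADERS (an empty list means the file is ready to deploy)."""
    headers = json.loads(env["APP_HEADERS"])
    problems = []
    if headers.get("DD-API-KEY") in (None, "", "DD_API_KEY"):
        problems.append("DD-API-KEY still holds the DD_API_KEY placeholder")
    if headers.get("Content-Type") != "application/json":
        problems.append("Content-Type must be application/json")
    return problems


if __name__ == "__main__":
    queries, headers = parse_env(ENV_QUERIES), parse_env(ENV_HEADERS)
    print(json.dumps(render_body(queries, SAMPLE_EVENT), indent=2))
    print("headers:", check_headers(headers) or "ok")
    unescaped = dict(queries, APP_ESCAPE_LUMU_EVENT="0")
    print("escape=1 safe:", template_is_safe(queries, SAMPLE_EVENT),
          "| escape=0 safe:", template_is_safe(unescaped, SAMPLE_EVENT))
```

Run it against your real files by reading them instead of the embedded strings; a non-empty list from `check_headers` or `False` from `template_is_safe` means the container would ship either no valid API key or bodies Datadog cannot parse.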
Now it's time to configure and deploy the Lumu Integration tool. Follow these steps:

1. Prepare the container (replace each `VALUE` with the proper value):

   ```bash
   docker create \
   -e CUSTOM_OUTPUT="custom_http" \
   -e COMPANY_KEY=VALUE \
   -e INCLUDE_MUTED_UPDATES=VALUE \
   -e CUSTOM_FULL_URL=VALUE \
   -e EVENTS=VALUE \
   -v $(pwd)/.env_headers:/app/.env_headers \
   -v $(pwd)/.env_queries:/app/.env_body \
   --restart unless-stopped \
   --name lumu-universal-siem \
   --log-opt tag=lumu-universal-siem \
   --log-opt max-size=30m \
   --log-opt max-file=3 \
   lumutools/universal-siem:latest
   ```

2. Run it:

   ```bash
   docker start lumu-universal-siem
   ```
Use this table to build the comma-separated string of Lumu events of interest for the `EVENTS` value in the Universal SIEM component configuration.

| Event Code | Description |
|---|---|
| NewIncidentCreated | Lumu reported a new detection |
| IncidentUpdated | Lumu reported a new event related to an existing detection |
| IncidentClosed | A Lumu detection was manually or automatically closed |
| IncidentMuted | A Lumu detection was muted by an analyst |
| IncidentUnmuted | A previously muted detection was re-activated |
| IncidentIntegrationsResponseUpdated | External integrations acknowledged/responded to the incident |
| IncidentBuiltInResponseUpdated | Lumu's built-in response mechanisms (e.g. agent) were applied |
| IncidentActionAdded | A manual action (e.g. sharing a report) was performed on the incident |
| IncidentMarkedAsRead | The Lumu detection was read |
| IncidentCommentAdded | A comment was recorded on the Lumu detection |
For example, if you are interested in new detections and new events on existing detections, you must use the following: `NewIncidentCreated,IncidentUpdated`
If you want to add the status change to the Lumu-reported events, you must use the following:
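Before putting the string into `EVENTS=` in the `docker create` command above, it is worth checking it against the table, since a misspelled or wrongly cased code is not one the table lists. This is an added example, not part of the Lumu documentation or tooling: a small Python validator that knows the codes from the table, flags unknown or duplicated codes and suggests the correctly cased name. The rule that the value must contain no whitespace is an assumption about how the tool splits the string.

```python
# Event codes from the table above; added example, not part of the Lumu tooling.
LUMU_EVENT_CODES = {
    "NewIncidentCreated", "IncidentUpdated", "IncidentClosed", "IncidentMuted",
    "IncidentUnmuted", "IncidentIntegrationsResponseUpdated",
    "IncidentBuiltInResponseUpdated", "IncidentActionAdded",
    "IncidentMarkedAsRead", "IncidentCommentAdded",
}


def validate_events(value):
    """Return a list of problems with an EVENTS string (an empty list means it is usable)."""
    problems = []
    # Assumption: the tool splits on commas without trimming, so any whitespace is rejected.
    if any(ch.isspace() for ch in value):
        problems.append("EVENTS must not contain whitespace")
    codes = [c.strip() for c in value.split(",")]
    for code in codes:
        if not code:
            problems.append("empty entry (leading, trailing or doubled comma)")
        elif code not in LUMU_EVENT_CODES:
            # Suggest the table's spelling when only the case differs.
            hint = next((k for k in LUMU_EVENT_CODES if k.lower() == code.lower()), None)
            msg = f"unknown event code {code!r}"
            problems.append(msg + (f" (did you mean {hint}?)" if hint else ""))
    dupes = sorted({c for c in codes if c and codes.count(c) > 1})
    if dupes:
        problems.append("duplicate codes: " + ", ".join(dupes))
    return problems


def build_events(*codes):
    """Join codes into the comma-separated EVENTS value, refusing anything the table does not list."""
    value = ",".join(codes)
    problems = validate_events(value)
    if problems:
        raise ValueError("; ".join(problems))
    return value


if __name__ == "__main__":
    # The first example from the text: new detections plus new events on existing detections.
    print("EVENTS=" + build_events("NewIncidentCreated", "IncidentUpdated"))
    for candidate in ("NewIncidentCreated, IncidentUpdated",
                      "newincidentcreated",
                      "IncidentUpdated,IncidentUpdated,"):
        print(repr(candidate), "->", validate_events(candidate) or "ok")
```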
To check that the Lumu events reach your Datadog deployment, open the Logs menu in the Datadog console and run a search filtered by `source:lumu`. The collected events should be listed there.