Requirements
- A Datadog deployment with administrator access
- Lumu Universal SIEM SecOps Integration
- A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.
Configure your Datadog deployment
Follow these steps to configure your Datadog deployment to receive and process Lumu events. Create an API key for the integration by following the Add an API key or client token document from Datadog. Keep note of your API key; you will need it later.
Configure the headers and query parameters
Create the .env_headers and .env_body files as described below:
Headers File
Create the .env_headers file and fill it with the following content:
APP_HEADERS='
{
"Accept": "application/json",
"Content-Type": "application/json",
"DD-API-KEY": "DD_API_KEY"
}'
Replace DD_API_KEY with the API key created above.
Body File
Create the .env_body file and fill it with the following content:
APP_BODY='{
"ddsource": "lumu",
"ddtags": "product:lumu,type:secops",
"hostname": "<LUMU HOST>",
"message": "{{LUMU_EVENT}}",
"service": "lumu-secops"
}'
APP_ESCAPE_LUMU_EVENT=1
APP_REPLACE_LUMU_EVENT=1
Replace the value <LUMU HOST> according to your Datadog deployment.
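The two flags above tell the integration tool to JSON-escape each Lumu event and substitute it for {{LUMU_EVENT}} in the APP_BODY template. The following added example (not part of the Lumu tool or this page) mirrors that behaviour on a constructed sample event and validates the result as a Datadog log record, showing why the escape step is needed: without it, any quote inside the event breaks the "message" string and the payload is no longer valid JSON. The render and validation functions are assumptions of this example, not the tool's own code.

```python
import json

# Constructed template, identical in shape to the APP_BODY value described above.
APP_BODY = '''{
"ddsource": "lumu",
"ddtags": "product:lumu,type:secops",
"hostname": "<LUMU HOST>",
"message": "{{LUMU_EVENT}}",
"service": "lumu-secops"
}'''

# Constructed sample Lumu event (not a real one). The embedded quotes and newline
# are exactly what makes escaping inside a JSON string value necessary.
SAMPLE_EVENT = {"id": "evt-0001", "type": "contact", "adversary": "example.invalid",
                "detail": 'host "ws-42" contacted\nknown C2'}

def render_payload(template, event, host, escape=True):
    """Assumed model of APP_REPLACE_LUMU_EVENT=1 / APP_ESCAPE_LUMU_EVENT=1.
    escape=True: the event is JSON-encoded as a string, safe inside the quoted
    "message" field. escape=False: the raw event JSON is pasted in verbatim."""
    raw = json.dumps(event, separators=(",", ":"))
    # json.dumps(raw) yields a quoted JSON string; drop the outer quotes because
    # the template already supplies them around {{LUMU_EVENT}}.
    inner = json.dumps(raw)[1:-1] if escape else raw
    return template.replace("<LUMU HOST>", host).replace("{{LUMU_EVENT}}", inner)

def validate_payload(text):
    """Return the parsed record if it is a well-formed Datadog log record whose
    message is itself valid JSON; otherwise return None."""
    try:
        record = json.loads(text)
        required = {"ddsource", "ddtags", "hostname", "message", "service"}
        if not required.issubset(record) or not isinstance(record["message"], str):
            return None
        json.loads(record["message"])  # the Lumu event must round-trip intact
    except (json.JSONDecodeError, TypeError):
        return None
    return record

def decode_message(record):
    """Recover the original Lumu event from a validated record."""
    return json.loads(record["message"])

def api_key_is_set(headers):
    """Flag a .env_headers file where the DD_API_KEY placeholder was never replaced."""
    return headers.get("DD-API-KEY", "") not in ("", "DD_API_KEY")
```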
Lumu Universal SIEM Integration tool
Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.
You can check the Docker image used for deploying the Universal SIEM Integration tools here.
Usage
1. Prepare the container (replace VALUE with proper values; the .env_headers and .env_body files created above must be in the current directory):
docker create \
-e CUSTOM_OUTPUT="custom_http" \
-e COMPANY_KEY=VALUE \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e APP_VERBOSE=VALUE \
-e CUSTOM_FULL_URL=https://http-intake.logs.datadoghq.com/api/v2/logs \
-v $(pwd)/.env_headers:/app/.env_headers \
-v $(pwd)/.env_body:/app/.env_body \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=3100m \
--log-opt max-file=13 \
lumutools/universal-siem:latest
2. Run it:
docker start lumu-universal-siem
Parameters
- COMPANY_KEY: Lumu integration key.
- INCLUDE_MUTED_UPDATES: Set this to true to include contacts of muted incidents, false otherwise (default is false).
- APP_VERBOSE: Change the logging level to DEBUG (default is INFO).
- CUSTOM_FULL_URL: The Datadog logs intake endpoint; use https://http-intake.logs.datadoghq.com/api/v2/logs.
Further Steps
To check the Lumu events in your Datadog deployment, open the Logs menu in your Datadog console, run a search filtering by source:lumu, and review the collected events.