Datadog and Lumu Universal SIEM

Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a Datadog deployment leveraging its HTTP Custom log forwarding feature.

Requirements

  1. A Datadog deployment with administrator access
  2. Lumu Universal SIEM SecOps Integration
  3. A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

Configure your Datadog deployment

Follow these steps to configure your Datadog deployment to receive and process Lumu events. Create an API key for the integration following the Add an API key or client token document from Datadog. Keep note of your API key; you will need it later.


Configure the headers and body

Create the .env_headers and .env_body files following these indications:

Headers File

Create the .env_headers file and fill it with the following content:

    APP_HEADERS='
    {
    "Accept": "application/json",
    "Content-Type": "application/json",
    "DD-API-KEY": "DD_API_KEY"
    }'

Replace DD_API_KEY with the API key created above.

Body File

Create the .env_body file and fill it with the following content:

    APP_BODY='{
    "ddsource": "lumu",
    "ddtags": "product:lumu,type:secops",
    "hostname": "<LUMU HOST>",
    "message": "{{LUMU_EVENT}}",
    "service": "lumu-secops"
    }'
    APP_ESCAPE_LUMU_EVENT=1
    APP_REPLACE_LUMU_EVENT=1

Replace the value <LUMU HOST> according to your Datadog deployment.
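As an added illustration (not part of this article or of the Lumu integration tool), the Python below models how the two files above are expected to be used: it fills <LUMU HOST> and {{LUMU_EVENT}} in APP_BODY, shows why APP_ESCAPE_LUMU_EVENT=1 is needed for the result to be valid JSON, and checks the Datadog log fields and the DD-API-KEY placeholder before anything is sent. The exact substitution semantics of APP_ESCAPE_LUMU_EVENT and APP_REPLACE_LUMU_EVENT, the sample event and the host name are assumptions.

```python
import json

# Templates copied from this page's .env_headers and .env_body files.
APP_HEADERS = '{"Accept": "application/json", "Content-Type": "application/json", "DD-API-KEY": "DD_API_KEY"}'
APP_BODY = '''{
    "ddsource": "lumu",
    "ddtags": "product:lumu,type:secops",
    "hostname": "<LUMU HOST>",
    "message": "{{LUMU_EVENT}}",
    "service": "lumu-secops"
}'''

# Constructed sample detection (not a real Lumu event; field names are illustrative).
SAMPLE_EVENT = {"id": "example-incident-0001", "adversaryType": "C2C",
                "adversaryHost": "malicious.example", "endpoint": "workstation-01"}


def render_body(template, event, lumu_host, escape=True):
    """Fill <LUMU HOST> and {{LUMU_EVENT}} the way I assume the tool does with
    APP_REPLACE_LUMU_EVENT=1. escape=True models APP_ESCAPE_LUMU_EVENT=1: the
    serialized event is JSON-escaped so it fits inside the quoted "message" value."""
    serialized = json.dumps(event, separators=(",", ":"))
    if escape:
        # json.dumps on a str gives a quoted, escaped literal; drop the outer quotes
        # because the template already supplies them around {{LUMU_EVENT}}.
        serialized = json.dumps(serialized)[1:-1]
    return template.replace("<LUMU HOST>", lumu_host).replace("{{LUMU_EVENT}}", serialized)


def validate_body(body):
    """Parse a rendered body and check the Datadog log-intake fields. Raises
    ValueError (JSONDecodeError is a subclass) on invalid JSON, a missing field,
    an unreplaced host placeholder, or a message that is not the event's JSON."""
    payload = json.loads(body)
    missing = {"ddsource", "ddtags", "hostname", "message", "service"} - payload.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    if payload["hostname"] == "<LUMU HOST>":
        raise ValueError("hostname placeholder was not replaced")
    payload["event"] = json.loads(payload["message"])  # recover the original event
    return payload


def header_problems(headers_json):
    """List what is wrong with the .env_headers JSON; an empty list means it is ready."""
    headers = json.loads(headers_json)
    problems = []
    if headers.get("DD-API-KEY") in (None, "", "DD_API_KEY"):
        problems.append("DD-API-KEY still holds the DD_API_KEY placeholder")
    if headers.get("Content-Type") != "application/json":
        problems.append("Content-Type must be application/json")
    return problems
```

Rendering with escape=False produces a body that Datadog would reject as malformed JSON, which is the failure you see if APP_ESCAPE_LUMU_EVENT is left unset.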

Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

You can check the Docker image used for deploying the Universal SIEM Integration tools here.

Usage

1. Prepare the container (replace VALUE with proper values):
docker create \
    -e CUSTOM_OUTPUT="custom_http" \
    -e COMPANY_KEY=VALUE \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e APP_VERBOSE=VALUE \
    -e CUSTOM_FULL_URL=https://http-intake.logs.datadoghq.com/api/v2/logs \
    -v "$(pwd)/.env_headers":/app/.env_headers \
    -v "$(pwd)/.env_body":/app/.env_body \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=3100m \
    --log-opt max-file=13 \
    lumutools/universal-siem:latest



2. Run it:
docker start lumu-universal-siem

Parameters

  1. COMPANY_KEY: Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false).
  3. APP_VERBOSE: Change the logging level to DEBUG (default is INFO).
  4. CUSTOM_FULL_URL: Use the one included in the command above, https://http-intake.logs.datadoghq.com/api/v2/logs.

Further Steps

To check the Lumu events in your Datadog deployment, open the Logs menu in your Datadog console and run a search filtering by source:lumu. Check the collected events.
