Datadog and Lumu Universal SIEM

Alert: Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a Datadog deployment leveraging its HTTP Custom log forwarding feature.

Requirements

  1. A Datadog deployment with administrator access
  2. Lumu Universal SIEM SecOps Integration

Configure your Datadog deployment

Follow these steps to configure your Datadog deployment to receive and process Lumu events. Create an API key for the integration following the Add an API key or client token document from Datadog. Keep note of your API key; you will need it later.


Configure the headers and body

Create the .env_headers and .env_body files following these indications:

Headers File

Create the .env_headers file and fill it with the following content:

APP_HEADERS='
{
"Accept": "application/json",
"Content-Type": "application/json",
"DD-API-KEY": "DD_API_KEY"
}'

Replace DD_API_KEY with the API key created above.

Body File

Create the .env_body file and fill it with the following content:
APP_BODY='{
"ddsource": "lumu",
"ddtags": "product:lumu,type:secops",
"hostname": "<LUMU HOST>",
"message": "{{LUMU_EVENT}}",
"service": "lumu-secops"
}'
APP_ESCAPE_LUMU_EVENT=1
APP_REPLACE_LUMU_EVENT=1

Replace <LUMU HOST> with the hostname value appropriate for your Datadog deployment.

Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

Note: You can check the Docker image used for deploying the Universal SIEM Integration tools here.

Usage

1. Prepare the container (replace VALUE with proper values):
docker create \
    -e CUSTOM_OUTPUT="custom_http" \
    -e COMPANY_KEY=VALUE \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e CUSTOM_FULL_URL=VALUE \
    -e EVENTS=VALUE \
    -v $(pwd)/.env_headers:/app/.env_headers \
    -v $(pwd)/.env_body:/app/.env_body \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=30m \
    --log-opt max-file=3 \
    lumutools/universal-siem:latest

2. Run it:
docker start lumu-universal-siem

Parameters

  1. COMPANY_KEY: Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false).
  3. CUSTOM_FULL_URL: The URL depends on your Datadog site. Check the Getting Started with Datadog Sites document to identify your URL. These are some examples of how the URL changes depending on the site:
    1. US1 site -> https://http-intake.logs.datadoghq.com/api/v2/logs
    2. US5 site -> https://http-intake.logs.us5.datadoghq.com/api/v2/logs
    3. EU site -> https://http-intake.logs.datadoghq.eu/api/v2/logs
  4. EVENTS: comma-separated list of events to send to Datadog. You can skip this parameter if you want to send all the events. Use the available values: NewIncidentCreated, IncidentUpdated, IncidentUnmuted, IncidentMuted, IncidentClosed, IncidentIntegrationsResponseUpdated, IncidentBuiltInResponseUpdated, IncidentActionAdded, IncidentMarkedAsRead, IncidentCommentAdded. If this variable is not set, all event types are sent.

Lumu event reference

Use this table to build the comma-separated string to include Lumu events of interest in the Universal SIEM component configuration.

Event Code                            Description
NewIncidentCreated                    Lumu reported a new detection
IncidentUpdated                       Lumu reported a new event related to an existing detection
IncidentClosed                        A Lumu detection was manually or automatically closed
IncidentMuted                         A Lumu detection was muted by an analyst
IncidentUnmuted                       A previously muted detection was re-activated
IncidentIntegrationsResponseUpdated   External integrations acknowledged/responded to the incident
IncidentBuiltInResponseUpdated        Lumu's built-in response mechanisms (e.g. agent) were applied
IncidentActionAdded                   A manual action (e.g. sharing a report) was performed on the incident
IncidentMarkedAsRead                  The Lumu detection was marked as read
IncidentCommentAdded                  A comment was recorded on the Lumu detection

For example, if you are interested in new detections and new events on existing detections, you must use the following:

"NewIncidentCreated,IncidentUpdated"

If you want to add the status change to the Lumu-reported events, you must use the following:

"NewIncidentCreated,IncidentUpdated,IncidentMuted,IncidentUnmuted,IncidentClosed"
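The following script is an added example, not part of Lumu's tool or this article. It renders the .env_body template from the section above against a constructed sample event to show what reaches the Datadog logs intake, checks the .env_headers content for the leftover DD_API_KEY placeholder, and validates an EVENTS string against the event codes in the table. The escaping behaviour of APP_ESCAPE_LUMU_EVENT=1 is assumed to be standard JSON string escaping; the sample event and hostname are constructed and do not follow a real Lumu schema.

```python
import json

# Event codes from the Lumu event reference table on this page.
ALLOWED_EVENTS = {
    "NewIncidentCreated", "IncidentUpdated", "IncidentUnmuted", "IncidentMuted",
    "IncidentClosed", "IncidentIntegrationsResponseUpdated",
    "IncidentBuiltInResponseUpdated", "IncidentActionAdded",
    "IncidentMarkedAsRead", "IncidentCommentAdded",
}

# The APP_BODY template from .env_body, with a constructed hostname filled in.
BODY_TEMPLATE = """{
"ddsource": "lumu",
"ddtags": "product:lumu,type:secops",
"hostname": "lumu-collector-example",
"message": "{{LUMU_EVENT}}",
"service": "lumu-secops"
}"""

# Constructed sample event (illustrative shape only, not a real Lumu payload).
SAMPLE_EVENT = {"type": "NewIncidentCreated", "incident": {"id": "EXAMPLE-ID"}}


def render_body(template: str, event: dict, escape: bool = True) -> dict:
    """Substitute {{LUMU_EVENT}} with the serialized event and parse the result.

    escape=True mimics the assumed effect of APP_ESCAPE_LUMU_EVENT=1: the event
    JSON is escaped so it fits inside the quoted "message" string. Without it the
    inner quotes break the outer JSON and json.loads raises ValueError, which is
    the misconfiguration this check surfaces before anything is shipped.
    """
    serialized = json.dumps(event, separators=(",", ":"))
    if escape:
        # json.dumps of a str gives a quoted, escaped literal; drop the outer quotes.
        serialized = json.dumps(serialized)[1:-1]
    return json.loads(template.replace("{{LUMU_EVENT}}", serialized))


def decoded_message(payload: dict) -> dict:
    """Recover the original Lumu event from the rendered payload's message field."""
    return json.loads(payload["message"])


def check_headers(headers: dict) -> list:
    """Return problems found in the APP_HEADERS content (placeholder key, wrong type)."""
    problems = []
    if headers.get("DD-API-KEY", "") in ("", "DD_API_KEY"):
        problems.append("DD-API-KEY still holds the placeholder value")
    if headers.get("Content-Type") != "application/json":
        problems.append("Content-Type must be application/json for the v2 logs intake")
    return problems


def invalid_events(csv: str) -> list:
    """Return entries of an EVENTS string that are not Lumu event codes from the table."""
    return [e for e in (x.strip() for x in csv.split(",")) if e and e not in ALLOWED_EVENTS]
```

Run render_body with escape=False to see the ValueError you would get if the event were inserted unescaped, and feed check_headers the parsed APP_HEADERS JSON before starting the container.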

Further Steps

To check the Lumu events in your Datadog deployment, open the Logs menu in your Datadog console, run a search filtering by source:lumu, and review the collected events.
