Deployment Monitoring

At the core of Lumu’s Continuous Compromise Assessment model lies a single fact: maintaining continuous visibility of network traffic is fundamental to identifying and mitigating threats in real time. To accommodate any infrastructure, Lumu offers a wide variety of deployment options for collecting your organization’s network traffic, from Gateways and Virtual Appliances to third-party integrations.

However, this visibility is only valuable if it remains uninterrupted. To ensure that the collection of network metadata is never silently interrupted, Lumu offers the Deployment Monitoring feature. It proactively notifies your organization when a collector or integration fails and goes offline, preserving the operational resilience of the Continuous Compromise Assessment model.

This feature transforms the management of security infrastructure from reactive to proactive. By alerting immediately to any interruption in data collection, the platform ensures there are no blind spots in your organization’s network, safeguarding the continuity of threat analysis, and maximizing the return on investment in the Lumu architecture.

Monitoring Coverage

Lumu maintains direct visibility over the following components. If any of them stops transmitting data or fails its internal health checks, Lumu automatically generates an alert.

  • Virtual Appliances      
  • Log Forwarders  
    Notes Virtual Appliances and Log Forwarders are alerted on total inactivity and also on the failure of any individual embedded collector.
  • Hardware Appliances
  • Gateways
  • Agent Collectors
  • Custom collectors
  • Out-of-the-box integrations, with the following considerations:        
    • All Response integrations are monitored and alerted.
    • For SecOps integrations, Lumu monitors and alerts on Google Chat, Slack, Microsoft Teams and Microsoft Sentinel.
    • For Data Collection integrations, Lumu monitors and alerts on AWS, Umbrella, Google Cloud Platform, Netskope, Gmail and Outlook.
Info Check out the Lumu Deployment and Integration Overview to learn more about Lumu’s metadata collection process.
Notes Tools that operate entirely within your local infrastructure and outside of Lumu’s direct control are not covered: Lumu does not monitor or generate alerts for these systems. For these architectures, your internal SIEM or third-party platform is fully responsible for tracking health status and notifying your team if data transmission stops.

How it works

The monitoring and alerting logic depends on the type of component, so the behavior differs between network collectors and third-party integrations. Whenever one of these components fails, its status is shown in the Lumu Portal and an automated alert email is sent.

This is how the alerting system works for each type of component:

Collectors and Appliances

  • Alert trigger: The alert for these types of collectors is generated when a collector has not sent any data to the Lumu server for 3 consecutive hours. An outage is therefore detected no sooner than 3 hours after the last data was received.
  • Recovery: The system considers a collector recovered only after it has transmitted data continuously for 2 consecutive days; until then it keeps its alerted state.

Third-party integrations

  • Alert trigger: Lumu performs an internal credential and connection verification for every integration. If this verification fails 6 consecutive times, the integration is marked as offline, and an alert is sent.
  • Recovery: Unlike network collectors, integrations do not have a 2-day recovery window. The moment the integration successfully reconnects, it is considered recovered and alerts cease immediately.
Notes If a collector or integration remains offline, reminder alerts are sent at the 3-day and 10-day marks.

Deployments status

You can view your organization’s deployment status from the Lumu Portal. On the Overview page you are alerted if any deployments require your attention, and you can check the overall Deployment Status of your organization.

Your deployments and integrations can have the following statuses in the Lumu Portal:

  • Online: The deployment or integration is working as expected.
  • Alerted: The system has stopped receiving data, indicating that something is wrong.        
    Notes Virtual Appliances and Log Forwarders show an Alerted status when one or more of their embedded collectors is not sending data.
  • Offline: The deployment or integration has completely stopped sending data.        
    Notes Virtual Appliances and Log Forwarders show an Offline status when all of their embedded collectors have stopped working.
  • Not Activated: This status applies only to network collectors; integrations do not have it. It is shown when the collector has not been fully configured.
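The two alerting rules from "How it works" (time-based for collectors, count-based for integrations, with reminders at the 3-day and 10-day marks) and the Alerted/Offline aggregation for Virtual Appliances and Log Forwarders, as an added example that is not part of this article or of Lumu’s software: a small Python model that lets you see when an alert email would fire for a given timeline. The class and method names, the hourly evaluation interval and the timelines are assumptions made for this illustration.

```python
# Added example (not Lumu's code): the alerting rules stated above, encoded so you
# can see when an alert email would fire for a given timeline. Class/method names,
# the hourly evaluation interval and the timelines are assumptions for illustration.
from datetime import datetime, timedelta

COLLECTOR_SILENCE = timedelta(hours=3)      # no data for 3 consecutive hours -> alert
COLLECTOR_RECOVERY = timedelta(days=2)      # 2 consecutive days of data -> recovered
INTEGRATION_FAILURES = 6                    # 6 consecutive failed checks -> alert
REMINDER_MARKS = (timedelta(days=3), timedelta(days=10))  # reminder emails while offline


def due_reminders(offline_since, now, already_sent):
    """Reminder marks that have elapsed since `offline_since` and were not sent yet."""
    return [m for m in REMINDER_MARKS if m not in already_sent and now - offline_since >= m]


class CollectorMonitor:
    """Time-based rule used for collectors and appliances."""

    def __init__(self, first_seen):
        self.status, self.last_data = "Online", first_seen
        self.offline_since = self.recovery_start = None
        self.reminders_sent, self.events = set(), []  # events: (time, "alert"|"reminder Nd"|"recovered")

    def data_received(self, at):
        if self.status == "Offline":
            # Recovery needs 2 *consecutive* days of data: a fresh 3 h gap restarts the window.
            if self.recovery_start is None or at - self.last_data >= COLLECTOR_SILENCE:
                self.recovery_start = at
            if at - self.recovery_start >= COLLECTOR_RECOVERY:
                self.status, self.offline_since, self.recovery_start = "Online", None, None
                self.reminders_sent.clear()
                self.events.append((at, "recovered"))
        self.last_data = at

    def evaluate(self, now):
        """Periodic check: raise the alert after 3 h of silence, then the reminders."""
        if self.status == "Online" and now - self.last_data >= COLLECTOR_SILENCE:
            self.status, self.offline_since = "Offline", now
            self.events.append((now, "alert"))
        if self.status == "Offline":
            for mark in due_reminders(self.offline_since, now, self.reminders_sent):
                self.reminders_sent.add(mark)
                self.events.append((now, f"reminder {mark.days}d"))


class IntegrationMonitor:
    """Count-based rule used for third-party integrations."""

    def __init__(self):
        self.status, self.failures = "Online", 0   # failures: consecutive failed checks
        self.offline_since, self.reminders_sent, self.events = None, set(), []

    def check_result(self, at, ok):
        if ok:
            self.failures = 0
            if self.status == "Offline":   # no recovery window: the first success recovers
                self.status, self.offline_since = "Online", None
                self.reminders_sent.clear()
                self.events.append((at, "recovered"))
        else:
            self.failures += 1
            if self.status == "Online" and self.failures >= INTEGRATION_FAILURES:
                self.status, self.offline_since = "Offline", at
                self.events.append((at, "alert"))
        if self.status == "Offline":
            for mark in due_reminders(self.offline_since, at, self.reminders_sent):
                self.reminders_sent.add(mark)
                self.events.append((at, f"reminder {mark.days}d"))


def appliance_status(embedded_statuses):
    """Portal status of a Virtual Appliance / Log Forwarder from its embedded collectors."""
    down = sum(1 for s in embedded_statuses if s == "Offline")
    return "Online" if down == 0 else "Offline" if down == len(embedded_statuses) else "Alerted"


def collector_scenario():
    """Constructed timeline: hourly data for 6 h, silence until day 12, then hourly data again."""
    t0, mon = datetime(2024, 1, 1), CollectorMonitor(datetime(2024, 1, 1))
    for h in range(1, 24 * 15):
        now = t0 + timedelta(hours=h)
        if h <= 6 or h >= 24 * 12:
            mon.data_received(now)
        mon.evaluate(now)
    return mon.events


def integration_scenario():
    """Constructed check results every 30 min: six failures in a row, then one success."""
    t0, mon = datetime(2024, 1, 1), IntegrationMonitor()
    for i, ok in enumerate([True, True, False, False, False, False, False, False, False, True]):
        mon.check_result(t0 + timedelta(minutes=30 * i), ok)
    return mon.events


if __name__ == "__main__":
    for when, what in collector_scenario() + integration_scenario():
        print(when.isoformat(), what)
```

Running the script prints the event timeline for both scenarios. Two things worth noticing: the collector alert fires 3 hours after the last data point (the silence threshold is also the minimum detection latency), and the recovery rules are asymmetric, so a collector that resumes sending stays alerted for two more days while an integration clears on its first successful check. If you feed your own outage windows into these timelines you get the exact times at which Admins would receive the alert and reminder emails.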

Notification recipients

Failure alert emails are automatically sent to the following stakeholders:

  • Enterprise Accounts: Emailed to all users holding the Admin role within the Lumu portal.
  • MSP (Managed Service Provider) Accounts: Emailed to all Admins (who receive alerts for all tenants) and Tenant Supervisors (who receive alerts strictly for the specific companies under their supervision).

Email Structure

Recipients receive an email that contains:

  1. Date and time the collector or integration stopped working
  2. Collector or integration information
  3. Direct access to the failing collector or integration in the Lumu Portal
Notes Check out our Troubleshooting guide to learn about the most common cases for deployment failures.
