Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a FortiSIEM deployment using HTTP(S) POST requests. This article details the configuration process to allow Lumu Logs to be processed by your SIEM deployment solution.
Requirements
- A FortiSIEM deployment running on FortiSIEM OS 7.0.2+
- FortiSIEM administrator access
- Lumu Universal SIEM SecOps Integration
- A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.
This method works on FortiSIEM OS 7.0.2+. For other versions, please refer to the vendor documentation.
Follow these steps to configure your FortiSIEM deployment to receive and process Lumu events.
Create a FortiSIEM user
To receive and process Lumu events into your FortiSIEM deployment, you need to identify the component where you want to receive the events. This component is usually a Collector.
Make sure you have access to this component through SSH.
SSH to the collector and run this command:
htpasswd -b /etc/httpd/accounts/passwds USER 'PASSWORD'
If the password contains special characters, enclose it in single quotes as shown so the shell does not interpret them.
Save the user and password values for later steps.
Create the .env_headers and .env_queries files following these indications:
To create and fill the .env_headers file, you first need to compute the Base64-encoded value for the Authorization header. Use console access and run one of these commands:
- If you have access to a Unix device
echo -n USER:PASSWORD | base64
- If you have access to a Windows device (using PowerShell)
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("USER:PASSWORD"))
Replace USER and PASSWORD with the values from the previous step. The -n flag matters: a plain echo appends a newline, which would be encoded into the credential and cause authentication to fail. Save the resulting string for later use.
Now, create the .env_headers file with the following content:
APP_HEADERS='
{
"Content-Type": "application/json",
"Authorization": "Basic Base-64EncodedText"
}'
Replace Base-64EncodedText with the result from the steps above.
Queries file
Create the .env_queries file and fill it with the following content:
APP_QUERIES='{
"vendor":"Lumu",
"model": "SecOps Integration",
"reptIp": "ReportingIP",
"reptName": "ReportingHostname"
}'
Replace the values ReportingIP and ReportingHostname according to your FortiSIEM deployment.
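The steps above (compute the Basic-auth token, write .env_headers, write .env_queries) can be scripted so the token is always generated without a trailing newline and the credential file is not left world-readable. The following script is an added example and is not part of the Lumu article or the Universal SIEM tool; it assumes a POSIX shell with base64(1) and mktemp(1), and the user alice, password secret, reporting IP 10.0.0.5 and hostname collector01 in the usage section are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Lumu article): derive the Basic-auth token and
# write the .env_headers and .env_queries files mounted into the container.
# Assumes a POSIX shell with base64(1) and mktemp(1). alice/secret, 10.0.0.5
# and collector01 below are constructed sample values.

# Base64 of "USER:PASSWORD" with no trailing newline. A plain `echo` would
# append "\n", which is then encoded into the token and breaks Basic auth.
basic_auth_header() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a token and confirm it is exactly "USER:PASSWORD". Byte counts are
# compared as well, because $(...) silently strips a trailing newline.
check_auth_header() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    [ "$decoded" = "$2:$3" ] || return 1
    expected=$(printf '%s:%s' "$2" "$3" | wc -c | tr -d ' ')
    actual=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$expected" -eq "$actual" ]
}

# Write both env files into directory $5 for USER $1, PASSWORD $2,
# reporting IP $3 and reporting hostname $4, in the format the article shows.
write_env_files() {
    token=$(basic_auth_header "$1" "$2")
    cat > "$5/.env_headers" <<EOF
APP_HEADERS='
{
"Content-Type": "application/json",
"Authorization": "Basic ${token}"
}'
EOF
    cat > "$5/.env_queries" <<EOF
APP_QUERIES='{
"vendor":"Lumu",
"model": "SecOps Integration",
"reptIp": "$3",
"reptName": "$4"
}'
EOF
    # The headers file holds a credential: restrict it to the owner.
    chmod 600 "$5/.env_headers"
}

# Usage with the constructed sample values (files land in a temp directory).
outdir=$(mktemp -d)
write_env_files alice secret 10.0.0.5 collector01 "$outdir"
echo "Files written to $outdir"
```

Run check_auth_header against the token you pasted into .env_headers before starting the container; a token produced with echo instead of echo -n decodes to the right text but is one byte longer, and the check reports it.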
Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.
You can check the Docker image used for deploying the Universal SIEM Integration tools here.
Usage
1. Prepare the container (replace VALUE with proper values):
docker create \
-e CUSTOM_OUTPUT="custom_http" \
-e COMPANY_KEY=COMPANY_KEY \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e APP_VERBOSE=VALUE \
-e EVENTS=VALUE \
-e CUSTOM_FULL_URL=https://VALUE/rawupload \
-v $(pwd)/.env_headers:/app/.env_headers \
-v $(pwd)/.env_queries:/app/.env_queries \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=10m \
--log-opt max-file=13 \
lumutools/universal-siem:latest
2. Run it:
docker start lumu-universal-siem
Parameters
- COMPANY_KEY: Lumu integration key.
- INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false)
- APP_VERBOSE: Change logging level to DEBUG (default INFO)
- CUSTOM_FULL_URL: Receiver URL given by the SIEM. In the command above replace VALUE by the FortiSIEM’s Collector IP or hostname.
- EVENTS: comma-separated list of the Lumu events to send to FortiSIEM. Use the available values: NewIncidentCreated, IncidentUpdated, IncidentUnmuted, IncidentMuted, IncidentClosed, IncidentIntegrationsResponseUpdated, IncidentBuiltInResponseUpdated, IncidentActionAdded, IncidentMarkedAsRead, IncidentCommentAdded. If this variable is not set, all event types are sent.
Lumu event reference
Use this table to build the comma-separated string to include Lumu events of interest in the Universal SIEM component configuration.
| Event Code | Description |
|---|---|
| NewIncidentCreated | Lumu reported a new detection |
| IncidentUpdated | Lumu reported a new event related to an existing detection |
| IncidentClosed | A Lumu detection was manually or automatically closed |
| IncidentMuted | A Lumu detection was muted by an analyst |
| IncidentUnmuted | A previously muted detection was re-activated |
| IncidentIntegrationsResponseUpdated | External integrations acknowledged/responded to the incident |
| IncidentBuiltInResponseUpdated | Lumu's built-in response mechanisms (e.g. agent) were applied |
| IncidentActionAdded | A manual action (e.g. sharing a report) was performed on the incident |
| IncidentMarkedAsRead | The Lumu detection was read |
| IncidentCommentAdded | A comment was recorded on the Lumu detection |
For example, if you are interested in new detections and new events on existing detections, you must use the following:
"NewIncidentCreated,IncidentUpdated"
If you want to add the status change to the Lumu-reported events, you must use the following:
"NewIncidentCreated,IncidentUpdated,IncidentMuted,IncidentUnmuted,IncidentClosed"
Further Steps
To check the Lumu events in your FortiSIEM deployment, go into your FortiSIEM console to the Analytics menu. Run a search filtering by the used reporting IP or other relevant identifiers.