FortiSIEM and Lumu Universal SIEM

Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a FortiSIEM deployment using HTTP(S) POST requests.

Requirements

  1. A FortiSIEM deployment running on FortiSIEM OS 7.0.2+
  2. FortiSIEM administrator access
  3. Lumu Universal SIEM SecOps Integration
  4. A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

This method works on FortiSIEM OS 7.0.2+. For other versions, please refer to the vendor documentation.

This article details the configuration process to allow Lumu Logs to be processed by your SIEM deployment solution. Before starting, make sure you’ve completed the steps detailed in the Custom HTTP Generic SIEM Lumu Deployment article.

Configure your FortiSIEM deployment

Follow these steps to configure your FortiSIEM deployment to receive and process Lumu events.

Create a FortiSIEM user

To receive and process Lumu events into your FortiSIEM deployment, you need to identify the component where you want to receive the events. This component is usually a Collector.

Make sure you have SSH access to this component.
SSH to the collector and run this command (replace <user> and <password> with the credentials you want the integration tool to use):
htpasswd -b /etc/httpd/accounts/passwds <user> '<password>'

If the password contains special characters, enclose it in single quotes so the shell does not interpret them.

Save the user and password values for later steps.

Configure the headers and query parameters

Create the .env_headers and .env_queries files following these indications:

Headers file

To create and fill the .env_headers file, first you need to calculate the Base64 header value. To calculate it, open a console and run one of these commands:
  1. If you have access to a Unix device (use -n so the trailing newline added by echo is not encoded into the value):
echo -n '<user>:<password>' | base64
  2. If you have access to a Windows device (using PowerShell):
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("<user>:<password>"))
Replace <user> and <password> values accordingly. Save the resulting string for later use.

Now, create the .env_headers file with the following content:
APP_HEADERS='
    {
    "Content-Type": "application/json",
    "Authorization": "Basic <Base 64 encoded text>"
    }'

Replace <Base 64 encoded text> with the result from the steps above.

Queries file

Create the .env_queries file and fill it with the following content (replace <Reporting IP> and <Reporting hostname> with the values FortiSIEM should record as the reporting device):
APP_QUERIES='{
    "vendor":"Lumu",
    "model": "SecOps Integration",
    "reptIp": "<Reporting IP>",
    "reptName": "<Reporting hostname>"
    }'

Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

You can inspect the Docker image used for deploying the Universal SIEM Integration tool, lumutools/universal-siem, in its public registry listing.

Usage

1. Prepare the container (replace each VALUE with the proper value; COMPANY_KEY takes the Lumu integration key itself, while CUSTOM_FULL_URL takes the collector's /rawupload URL):
docker create \
    -e CUSTOM_OUTPUT="custom_http" \
    -e COMPANY_KEY=VALUE \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e APP_VERBOSE=VALUE \
    -e CUSTOM_FULL_URL=https://VALUE/rawupload \
    -v $(pwd)/.env_headers:/app/.env_headers \
    -v $(pwd)/.env_queries:/app/.env_queries \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=1030m \
    --log-opt max-file=13 \
    lumutools/universal-siem:latest

2. Run it:
docker start lumu-universal-siem

Parameters

  1. COMPANY_KEY: Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false).
  3. APP_VERBOSE: Set this to true to change the logging level to DEBUG (default is INFO).
  4. CUSTOM_FULL_URL: Receiver URL given by the SIEM. In the command above, replace VALUE with the FortiSIEM Collector's IP address or hostname.
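The headers and queries files above are consumed verbatim by the container, and a malformed value (most often a Base64 string that was computed over "user:password" plus a trailing newline) only surfaces as HTTP 401 responses in the container logs. The following added example, which is not part of the Lumu documentation or the integration tool, is a small pre-flight check you can run on the host before docker start: it parses .env_headers and .env_queries, recomputes the Authorization header from the collector credentials, flags the trailing-newline mistake specifically, and shows the /rawupload URL with the query parameters the tool will append. The sample file contents, credentials, IP and hostname are constructed placeholders.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed sample .env_headers / .env_queries contents in the layout described
# above. The credentials and reporting values are placeholders, not real data.
SAMPLE_ENV_HEADERS = """APP_HEADERS='
{
"Content-Type": "application/json",
"Authorization": "Basic bHVtdS1zaWVtOnMzY3IzdA=="
}'
"""

SAMPLE_ENV_QUERIES = """APP_QUERIES='{
"vendor":"Lumu",
"model": "SecOps Integration",
"reptIp": "192.0.2.10",
"reptName": "fortisiem-collector-01"
}'
"""

# One variable per file, value is a single-quoted (possibly multi-line) JSON object.
_ENV_RE = re.compile(r"^\s*(\w+)\s*=\s*'(.*)'\s*$", re.DOTALL)


def parse_env_json(text, expected_key):
    """Return the JSON object stored under expected_key in a KEY='{...}' env file."""
    m = _ENV_RE.match(text)
    if not m:
        raise ValueError("file must contain exactly one KEY='...' assignment")
    key, raw = m.group(1), m.group(2)
    if key != expected_key:
        raise ValueError(f"expected {expected_key}, found {key}")
    return json.loads(raw)


def basic_auth_value(user, password):
    """Authorization header value for HTTP Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_authorization(headers, user, password):
    """Classify the Authorization header: ok, trailing-newline, or mismatch."""
    got = headers.get("Authorization", "")
    if got == basic_auth_value(user, password):
        return "ok"
    # 'echo user:pass | base64' without -n encodes the newline echo appends.
    if got == basic_auth_value(user, password + "\n"):
        return "trailing-newline"
    return "mismatch"


def build_upload_url(collector, queries):
    """URL the integration tool posts to: CUSTOM_FULL_URL plus the APP_QUERIES."""
    return f"https://{collector}/rawupload?{urlencode(queries)}"


def validate(env_headers_text, env_queries_text, user, password, collector):
    """Pre-flight check of both env files; returns problems found and the target URL."""
    headers = parse_env_json(env_headers_text, "APP_HEADERS")
    queries = parse_env_json(env_queries_text, "APP_QUERIES")
    problems = []
    if headers.get("Content-Type") != "application/json":
        problems.append("Content-Type must be application/json")
    auth = check_authorization(headers, user, password)
    if auth != "ok":
        problems.append(f"Authorization header: {auth}")
    for key in ("vendor", "model", "reptIp", "reptName"):
        if not queries.get(key):
            problems.append(f"query parameter {key} is missing or empty")
    return {"problems": problems, "url": build_upload_url(collector, queries)}


if __name__ == "__main__":
    # Assumed credentials matching the constructed sample header above.
    report = validate(SAMPLE_ENV_HEADERS, SAMPLE_ENV_QUERIES,
                      "lumu-siem", "s3cr3t", "192.0.2.10")
    print(json.dumps(report, indent=2))
```

To use it against your real files, read .env_headers and .env_queries from disk and pass the htpasswd user and password from the earlier step; an empty problems list means the header the container will send matches what the collector expects, and the printed URL is what should appear in the collector's access log once events flow.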

Further Steps

To check the Lumu events in your FortiSIEM deployment, open the Analytics menu in your FortiSIEM console and run a search filtered by the reporting IP you configured or by other relevant identifiers.
