Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a FortiSIEM deployment using HTTP(S) POST requests.
Requirements
- A FortiSIEM deployment running on FortiSIEM OS 7.0.2+
- FortiSIEM administrator access
- Lumu Universal SIEM SecOps Integration
- A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.
This method works on FortiSIEM OS 7.0.2+. For other versions, please refer to the vendor documentation.
This article details the configuration process to allow Lumu Logs to be processed by your SIEM deployment solution. Before starting, make sure you’ve completed the steps detailed in the Custom HTTP Generic SIEM Lumu Deployment article.
Follow these steps to configure your FortiSIEM deployment to receive and process Lumu events.
Create a FortiSIEM user
To receive and process Lumu events into your FortiSIEM deployment, you need to identify the component where you want to receive the events. This component is usually a Collector.
Make sure you have access to this component through SSH.
SSH to the collector and run this command:
htpasswd -b /etc/httpd/accounts/passwds <user> '<password>'
If the password contains special characters, enclose it in single quotes so the shell does not interpret them.
Save the user and password values for later steps.
Create the .env_headers and .env_queries files following these indications:
To create and fill the .env_headers file, you first need to calculate the Base64 header value. Open a console and run one of these commands:
- If you have access to a Unix device (the -n flag prevents a trailing newline from being encoded into the value)
echo -n '<user>:<password>' | base64
- If you have access to a Windows device (using PowerShell)
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("<user>:<password>"))
Replace <user> and <password> values accordingly. Save the resulting string for later use.
Now, create the .env_headers file with the following content:
APP_HEADERS='
{
"Content-Type": "application/json",
"Authorization": "Basic <Base 64 encoded text>"
}'
Replace <Base 64 encoded text> with the result from the steps above.
Queries file
Create the .env_queries file and fill it with the following content:
APP_QUERIES='{
"vendor":"Lumu",
"model": "SecOps Integration",
"reptIp": "<Reporting IP>",
"reptName": "<Reporting hostname>"
}'
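The two files above can be generated and checked in one step. The script below is an added example, not part of the Lumu or Fortinet documentation; it writes .env_headers and .env_queries into a directory you choose, encodes the credential without the trailing newline that a bare echo would add, and decodes the written header back to confirm it matches the user and password. The function names and the sample values in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the Universal SIEM .env_headers / .env_queries files.
# File names and keys follow the article; function names are this example's own.

# basic_auth_value USER PASSWORD
# Prints Base64 of "USER:PASSWORD". printf (not echo) is used so that no
# newline is encoded, which would make the Authorization header invalid.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# write_env_files DIR USER PASSWORD REPORT_IP REPORT_HOST
# Writes both files with the exact structure shown in the article.
write_env_files() {
    dir=$1; user=$2; pass=$3; rept_ip=$4; rept_name=$5
    token=$(basic_auth_value "$user" "$pass")
    cat > "$dir/.env_headers" <<EOF
APP_HEADERS='
{
"Content-Type": "application/json",
"Authorization": "Basic $token"
}'
EOF
    cat > "$dir/.env_queries" <<EOF
APP_QUERIES='{
"vendor":"Lumu",
"model": "SecOps Integration",
"reptIp": "$rept_ip",
"reptName": "$rept_name"
}'
EOF
    # The headers file holds a credential: restrict it to the owner.
    chmod 600 "$dir/.env_headers"
}

# check_headers_file FILE USER PASSWORD
# Extracts the token from FILE, decodes it and returns 0 only if it equals
# "USER:PASSWORD" (catches a stray newline or a mistyped credential).
check_headers_file() {
    token=$(sed -n 's/.*"Basic \([^"]*\)".*/\1/p' "$1")
    decoded=$(printf '%s' "$token" | base64 -d)
    [ "$decoded" = "$2:$3" ]
}
```

Run write_env_files in the directory you will later mount into the container, then check_headers_file against the result before running docker create.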
Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.
You can check the Docker image used for deploying the Universal SIEM Integration tools here.
Usage
1. Prepare the container (replace VALUE with proper values):
docker create \
-e CUSTOM_OUTPUT="custom_http" \
-e COMPANY_KEY=VALUE \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e APP_VERBOSE=VALUE \
-e CUSTOM_FULL_URL=https://VALUE/rawupload \
-v $(pwd)/.env_headers:/app/.env_headers \
-v $(pwd)/.env_queries:/app/.env_queries \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=1030m \
--log-opt max-file=13 \
lumutools/universal-siem:latest
2. Run it:
docker start lumu-universal-siem
Parameters
- COMPANY_KEY: Lumu integration key.
- INCLUDE_MUTED_UPDATES: Set this to true to include contacts of muted incidents, false otherwise (default is false).
- APP_VERBOSE: Change the logging level to DEBUG (default INFO).
- CUSTOM_FULL_URL: Receiver URL given by the SIEM. In the command above, replace VALUE with the IP address or hostname of the FortiSIEM Collector.
Further Steps
To check the Lumu events in your FortiSIEM deployment, open the Analytics menu in your FortiSIEM console and run a search filtering by the reporting IP you configured or other relevant identifiers.