FortiSIEM and Lumu Universal SIEM

Warning
Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a FortiSIEM deployment using HTTP(S) POST requests. This article details the configuration process to allow Lumu Logs to be processed by your SIEM deployment solution.

Requirements

  1. A FortiSIEM deployment running on FortiSIEM OS 7.0.2+
  2. FortiSIEM administrator access
  3. Lumu Universal SIEM SecOps Integration
  4. A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

Notes
This method works on FortiSIEM OS 7.0.2+. For other versions, please refer to the vendor documentation. 

Configure your FortiSIEM deployment

Follow these steps to configure your FortiSIEM deployment to receive and process Lumu events.

Create a FortiSIEM user

To receive and process Lumu events into your FortiSIEM deployment, you need to identify the component where you want to receive the events. This component is usually a Collector.

Notes
Make sure you have access to this component through SSH.
SSH to the collector and run this command:
htpasswd -b /etc/httpd/accounts/passwds USER 'PASSWORD'

Notes
If the password contains special characters, enclose it in single quotes so the shell does not interpret them.

Notes
Save the user and password values for later steps.

Configure the headers and query parameters

Create the .env_headers and .env_queries files following these indications:

Headers file

To create and fill the .env_headers file, first you need to calculate the Base64 value for the Authorization header. To calculate it, open a console and run one of these commands (printf is used instead of echo so that no trailing newline is encoded into the credential):
  1. If you have access to a Unix device
printf '%s' USER:PASSWORD | base64
  2. If you have access to a Windows device (using PowerShell)
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("USER:PASSWORD"))
Replace USER and PASSWORD with the values created in the previous step. Save the resulting string for later use.

Now, create the .env_headers file with the following content:
APP_HEADERS='{
    "Content-Type": "application/json",
    "Authorization": "Basic Base-64EncodedText"
    }'

Replace Base-64EncodedText with the result from the steps above.

Queries file

Create the .env_queries file and fill it with the following content:
APP_QUERIES='{
    "vendor": "Lumu",
    "model": "SecOps Integration",
    "reptIp": "ReportingIP",
    "reptName": "ReportingHostname"
    }'

Replace the values ReportingIP and ReportingHostname according to your FortiSIEM deployment.

Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

Notes
You can check the Docker image used for deploying the Universal SIEM Integration tools here.

Usage

1. Prepare the container (replace VALUE with proper values):
docker create \
    -e CUSTOM_OUTPUT="custom_http" \
    -e COMPANY_KEY=VALUE \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e APP_VERBOSE=VALUE \
    -e EVENTS=VALUE \
    -e CUSTOM_FULL_URL=https://VALUE/rawupload \
    -v $(pwd)/.env_headers:/app/.env_headers \
    -v $(pwd)/.env_queries:/app/.env_queries \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=10m \
    --log-opt max-file=13 \
    lumutools/universal-siem:latest

2. Run it:
docker start lumu-universal-siem

Parameters

  1. COMPANY_KEY: Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false).
  3. APP_VERBOSE: Change the logging level to DEBUG (default is INFO).
  4. CUSTOM_FULL_URL: Receiver URL given by the SIEM. In the command above, replace VALUE with the FortiSIEM Collector IP or hostname.
  5. EVENTS: comma-separated list of event types to forward. Use the available values: NewIncidentCreated, IncidentUpdated, IncidentUnmuted, IncidentMuted, IncidentClosed, IncidentIntegrationsResponseUpdated, IncidentBuiltInResponseUpdated, IncidentActionAdded, IncidentMarkedAsRead, IncidentCommentAdded. If this variable is not set, all event types are sent.

Lumu event reference

Use this table to build the comma-separated string to include Lumu events of interest in the Universal SIEM component configuration.

Event Code                             Description
NewIncidentCreated                     Lumu reported a new detection
IncidentUpdated                        Lumu reported a new event related to an existing detection
IncidentClosed                         A Lumu detection was manually or automatically closed
IncidentMuted                          A Lumu detection was muted by an analyst
IncidentUnmuted                        A previously muted detection was re-activated
IncidentIntegrationsResponseUpdated    External integrations acknowledged/responded to the incident
IncidentBuiltInResponseUpdated         Lumu's built-in response mechanisms (e.g. agent) were applied
IncidentActionAdded                    A manual action (e.g. sharing a report) was performed on the incident
IncidentMarkedAsRead                   The Lumu detection was read
IncidentCommentAdded                   A comment was recorded on the Lumu detection

For example, if you are interested in new detections and new events on existing detections, you must use the following:

"NewIncidentCreated,IncidentUpdated"

If you want to add the status change to the Lumu-reported events, you must use the following:

"NewIncidentCreated,IncidentUpdated,IncidentMuted,IncidentUnmuted,IncidentClosed"
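The following helper script is an added example, not part of this article or of Lumu's tooling: it builds the .env_headers and .env_queries files described above (encoding the Basic credential without a stray newline and checking that it decodes back) and validates an EVENTS string against the event reference table before the container is created. It assumes a POSIX sh with GNU base64 (for `-d`); the user, password, IP and hostname values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Lumu's or Fortinet's code). Assumes POSIX sh + GNU base64.
set -eu

# Base64 of "USER:PASSWORD" with no trailing newline: a plain `echo` would
# encode the newline into the credential and Basic auth would then fail.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Round-trip check: the header value must decode to exactly USER:PASSWORD.
basic_auth_roundtrip_ok() {
    [ "$(basic_auth_value "$1" "$2" | base64 -d)" = "$1:$2" ]
}

# Write .env_headers in the layout the integration container expects.
write_env_headers() {   # $1=user $2=password $3=output path
    printf "APP_HEADERS='{\n  \"Content-Type\": \"application/json\",\n  \"Authorization\": \"Basic %s\"\n}'\n" \
        "$(basic_auth_value "$1" "$2")" > "$3"
}

# Write .env_queries with vendor/model fixed and the reporting fields filled in.
write_env_queries() {   # $1=reporting IP $2=reporting hostname $3=output path
    printf "APP_QUERIES='{\n  \"vendor\": \"Lumu\",\n  \"model\": \"SecOps Integration\",\n  \"reptIp\": \"%s\",\n  \"reptName\": \"%s\"\n}'\n" \
        "$1" "$2" > "$3"
}

# Event codes from the reference table; an EVENTS value containing anything
# else (a typo, for instance) is rejected so the container is not started
# with a filter that silently drops the events you wanted.
ALLOWED_EVENTS="NewIncidentCreated IncidentUpdated IncidentUnmuted IncidentMuted IncidentClosed IncidentIntegrationsResponseUpdated IncidentBuiltInResponseUpdated IncidentActionAdded IncidentMarkedAsRead IncidentCommentAdded"
events_list_ok() {      # $1=comma-separated EVENTS value; empty means "all"
    for ev in $(printf '%s' "$1" | tr ',' ' '); do
        case " $ALLOWED_EVENTS " in
            *" $ev "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample values (replace with your own when using this for real).
if [ "${1:-}" = "demo" ]; then
    basic_auth_roundtrip_ok lumu 'p@ss' && echo "credential round-trip ok"
    write_env_headers lumu 'p@ss' ./.env_headers
    write_env_queries 192.0.2.10 collector01 ./.env_queries
    events_list_ok "NewIncidentCreated,IncidentUpdated" && echo "EVENTS ok"
fi
```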

Further Steps

To check the Lumu events in your FortiSIEM deployment, go into your FortiSIEM console to the Analytics menu. Run a search filtering by the used reporting IP or other relevant identifiers.
