FortiSIEM and Lumu Universal SIEM

Warning
Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a FortiSIEM deployment using HTTP(S) POST requests. This article details the configuration process to allow Lumu Logs to be processed by your SIEM deployment solution.

Requirements

  1. A FortiSIEM deployment running on FortiSIEM OS 7.0.2+
  2. FortiSIEM administrator access
  3. Lumu Universal SIEM SecOps Integration
  4. A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

Notes
This method works on FortiSIEM OS 7.0.2+. For other versions, refer to the vendor documentation.

Configure your FortiSIEM deployment

Follow these steps to configure your FortiSIEM deployment to receive and process Lumu events.

Create a FortiSIEM user

To receive and process Lumu events into your FortiSIEM deployment, you need to identify the component where you want to receive the events. This component is usually a Collector.

Notes
Make sure you have access to this component through SSH.
SSH to the collector and run this command:
htpasswd -b /etc/httpd/accounts/passwds <user> '<password>'

Notes
If the password contains special characters, enclose it in single quotes so the shell passes it through unchanged.

Notes
Save the user and password values for later steps.

Configure the headers and query parameters

Create the .env_headers and .env_queries files following these indications:

Headers file

To create and fill the .env_headers file, you first need to calculate the Base64 header value. Open a console and run one of these commands:
  1. If you have access to a Unix device:
echo -n <user>:<password> | base64
  2. If you have access to a Windows device (using PowerShell):
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("<user>:<password>"))
Replace <user> and <password> values accordingly. On Unix, the -n flag stops echo from appending a newline; without it, the newline is encoded as part of the credential and the Authorization header is rejected. Save the resulting string for later use.

Now, create the .env_headers file with the following content:
APP_HEADERS='{
    "Content-Type": "application/json",
    "Authorization": "Basic <Base 64 encoded text>"
}'

Replace <Base 64 encoded text> with the result from the steps above.

Queries file

Create the .env_queries file and fill it with the following content:
APP_QUERIES='{
    "vendor": "Lumu",
    "model": "SecOps Integration",
    "reptIp": "<Reporting IP>",
    "reptName": "<Reporting hostname>"
}'
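The two files above can also be generated from a script. The following POSIX shell functions are an added example, not part of the Lumu documentation: they build the Base64 credential with printf (so no trailing newline is encoded), decode it back as a sanity check, and write .env_headers and .env_queries. The user, password, reporting IP and hostname in the usage comment are constructed placeholders.

```shell
# Added example, not Lumu or Fortinet code: build the .env_headers and
# .env_queries files. printf is used instead of echo so the encoded
# credential contains exactly "<user>:<password>" and no newline.

# Base64 of "<user>:<password>", nothing more (tr joins any wrapped output).
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a header value back to plain text.
decode_basic_auth() {
    printf '%s' "$1" | base64 -d
}

# Return 0 when the value decodes to "user:password" with no embedded
# newline; a newline means the credential was produced with plain echo.
credential_is_clean() {
    nl=$(printf '\nx'); nl=${nl%x}
    decoded=$(decode_basic_auth "$1"; printf x); decoded=${decoded%x}
    case "$decoded" in
        *"$nl"*) return 1 ;;
        *:*)     return 0 ;;
        *)       return 1 ;;
    esac
}

# $1 = output path, $2 = Base64 credential from basic_auth_value
write_env_headers() {
    cat > "$1" <<EOF
APP_HEADERS='{
    "Content-Type": "application/json",
    "Authorization": "Basic $2"
}'
EOF
}

# $1 = output path, $2 = reporting IP, $3 = reporting hostname
write_env_queries() {
    cat > "$1" <<EOF
APP_QUERIES='{
    "vendor": "Lumu",
    "model": "SecOps Integration",
    "reptIp": "$2",
    "reptName": "$3"
}'
EOF
}

# Usage (constructed values): cred=$(basic_auth_value lumu-siem 'S3cret!') &&
# credential_is_clean "$cred" && write_env_headers .env_headers "$cred" &&
# write_env_queries .env_queries 192.0.2.10 lumu-collector
```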

Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

Notes
You can check the Docker image used for deploying the Universal SIEM Integration tool on Docker Hub (lumutools/universal-siem).

Usage

1. Prepare the container (replace VALUE with proper values; every line but the last must end with a backslash so the shell reads it as one command):
docker create \
    -e CUSTOM_OUTPUT="custom_http" \
    -e COMPANY_KEY=COMPANY_KEY \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e APP_VERBOSE=VALUE \
    -e CUSTOM_FULL_URL=https://VALUE/rawupload \
    -v $(pwd)/.env_headers:/app/.env_headers \
    -v $(pwd)/.env_queries:/app/.env_queries \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=1030m \
    --log-opt max-file=13 \
    lumutools/universal-siem:latest

2. Run it:
docker start lumu-universal-siem
Parameters
  1. COMPANY_KEY: Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false).
  3. APP_VERBOSE: Change the logging level to DEBUG (default INFO).
  4. CUSTOM_FULL_URL: Receiver URL given by the SIEM. In the command above, replace VALUE with the FortiSIEM Collector's IP or hostname.

Further Steps

To check the Lumu events in your FortiSIEM deployment, go into your FortiSIEM console to the Analytics menu. Run a search filtering by the used reporting IP or other relevant identifiers.
