If by any chance you are looking for the Lumu QRadar Custom App, it is strongly suggested that you start using this Out-of-the-box Integration instead.
To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.
The QRadar Out-of-the-Box SecOps Integration allows you to poll and push adversary-related events to your QRadar deployment. After configuring the integration, your QRadar deployment automatically creates a new Lumu-type log source. Through it, you can see the adversarial activity detected by Lumu, giving your Security Operations team more visibility.
Requirements
To integrate Lumu with your QRadar deployment you will need:
- An active Lumu Insights or Defender subscription.
- A Lumu Integration key.
- QRadar deployment v7.3.3FP6+ or v7.4.1FP2+
Add Integration
1. Log in to your Lumu account through the Lumu Portal and navigate to the Integrations screen. Locate the QRadar integration in the available apps area and click to add, then click to view details.
2. Familiarize yourself with the integration details in the app description, then click the button below to activate the integration.
3. Add a distinguishable description and create the integration.
4. You can now see the details of the created integration, including the Integration Key, which you will need later on.
To integrate Lumu with QRadar, follow these steps:
1. Go to Admin > Apps > Lumu. Select the option that allows you to configure your Lumu Integration.
2. The configuration page will open. Enter your Lumu Integration key, which you generated in the previous section of this article.
3. Before saving your configuration, test the parameters by using the Test button. The test results will be shown in an alert box on the upper side of the configuration screen.
4. After testing your configuration, make sure to save it using the corresponding option.
To automatically create the log source, wait for your QRadar deployment to receive enough Lumu events. If you do not have enough detections, you can accelerate the process by muting and unmuting some incidents, or reading unread ones.
Operate Lumu QRadar OOTB Integration
After configuring your Lumu integration and generating enough events to trigger the automatic creation of the Lumu log source, you will see the following:
Log Source View
The QRadar Log Source view shows basic information about how this data source is configured: its identifier, description, operation parameters such as Coalescing Events, and whether the event payload must be stored.
Dashboard View
The QRadar Lumu Monitoring dashboard provides a quick view of Lumu Operations, top detected adversaries, overall events, and top affected endpoints. This is useful for Security Operators to prioritize their efforts.
In some scenarios, the results in the dashboard may show as blank. This happens when the widgets are not accumulating data.
You can quickly fix this by following these steps:
- Edit the dashboard widget and click the Capture Time Series Data radio button.
- Click Save and follow the onscreen instructions.
Log Activity View
The QRadar Log Activity view for the Lumu log source shows all the relevant information for each detection.
With data ingested from Lumu, you can run your custom log activity searches and even include Lumu events in your own correlation rules.
The Lumu overall events search shows a summary of incidents triggered in the last 24 hours:
The Lumu Top adversaries search shows the top 10 adversaries contacted by your infrastructure in the last 24 hours:
The Top 10 affected endpoints search shows Lumu incidents detected in the last 24 hours grouped by endpoint. This view can be very helpful to act on the endpoints that require action urgently.
The Top affected labels search shows Lumu incidents detected in the last 24 hours grouped by label. This view can be helpful to identify labeled assets that require action urgently.
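The four searches above reduce to a few aggregations over the Lumu event stream: a count per event type, a count of adversarial contacts per adversary, and a count of distinct incidents per endpoint or label, each restricted to the last 24 hours. The following added example (not code from Lumu or the QRadar app) reproduces those aggregations in Python over a constructed sample of events, so you can see which event types feed each view and how the time window and ranking behave. The field names (`event_type`, `incident_id`, `adversary`, `endpoint`, `label`, `timestamp`), the short event-type names and the sample values are assumptions made for this example, not Lumu's or QRadar's actual property names.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (an assumption for this example).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# Event types as listed in the "Supported events" table: two detection events
# (new incident, new adversarial contact) and four portal lifecycle events.
# The short names used here are assumptions for this example, not Lumu's own names.
DETECTION_TYPES = {"new_incident", "new_contact"}
LIFECYCLE_TYPES = {"read", "muted", "unmuted", "closed"}


def event(hours_ago, event_type, incident_id, adversary, endpoint=None, label=None):
    """Build one constructed Lumu-style event; field names are assumed, not Lumu's."""
    return {
        "timestamp": NOW - timedelta(hours=hours_ago),
        "event_type": event_type,
        "incident_id": incident_id,
        "adversary": adversary,
        "endpoint": endpoint,
        "label": label,
    }


# Constructed sample: what a Lumu log source might hold after a day of activity.
SAMPLE_EVENTS = [
    event(1, "new_incident", "INC-1", "c2.bad.example", "ws-01", "finance"),
    event(2, "new_contact", "INC-1", "c2.bad.example", "ws-01", "finance"),
    event(3, "new_contact", "INC-1", "c2.bad.example", "ws-02", "hr"),
    event(5, "new_incident", "INC-2", "phish.bad.example", "ws-03", "hr"),
    event(6, "new_contact", "INC-2", "phish.bad.example", "ws-02", "hr"),
    event(8, "read", "INC-1", "c2.bad.example"),  # lifecycle event, carries no endpoint
    event(30, "new_contact", "INC-3", "old.bad.example", "ws-09", "lab"),  # outside 24 h
    event(23, "new_incident", "INC-4", "miner.bad.example", "ws-01", "finance"),
]


def in_window(events, now=NOW, hours=24):
    """Keep events whose timestamp falls inside the last `hours` up to `now`."""
    start = now - timedelta(hours=hours)
    return [e for e in events if start <= e["timestamp"] <= now]


def overall_events(events, now=NOW):
    """Lumu overall events: count of every event type in the last 24 hours."""
    return Counter(e["event_type"] for e in in_window(events, now))


def top_adversaries(events, now=NOW, n=10):
    """Lumu Top adversaries: adversaries ranked by detection events (contacts) in 24 h."""
    counts = Counter(
        e["adversary"] for e in in_window(events, now) if e["event_type"] in DETECTION_TYPES
    )
    # Rank by count descending, then by name so ties are deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_affected(events, field, now=NOW, n=10):
    """Top affected endpoints/labels: distinct incidents per `field` value in 24 h.

    Only detection events are grouped, since lifecycle events (read, muted, ...)
    describe analyst actions rather than new adversarial activity.
    """
    incidents = defaultdict(set)
    for e in in_window(events, now):
        if e["event_type"] in DETECTION_TYPES and e[field] is not None:
            incidents[e[field]].add(e["incident_id"])
    ranked = [(key, len(ids)) for key, ids in incidents.items()]
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("Overall events:", dict(overall_events(SAMPLE_EVENTS)))
    print("Top adversaries:", top_adversaries(SAMPLE_EVENTS))
    print("Top affected endpoints:", top_affected(SAMPLE_EVENTS, "endpoint"))
    print("Top affected labels:", top_affected(SAMPLE_EVENTS, "label"))
```

Two design choices matter when you build the equivalent searches or correlation rules in QRadar: the adversary ranking counts contacts (every detection event), whereas the endpoint and label rankings count distinct incidents, so an endpoint that keeps contacting the same adversary does not climb the list on repeat contacts alone; and lifecycle events (read, muted, unmuted, closed) are deliberately excluded from the rankings, because they record analyst actions in the Lumu portal rather than new adversarial activity.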
Additional configuration
After creating your integration, you can define your own rules and dashboards. It is recommended to allocate the Lumu log source into a group based on your needs.
Supported events
The following table lists the supported events that the application can push to your QRadar deployment:
| Event | Description |
| --- | --- |
|  | This event is generated when Lumu detects a new incident. |
|  | This event is generated when Lumu detects a new adversarial contact related to an existing incident. |
| Incident within Lumu portal marked as Read | This event is generated when a user reads an incident within the Lumu portal. |
| Incident within Lumu portal marked as Muted | This event is generated when a user mutes an incident within the Lumu portal. |
| Incident within Lumu portal marked as Unmuted | This event is generated when a user unmutes an incident within the Lumu portal. |
| Incident within Lumu portal marked as Closed | This event is generated when a user closes an incident within the Lumu portal. |