To integrate Lumu with your Splunk deployment, follow these steps:
1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen.
2. Locate the Splunk integration in the available apps area. Add the integration using the corresponding option to view more details. Familiarize yourself with the integration details available in the app description. Begin the activation process by clicking on the Activate button.
3. Fill in the name of the integration. Then, click on Create.
4. Once you create the integration, you will get the information required to configure the Lumu Splunk Add-on.
After adding the integration, you need to set up the Lumu Add-on for Splunk. Follow these steps to do it.
First, you need to install the Lumu Add-on for Splunk. You can do it in either of these ways:
1. Find and download the add-on from the Splunkbase App portal, then install the package in your Splunk deployment.
2. Use the Find more apps option in the Apps menu of your Splunk deployment.
For further reference, check the About installing Splunk add-ons documentation.
Familiarize yourself with the Lumu Splunk Add-on interface before proceeding.
The navigation bar has the following menus:
After installing the Lumu add-on for Splunk, you need to add a new input. Within the Lumu CCA app, click on the Inputs tab, then click on the Create new input button. Finally, fill in the requested data following these indications.
Based on the detections raised by Lumu and the configured events, your new input will be populated with data. To check the events collected by the Lumu add-on, you can use the Search & Reporting app in your Splunk console or the Search tab in the Lumu Add-on. Run the following search to check all the events processed by Splunk related to Lumu.
After configuring your Lumu add-on for Splunk and generating events, you will see the following results:
The Lumu Dashboard lets you check at a glance all the information related to the Lumu detections collected by the new input. Find it in the Lumu Dashboard tab of the Lumu CCA app.
In this dashboard you can change:
You can use the Search tab in the Lumu CCA app to run searches and work with the collected events. The following fields are available to analyze them.
Field | Description |
---|---|
adversary | Adversary name |
comments | Incident comments (from events such as Muted incident, Comment, and Closed) |
company_id | Lumu company (tenant) identifier |
description | Adversary description |
dest | Destination host |
dest_ip | Destination IP (if available) |
label | Related label according to your Lumu configuration |
reason | Reason selected when muting an incident |
src | Source host of the detected activity |
src_ip | Source IP of the detected activity |
status | Incident status |
url | URL with detailed information about the incident |
id | Incident identifier in Lumu |
threat_type | Threat types related to the incident |
If you run a search selecting these fields, you will get a result like the following.
This section covers common scenarios found while operating the Lumu Splunk add-on.
If you are not seeing any event data in your Splunk deployment, run the following search in the Search & Reporting app:
If you need to increase the verbosity level, modify the Log level under the Configuration tab in the Lumu CCA app.
In this log you can identify specific issues such as data collection failures, wrong credentials, and similar problems.
If your deployment is receiving data but the Lumu dashboard does not show updated charts, you may be storing Lumu events in a dedicated index that is not included in your user's default indexes.
To check this, follow these steps:
1. Using the Search window, run the following search:
sourcetype=lumu
The result must look as follows. If the index is not among your defaults, this search returns no events.
2. Run this new search:
index=* sourcetype=lumu
You will see events in your search console:
3. Check the index name by expanding one of the events. Keep it in mind for the next configuration steps.
4. Modify the user roles to include the identified index in their defaults. Go to the Settings > Roles menu using an administrator user. Select the role you need to edit.
5. In the Edit Role window, go to the 3. Indexes tab. Look for the required index in the list and make sure the Default field is enabled for that index. Save the changes.
After running these steps, go back to the Lumu dashboard. You will be able to see data.
After the integration process is done, you can define your own rules and dashboards. You can use the raw event data to define alerts and other searches based on your specific needs.
In the following table, you can see the events your Splunk deployment supports after installing the Lumu add-on:
Event name | Description |
---|---|
NewIncidentCreated | Generated when Lumu detects a new incident. |
IncidentUpdated | Generated when Lumu detects a new adversarial contact related to an existing incident. |
IncidentMuted | Generated when a user mutes an incident in the Lumu Portal. |
IncidentUnmuted | Generated when a user unmutes an incident in the Lumu Portal. |
IncidentClosed | Generated when a user closes an incident in the Lumu Portal. |
IncidentMarkedAsRead | Generated when a user marks a new incident as read in the Lumu Portal. |
IncidentCommentAdded | Generated when a user comments on an incident in the Lumu Portal. |
IncidentIntegrationsResponseUpdated | Auxiliary event. Indicates updates in the response process if you have the Lumu Defender tier. |
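The following Python script is an added example, not code from this page or from Lumu's add-on. It shows the kind of rule logic you can build on the event names in the table above and the fields listed in the Search section: it replays a constructed stream of events in index order, alerts on new incidents with a high-severity threat type, alerts once when an incident keeps receiving IncidentUpdated contacts, and suppresses everything for incidents an analyst has muted or closed until an IncidentUnmuted arrives. The flat JSON layout, the `event_name` key, the sample events and the `HIGH_SEVERITY_THREATS` values are assumptions made for this example; the real indexed format is what your input produces. In production the same logic would live in a saved search, but running it offline makes the rule behaviour easy to reason about before you wire it to an alert action.

```python
"""Constructed example: replaying Lumu add-on events through simple alert rules.

The events below are constructed for this example. Field names follow the
add-on's field table (id, adversary, src, src_ip, dest, threat_type, status,
label, reason, comments); the "event_name" key and the flat JSON layout are
assumptions, not the add-on's documented format.
"""
import json
from collections import Counter, defaultdict

# Threat types that should alert as soon as a new incident appears.
# These values are assumptions for the example, not Lumu's threat taxonomy.
HIGH_SEVERITY_THREATS = {"C2C", "Malware"}

# Constructed newline-delimited JSON, in the order Splunk would have indexed it.
SAMPLE_EVENTS = """\
{"event_name": "NewIncidentCreated", "id": "inc-001", "adversary": "evil.example", "src": "ws-05", "src_ip": "10.0.0.5", "dest": "evil.example", "threat_type": ["C2C"], "status": "open", "label": "HQ"}
{"event_name": "IncidentUpdated", "id": "inc-001", "adversary": "evil.example", "src": "ws-05", "src_ip": "10.0.0.5", "dest": "evil.example", "threat_type": ["C2C"], "status": "open", "label": "HQ"}
{"event_name": "IncidentUpdated", "id": "inc-001", "adversary": "evil.example", "src": "ws-05", "src_ip": "10.0.0.5", "dest": "evil.example", "threat_type": ["C2C"], "status": "open", "label": "HQ"}
{"event_name": "NewIncidentCreated", "id": "inc-002", "adversary": "ads.example", "src": "ws-11", "src_ip": "10.0.0.11", "dest": "ads.example", "threat_type": ["Spam"], "status": "open", "label": "HQ"}
{"event_name": "IncidentMuted", "id": "inc-002", "adversary": "ads.example", "src": "ws-11", "src_ip": "10.0.0.11", "dest": "ads.example", "threat_type": ["Spam"], "status": "muted", "label": "HQ", "reason": "Known marketing domain"}
{"event_name": "IncidentUpdated", "id": "inc-002", "adversary": "ads.example", "src": "ws-11", "src_ip": "10.0.0.11", "dest": "ads.example", "threat_type": ["Spam"], "status": "muted", "label": "HQ"}
{"event_name": "IncidentUpdated", "id": "inc-002", "adversary": "ads.example", "src": "ws-11", "src_ip": "10.0.0.11", "dest": "ads.example", "threat_type": ["Spam"], "status": "muted", "label": "HQ"}
{"event_name": "IncidentCommentAdded", "id": "inc-001", "adversary": "evil.example", "src": "ws-05", "src_ip": "10.0.0.5", "dest": "evil.example", "threat_type": ["C2C"], "status": "open", "label": "HQ", "comments": "Ticket opened"}
{"event_name": "NewIncidentCreated", "id": "inc-003", "adversary": "dropper.example", "src": "ws-05", "src_ip": "10.0.0.5", "dest": "dropper.example", "threat_type": ["Malware", "Phishing"], "status": "open", "label": "HQ"}
"""


def parse_events(raw):
    """Parse newline-delimited JSON (one indexed event per line), skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _alert(rule, ev, threat_types):
    """Build a flat alert record carrying the fields an analyst needs to triage."""
    return {
        "rule": rule,
        "id": ev.get("id"),
        "adversary": ev.get("adversary"),
        "src": ev.get("src"),
        "src_ip": ev.get("src_ip"),
        "dest": ev.get("dest"),
        "threat_type": threat_types,
        "label": ev.get("label"),
    }


def evaluate(events, high_threats=HIGH_SEVERITY_THREATS, repeat_threshold=2):
    """Replay events in index order and return (alerts, suppressed_count).

    Rule 1: a NewIncidentCreated whose threat_type intersects high_threats alerts.
    Rule 2: the repeat_threshold-th IncidentUpdated for one incident alerts once
            (the same adversary keeps being contacted).
    Mute/close handling: events for a muted or closed incident are suppressed
            until an IncidentUnmuted arrives, honouring the analyst's decision
            taken in the Lumu Portal.
    """
    alerts = []
    suppressed = 0
    silenced = set()                  # incident ids currently muted or closed
    update_count = defaultdict(int)   # IncidentUpdated events seen per incident id

    for ev in events:
        name = ev.get("event_name")
        inc = ev.get("id")

        if name in ("IncidentMuted", "IncidentClosed"):
            silenced.add(inc)
            continue
        if name == "IncidentUnmuted":
            silenced.discard(inc)
            continue
        if inc in silenced:
            suppressed += 1
            continue

        if name == "NewIncidentCreated":
            hits = set(ev.get("threat_type", [])) & high_threats
            if hits:
                alerts.append(_alert("high_severity_new_incident", ev, sorted(hits)))
        elif name == "IncidentUpdated":
            update_count[inc] += 1
            if update_count[inc] == repeat_threshold:
                alerts.append(_alert("repeated_contact", ev, sorted(ev.get("threat_type", []))))
        # IncidentMarkedAsRead, IncidentCommentAdded and
        # IncidentIntegrationsResponseUpdated carry no new adversary contact: ignored.

    return alerts, suppressed


def alerts_by_source(alerts):
    """Count alerts per source IP, the usual pivot when deciding which host to isolate."""
    return Counter(a["src_ip"] for a in alerts)


if __name__ == "__main__":
    found, dropped = evaluate(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['rule']:28} {a['id']} {a['src']} ({a['src_ip']}) -> {a['adversary']} {a['threat_type']}")
    print(f"{dropped} event(s) suppressed for muted/closed incidents")
    print("alerts per source:", dict(alerts_by_source(found)))
```

On the constructed stream this yields three alerts (two high-severity new incidents and one repeated contact, all from 10.0.0.5) and suppresses the two updates on the muted inc-002. The suppression step matters: without it, a muted incident that keeps generating IncidentUpdated events would keep paging, which is exactly the noise the Lumu Portal's mute was meant to remove.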