Splunk Out-of-the-Box SecOps integration

The Splunk Out-of-the-Box SecOps Integration with the Lumu Splunk Add-on allows you to poll and push adversary-related events to your Splunk deployment. After configuring the integration, installing, and deploying the Lumu Splunk Add-on, your Splunk deployment will be able to receive and process Lumu events. By using it, you will be able to see adversarial activity detected by Lumu, giving more visibility to your Security Operations team.

Requirements

To integrate Lumu with your Splunk deployment you need:

  • Lumu Insights or Defender tier.
  • Splunk 8.2+ or Cloud edition.
  • The Lumu Add-on app from Splunkbase.

Lumu Splunk Add-on works better with the Splunk Common Information Model (CIM). We encourage you to deploy this app if you haven’t already done so.

Add integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen.

2. Locate the Splunk integration in the available apps area. Add the integration using the corresponding option to view more details. Familiarize yourself with the integration details available in the app description. Begin the activation process by clicking on the Activate button.


3. Fill in the name of the integration. Then, click on Create.



4. Once you create the integration, you will get the required information to configure the Lumu Splunk Add-on.

Take note of the Integration Key. It will be needed for configuring the Lumu Add-on for Splunk.

Setting Lumu Splunk Add-on

After adding the integration, you need to set up the Lumu Add-on for Splunk. Follow these steps to do it.

Installing Lumu Splunk Add-on

First, you need to install the Lumu Add-on for Splunk. To do so, you have these alternatives:

1. Find and download the add-on from the Splunkbase App portal. Install the package in your Splunk deployment.

2. Use the Find more apps option from the Apps menu in your Splunk deployment.

For further reference, check the About installing Splunk add-ons documentation.

Familiarize yourself with the Lumu Splunk Add-on interface before proceeding.


The navigation bar has the following menus:

  • Lumu dashboard: Presents the collected events as widgets
  • Search: Shows a search module to operate with Lumu events
  • Inputs: Allows you to manage the different Lumu sources you have in your Splunk deployment
  • Configuration: Presents different global parameters: proxy and logging level.

Adding a new Lumu input

After installing the Lumu add-on for Splunk, you need to add a new Input. Within the Lumu CCA app, click on the Inputs tab. Then, click on the Create new input button. Finally, fill in the requested data following these indications.

  • Name: Give a distinctive name to the source. If you deploy several sources, you can name each one after the related company/tenant in the Lumu portal.
  • Interval: Set the time in seconds between runs of the integration script. The recommended interval is 30 seconds.
  • Index: Define the index where the collected events will be stored.
  • API key: Paste the integration key obtained in the previous steps.
  • Events of interest: Select the events you want to process for this input. Keeping the default value is recommended.
  • Include muted updates: Choose whether to process updates received from muted incidents. By default, these messages are ignored.

The name value can be used in the Lumu dashboard to filter data from a specific input/tenant.

Based on the detections raised by Lumu and the configured events, your new input will be populated with data. To check the events collected by the Lumu add-on, you can use the Search & Reporting app in your Splunk console or the Search tab in the Lumu Add-on. Run the following search to check all the events processed by Splunk related to Lumu.

sourcetype="lumu"

Operate Lumu add-on for Splunk

After configuring your Lumu add-on for Splunk and generating events, you will see the following results:

Lumu Dashboard

The Lumu Dashboard will allow you to check at a glance all the information related to Lumu detections collected by the new input. Find it in the Lumu Dashboard tab under the Lumu CCA.

In this dashboard you can change:

  • Global Time Range: modify the effective time range for the search
  • Tenant: If you have more than one input, you can select specific tenants. All tenants option is selected by default

Search tab

You can use the Search tab in the Lumu CCA application to run searches and work with collected events. You can use the following fields to analyze all the collected events.

Field         Description
adversary     Adversary name
comments      Incident comments (from events like Muted incident, Comment, and Closed)
company_id    Lumu company/tenant identification
description   Adversary description
dest          Destination host
dest_ip       Destination IP (if available)
label         Related label according to your Lumu configuration
reason        Selected reason for muting an incident
src           Source host of the detected activity
src_ip        Source IP of the detected activity
status        Incident status
url           URL to consult detailed information about the incident
id            Incident identification in Lumu
threat_type   Threat types related to the incident

If you run a search that selects these fields, you will obtain a result like the following.
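As an added example (not part of the Lumu documentation or the add-on itself), the following search uses only the fields listed above to summarize each Lumu incident and surface those where the same adversary has been contacted from more than one internal host, which is usually where a SecOps analyst should look first. It assumes the default search indexes include the one configured for the Lumu input; otherwise prefix it with the index name.

```spl
sourcetype=lumu
| stats count AS contacts,
        dc(src_ip) AS affected_hosts,
        values(src_ip) AS src_ips,
        values(threat_type) AS threat_types,
        values(label) AS labels,
        latest(status) AS status,
        latest(url) AS url
  BY company_id, id, adversary
| where affected_hosts > 1
| sort - contacts
| table company_id, id, adversary, threat_types, contacts, affected_hosts, src_ips, labels, status, url
```

The url column links each row back to the incident in the Lumu portal, and company_id keeps tenants apart when several inputs feed the same index.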

Troubleshooting

This section covers common scenarios encountered when operating the Lumu Splunk add-on.

Data is not visible in Splunk

If you are not seeing any event data in your Splunk deployment, you can run the following in the Search & Reporting app:

index=_internal sourcetype=talumu:log

If you need to increase the verbosity level, please modify the Log level under the Configuration tab in the Lumu CCA app.

In this log, you can identify specific issues with data collection, wrong credentials, and related problems.

Lumu dashboard not showing any data

If your deployment is receiving data but the Lumu dashboard does not show updated charts, you may be using a dedicated index to store Lumu events that is not included in your user's default search indexes.


To check this, follow these steps:

1. Using the Search window, run the following search:

sourcetype=lumu

If the index is not among your role's default search indexes, this search returns no events.

2. Run this new search:

index=* sourcetype=lumu

You will see the events in your search console.

3. Expand one of the events and check its index name. Keep this in mind for the next configuration steps.

4. Modify the user roles to include the identified index in their defaults. Using an administrator user, go to the Settings > Roles menu and select the role you need to edit.

5. In the Edit Role window, go to the 3. Indexes tab. Look for the required index in the list and make sure the Default option is enabled for it. Save the changes.

After running these steps, go back to the Lumu dashboard. You will be able to see data.

This process must be repeated for each role in your Splunk deployment to guarantee that the Lumu dashboard can access the required index to show data.
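To verify the role configuration without opening each role in the UI, the following search (an added example, not part of the Lumu documentation) lists every role and whether the Lumu index is among its default search indexes. It assumes the dedicated index is named lumu; replace it with the name you identified in step 3.

```spl
| rest /services/authorization/roles splunk_server=local
| fields title, srchIndexesAllowed, srchIndexesDefault
| eval lumu_in_default = if(isnotnull(mvfind(srchIndexesDefault, "^(lumu|[*])$")), "yes", "no")
| table title, lumu_in_default, srchIndexesDefault, srchIndexesAllowed
| sort lumu_in_default
```

Roles marked no need the fix described in steps 4 and 5; the check does not resolve indexes inherited from imported roles, so a role that inherits the default from another role may still be reported as no.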

Further Steps

After the integration process is done, you can define your own rules and dashboards. You can use the raw event data to define alerts and other actions based on your specific needs.

Supported events

In the following table, you can see the events your Splunk deployment supports after installing the Lumu add-on:

Event name                           Description
NewIncidentCreated                   Generated when Lumu detects a new incident.
IncidentUpdated                      Generated when Lumu detects a new adversarial contact related to an existing incident.
IncidentMuted                        Generated when a user mutes an incident within the Lumu portal.
IncidentUnmuted                      Generated when a user unmutes an incident within the Lumu portal.
IncidentClosed                       Generated when a user closes an incident within the Lumu portal.
IncidentMarkedAsRead                 Generated when a user reads a new incident within the Lumu portal.
IncidentCommentAdded                 Generated when a user comments on an incident within the Lumu portal.
IncidentIntegrationsResponseUpdated  Auxiliary event. Indicates updates in the response process if you have the Lumu Defender tier.

These events will be collected and processed based on the input configuration in the previous steps.
