To receive Lumu logs in Sumo Logic, you need to add a new data source. To do so, follow these steps:
1. In your Sumo Logic console, go to Manage Data > Collection.
2. In the Collection window, click the Add… link next to one of your Installed Collectors, then click Add Source.
3. In the Select Source for Collector window, click on HTTP Logs & Metrics under the Platform Sources section.
If you already have a Syslog-based collector configured for Lumu, we encourage you to migrate to the HTTP log collection model.
4. Fill in the required data in the HTTP Logs & Metrics window. In Advanced Options for Logs, keep the settings unchanged except for the Source Category field, which you set to security/lumu; this category lets you isolate Lumu events in the log view. Then click Save.
5. Once Sumo Logic has created the source, copy the unique URL it generates and store it securely; you will need it for the integration component. Treat this URL as a credential: anyone who has it can post logs into the source.
Field extraction rules in Sumo Logic process the Lumu logs and extract their most relevant fields. You can add your own Field Extraction Rule in your Sumo Logic deployment, or rely on JSON auto parsing as follows:
1. In your Sumo Logic console, go to the Manage Data > Logs option.
2. In the Logs window, go to the Field Extraction Rules tab, check that the JSON Auto Parsing - All Sources rule exists and is enabled.
Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.
1. Prepare the container. Replace each VALUE with the proper value for your deployment: CUSTOM_FULL_URL is the source URL you copied when you created the HTTP source, and EVENTS is the comma-separated list of event codes built from the table below. The .env_headers file must exist in the directory you run the command from.

```shell
docker create \
  -e CUSTOM_OUTPUT="custom_http" \
  -e COMPANY_KEY=VALUE \
  -e INCLUDE_MUTED_UPDATES=VALUE \
  -e CUSTOM_FULL_URL=VALUE \
  -e EVENTS=VALUE \
  -v $(pwd)/.env_headers:/app/.env_headers \
  --restart unless-stopped \
  --name lumu-universal-siem \
  --log-opt tag=lumu-universal-siem \
  --log-opt max-size=30m \
  --log-opt max-file=3 \
  lumutools/universal-siem:latest
```

2. Run it:

```shell
docker start lumu-universal-siem
```
Use this table to build the comma-separated string to include Lumu events of interest in the Universal SIEM component configuration.
| Event Code | Description |
|---|---|
| NewIncidentCreated | Lumu reported a new detection |
| IncidentUpdated | Lumu reported a new event related to an existing detection |
| IncidentClosed | A Lumu detection was manually or automatically closed |
| IncidentMuted | A Lumu detection was muted by an analyst |
| IncidentUnmuted | A previously muted detection was re-activated |
| IncidentIntegrationsResponseUpdated | External integrations acknowledged or responded to the incident |
| IncidentBuiltInResponseUpdated | Lumu's built-in response mechanisms (e.g. agent) were applied |
| IncidentActionAdded | A manual action (e.g. sharing a report) was performed on the incident |
| IncidentMarkedAsRead | The Lumu detection was marked as read |
| IncidentCommentAdded | A comment was recorded on the Lumu detection |
For example, if you are interested in new detections and new events on existing detections, you must use the following:
If you want to add the status change to the Lumu-reported events, you must use the following:
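The following script is an added example for the container and event-list steps above; it is not Lumu's or Sumo Logic's own code. It validates the EVENTS list against the event-code table, renders the docker create command with every value shell-quoted, sanity-checks the HTTP source URL, and can post one constructed test event so you can confirm ingestion before starting the container. The event payload, the placeholder key and URL, the reading of "status change" as the closed/muted/unmuted codes, and the assumption that the source URL is an https sumologic.com endpoint are all the example's own, not taken from the page.

```python
"""Added example (not Lumu's or Sumo Logic's code): build/validate the EVENTS
list, render the docker create command, check the HTTP source URL and send a
constructed test event to it."""
import json
import os
import shlex
import urllib.parse
import urllib.request

# Event codes exactly as listed in the table above.
LUMU_EVENT_CODES = (
    "NewIncidentCreated",
    "IncidentUpdated",
    "IncidentClosed",
    "IncidentMuted",
    "IncidentUnmuted",
    "IncidentIntegrationsResponseUpdated",
    "IncidentBuiltInResponseUpdated",
    "IncidentActionAdded",
    "IncidentMarkedAsRead",
    "IncidentCommentAdded",
)


def unknown_event_codes(codes):
    """Return the codes (whitespace trimmed) that are not in the table."""
    return [c.strip() for c in codes if c.strip() not in LUMU_EVENT_CODES]


def build_events_string(codes):
    """Return the comma-separated EVENTS value. A misspelled code would silently
    drop a whole class of detections from the SIEM, so refuse to build it."""
    bad = unknown_event_codes(codes)
    if bad:
        raise ValueError(f"unknown Lumu event code(s): {bad}")
    cleaned = [c.strip() for c in codes]
    if not cleaned or len(set(cleaned)) != len(cleaned):
        raise ValueError("EVENTS must be a non-empty list without duplicates")
    return ",".join(cleaned)


def check_source_url(url):
    """Return a list of problems with the HTTP source URL (empty means OK).
    Assumption: the URL is https and served from a sumologic.com host. The URL
    is the only credential for the source, so keep it out of shell history."""
    parts = urllib.parse.urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname or not parts.hostname.endswith("sumologic.com"):
        problems.append("host is not a sumologic.com endpoint")
    if parts.path in ("", "/"):
        problems.append("URL has no source path")
    return problems


def docker_create_command(company_key, source_url, events, include_muted_updates):
    """Render the docker create command from the steps above as one shell line.
    shlex.join quotes each argument, so a key or URL containing shell
    metacharacters cannot break the command or smuggle in a second one."""
    problems = check_source_url(source_url)
    if problems:
        raise ValueError(f"bad CUSTOM_FULL_URL: {problems}")
    env = [
        ("CUSTOM_OUTPUT", "custom_http"),
        ("COMPANY_KEY", company_key),
        ("INCLUDE_MUTED_UPDATES", include_muted_updates),
        ("CUSTOM_FULL_URL", source_url),
        ("EVENTS", build_events_string(events)),
    ]
    args = ["docker", "create"]
    for name, value in env:
        args += ["-e", f"{name}={value}"]
    args += [
        "-v", f"{os.getcwd()}/.env_headers:/app/.env_headers",
        "--restart", "unless-stopped",
        "--name", "lumu-universal-siem",
        "--log-opt", "tag=lumu-universal-siem",
        "--log-opt", "max-size=30m",
        "--log-opt", "max-file=3",
        "lumutools/universal-siem:latest",
    ]
    return shlex.join(args)


def send_test_event(source_url, event):
    """POST one newline-terminated JSON object (the HTTP source ingests one log
    per line) and return the HTTP status; 200 means it was accepted and should
    appear under the source category shortly. Makes a network call."""
    body = (json.dumps(event) + "\n").encode()
    req = urllib.request.Request(source_url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # "Status change" is read here as the closed/muted/unmuted codes (an
    # interpretation, not Lumu's definition); adjust to your own needs.
    basic = ["NewIncidentCreated", "IncidentUpdated"]
    with_status = basic + ["IncidentClosed", "IncidentMuted", "IncidentUnmuted"]
    print(build_events_string(basic))
    # Placeholder key, URL and INCLUDE_MUTED_UPDATES value, not real ones.
    url = "https://endpoint1.collection.sumologic.com/receiver/v1/http/TOKEN"
    print(docker_create_command("COMPANY_KEY_GOES_HERE", url, with_status, "false"))
    # Constructed smoke-test payload (not Lumu's event schema); uncomment to send:
    # print(send_test_event(url, {"source": "lumu-smoke-test", "event": basic[0]}))
```

Run it once with your real URL to print the quoted command, then uncomment the last line to push a test record; if the search on your source category shows it, the collector side is working and any later gap is on the container side.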
To check your Lumu events in Sumo Logic, open the Sumo Logic console, click the + New button in the tab bar, and choose Log Search.
Run a search scoped to the Source Category you defined when you created the Lumu source (the _sourceCategory field, for example the security/lumu value suggested above). You should see results similar to the following.