Sumo Logic and Lumu Universal SIEM

Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a Sumo Logic deployment through a Syslog source.

Requirements

  1. A Sumo Logic deployment with administrative access
  2. Lumu Universal SIEM SecOps Integration
  3. A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

Configure your Sumo Logic deployment

Follow these steps to configure your Sumo Logic deployment to receive and process Lumu events.

Create a new source for Lumu events

To receive Lumu logs in Sumo Logic, you need to add a new data source. To do so, follow these steps:

1. In your Sumo Logic console, go to Manage Data > Collection.

2. In the Collection window, click on the Add… link next to one of your Installed Collectors, then click on the Add Source option.

3. In the Select Source for Collector window, click on the Syslog option under the Platform Sources section.

4. Fill in the required data in the Syslog window. In the Advanced Options for Logs, set the "Ignore timezone from log file and instead use" option to UTC. Click on the Save button.

Create a Field Extraction Rule (FER)

Field extraction rules in Sumo Logic allow for the processing of Lumu logs and the extraction of the most relevant fields. You can add a Field Extraction Rule in your Sumo Logic deployment following these steps:

1. In your Sumo Logic console, go to Manage Data > Logs.

2. In the Logs window, go to the Field Extraction Rules tab and click on the + Add Rule button.

3. In the Add Field Extraction Rule window, fill in the required data. The Applied At parameter must be set to Ingest Time, and the Scope to Specific Data. Set the _sourcecategory field to the value you gave the Lumu source.

4. In the Parse Expression section, copy and paste the following expression:

    parse regex " - \{\"(?<eventType>[^\"]+).*(?:\"id\"|\"incidentId\"): \"(?<incidentId>[^\"]+)\"" | parse "companyId\": \"*\"" as companyId | parse "adversaryId\": \"*\"" as adversaryId nodrop | parse "description\": \"*\"" as description nodrop | parse "endpointName\": \"*\"" as endpoint nodrop | parse "name\": \"*\"" as label nodrop | parse "url\": \"*\"" as url nodrop | parse "endpointIp\": \"*\"" as sourceIp nodrop

5. Click on the Save button.
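As an added offline check of the rule above (example code, not Lumu's or Sumo Logic's), the following Python re-implements the FER: the `(?<name>...)` groups are translated for Python's `re` module, the `*` anchor wildcard is assumed to behave as a shortest match up to the next literal, and nodrop stages leave the field absent instead of dropping the event. The sample event is constructed for this check and only follows the field names the rule expects.

```python
import re

# The article's Field Extraction Rule, transcribed into the pieces Sumo Logic evaluates:
# one `parse regex` stage, then `parse "<anchor>" as <field> [nodrop]` anchor stages.
# In Sumo's quoted string \" is an escaped quote, so the anchors are written here unescaped.
FER_REGEX = r' - \{"(?<eventType>[^"]+).*(?:"id"|"incidentId"): "(?<incidentId>[^"]+)"'
FER_ANCHORS = [  # (anchor with `*` wildcard, extracted field name, nodrop?)
    ('companyId": "*"', "companyId", False),
    ('adversaryId": "*"', "adversaryId", True),
    ('description": "*"', "description", True),
    ('endpointName": "*"', "endpoint", True),
    ('name": "*"', "label", True),
    ('url": "*"', "url", True),
    ('endpointIp": "*"', "sourceIp", True),
]

def anchor_to_regex(anchor):
    """Assumed parse-anchor semantics: literals match verbatim, `*` matches the
    shortest run of characters up to the next literal."""
    return "".join("(.*?)" if part == "*" else re.escape(part)
                   for part in re.split(r"(\*)", anchor))

def apply_fer(message):
    """Return the fields the FER would extract from one syslog message, or None when
    the message would be dropped (parse regex or a non-nodrop anchor did not match)."""
    # Python spells named groups (?P<name>...); Sumo Logic uses (?<name>...).
    regex = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", FER_REGEX)
    match = re.search(regex, message)
    if not match:
        return None
    fields = dict(match.groupdict())
    for anchor, name, nodrop in FER_ANCHORS:
        hit = re.search(anchor_to_regex(anchor), message)
        if hit:
            fields[name] = hit.group(1)
        elif not nodrop:
            return None
    return fields

# Constructed sample: an RFC 5424 header followed by a Lumu-style JSON body. The field
# names follow the FER; the event type, ids and values are made up for this check.
SAMPLE_EVENT = (
    '<14>1 2024-01-01T00:00:00Z siem-host lumu-universal-siem - - - '
    '{"NewIncidentCreated": {"companyId": "c0ffee00-1111-2222-3333-444455556666", '
    '"id": "11111111-aaaa-bbbb-cccc-222222222222", "adversaryId": "malicious.example", '
    '"description": "Malware contact", "endpointName": "WS-042", "endpointIp": "10.0.0.42"}}'
)
```

Feed it a real line captured from the container's syslog output to confirm the fields you expect (companyId in particular, since that stage has no nodrop) come out before enabling the rule on ingest.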

Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

You can check the Docker image used for deploying the Universal SIEM Integration tool here.

Usage

1. Prepare the container (replace each VALUE with the proper value):

    docker create \
        -e CUSTOM_OUTPUT="syslog_proto" \
        -e INCLUDE_MUTED_UPDATES=VALUE \
        -e COMPANY_KEY=VALUE \
        -e APP_VERBOSE=VALUE \
        -e OUTPUT_SERVERS=VALUE \
        -e SYSLOG_RFC=VALUE \
        --restart unless-stopped \
        --name lumu-universal-siem \
        --log-opt tag=lumu-universal-siem \
        --log-opt max-size=3100m \
        --log-opt max-file=31 \
        lumutools/universal-siem:latest

2. Run it:

    docker start lumu-universal-siem

Parameters

  1. COMPANY_KEY: Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: Set this to true to include contacts of muted incidents, false otherwise (default: false).
  3. APP_VERBOSE: Change the logging level to DEBUG (default: INFO).
  4. OUTPUT_SERVERS: Syslog server information, in the form PROTO:IP_HOSTNAME:PORT.
  5. SYSLOG_RFC: RFC to use for forwarding events. Select either 3164 or 5424.

Further steps

To check your Lumu events in your Sumo Logic deployment, go into your Sumo Logic console, click on the + New button in the tab bar, and click on the Log Search option.

Run a search to query events from the Source Category defined at the time the Lumu source was created. Your Sumo Logic deployment can process the following fields from Lumu events.

  • eventtype
  • incidentid
  • companyid
  • adversaryid
  • description
  • endpoint
  • label
  • url
  • sourceip
