Sumo Logic and Lumu Universal SIEM

Warning
Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before proceeding.
Lumu Universal SIEM can be used to deliver Lumu detections and operating events to a Sumo Logic deployment, leveraging its HTTP Logs & Metrics source.

Requirements

  1. A Sumo Logic deployment with administrative access
  2. Lumu Universal SIEM SecOps Integration
  3. A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

Configure your Sumo Logic deployment

Follow these steps to configure your Sumo Logic deployment to receive and process Lumu events.

Create a new source for Lumu new events

To receive Lumu logs in Sumo Logic, you need to add a new data source. To do so, follow these steps:

1. Using your Sumo Logic console, go to Manage Data > Collection.


2. In the Collection window, click the Add… link next to one of your Installed Collectors, then click the Add Source option.


3. In the Select Source for Collector window, click on HTTP Logs & Metrics under the Platform Sources section.


Notes
If you have an existing Syslog-based collector configured, we encourage you to migrate to the HTTP log collection model.

4. Fill in the required data in the HTTP Logs & Metrics window. Under Advanced Options for Logs, leave the settings as shown in the image. In the Source Category field, enter security/lumu; this lets you separate Lumu events from other logs in the log view. Then click Save.

5. Once Sumo Logic has created the URL, copy the Predesigned URL and save it; it will be used when configuring the integration component.


JSON Auto Parsing - Field Extraction Rule (FER)

Field extraction rules in Sumo Logic allow Lumu logs to be processed and their most relevant fields extracted. You can add your own Field Extraction Rule in your Sumo Logic deployment, or rely on JSON auto parsing as shown below:

1. In your Sumo Logic console, go to the Manage Data > Logs option.


2. In the Logs window, go to the Field Extraction Rules tab and check that the JSON Auto Parsing - All Sources rule exists and is enabled.



Configure the headers and query parameters

Create the .env_headers file and fill it with the following content (note that both quotes around the JSON are plain single quotes):

CONSOLE:APP_HEADERS='
{
 "Accept": "application/json",
 "Content-Type": "application/json"
}'

Lumu Universal SIEM Integration tool

Now, it’s time to configure and deploy the Lumu Integration tool. Follow these steps to do it.

Notes
You can check the Docker image used for deploying the Universal SIEM Integration tools here.

Usage

1. Prepare the container (replace each VALUE with the proper value):
docker create \
    -e CUSTOM_OUTPUT="custom_http" \
    -e COMPANY_KEY=VALUE \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e CUSTOM_FULL_URL=VALUE \
    -e EVENTS=VALUE \
    -v $(pwd)/.env_headers:/app/.env_headers \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=30m \
    --log-opt max-file=3 \
    lumutools/universal-siem:latest

2. Run it:
docker start lumu-universal-siem

Parameters

  1. COMPANY_KEY: your Lumu integration key.
  2. INCLUDE_MUTED_UPDATES: set this to true if you want to include contacts of muted incidents, false otherwise (false is the default).
  3. CUSTOM_FULL_URL: the URL generated by Sumo Logic for the HTTP source.
  4. EVENTS: comma-separated list of the Lumu event types to forward. Allowed values: NewIncidentCreated, IncidentUpdated, IncidentUnmuted, IncidentMuted, IncidentClosed, IncidentIntegrationsResponseUpdated, IncidentBuiltInResponseUpdated, IncidentActionAdded, IncidentMarkedAsRead, IncidentCommentAdded. Skip this parameter if you want all event types to be forwarded.

Lumu event reference

Use this table to build the comma-separated string to include Lumu events of interest in the Universal SIEM component configuration.

Event Code                            Description
NewIncidentCreated                    Lumu reported a new detection
IncidentUpdated                       Lumu reported a new event related to an existing detection
IncidentClosed                        A Lumu detection was manually or automatically closed
IncidentMuted                         A Lumu detection was muted by an analyst
IncidentUnmuted                       A previously muted detection was re-activated
IncidentIntegrationsResponseUpdated   External integrations acknowledged/responded to the incident
IncidentBuiltInResponseUpdated        Lumu's built-in response mechanisms (e.g. agent) were applied
IncidentActionAdded                   A manual action (e.g. sharing a report) was performed on the incident
IncidentMarkedAsRead                  The Lumu detection was read
IncidentCommentAdded                  A comment was recorded on the Lumu detection

For example, if you are interested in new detections and new events on existing detections, you must use the following:

"NewIncidentCreated,IncidentUpdated"

If you want to add the status change to the Lumu-reported events, you must use the following:

"NewIncidentCreated,IncidentUpdated,IncidentMuted,IncidentUnmuted,IncidentClosed"
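The following helper script is an added example, not part of the Lumu tooling or of this article. It ties the configuration steps above together: it validates an EVENTS string against the event codes in the reference table, writes the .env_headers file with the content shown earlier, insists that CUSTOM_FULL_URL uses HTTPS (the Sumo Logic source URL acts as a credential, so it should never be sent in the clear), and prints the docker create command for review before you run it. The key and URL values it uses are placeholders, and the demo at the end only runs when LUMU_DEMO=1 is set.

```shell
#!/bin/sh
# Added helper (not Lumu's code): validate the Universal SIEM settings for the
# Sumo Logic HTTP source before creating the container.

# Event codes taken from the Lumu event reference table on this page.
ALLOWED_EVENTS="NewIncidentCreated IncidentUpdated IncidentUnmuted IncidentMuted IncidentClosed IncidentIntegrationsResponseUpdated IncidentBuiltInResponseUpdated IncidentActionAdded IncidentMarkedAsRead IncidentCommentAdded"

# validate_events LIST: succeed when every comma-separated entry is a known
# event code; report each unknown entry on stderr and fail otherwise.
# An empty list is valid: the tool then forwards every event type.
validate_events() {
    list=$1
    rc=0
    [ -z "$list" ] && return 0
    old_ifs=$IFS
    IFS=','
    for ev in $list; do
        case " $ALLOWED_EVENTS " in
            *" $ev "*) ;;
            *) echo "unknown Lumu event code: '$ev'" >&2; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# check_url URL: the Sumo Logic HTTP source address authorises whoever holds
# it to post logs, so only accept an HTTPS URL.
check_url() {
    case $1 in
        https://*) return 0 ;;
        *) echo "CUSTOM_FULL_URL must start with https://" >&2; return 1 ;;
    esac
}

# write_env_headers PATH: write the headers file mounted at /app/.env_headers,
# with the same content the article shows (single quotes keep the JSON intact).
write_env_headers() {
    cat > "$1" <<'EOF'
CONSOLE:APP_HEADERS='
{
 "Accept": "application/json",
 "Content-Type": "application/json"
}'
EOF
}

# render_docker_create KEY URL EVENTS [INCLUDE_MUTED]: validate the inputs and
# print the docker create command from the article with the values filled in.
render_docker_create() {
    key=$1; url=$2; events=$3; muted=${4:-false}
    check_url "$url" || return 1
    validate_events "$events" || return 1
    case $muted in
        true|false) ;;
        *) echo "INCLUDE_MUTED_UPDATES must be true or false" >&2; return 1 ;;
    esac
    printf 'docker create \\\n'
    printf '    -e CUSTOM_OUTPUT="custom_http" \\\n'
    printf '    -e COMPANY_KEY=%s \\\n' "$key"
    printf '    -e INCLUDE_MUTED_UPDATES=%s \\\n' "$muted"
    printf '    -e CUSTOM_FULL_URL=%s \\\n' "$url"
    if [ -n "$events" ]; then
        printf '    -e EVENTS=%s \\\n' "$events"
    fi
    printf '    -v "$(pwd)/.env_headers":/app/.env_headers \\\n'
    printf '    --restart unless-stopped \\\n'
    printf '    --name lumu-universal-siem \\\n'
    printf '    --log-opt tag=lumu-universal-siem \\\n'
    printf '    --log-opt max-size=30m \\\n'
    printf '    --log-opt max-file=3 \\\n'
    printf '    lumutools/universal-siem:latest\n'
}

# Demo with placeholder values (set LUMU_DEMO=1 to run it).
if [ "${LUMU_DEMO:-0}" = 1 ]; then
    write_env_headers ./.env_headers
    render_docker_create "COMPANY_KEY_PLACEHOLDER" \
        "https://collector.example.invalid/receiver/URL_PLACEHOLDER" \
        "NewIncidentCreated,IncidentUpdated" false
fi
```

Run it with your real key and the URL copied from the Sumo Logic HTTP source; a typo in an event code (for example a missing capital letter) is reported before the container is created rather than silently dropping events at runtime.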

Further steps

To check your Lumu events in your Sumo Logic deployment, go into your Sumo Logic console, click on the + New button in the tab bar, and click on the Log Search option.

Run a search for the Source Category defined when the Lumu source was created, and you will see a result similar to the following.
