OR

Now it's time to configure and deploy the Lumu integration tool. Use the Universal SIEM repository link to open the Docker Hub image repository. Depending on your SIEM deployment, you will need to configure the container according to the forwarding method you want to use. Refer to your SIEM administrator or your SIEM vendor for more information.
Choose one of the following methods to forward Lumu events:
Use this method if your SIEM supports event ingestion via Syslog. Lumu Universal SIEM can deliver Syslog messages in one of these formats:
The RFC 5424 Syslog standard follows this format:
<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROC-ID MSGID STRUCTURED-DATA MESSAGE
Here's an example of a Lumu RFC 5424 Syslog message:
<150>1 2026-04-17T12:11:26.346Z 78af70ae0d97 lumu-incs 7 ceb204e8272c457d84af3499a15bb011 - {"IncidentUpdated": {"companyId": "...", "incident": {"id": "...", "timestamp": "2026-04-17T12:11:26.346Z", "status": "open", "statusTimestamp": "2026-04-17T12:11:26.346Z", "incidentGroupingFields": {"adversary": "tactip.cyou"}, "detectorType": "activity", "incidentType": "malicious-infrastructure", "totalEvents": 5, "firstEvent": {"timestamp": "2026-04-17T12:10:52.328Z", "id": "..."}, "lastEvent": {"timestamp": "2026-04-17T13:17:53.256Z", "id": "..."}, "adversaryTypes": ["Malware"], "description": "Malware family Lumma stealer", "environmentStats": [{"environment": {"id": "36222", "type": "network-label", "label_name": "Lab_CR", "label_relevance": "High"}, "count": 4}, {"environment": {"id": "27713", "type": "network-label", "label_name": "epmLow", "label_relevance": "Low"}, "count": 1}], "counts": {"endpointTargetsCount": 4, "userTargetsCount": 0, "otherTargetsCount": 0, "totalTargetsCount": 4, "offendersCount": 1}, "offendersSamples": [{"_id": "tactip.cyou", "type": "network-location", "value": "tactip.cyou"}], "targetsSamples": [{"_id": "CARLOS-WIN10|36222", "type": "network-endpoint", "label": "36222", "name": "CARLOS-WIN10", "endpoint_ip": "77.227.136.33", "label_name": "Lab_CR", "label_relevance": "High"}, {"_id": "DESKTOP-MNSN261.lumu.lab|36222", "type": "network-endpoint", "label": "36222", "name": "DESKTOP-MNSN261.lumu.lab", "endpoint_ip": "10.0.0.10", "label_name": "Lab_CR", "label_relevance": "High"}, {"_id": "carlos-ubuntu|36222", "type": "network-endpoint", "label": "36222", "name": "carlos-ubuntu", "endpoint_ip": "77.227.136.33", "label_name": "Lab_CR", "label_relevance": "High"}, {"_id": "eliza.net|27713", "type": "network-endpoint", "label": "27713", "name": "eliza.net", "endpoint_ip": "192.168.10.64", "label_name": "epmLow", "label_relevance": "Low"}], "unread": false, "hasPlaybackEvents": false, "autopilotOperation": null, "integrationsThatResponded": ["...", "..."], "builtInResponseTypes": ["agent"], "accumulators": [{"type": "int_accumulator", "key": "5|13", "value": 1}, {"type": "int_accumulator", "key": "5|12", "value": 4}], "eventsGroupingsCount": 4}, "event": {"eventId": "...", "eventType": "malicious-infrastructure", "timestamp": "2026-04-17T13:17:53.256Z", "eventSource": {"source_type": "custom_collector", "source_id": "...", "collector_index": null}, "adversaryTypes": ["Malware"], "eventDescription": "Malware family Lumma stealer", "affectedEnvironments": [{"type": "network-label", "id": "27713", "label_name": "epmLow", "label_relevance": "Low"}], "targets": [{"_id": "eliza.net|27713", "type": "network-endpoint", "label": "27713", "name": "eliza.net", "endpoint_ip": "192.168.10.64", "label_name": "epmLow", "label_relevance": "Low"}], "offenders": [{"_id": "tactip.cyou", "type": "network-location", "value": "tactip.cyou"}], "fromPlayback": false, "dataToIndex": {"data": {"DNSQueryExtraInfo": {"queryType": "A"}}}, "repetitionCount": 1}}, "url": "https://portal.lumu.io/compromise/incidents/show/…/detections"}
The field values for the previous message are:
The RFC 3164 Syslog standard follows this format:
<PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
A Lumu RFC 3164 Syslog message looks as follows:
<150>Apr 17 13:17:53 6d2b4d9e1293 lumu-incs[7]: {"IncidentUpdated": {"companyId": "...", "incident": {"id": "...", "timestamp": "2026-04-17T12:11:26.346Z", "status": "open", "statusTimestamp": "2026-04-17T12:11:26.346Z", "incidentGroupingFields": {"adversary": "tactip.cyou"}, "detectorType": "activity", "incidentType": "malicious-infrastructure", "totalEvents": 5, "firstEvent": {"timestamp": "2026-04-17T12:10:52.328Z", "id": "..."}, "lastEvent": {"timestamp": "2026-04-17T13:17:53.256Z", "id": "..."}, "adversaryTypes": ["Malware"], "description": "Malware family Lumma stealer", "environmentStats": [{"environment": {"id": "36222", "type": "network-label", "label_name": "Lab_CR", "label_relevance": "High"}, "count": 4}, {"environment": {"id": "27713", "type": "network-label", "label_name": "epmLow", "label_relevance": "Low"}, "count": 1}], "counts": {"endpointTargetsCount": 4, "userTargetsCount": 0, "otherTargetsCount": 0, "totalTargetsCount": 4, "offendersCount": 1}, "offendersSamples": [{"_id": "tactip.cyou", "type": "network-location", "value": "tactip.cyou"}], "targetsSamples": [{"_id": "CARLOS-WIN10|36222", "type": "network-endpoint", "label": "36222", "name": "CARLOS-WIN10", "endpoint_ip": "77.227.136.33", "label_name": "Lab_CR", "label_relevance": "High"}, {"_id": "DESKTOP-MNSN261.lumu.lab|36222", "type": "network-endpoint", "label": "36222", "name": "DESKTOP-MNSN261.lumu.lab", "endpoint_ip": "10.0.0.10", "label_name": "Lab_CR", "label_relevance": "High"}, {"_id": "carlos-ubuntu|36222", "type": "network-endpoint", "label": "36222", "name": "carlos-ubuntu", "endpoint_ip": "77.227.136.33", "label_name": "Lab_CR", "label_relevance": "High"}, {"_id": "eliza.net|27713", "type": "network-endpoint", "label": "27713", "name": "eliza.net", "endpoint_ip": "192.168.10.64", "label_name": "epmLow", "label_relevance": "Low"}], "unread": false, "hasPlaybackEvents": false, "autopilotOperation": null, "integrationsThatResponded": ["...", "..."], "builtInResponseTypes": ["agent"], "accumulators": [{"type": "int_accumulator", "key": "5|13", "value": 1}, {"type": "int_accumulator", "key": "5|12", "value": 4}], "eventsGroupingsCount": 4}, "event": {"eventId": "...", "eventType": "malicious-infrastructure", "timestamp": "2026-04-17T13:17:53.256Z", "eventSource": {"source_type": "custom_collector", "source_id": "...", "collector_index": null}, "adversaryTypes": ["Malware"], "eventDescription": "Malware family Lumma stealer", "affectedEnvironments": [{"type": "network-label", "id": "27713", "label_name": "epmLow", "label_relevance": "Low"}], "targets": [{"_id": "eliza.net|27713", "type": "network-endpoint", "label": "27713", "name": "eliza.net", "endpoint_ip": "192.168.10.64", "label_name": "epmLow", "label_relevance": "Low"}], "offenders": [{"_id": "tactip.cyou", "type": "network-location", "value": "tactip.cyou"}], "fromPlayback": false, "dataToIndex": {"data": {"DNSQueryExtraInfo": {"queryType": "A"}}}, "repetitionCount": 1}}, "url": "https://portal.lumu.io/compromise/incidents/show/…/detections"}
The field values for the previous message are:
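As an added example (not part of the Lumu documentation or of the Universal SIEM tool), the following Python parses both framings shown above, RFC 5424 and RFC 3164, splits the PRI into facility and severity, decodes the JSON payload, and pulls out the fields a SIEM correlation rule would typically key on (event type, incident type, adversary, targets, portal URL). The two sample lines are constructed from the page's examples with the JSON payload shortened; the header layout and the JSON field names are the ones the page shows.

```python
import json
import re

# Constructed sample payload, trimmed from the page's IncidentUpdated example.
SAMPLE_PAYLOAD = json.dumps({
    "IncidentUpdated": {
        "companyId": "...",
        "incident": {
            "id": "...",
            "status": "open",
            "incidentType": "malicious-infrastructure",
            "adversaryTypes": ["Malware"],
            "description": "Malware family Lumma stealer",
            "incidentGroupingFields": {"adversary": "tactip.cyou"},
        },
        "event": {
            "eventType": "malicious-infrastructure",
            "timestamp": "2026-04-17T13:17:53.256Z",
            "targets": [{"type": "network-endpoint", "name": "eliza.net",
                         "endpoint_ip": "192.168.10.64"}],
            "offenders": [{"type": "network-location", "value": "tactip.cyou"}],
        },
        "url": "https://portal.lumu.io/compromise/incidents/show/.../detections",
    }
})

# Constructed lines using the same headers as the page's two examples.
RFC5424_LINE = ("<150>1 2026-04-17T12:11:26.346Z 78af70ae0d97 lumu-incs 7 "
                "ceb204e8272c457d84af3499a15bb011 - " + SAMPLE_PAYLOAD)
RFC3164_LINE = "<150>Apr 17 13:17:53 6d2b4d9e1293 lumu-incs[7]: " + SAMPLE_PAYLOAD

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROC-ID MSGID STRUCTURED-DATA MESSAGE
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$",
    re.DOTALL)
# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<app>[^\[\s:]+)(?:\[(?P<procid>\d+)\])?: (?P<msg>.*)$",
    re.DOTALL)


def parse_lumu_syslog(line: str) -> dict:
    """Return the syslog header fields plus the decoded Lumu event.

    Raises ValueError for lines that match neither framing or whose
    MESSAGE part is not a single-key JSON object, so a collector can
    route such lines to a dead-letter queue instead of dropping them.
    """
    for rfc, pattern in (("5424", RFC5424_RE), ("3164", RFC3164_RE)):
        match = pattern.match(line)
        if match:
            break
    else:
        raise ValueError("not a recognised Lumu syslog line")
    pri = int(match.group("pri"))
    payload = json.loads(match.group("msg"))
    if not isinstance(payload, dict) or len(payload) != 1:
        raise ValueError("expected a single top-level event key")
    event_type, body = next(iter(payload.items()))
    return {
        "rfc": rfc,
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "hostname": match.group("hostname"),
        "app": match.group("app"),
        "procid": match.group("procid"),
        "event_type": event_type,  # e.g. IncidentUpdated
        "payload": body,
    }


def summarize(parsed: dict) -> dict:
    """Flatten the fields a detection rule usually needs from a parsed event."""
    body = parsed["payload"]
    incident = body.get("incident", {})
    event = body.get("event", {})
    return {
        "event_type": parsed["event_type"],
        "incident_type": incident.get("incidentType"),
        "adversary": incident.get("incidentGroupingFields", {}).get("adversary"),
        "targets": [t.get("endpoint_ip") or t.get("name")
                    for t in event.get("targets", [])],
        "url": body.get("url"),
    }


if __name__ == "__main__":
    for line in (RFC5424_LINE, RFC3164_LINE):
        parsed = parse_lumu_syslog(line)
        print(parsed["rfc"], parsed["facility"], parsed["severity"], summarize(parsed))
```

PRI 150 in both sample lines decodes to facility 18 (local2) and severity 6 (informational); pick the framing with SYSLOG_RFC to match what your collector expects, and keep the JSON payload intact, since the message is the only place the incident detail lives.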
1. Prepare the container (replace VALUE with proper values):
docker create \
-e CUSTOM_OUTPUT="syslog_proto" \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e EVENTS=VALUE \
-e COMPANY_KEY=VALUE \
-e OUTPUT_SERVERS=VALUE \
-e SYSLOG_RFC=VALUE \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=100m \
--log-opt max-file=1 \
lumutools/universal-siem:latest
2. Run it:
docker start lumu-universal-siem
Review the Lumu event reference section for detailed information on the Lumu events you can select.
Use this method if your SIEM supports event collection over HTTP. The SIEM exposes an HTTP URL to which the forwarder pushes data with POST web requests.
First, create the Lumu HTTP collector in your SIEM deployment. If your SIEM requires the web requests to carry query parameters, a particular body format, or specific headers, create and configure the .env_ auxiliary files as follows:
If you need to set specific HTTP headers, create the .env_headers file using this structure:
APP_HEADERS='{"Content-Type": "application/json"}'
If you need to set a specific HTTP request body format, create the .env_body file using this structure:
# Lumu variable is "{{LUMU_EVENT}}"
APP_BODY='[
{
"key_1": "value_1",
...,
"key_n": "value_n",
"message": "{{LUMU_EVENT}}"
}
]'
APP_ESCAPE_LUMU_EVENT=0 # 1|0, If you need to quote Lumu event as string
APP_REPLACE_LUMU_EVENT=1
Some considerations:
If you need to set query parameters for the HTTP request, create the .env_queries file using this structure:
APP_QUERIES='{
"param1":"value1",
"param2": "value2"
}'
Add each required query parameter as a key: value pair.
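The three .env_ files above, read together, define the POST request the forwarder sends. As an added example (not the Universal SIEM tool's own code), the following Python reads constructed .env_headers, .env_body and .env_queries contents in the structures shown above, substitutes a Lumu event into the {{LUMU_EVENT}} slot, and builds the resulting URL, headers and body without sending anything. The substitution semantics are an assumption, since the page documents APP_ESCAPE_LUMU_EVENT only as "quote Lumu event as string": with the flag set to 1 the event is inserted as an escaped JSON string inside the template's quotes, with 0 the quoted placeholder is replaced by the event object itself. APP_REPLACE_LUMU_EVENT is read but not interpreted, and the collector URL is a placeholder.

```python
import json
from urllib.parse import urlencode

# Constructed file contents mirroring the page's three structures.
ENV_HEADERS = '''APP_HEADERS='{"Content-Type": "application/json"}'
'''
ENV_BODY = '''# Lumu variable is "{{LUMU_EVENT}}"
APP_BODY='[
{
"source": "lumu",
"message": "{{LUMU_EVENT}}"
}
]'
APP_ESCAPE_LUMU_EVENT=1 # 1|0, If you need to quote Lumu event as string
APP_REPLACE_LUMU_EVENT=1
'''
ENV_QUERIES = '''APP_QUERIES='{
"index":"lumu",
"sourcetype": "lumu:incident"
}'
'''

# Constructed, shortened NewIncidentCreated event.
SAMPLE_EVENT = {"NewIncidentCreated": {"incident": {
    "id": "...", "incidentType": "malicious-infrastructure",
    "incidentGroupingFields": {"adversary": "tactip.cyou"}}}}

PLACEHOLDER = "{{LUMU_EVENT}}"


def parse_env(text: str) -> dict:
    """Minimal reader for KEY=value and KEY='multi-line value' lines.

    Assumption: the real tool uses a standard dotenv loader; this only covers
    the three structures the page shows (single-quoted JSON, bare values with
    a trailing # comment, and comment lines).
    """
    values, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if not line or line.startswith("#"):
            i += 1
            continue
        key, _, rest = line.partition("=")
        if rest.startswith("'"):
            buf = rest[1:]
            while "'" not in buf:          # value continues on later lines
                i += 1
                buf += "\n" + lines[i]
            values[key.strip()] = buf[:buf.index("'")]
        else:
            values[key.strip()] = rest.split("#", 1)[0].strip()
        i += 1
    return values


def render_body(template: str, event: dict, escape: bool) -> str:
    """Substitute the event into the body template and return JSON text.

    The result is parsed before being returned so a broken template fails
    here, where it is visible, rather than as a 4xx at the SIEM.
    """
    event_json = json.dumps(event, separators=(",", ":"))
    if escape:
        # json.dumps of a str gives a quoted, escaped literal; drop the outer
        # quotes because the template already supplies them.
        rendered = template.replace(PLACEHOLDER, json.dumps(event_json)[1:-1])
    else:
        quoted = '"' + PLACEHOLDER + '"'
        if quoted not in template:
            raise ValueError("unescaped mode needs the placeholder in a quoted slot")
        rendered = template.replace(quoted, event_json)
    json.loads(rendered)
    return rendered


def build_request(env_headers: str, env_body: str, env_queries: str,
                  base_url: str, event: dict) -> dict:
    """Assemble the POST the forwarder would issue for one Lumu event."""
    headers = json.loads(parse_env(env_headers)["APP_HEADERS"])
    body_cfg = parse_env(env_body)
    queries = json.loads(parse_env(env_queries)["APP_QUERIES"])
    escape = body_cfg.get("APP_ESCAPE_LUMU_EVENT", "0") == "1"
    body = render_body(body_cfg["APP_BODY"], event, escape)
    url = base_url + ("?" + urlencode(queries) if queries else "")
    return {"method": "POST", "url": url, "headers": headers, "body": body}


if __name__ == "__main__":
    # Placeholder collector URL; replace with your SIEM's HTTP collector.
    req = build_request(ENV_HEADERS, ENV_BODY, ENV_QUERIES,
                        "https://siem.example.invalid/collector", SAMPLE_EVENT)
    print(req["url"])
    print(req["body"])
```

The check that matters in practice is the final json.loads in render_body: a missing comma in APP_BODY, or the escape flag set so that the raw event lands inside a quoted string, produces a body the SIEM will reject, and catching that while building the files is cheaper than reading the container's logs afterwards.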
1. Prepare the container (replace VALUE with proper values):
docker create \
-e CUSTOM_OUTPUT="custom_http" \
-e COMPANY_KEY=VALUE \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e EVENTS=VALUE \
-e APP_VERBOSE=VALUE \
-e CUSTOM_FULL_URL=VALUE \
-v $(pwd)/.env_headers:/app/.env_headers \
-v $(pwd)/.env_body:/app/.env_body \
-v $(pwd)/.env_queries:/app/.env_queries \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=30m \
--log-opt max-file=3 \
lumutools/universal-siem:latest
If you don't need to define custom parameters for a particular HTTP request attribute, remove the corresponding line from the previous command.
Review the Lumu event reference section for detailed information on the Lumu events you can select.
For the proper operation of the integration, follow these recommendations:
Use this table to build the comma-separated string to include Lumu events of interest in the Universal SIEM component configuration.
| Event Code | Description |
| --- | --- |
| NewIncidentCreated | Lumu reported a new detection |
| IncidentUpdated | Lumu reported a new event related to an existing detection |
| IncidentClosed | A Lumu detection was manually or automatically closed |
| IncidentMuted | A Lumu detection was muted by an analyst |
| IncidentUnmuted | A previously muted detection was re-activated |
| IncidentIntegrationsResponseUpdated | External integrations acknowledged/responded to the incident |
| IncidentBuiltInResponseUpdated | Lumu's built-in response mechanisms (e.g. agent) were applied |
| IncidentActionAdded | A manual action (e.g. sharing a report) was performed on the incident |
| IncidentMarkedAsRead | The Lumu detection was read |
| IncidentCommentAdded | A comment was recorded on the Lumu detection |
For example, if you are interested in new detections and new events on existing detections, you must use the following: NewIncidentCreated,IncidentUpdated
If you want to add the status change to the Lumu-reported events, you must use the following:
Here you can find some example uses of the Universal SIEM integration with particular SIEMs: