Universal SIEM Out-of-the-Box SecOps Integration

Universal SIEM is the recommended way to integrate SIEM solutions with Lumu.
The Lumu Universal SIEM Out-of-the-Box integration allows you to centralize Lumu detections and operating events in your SIEM deployment. With this information in your SIEM, you will be able to use Lumu input as a pivot for:
  • Incident response research
  • Post-mortem investigation
  • Threat hunting activities

Requirements

  • A SIEM deployment that can ingest logs through one of these methods:
    • Syslog
    • HTTP Collector
  • An active Lumu Insights or Defender subscription.
  • A Docker-enabled host. This will be used for setting up the Lumu Universal SIEM integration tool.

Add Integration

  1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen.
  2. Locate the Universal SIEM integration in the available apps area and open it to view its details. Familiarize yourself with the integration details in the app description, then click Activate to begin the activation process.
  3. Fill in a name for the integration and click Create.
  4. Once the integration is created, you will see the information required to set up the Universal SIEM integration tool.

Take note of the Integration Key; it is needed when setting up the Universal SIEM integration tool. Treat it as a credential: keep it out of shell history, tickets, and version control.

Lumu Universal SIEM Integration tool

Now it's time to configure and deploy the Lumu integration tool. Use the Universal SIEM repository link shown in the integration details to open the Docker Hub image repository (lumutools/universal-siem). Depending on your SIEM deployment, you will need to apply some configuration according to the forwarding method you want to use. Refer to your SIEM administrator or your SIEM vendor for the collector details.

Choose one of the following methods to forward Lumu events:

  • Syslog forwarding
  • HTTP Collector

Syslog forwarding

Use this method if your SIEM supports event ingestion via Syslog. Lumu Universal SIEM can deliver Syslog messages in one of these formats:

  • RFC 5424
  • RFC 3164

RFC 5424

The RFC 5424 Syslog standard follows this format:

  <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROC-ID MSGID STRUCTURED-DATA MESSAGE

Here's an example of a Lumu RFC 5424 Syslog message:

  <150>1 2024-02-16T14:39:49.246Z 78af70ae0d97 lumu-incs 7 ceb204e8272c457d84af3499a15bb011 - {"IncidentUpdated": {"companyId": "...", "incident": {"id": "..", "timestamp": "2024-02-15T17:07:35.535Z", "statusTimestamp": "2024-02-15T17:07:35.535Z", "status": "open", "contacts": 16, "adversaries": ["www.safdemircelik.com"], "adversaryId": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "description": "Malware family Unknown", "labelDistribution": {"label_1": 2, "label_2": 14}, "totalEndpoints": 2, "lastContact": "2024-02-16T14:39:26.571Z", "unread": false, "hasPlaybackContacts": false, "firstContact": "2024-02-15T17:07:24.557Z", "integrationsThatResponded": ["integration_id_1", ..., "integration_id_n"]}, "contactSummary": {"uuid": "...", "timestamp": "2024-02-16T14:39:26.571Z", "adversaryHost": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "endpointIp": "192.168.100.55", "endpointName": "LUMU_01", "label": {"name": "label_1", "relevance": "Low"}, "fromPlayback": false}}, "url": "https://portal.lumu.io/compromise/incidents/show/incident_id/detections"}

The field values for the previous message are:

  • PRI: 150 (facility 18 = local2, severity 6 = informational)
  • VERSION: 1
  • TIMESTAMP: 2024-02-16T14:39:49.246Z (RFC 3339 / ISO 8601 profile, in UTC)
  • HOSTNAME: 78af70ae0d97 (normally the short Docker container ID of the integration tool)
  • APP-NAME: lumu-incs
  • PROC-ID: 7
  • MSGID: ceb204e8272c457d84af3499a15bb011
  • STRUCTURED-DATA: - (the NILVALUE; the tool sends no structured-data elements)
  • MESSAGE: {"IncidentUpdated": ...} (the Lumu event as a JSON object)

RFC 3164

The RFC 3164 Syslog standard follows this format:

  <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE

A Lumu RFC 3164 Syslog message looks as follows:

  <150>Feb 16 14:43:08 6d2b4d9e1293 lumu-incs[7]: {"IncidentUpdated": {"companyId": "...", "incident": {"id": "...", "timestamp": "2024-02-15T17:07:35.535Z", "statusTimestamp": "2024-02-15T17:07:35.535Z", "status": "open", "contacts": 17, "adversaries": ["www.safdemircelik.com"], "adversaryId": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "description": "Malware family Unknown", "labelDistribution": {"label_1": 2, "label_2": 15}, "totalEndpoints": 2, "lastContact": "2024-02-16T14:42:18.699Z", "unread": false, "hasPlaybackContacts": false, "firstContact": "2024-02-15T17:07:24.557Z", "integrationsThatResponded": ["integration_id_1", ..., "integration_id_n"]}, "contactSummary": {"uuid": "...", "timestamp": "2024-02-16T14:42:18.699Z", "adversaryHost": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "endpointIp": "192.168.100.55", "endpointName": "LUMU_01", "label": {"name": "label_1", "relevance": "Low"}, "fromPlayback": false}}, "url": "https://portal.lumu.io/compromise/incidents/show/incident_id/detections"}

The field values for the previous message are:

  • PRI: 150 (facility 18 = local2, severity 6 = informational)
  • TIMESTAMP: Feb 16 14:43:08 (3-letter month, day, and 24-hour time, written in UTC; RFC 3164 timestamps carry neither a year nor a time-zone offset, so the SIEM has to assume both at ingest)
  • HOSTNAME: 6d2b4d9e1293 (normally the short Docker container ID of the integration tool)
  • TAG: lumu-incs
  • PID: 7
  • MESSAGE: {"IncidentUpdated": ...} (the Lumu event as a JSON object)
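To see how a SIEM parser takes these messages apart, here is an added Python example; it is not part of the Lumu tool or of this page. It recognizes either header layout, decodes PRI into facility and severity, parses the JSON MESSAGE, and flattens the IncidentUpdated event into the fields an analyst would pivot on. The sample event and the two wrapped lines are constructed for the example with placeholder identifiers and an example adversary host, and the regular expressions are the example's own, not the tool's.

```python
import json
import re

# Header grammars for the two layouts the Lumu Universal SIEM tool can emit (example's own regexes).
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROC-ID MSGID STRUCTURED-DATA MESSAGE
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$",
    re.S,
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MESSAGE
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<tag>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.S,
)

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_lumu_syslog(line: str) -> tuple[dict, dict]:
    """Split a Lumu syslog line into its header fields and the decoded JSON MESSAGE.

    Returns (header, event): header carries the RFC detected plus facility/severity decoded
    from PRI; event is the parsed JSON payload, e.g. {"IncidentUpdated": ...}.
    """
    m = RFC5424_RE.match(line)
    rfc = 5424
    if m is None:
        m = RFC3164_RE.match(line)
        rfc = 3164
    if m is None:
        raise ValueError(f"not a syslog line in either layout: {line[:60]!r}")
    header = {k: v for k, v in m.groupdict().items() if k != "msg"}
    pri = int(header["pri"])
    header.update(rfc=rfc, facility=pri >> 3, severity=SEVERITY[pri & 7])
    # MESSAGE is JSON as emitted by the tool; anything else is a parse error worth surfacing.
    return header, json.loads(m["msg"])


def pivot_fields(event: dict) -> dict:
    """Flatten an IncidentUpdated event into the keys a SIEM rule or hunt would pivot on."""
    upd = event["IncidentUpdated"]
    inc, contact = upd["incident"], upd["contactSummary"]
    return {
        "incident_id": inc["id"],
        "status": inc["status"],
        "adversary_host": contact["adversaryHost"],
        "adversary_types": inc["adversaryTypes"],
        "endpoint_ip": contact["endpointIp"],
        "endpoint_name": contact["endpointName"],
        "label": contact["label"]["name"],
        "relevance": contact["label"]["relevance"],
        "from_playback": contact["fromPlayback"],
        "last_contact": inc["lastContact"],
        "portal_url": upd["url"],
    }


# Constructed sample event modelled on the IncidentUpdated layout above (all values are placeholders).
SAMPLE_EVENT = {
    "IncidentUpdated": {
        "companyId": "example-company",
        "incident": {
            "id": "example-incident",
            "timestamp": "2024-02-15T17:07:35.535Z",
            "status": "open",
            "contacts": 16,
            "adversaries": ["malware.example.net"],
            "adversaryId": "malware.example.net",
            "adversaryTypes": ["Malware"],
            "description": "Malware family Unknown",
            "totalEndpoints": 2,
            "lastContact": "2024-02-16T14:39:26.571Z",
            "firstContact": "2024-02-15T17:07:24.557Z",
        },
        "contactSummary": {
            "timestamp": "2024-02-16T14:39:26.571Z",
            "adversaryHost": "malware.example.net",
            "adversaryTypes": ["Malware"],
            "endpointIp": "192.168.100.55",
            "endpointName": "LUMU_01",
            "label": {"name": "label_1", "relevance": "Low"},
            "fromPlayback": False,
        },
        "url": "https://portal.lumu.io/compromise/incidents/show/example-incident/detections",
    }
}
_MSG = json.dumps(SAMPLE_EVENT, separators=(",", ":"))
# The same event wrapped in each header layout (constructed lines, header values as in the samples above).
SAMPLE_5424 = f"<150>1 2024-02-16T14:39:49.246Z 78af70ae0d97 lumu-incs 7 ceb204e8272c457d84af3499a15bb011 - {_MSG}"
SAMPLE_3164 = f"<150>Feb 16 14:43:08 6d2b4d9e1293 lumu-incs[7]: {_MSG}"

if __name__ == "__main__":
    for line in (SAMPLE_5424, SAMPLE_3164):
        header, event = parse_lumu_syslog(line)
        print(header["rfc"], header["facility"], header["severity"], pivot_fields(event))
```

Both layouts yield the same event, so a SIEM parser only has to branch on the header; the decoded facility/severity (local2.info for PRI 150) is what to match on if the collector filters by syslog priority.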

Usage

1. Prepare the container (replace VALUE with proper values):

docker create \
    -e CUSTOM_OUTPUT="syslog_proto" \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e APP_VERBOSE=VALUE \
    -e COMPANY_KEY=VALUE \
    -e OUTPUT_SERVERS=VALUE \
    -e SYSLOG_RFC=VALUE \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=1030m \
    --log-opt max-file=13 \
    lumutools/universal-siem:latest

2. Run it:

docker start lumu-universal-siem

Parameters

  • CUSTOM_OUTPUT: keep syslog_proto to select the Syslog output.
  • COMPANY_KEY: Lumu integration key.
  • INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false).
  • APP_VERBOSE: Change logging level to DEBUG (default INFO).
  • OUTPUT_SERVERS: Syslog destination in PROTO:IP_HOSTNAME:PORT form (transport, collector IP address or hostname, and port). Syslog over UDP or plain TCP is unencrypted and these messages carry endpoint names and IP addresses, so keep the path between the Docker host and the collector on a trusted network segment.
  • SYSLOG_RFC: RFC to use for forwarding events. Select between 3164 and 5424.

HTTP collector

Use this method if your SIEM supports event collection through an HTTP collector: the SIEM exposes an HTTP(S) URL and the forwarder sends each event to it in a POST request.

Before you start

First, create the Lumu HTTP collector in your SIEM deployment. If your SIEM requires the requests to carry query parameters, a particular body format, or specific headers, create and configure the corresponding .env_ auxiliary files as follows:

.env_headers

If you need to set specific HTTP headers, create the .env_headers file using this structure:

  APP_HEADERS='{
    "Content-Type": "application/json"
  }'

Within the JSON in the APP_HEADERS variable, define the required headers as key: value pairs. The value must be valid JSON (no trailing comma after the last pair).

.env_body

If you need to set a specific HTTP request body format, create the .env_body file using this structure:

  # Lumu variable is "{{LUMU_EVENT}}"
  APP_BODY='[
    {
      "key_1": "value_1",
      ...,
      "key_n": "value_n",
      "message": "{{LUMU_EVENT}}"
    }
  ]'
  APP_ESCAPE_LUMU_EVENT=0 # 1|0: 1 quotes the Lumu event as a string, 0 embeds it as JSON
  APP_REPLACE_LUMU_EVENT=1

Some considerations:

  • Add the required fields within the HTTP body as key: value pairs, keeping the value valid JSON (commas between pairs, none after the last). To place the Lumu event in the payload, use the placeholder {{LUMU_EVENT}}.
  • Set APP_ESCAPE_LUMU_EVENT to 1 if the event must be sent quoted as a string, or 0 to embed it as JSON.
  • If you don't add the {{LUMU_EVENT}} placeholder within APP_BODY, Lumu events will not be part of the HTTP request body.

.env_queries

If you need to set query parameters for the HTTP request, create the .env_queries file using this structure:

  APP_QUERIES='{
    "param1": "value1",
    "param2": "value2"
  }'

Add each required query parameter as a key: value pair.
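Because a single stray comma in these files produces a request the SIEM will reject, here is an added Python validator (example code, not part of the Lumu tool or of this page) that reads the three .env_ fragments, checks that each decodes as JSON, substitutes the Lumu event into APP_BODY according to APP_ESCAPE_LUMU_EVENT, and assembles the final URL, headers, and body of one POST. It assumes the tool reads the files as shell-style KEY='value' assignments and performs a textual replacement of {{LUMU_EVENT}}; the fragments, the collector URL (siem.example.net), the Authorization header, and the event are constructed for the example.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PLACEHOLDER = "{{LUMU_EVENT}}"


def parse_env_file(text: str) -> dict:
    """Read a .env_* fragment: KEY=value or KEY='multi-line value', '#' comments allowed.

    Assumption (example only): the tool reads these files as shell-style assignments with
    single-quoted multi-line values, which is the layout shown above; a value must not
    itself contain a single quote.
    """
    env, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, rest = line.partition("=")
        if not sep:
            raise ValueError(f"line {i}: expected KEY=value, got {line!r}")
        key, rest = key.strip(), rest.lstrip()
        if rest.startswith("'"):
            buf = rest[1:]
            while "'" not in buf:  # the value continues on later lines until the closing quote
                if i >= len(lines):
                    raise ValueError(f"{key}: unterminated single quote")
                buf += "\n" + lines[i]
                i += 1
            env[key] = buf[: buf.index("'")]
        else:
            env[key] = rest.split("#", 1)[0].strip()  # drop a trailing '# comment'
    return env


def render_body(body_template: str, event: dict, escape: bool) -> str:
    """Splice the event into APP_BODY as the two APP_ESCAPE_LUMU_EVENT modes require.

    Assumption (example only): the tool does a plain textual replacement of the placeholder.
    """
    if PLACEHOLDER not in body_template:
        raise ValueError("APP_BODY has no {{LUMU_EVENT}}: the event would be absent from the request")
    event_json = json.dumps(event, separators=(",", ":"))
    if escape:
        # 1: the event travels as a JSON string, so quotes and backslashes are escaped and the
        # template must put the placeholder inside quotes: "message": "{{LUMU_EVENT}}"
        replacement = json.dumps(event_json)[1:-1]
    else:
        # 0: the event is embedded as a JSON object, so the placeholder must be unquoted.
        replacement = event_json
    rendered = body_template.replace(PLACEHOLDER, replacement)
    json.loads(rendered)  # fail fast on trailing commas, missing commas or mismatched quoting
    return rendered


def build_request(full_url: str, env_headers: str, env_body: str, env_queries: str, event: dict):
    """Return (url, headers, body) for one POST, validating each .env_* fragment as JSON."""
    headers = json.loads(parse_env_file(env_headers)["APP_HEADERS"])
    queries = json.loads(parse_env_file(env_queries)["APP_QUERIES"])
    body_env = parse_env_file(env_body)
    escape = body_env.get("APP_ESCAPE_LUMU_EVENT", "0") == "1"
    body = render_body(body_env["APP_BODY"], event, escape)
    scheme, netloc, path, query, fragment = urlsplit(full_url)
    merged = parse_qsl(query, keep_blank_values=True) + list(queries.items())
    return urlunsplit((scheme, netloc, path, urlencode(merged), fragment)), headers, body


# Constructed fragments in the layouts shown above, with valid JSON (no trailing commas).
ENV_HEADERS = """APP_HEADERS='{
  "Content-Type": "application/json",
  "Authorization": "Bearer REPLACE_ME"
}'
"""
ENV_QUERIES = """APP_QUERIES='{
  "source": "lumu"
}'
"""
ENV_BODY = """# Lumu variable is "{{LUMU_EVENT}}"
APP_BODY='[
  {
    "sourcetype": "lumu:incident",
    "message": "{{LUMU_EVENT}}"
  }
]'
APP_ESCAPE_LUMU_EVENT=1 # 1|0, 1 because the placeholder above is quoted
APP_REPLACE_LUMU_EVENT=1
"""
# Constructed minimal event; a real IncidentUpdated event carries the fields shown earlier.
SAMPLE_EVENT = {"IncidentUpdated": {"incident": {"id": "example-incident", "status": "open"}}}

if __name__ == "__main__":
    url, headers, body = build_request(
        "https://siem.example.net/collector?token=abc", ENV_HEADERS, ENV_BODY, ENV_QUERIES, SAMPLE_EVENT
    )
    print(url, headers, body, sep="\n")
```

Run it once against your real files before starting the container: a ValueError pinpoints whether the headers, the query parameters, or the body template are at fault, and a quoted placeholder combined with APP_ESCAPE_LUMU_EVENT=0 (or the reverse) is caught as invalid JSON before any request leaves the host.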

Usage

1. Prepare the container (replace VALUE with proper values):

docker create \
    -e CUSTOM_OUTPUT="custom_http" \
    -e COMPANY_KEY=VALUE \
    -e INCLUDE_MUTED_UPDATES=VALUE \
    -e APP_VERBOSE=VALUE \
    -e CUSTOM_FULL_URL=VALUE \
    -v $(pwd)/.env_headers:/app/.env_headers \
    -v $(pwd)/.env_body:/app/.env_body \
    -v $(pwd)/.env_queries:/app/.env_queries \
    --restart unless-stopped \
    --name lumu-universal-siem \
    --log-opt tag=lumu-universal-siem \
    --log-opt max-size=3100m \
    --log-opt max-file=13 \
    lumutools/universal-siem:latest

If you don't need to define custom parameters for a particular HTTP request attribute, remove the corresponding line from the previous command.

2. Run it:

docker start lumu-universal-siem

Parameters

  • CUSTOM_OUTPUT: keep custom_http to select the HTTP collector output.
  • COMPANY_KEY: Lumu integration key.
  • INCLUDE_MUTED_UPDATES: Set this to true if you want to include contacts of muted incidents, false otherwise (default is false).
  • APP_VERBOSE: Change logging level to DEBUG (default INFO).
  • CUSTOM_FULL_URL: Receiver URL given by the SIEM. Prefer an HTTPS URL where the SIEM offers one, since the events carry endpoint names and IP addresses.

General recommendations

For the proper operation of the integration, follow these recommendations:

  • Integration between Lumu and your SIEM relies on a stable network connection, including Internet access. Make sure the following hosts are reachable from the Docker host:
    • Your SIEM collector/endpoint.
    • defender.lumu.io.
    • Docker Hub, to pull the lumutools/universal-siem image.
  • HTTP, HTTPS, and WSS are required; make sure egress filtering on the Docker host allows them.
  • Do not stop the Docker container. Doing so interrupts event forwarding, and events generated while the container is stopped are not forwarded to your SIEM.

Other implementations

Here you will find some uses of the Universal SIEM integration with particular SIEMs. Remember to add the Universal SIEM Out-of-the-Box SecOps Integration before following any of them:

  • FortiSIEM and Lumu Universal SIEM: delivers Lumu detections and operating events to a FortiSIEM deployment using HTTP(S) POST requests.
  • Sumo Logic and Lumu Universal SIEM: delivers Lumu detections and operating events to a Sumo Logic deployment.
  • Datadog and Lumu Universal SIEM: delivers Lumu detections and operating events to a Datadog deployment leveraging its HTTP custom log forwarding feature.