Now it's time to configure and deploy the Lumu Integration tool. Use the Universal SIEM repository link to open the Docker Hub image repository. Depending on your SIEM deployment, you will need to apply some configuration for the forwarding method you want to use. Refer to your SIEM administrator or your SIEM vendor for more information.
Choose one of the following methods to forward Lumu events:
Use this method if your SIEM supports event ingestion via Syslog. Lumu Universal SIEM can deliver Syslog messages in one of these formats:
The RFC 5424 Syslog standard follows this format:
<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROC-ID MSGID STRUCTURED-DATA MESSAGE
Here's an example of a Lumu RFC 5424 Syslog message:
<150>1 2024-02-16T14:39:49.246Z 78af70ae0d97 lumu-incs 7 ceb204e8272c457d84af3499a15bb011 - {"IncidentUpdated": {"companyId": "...", "incident": {"id": "..", "timestamp": "2024-02-15T17:07:35.535Z", "statusTimestamp": "2024-02-15T17:07:35.535Z", "status": "open", "contacts": 16, "adversaries": ["www.safdemircelik.com"], "adversaryId": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "description": "Malware family Unknown", "labelDistribution": {"label_1": 2, "label_2": 14}, "totalEndpoints": 2, "lastContact": "2024-02-16T14:39:26.571Z", "unread": false, "hasPlaybackContacts": false, "firstContact": "2024-02-15T17:07:24.557Z", "integrationsThatResponded": ["integration_id_1", ..., "integration_id_n"]}, "contactSummary": {"uuid": "...", "timestamp": "2024-02-16T14:39:26.571Z", "adversaryHost": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "endpointIp": "192.168.100.55", "endpointName": "LUMU_01", "label": {"name": "label_1", "relevance": "Low"}, "fromPlayback": false}}, "url": "https://portal.lumu.io/compromise/incidents/show/incident_id/detections"}
The field values for the previous message are:
The RFC 3164 Syslog standard follows this format:
<PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
A Lumu RFC 3164 Syslog message looks as follows:
<150>Feb 16 14:43:08 6d2b4d9e1293 lumu-incs[7]: {"IncidentUpdated": {"companyId": "...", "incident": {"id": "...", "timestamp": "2024-02-15T17:07:35.535Z", "statusTimestamp": "2024-02-15T17:07:35.535Z", "status": "open", "contacts": 17, "adversaries": ["www.safdemircelik.com"], "adversaryId": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "description": "Malware family Unknown", "labelDistribution": {"label_1": 2, "label_2": 15}, "totalEndpoints": 2, "lastContact": "2024-02-16T14:42:18.699Z", "unread": false, "hasPlaybackContacts": false, "firstContact": "2024-02-15T17:07:24.557Z", "integrationsThatResponded": ["integration_id_1", ..., "integration_id_n"]}, "contactSummary": {"uuid": "...", "timestamp": "2024-02-16T14:42:18.699Z", "adversaryHost": "www.safdemircelik.com", "adversaryTypes": ["Malware"], "endpointIp": "192.168.100.55", "endpointName": "LUMU_01", "label": {"name": "label_1", "relevance": "Low"}, "fromPlayback": false}}, "url": "https://portal.lumu.io/compromise/incidents/show/incident_id/detections"}
The field values for the previous message are:
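The following parser is an added example (not code from the Lumu documentation or the Universal SIEM tool) covering both framings above: it splits the RFC 5424 or RFC 3164 header from the JSON event, decodes PRI into facility and severity, and pulls the incident fields a SIEM rule would key on. The regexes are this example's own assumption about the layouts shown, and the sample lines are constructed with a trimmed payload.

```python
import json
import re

# Header layouts as shown on the page (this example's assumption; structured-data is
# "-" or one or more [..] elements, and MESSAGE is the JSON event starting with "{").
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\d (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) (?P<msg>\{.*)$"
)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[ :]+)\[(?P<procid>\d+)\]: (?P<msg>\{.*)$"
)

def parse_lumu_syslog(line: str) -> dict:
    """Parse one Lumu syslog line (RFC 5424 or RFC 3164) into header fields + event."""
    for rfc, rx in ((5424, RFC5424_RE), (3164, RFC3164_RE)):
        m = rx.match(line)
        if m:
            break
    else:
        raise ValueError("line does not match the RFC 5424 or RFC 3164 Lumu layout")
    pri = int(m.group("pri"))
    event = json.loads(m.group("msg"))          # MESSAGE carries the Lumu JSON event
    event_type, payload = next(iter(event.items()))
    return {
        "rfc": rfc,
        "facility": pri >> 3,                    # PRI = facility * 8 + severity
        "severity": pri & 7,
        "host": m.group("host"),
        "app": m.group("app"),
        "event_type": event_type,
        "incident_id": payload["incident"]["id"],
        "status": payload["incident"]["status"],
        "adversary": payload["contactSummary"]["adversaryHost"],
        "endpoint_ip": payload["contactSummary"]["endpointIp"],
        "portal_url": payload["url"],
    }

# Constructed sample lines with the same shape as the page's examples (trimmed payload).
EVENT = ('{"IncidentUpdated": {"companyId": "c1", "incident": {"id": "inc-1", '
         '"status": "open", "adversaryTypes": ["Malware"]}, "contactSummary": '
         '{"adversaryHost": "www.example.invalid", "endpointIp": "192.168.100.55", '
         '"endpointName": "LUMU_01"}, "url": "https://portal.lumu.io/compromise/incidents/show/inc-1/detections"}}')
SAMPLE_5424 = "<150>1 2024-02-16T14:39:49.246Z 78af70ae0d97 lumu-incs 7 ceb204e8272c457d84af3499a15bb011 - " + EVENT
SAMPLE_3164 = "<150>Feb 16 14:43:08 6d2b4d9e1293 lumu-incs[7]: " + EVENT

if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        print(parse_lumu_syslog(sample))
```

PRI 150 decodes to facility 18 (local2) and severity 6 (informational), which is what a collector should expect from these messages.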
1. Prepare the container (replace VALUE with proper values):
docker create \
-e CUSTOM_OUTPUT="syslog_proto" \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e APP_VERBOSE=VALUE \
-e COMPANY_KEY=VALUE \
-e OUTPUT_SERVERS=VALUE \
-e SYSLOG_RFC=VALUE \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=1030m \
--log-opt max-file=13 \
lumutools/universal-siem:latest
2. Run it:
docker start lumu-universal-siem
Use this method if your SIEM supports event collection through an HTTP collector. The SIEM exposes an HTTP URL to which the forwarder pushes data with POST Web requests.
First, create the Lumu HTTP collector in your SIEM deployment. If your SIEM requires the Web requests to carry query parameters, a particular body format, or specific headers, create and configure the .env_ auxiliary files as follows:
If you need to set specific HTTP headers, create the .env_headers file using this structure:
APP_HEADERS='{"Content-Type": "application/json"}'
If you need to set a specific HTTP request body format, create the .env_body file using this structure:
# Lumu variable is "{{LUMU_EVENT}}"
APP_BODY='[
{
"key_1": "value_1",
...,
"key_n": "value_n",
"message": "{{LUMU_EVENT}}"
}
]'
APP_ESCAPE_LUMU_EVENT=0 # 1|0, set to 1 if you need to quote the Lumu event as a string
APP_REPLACE_LUMU_EVENT=1
Some considerations:
If you need to set query parameters for the HTTP request, create the .env_queries file using this structure:
APP_QUERIES='{
"param1":"value1",
"param2": "value2"
}'
Add each required query parameter as a key: value pair.
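Before mounting a .env_body file, it is worth checking that the template still parses once the Lumu event has been substituted (a stray trailing comma is the usual breakage). The check below is an added example, not part of the Lumu tool; the substitution semantics for APP_ESCAPE_LUMU_EVENT (1 = event embedded as an escaped JSON string, 0 = event spliced in as a JSON object) are this example's assumption based on the description above, and the .env_body content and event are constructed.

```python
import json
import re

# Constructed .env_body content in the layout shown above.
ENV_BODY_TEXT = """# Lumu variable is "{{LUMU_EVENT}}"
APP_BODY='[
  {
    "source": "lumu-universal-siem",
    "message": "{{LUMU_EVENT}}"
  }
]'
APP_ESCAPE_LUMU_EVENT=0 # 1|0, set to 1 to quote the Lumu event as a string
APP_REPLACE_LUMU_EVENT=1
"""

# Constructed, trimmed stand-in for the Lumu event the forwarder would substitute.
EVENT = {"IncidentUpdated": {"incident": {"id": "inc-1", "status": "open"},
                             "contactSummary": {"endpointIp": "192.168.100.55"}}}

def parse_env(text: str) -> dict:
    """Read KEY='multi-line value' or KEY=value lines; '#' starts a comment on unquoted lines."""
    env = {}
    for m in re.finditer(r"^(\w+)=(?:'([^']*)'|([^#\n]*))", text, re.M):
        env[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return env

def render_body(env: dict, event: dict) -> str:
    """Substitute {{LUMU_EVENT}} (assumed semantics of APP_ESCAPE_LUMU_EVENT, see lead-in)."""
    raw = json.dumps(event, separators=(",", ":"))
    body = env["APP_BODY"]
    if env.get("APP_ESCAPE_LUMU_EVENT", "0") == "1":
        # quoted mode: the event becomes a JSON string inside the template's "..."
        body = body.replace("{{LUMU_EVENT}}", json.dumps(raw)[1:-1])
    else:
        # object mode: the placeholder and its surrounding quotes become the object itself
        body = body.replace('"{{LUMU_EVENT}}"', raw)
    return body

def body_is_valid_json(env: dict, event: dict) -> bool:
    """Pre-deployment check: does the template still parse after substitution?"""
    try:
        json.loads(render_body(env, event))
        return True
    except (json.JSONDecodeError, KeyError):
        return False

# Same template with a trailing comma after the message line: the check must reject it.
BROKEN_ENV_BODY_TEXT = ENV_BODY_TEXT.replace('"{{LUMU_EVENT}}"\n', '"{{LUMU_EVENT}}",\n')
```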
1. Prepare the container (replace VALUE with proper values):
docker create \
-e CUSTOM_OUTPUT="custom_http" \
-e COMPANY_KEY=VALUE \
-e INCLUDE_MUTED_UPDATES=VALUE \
-e APP_VERBOSE=VALUE \
-e CUSTOM_FULL_URL=VALUE \
-v $(pwd)/.env_headers:/app/.env_headers \
-v $(pwd)/.env_body:/app/.env_body \
-v $(pwd)/.env_queries:/app/.env_queries \
--restart unless-stopped \
--name lumu-universal-siem \
--log-opt tag=lumu-universal-siem \
--log-opt max-size=3100m \
--log-opt max-file=13 \
lumutools/universal-siem:latest
If you don't need to define custom parameters for a particular HTTP request attribute, remove the corresponding line from the previous command.
For the proper operation of the integration, follow these recommendations:
Here, you find some uses of the Universal SIEM integration with particular SIEMs: