Using Grouping Rules with Lumu Collectors

Grouping Rules is a feature shared by some of our collectors that allows you to better organize and categorize the traffic these collectors analyze using your labels.

Data Collection collectors are designed to receive traffic in bulk, which is not ideal for Lumu’s Label system. Grouping Rules allows you to properly label traffic from your network to maximize efficiency and visibility.
The following collectors support Grouping Rules:
  • Agents Server Collector
  • Virtual Appliances
  • Custom Collector (API)
  • Log Forwarder
  • Out-of-the-Box Data Collection Integrations
    • AWS
    • Google Cloud
    • Kubernetes
    • Netskope
    • Cisco Umbrella
Notes
Grouping Rules leverage the power of Lumu’s Label system. To know more about Labels, read this article.

Setting Up Grouping Rules

1. Head to your Collector Details panel and click on Add Rule.
Notes
Once you complete your first set of Grouping Rules, you can copy them if needed by clicking on the Add rules from another collector button and selecting the collector you wish to copy the Grouping Rules from.
2. You will be asked to fill in the specific CIDR or IP of the assets you want the collector to see and collect for, as well as a Label. Here you must choose the appropriate label for this segment from the ones you have created previously. You can also exclude this network segment from data analysis.
Grouping Rules use CIDR (Classless Inter-Domain Routing) and Labels to sort the machines in your network into specific categories of your choosing. You can create up to 200 fields for specific CIDR clusters, each with a Label of your choosing.
Once you’re done, click on the Diskette icon to save it.
3. Once done, you will see the new Rule listed in the panel. You can edit it by clicking on the Pencil icon, or delete it by clicking on the Trashcan icon. You can delete rules in bulk by selecting them using the checkbox on the left. You can also search for a specific CIDR/IP or Label using the search bar, which you can easily identify by the Looking Glass icon.

Use Cases

Grouping rules are available for an array of Lumu Collectors. We will provide some examples and use cases to illustrate how this feature can be valuable for your security operation.
  • You have configured a Lumu Virtual Appliance to collect metadata from a firewall that protects your office. This firewall handles the traffic of 25 different devices belonging to three different departments: HR, R&D and Executives, which you are interested in classifying according to the unique conditions of each environment. Using Grouping Rules, you can organize the traffic by team using IP ranges, assign the appropriate label to each of them, and read the metadata collected from the firewall more easily instead of having the bulk of that traffic assigned to a single label.
  • You have set up Lumu to collect metadata from your organization's network; however, a segment of it is configured as a guest network, meaning that your organization can’t control the devices connected to it. Due to the way the collector is configured, you would only be able to assign a single label to it by default. With Grouping Rules, you can assign a label to the guest segment of your network and exclude it from analysis, which would alleviate alert fatigue caused by unneeded noise, and help your team focus on the security of critical assets.
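The following added example (not Lumu's own code) models how the rules from the setup steps sort bulk collector traffic in the two use cases above: CIDR or single-IP entries with a Label, the 200-rule limit, and a segment that is labelled but excluded from analysis. The rule entries, flows, department ranges and the "Office Firewall" default label are constructed sample data; the longest-prefix precedence for overlapping rules is an assumption the article does not state.

```python
import ipaddress
from collections import namedtuple

MAX_RULES = 200  # per-collector rule limit stated in the article
# exclude=True keeps the label but drops the segment from analysis (the guest-network case)
GroupingRule = namedtuple("GroupingRule", "network label exclude")

def build_rules(entries):
    """entries: (cidr_or_ip, label, exclude) tuples as typed into the Add Rule form."""
    if len(entries) > MAX_RULES:
        raise ValueError(f"a collector supports at most {MAX_RULES} grouping rules")
    # ip_network() accepts a bare IP such as "10.10.1.250" as a /32 (or /128) host network
    rules = [GroupingRule(ipaddress.ip_network(c, strict=False), l, x) for c, l, x in entries]
    # Assumption (not stated in the article): where rules overlap, the most specific prefix
    # wins, so order longest prefix first and let classify() take the first match.
    return sorted(rules, key=lambda r: r.network.prefixlen, reverse=True)

def classify(ip, rules, default_label):
    """Label for a source IP; None if an exclude rule matches; default_label if none matches."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if addr in rule.network:  # False when the IP and network versions differ
            return None if rule.exclude else rule.label
    return default_label

def label_flows(flows, rules, default_label):
    """Split bulk collector traffic into {label: [flows]} plus the list of excluded flows."""
    labelled, excluded = {}, []
    for flow in flows:
        label = classify(flow["src"], rules, default_label)
        if label is None:
            excluded.append(flow)
        else:
            labelled.setdefault(label, []).append(flow)
    return labelled, excluded

# Constructed sample data mirroring the article's use cases: three departments behind one
# office firewall, a single-host rule inside HR, and a guest segment excluded from analysis.
SAMPLE_RULES = [
    ("10.10.1.0/24", "HR", False),
    ("10.10.1.250", "HR Printers", False),
    ("10.10.2.0/24", "R&D", False),
    ("10.10.3.0/24", "Executives", False),
    ("192.168.100.0/24", "Guest Wi-Fi", True),
]
SAMPLE_FLOWS = [{"src": s, "dst": "203.0.113.9"} for s in
                ("10.10.1.25", "10.10.1.250", "10.10.2.8", "10.10.3.3",
                 "192.168.100.77", "172.16.5.5")]
```

Running `label_flows(SAMPLE_FLOWS, build_rules(SAMPLE_RULES), "Office Firewall")` returns the four department buckets plus the unmatched flow under the collector's default label, with the guest flow in the excluded list.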
