The Wazuh XDR Custom SecOps Integration allows you to poll and push adversary-related events to your Wazuh deployment. After configuring the integration, your Wazuh deployment will be able to receive and process Lumu events. By using it, you will be able to see adversarial activity detected by Lumu, giving your Security Operations team more visibility.
SecOps integration between Wazuh XDR and Lumu
Allow all the traffic to the following hosts. These are required for the operation of this integration:
Before deploying and implementing the Lumu Integration, you must prepare your Wazuh deployment to ensure the integration works as expected. The steps depicted below depend on the deployment you are working on, Cloud or On-premise.
The following steps apply to prepare Cloud and On-premise environments
The integration needs a policy that allows the integration user to run some tasks on the Wazuh manager after setting up the decoders and rules. To do so, log in to your Wazuh server and follow these steps:
1. Click on the hamburger icon in the top left corner of the screen. Then, expand the Server management section and click on the Security menu.
2. Under the Policies tab in the Security screen, click on the Create policy button.
3. Fill in the required data for your new policy as follows:

| Action | Resources |
| --- | --- |
| `cluster:read` | `node:id:*` |
| `cluster:restart` | `node:id:*` |
| `manager:read` | `*:*:*` |
| `manager:restart` | `*:*:*` |
You can use the following image for guidance.
4. Create your policy by clicking on the Create policy button.
Now it's time to create a tailored role for the integration and link it to the policy you just created. To create the integration role, go to the Security screen by following the steps in the previous section. There, follow these steps:
1. Under the Roles tab in the Security screen, click on the Create role button.
2. Fill in the required data for your new role following the next example:

Role name: lumu_integration
Policies: decoders_read_decoders, decoders_all_resourceless, rules_read_rules, rules_all_resourceless, manager_integration

You can use the following image for guidance.
3. Create your role by clicking the Create role button.
These steps apply for Wazuh On-premise deployments.
1. Under the Users tab in the Security screen, click on the Create user button.
2. Fill in the data for your new user. Make sure you assign the lumu_integration role created before.
3. Create your user by clicking on the Apply button.
Collect the integration username and password. These will be used to set up the integration later.
These steps apply for Wazuh Cloud deployments.
If you are working with a Cloud deployment, you need to create an internal user and map it to the created role. First, let’s create the internal user. To do it, follow these steps:
1. Click on the Security menu under the Indexer Management section.
2. In the Security window, click on the Internal users option in the left menu. Then click on the Create internal user button.
3. Fill in the Username and Password fields. Other fields are optional. Click on the Create button.
Collect the username and password. These will be used to set up the integration later.
Now, it’s time to map it to the created role.
1. Click on the hamburger icon in the top left corner of the screen. Then, expand the Server management section and click on the Security menu.
2. In the Security window, click on the Roles mapping tab. Then click on the Create Role mapping button.
3. Fill in the information in the Create new role mapping window. Make sure you select the lumu_integration role under the Roles field. Under the Internal users field, select the internal user created before.
4. Click on the Save role mapping button to create your new mapping.
Wazuh Cloud deployments rely on Syslog forwarding from its agents to process data. Follow the Forward syslog events document to configure it.
The integration set-up process needs you to collect this information from Lumu portal:
Lumu Defender API key
Company UUID
Log in to your Lumu portal and run the following data collection procedures.
To collect the Lumu Defender API key, refer to the Defender API document.
To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.
There are two environment options to deploy the script; select the one that best fits your current infrastructure.
Whichever alternative you select, you must first unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Bear in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
To set up the integration, add and edit the companies.yml configuration file. This file contains the information collected from your Wazuh and Lumu deployments.
The companies file defines how the integration:
```yaml
lumu:
  uuid: "<COMPANY-UUID>"
  defender_key: "<DEFENDER-KEY>"
  include_muted_updates: false # Boolean: true | false
  throttle: 0 # INT<[0-5]> minutes
  incident_types: ["C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"] # ["C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"] | [] | null
app:
  rule_level:
    # Define rule severity. This will be used for creating the Lumu rules in Wazuh
    # For further reference, check https://documentation.wazuh.com/current/user-manual/ruleset/rules/rules-classification.html
    new_incident: 14 # 0-16 (14 | High importance security event | It is triggered with correlation most of the time, and it indicates an attack.)
    updated_incident: 14 # 0-16 (14 | High importance security event | It is triggered with correlation most of the time, and it indicates an attack.)
  # Defines the wazuh receiver information
  wazuh_receiver: "<WAZUH_RECEIVER_DATA>" # (udp|tcp):hostname_ip:port
  api:
    # Connection parameters to manage Wazuh
    host: "<WAZUH_HOST_IP>" # Wazuh Manager host or IP address. For Cloud deployments, this has the format HOSTNAME.cloud.wazuh.com
    port: <WAZUH_API_PORT> # Wazuh Manager API port. The default is 55000
    username: "<WAZUH_API_USERNAME>" # Wazuh API username
    password: "<WAZUH_API_PASSWORD>" # Wazuh API password
    verify: false # Verify Wazuh SSL certificate
```
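A pre-flight check for a filled-in companies.yml, added here as an example and not part of the Lumu package: it applies the limits stated in the file's own comments (throttle 0-5 minutes, rule levels 0-16, the allowed incident_types, the (udp|tcp):hostname_ip:port receiver format), catches template placeholders left in place, and flags verify: false, which leaves the Wazuh API TLS certificate unchecked. The dict it checks is the structure yaml.safe_load() returns for the file; every value in the sample is a constructed placeholder.

```python
import re

# Added example, not part of the Lumu package. Checks a loaded companies.yml
# (the dict yaml.safe_load() returns) against the limits documented in the file.
ALLOWED_TYPES = {"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"}
RECEIVER_RE = re.compile(r"^(udp|tcp):([^:\s]+):(\d{1,5})$")


def parse_receiver(value):
    """Split '(udp|tcp):hostname_ip:port' into (proto, host, port), or None if malformed."""
    m = RECEIVER_RE.match(value or "")
    if not m or not 1 <= int(m.group(3)) <= 65535:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def validate_companies(cfg):
    """Return a list of problems found; an empty list means the config looks usable."""
    problems = []
    lumu, app = cfg.get("lumu", {}), cfg.get("app", {})
    for key in ("uuid", "defender_key"):
        if not lumu.get(key) or str(lumu[key]).startswith("<"):  # template value left in
            problems.append(f"lumu.{key} is missing or still a placeholder")
    if not isinstance(lumu.get("throttle"), int) or not 0 <= lumu["throttle"] <= 5:
        problems.append("lumu.throttle must be an integer between 0 and 5 (minutes)")
    types = lumu.get("incident_types")
    if types is not None and not set(types) <= ALLOWED_TYPES:
        problems.append(f"lumu.incident_types has unknown entries: {sorted(set(types) - ALLOWED_TYPES)}")
    for key, level in app.get("rule_level", {}).items():
        if not isinstance(level, int) or not 0 <= level <= 16:
            problems.append(f"app.rule_level.{key} must be 0-16, got {level!r}")
    if parse_receiver(app.get("wazuh_receiver")) is None:
        problems.append("app.wazuh_receiver must be (udp|tcp):hostname_ip:port")
    api = app.get("api", {})
    if not isinstance(api.get("port"), int):
        problems.append("app.api.port must be an integer (the Wazuh API default is 55000)")
    if api.get("verify") is False:
        problems.append("app.api.verify is false: the Wazuh API TLS certificate will not be checked")
    return problems


# Constructed sample: the template above with several fields filled in incorrectly.
SAMPLE = {
    "lumu": {"uuid": "<COMPANY-UUID>", "defender_key": "constructed-key",
             "include_muted_updates": False, "throttle": 7,
             "incident_types": ["C2C", "Malware", "Botnet"]},
    "app": {"rule_level": {"new_incident": 14, "updated_incident": 17},
            "wazuh_receiver": "udp:wazuh.example.internal:514",
            "api": {"host": "wazuh.example.internal", "port": 55000,
                    "username": "lumu_integration", "password": "x", "verify": False}},
}
```

Running validate_companies(SAMPLE) reports five problems (placeholder uuid, throttle out of range, unknown incident type, rule level above 16, and verify disabled).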
Within the configuration file, fill in these fields:
From Lumu
From Wazuh
(tcp|udp):HOSTNAME_IP:PORT
To tailor your integration in detail, you can use the following parameters within the configuration file:
If Python is your chosen deployment method, you will need to create a virtual environment for each integration to avoid conflicts between them and your operating system tools. Make sure you follow the steps in our Preparing Environment for Custom Integrations article.
To deploy the integration as a script, run the install.sh script inside the integration package.
To run the installation script, change to the <app_lumu_root> folder, then execute this line from the command line.
The installation script will set up the Python environment and a cron job. This job will try to keep running your integration script even if your deployment host restarts.
To use the script, you must change to the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:
usage: wazuh_lumu [-h] [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH] [-v] [-c] [-l {screen,file}] [--hours HOURS]
| Options | Description |
| --- | --- |
| -h, --help | Show this help message and exit. |
| --config CONFIG | Config file path of the integration (default: companies.yml). |
| --logging {screen,file} | Logging option (default: screen). |
| --verbose, -v | Verbosity level. |
| --hours HOURS | Keep DB log records from the last HOURS hours, for automatic maintenance of the local DB. |
To configure your Wazuh Manager and send Lumu detection events to your Wazuh deployment with the default values, run the following command.
According to your needs, you can combine the examples shown. If you need more details on the steps executed by the integration script, you can add the --logging {file,screen} and --verbose arguments. These arguments can be used for troubleshooting.
If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a Docker container, change to the <app_lumu_root> folder and follow these instructions:
1. Build the container by running the following command.
```shell
docker build \
  [--build-arg ADDITIONAL_ARGUMENTS='<ADDITIONAL_ARGUMENTS>'] \
  --tag img-lumu-wazuh-secops \
  --file Dockerfile .
```

Do not forget the trailing dot ".". <ADDITIONAL_ARGUMENTS> can be used to pass other arguments to your Docker container. For further reference, check the Deploy Integration as a script section. For example, you can collect DEBUG logs by setting ADDITIONAL_ARGUMENTS to -v.
2. Run the container by using the following command.

```shell
docker run -d \
  --restart unless-stopped \
  --log-driver json-file \
  --log-opt max-size=30m \
  --log-opt max-file=3 \
  --name lumu-wazuh-secops \
  img-lumu-wazuh-secops
```
For troubleshooting purposes, you can run the following commands:
To log in to your container using an interactive shell:
To collect integration logs:
After running the integration, you will see:
New decoders
New rules
These will allow Wazuh to process Lumu alerts. You will see them in your Wazuh dashboard for new incidents or new contacts to identified adversaries.
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
The application logs are written to the lumu.log file. The errors.log file stores only the errors, to make them easier to find and to aid the troubleshooting process.
If you receive errors like this:
It means you are using the wrong key parameters or the wrong values for those parameters.
If you receive the following error:
There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process ID of the running instance.