Elastic
Start free trial Contact Sales
Loading

Lumos Integration

<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.4.1 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types
What’s this? | Security
Observability |
| Subscription level
What’s this? | Basic |
| Level of support
What’s this? | Partner |

</div>
The Lumos integration uses Lumos' API to retrieve Activity Logs and ingest them into Elasticsearch. This allows you to search, observe, and visualize the Activity Logs through Elasticsearch.

The Elastic agent running this integration interacts with Lumos' infrastructure using their APIs to retrieve Activity Logs for a Lumos tenant.

  1. In Kibana go to Management > Integrations
  2. In the "Search for integrations" search bar type Lumos.
  3. Click on "Lumos" integration from the search results.
  4. Click on Add Lumos button to add Lumos integration.
  1. In Lumos go to Settings > API Tokens
  2. Click on "Add API Token", enter a name and description
  3. Copy the key starting with lsk_
  4. While adding Lumos integration in Elastic, paste your key into the API Token field

Activity Logs summarize the history of changes and events occurring within Lumos.

**Exported fields**
Field Description Type
@timestamp Event timestamp. date
data_stream.dataset Data stream dataset. constant_keyword
data_stream.namespace Data stream namespace. constant_keyword
data_stream.type Data stream type. constant_keyword
event.module Event module constant_keyword
input.type Input type keyword
lumos.activity_logs.actor.actor_type The type of actor keyword
lumos.activity_logs.actor.email The email of the actor keyword
lumos.activity_logs.actor.family_name The family name of the actor keyword
lumos.activity_logs.actor.given_name The given name of the actor keyword
lumos.activity_logs.event_began_at The time the event began keyword
lumos.activity_logs.event_type_user_friendly The user friendly type of the event keyword
lumos.activity_logs.targets.name keyword
lumos.activity_logs.targets.target_type keyword
**Example**

An example event for activity looks as following:

{
    "@timestamp": "2024-06-12T03:14:31.761Z",
    "agent": {
        "ephemeral_id": "164152f0-95db-44c9-a369-1412cbf18efd",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "lumos.activity_logs",
        "namespace": "41003",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "SOD_POLICY_DELETED",
        "agent_id_status": "verified",
        "created": "2024-06-12T03:14:31.761Z",
        "dataset": "lumos.activity_logs",
        "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7",
        "ingested": "2024-06-12T03:14:43Z",
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "host": {
        "architecture": "x86_64",
        "containerized": false,
        "hostname": "docker-fleet-agent",
        "id": "8259e024976a406e8a54cdbffeb84fec",
        "ip": [
            "172.19.0.7"
        ],
        "mac": [
            "02-42-AC-13-00-07"
        ],
        "name": "docker-fleet-agent",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "6.5.11-linuxkit",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.6 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "httpjson"
    },
    "lumos": {
        "activity_logs": {
            "actor": {
                "actor_type": "Lumos user",
                "email": "wile.e.coyote@lumos.com",
                "family_name": "Wile",
                "given_name": "Coyote"
            },
            "event_began_at": "2024-03-12T16:09:14",
            "event_type_user_friendly": "A user deleted a SOD Policy",
            "targets": [
                {
                    "name": "Untitled Rule",
                    "target_type": "SOD Policy"
                }
            ]
        }
    },
    "message": "{\"actor\":{\"actor_type\":\"Lumos user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[{\"name\":\"Untitled Rule\",\"target_type\":\"SOD Policy\"}]}"
}
**Changelog**
Version Details Kibana version(s)
1.4.1 pass:[] Bug fix (View pull request)
Fix broken links in Security Service integrations packages.
 8.13.0 or higher
1.4.0 pass:[] Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".
 8.13.0 or higher
1.3.0 pass:[] Enhancement (View pull request)
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
 8.13.0 or higher
1.2.1 pass:[] Bug fix (View pull request)
Fix sample event.
 8.12.1 or higher
1.2.0 pass:[] Enhancement (View pull request)
Make event.type field conform to ECS field definition.
 8.12.1 or higher
1.1.0 pass:[] Enhancement (View pull request)
Improve handling of empty responses.
 8.12.1 or higher
1.0.0 pass:[] Enhancement (View pull request)
Release package as GA.
 8.12.1 or higher
0.1.0 pass:[] Enhancement (View pull request)
Initial draft of the package