SIEM Webhooks
Last updated: October 7, 2024
Background
If you want to be alerted promptly about critical access or app-related events taking place in Lumos, having Lumos log to your SIEM lets you create the right alerts and filter out the noise.
If Lumos doesn't have a native integration with your SIEM, you can create a SIEM webhook that pushes every SIEM event to an HTTP endpoint of your choosing. See How Lumos Logs to Your SIEM.
This article walks you through the setup process to add a SIEM webhook in Lumos and connect it to an arbitrary HTTP endpoint.
What's sent in the webhook?
Lumos sends an HTTP POST with a JSON payload of the log data whenever the webhook is triggered. The payload format is shown below.
{
  "event": {
    "actor": {
      "actor_data": {
        "email": "wile.e.coyote@acme.com",
        "family_name": "Coyote",
        "given_name": "Wile E."
      },
      "actor_type": "ActivityActorType.LUMOS_USER"
    },
    "event_began_at": "2024-02-16T14:06:19.705603",
    "event_hash": "f9d5af2986701a4a9866b3bc4d5008eaae6602cf519664b28b4cc10ceef1763f99a915bf09468e114f2c893467d63806d62a5f5d7735ed381265654836101d8",
    "event_metadata": {
      "access_length": null,
      "appstore_request_metadata": null,
      "business_justification": null,
      "deprovisioned_through_direct_integration": null,
      "error_message": null,
      "itsm_ticket_link": null,
      "operation_trigger": null,
      "permissions": null,
      "reason_for_preapproval": null,
      "success_message": null
    },
    "event_type": "ADMIN_UPDATED_APP_ADMINS",
    "event_type_user_friendly": "Updated App Admins",
    "outcome": "SUCCEEDED",
    "targets": [
      {
        "target_data": {
          "app_id": "trains.com",
          "instance_id": "region/american-southwest",
          "user_friendly_label": "Train Ticket"
        },
        "target_type": "ActivityTargetType.APP_INSTANCE"
      },
      {
        "target_data": {
          "external_id": "01op0j5njx6uqdw",
          "name": "Coyotes"
        },
        "target_type": "ActivityTargetType.LUMOS_GROUP"
      }
    ]
  }
}
How should my script or workflow respond?
A SIEM webhook delivery is considered successful if the Endpoint URL returns any HTTP 2XX response.
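The following is an added example of a minimal receiver for the payload format and response rule described above; it is not Lumos code and nothing in it is part of the Lumos product. It parses the POST body into the fields a SIEM rule typically keys on (actor, event type, outcome, targets), stores the record, and only then answers with a 2XX so that Lumos counts the delivery as successful; a malformed body gets a 4XX so the failure is visible rather than silently dropped. The `/lumos` path, the `ALERT_EVENT_TYPES` set, the in-memory sink and the use of `event_hash` to suppress duplicate ingestion are all assumptions made for this example, and the sample payload is constructed from the format shown in the article.

```python
from __future__ import annotations

import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample, following the payload format shown in the article.
# The event_hash value is a placeholder, not a real Lumos hash.
SAMPLE_PAYLOAD = {
    "event": {
        "actor": {
            "actor_data": {"email": "wile.e.coyote@acme.com",
                           "family_name": "Coyote", "given_name": "Wile E."},
            "actor_type": "ActivityActorType.LUMOS_USER",
        },
        "event_began_at": "2024-02-16T14:06:19.705603",
        "event_hash": "constructed-hash-0001",
        "event_metadata": {"access_length": None, "business_justification": None},
        "event_type": "ADMIN_UPDATED_APP_ADMINS",
        "event_type_user_friendly": "Updated App Admins",
        "outcome": "SUCCEEDED",
        "targets": [
            {"target_data": {"app_id": "trains.com",
                             "instance_id": "region/american-southwest",
                             "user_friendly_label": "Train Ticket"},
             "target_type": "ActivityTargetType.APP_INSTANCE"},
            {"target_data": {"external_id": "01op0j5njx6uqdw", "name": "Coyotes"},
             "target_type": "ActivityTargetType.LUMOS_GROUP"},
        ],
    }
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()

# Assumption: the integrator chooses which event types should raise an alert.
ALERT_EVENT_TYPES = {"ADMIN_UPDATED_APP_ADMINS"}

# Stand-ins for the SIEM sink and the delivery ledger (in-memory for the example).
SIEM_RECORDS: list[dict] = []
SEEN_HASHES: set[str] = set()


def normalize_event(payload: dict) -> dict:
    """Flatten one Lumos event into the fields a SIEM rule typically keys on."""
    ev = payload["event"]
    actor = ev["actor"]["actor_data"]
    targets = []
    for t in ev.get("targets", []):
        data = t.get("target_data", {})
        targets.append({"type": t.get("target_type"),
                        "label": data.get("user_friendly_label") or data.get("name")})
    return {
        "event_hash": ev["event_hash"],
        "time": ev["event_began_at"],
        "event_type": ev["event_type"],
        "description": ev.get("event_type_user_friendly"),
        "outcome": ev["outcome"],
        "actor_email": actor.get("email"),
        "targets": targets,
        "alert": ev["event_type"] in ALERT_EVENT_TYPES,
    }


def handle_webhook(body: bytes, seen: set[str] = SEEN_HASHES,
                   sink: list[dict] = SIEM_RECORDS) -> tuple[int, dict]:
    """Process one POST body and return (http_status, reply).

    Any 2XX tells Lumos the delivery succeeded, so a 2XX is returned only
    after the record is stored. A 4XX on a malformed body reports the
    failure instead of acknowledging an event that was never ingested.
    """
    try:
        record = normalize_event(json.loads(body))
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed payload"}
    if record["event_hash"] in seen:
        # Already ingested: acknowledge again rather than storing twice (assumed policy).
        return 200, {"status": "duplicate", "event_hash": record["event_hash"]}
    sink.append(record)
    seen.add(record["event_hash"])
    return 202, {"status": "accepted", "alert": record["alert"]}


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP front end; /lumos is an assumed path chosen for this example."""

    def do_POST(self) -> None:
        if self.path != "/lumos":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        status, reply = handle_webhook(self.rfile.read(length))
        out = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Assumption: TLS termination and endpoint authentication sit in a proxy in front of this.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run the module and point the webhook's Endpoint URL at `/lumos` on the listening host. The important design choice is the ordering inside `handle_webhook`: the record is written to the sink before the 2XX is sent, because once Lumos sees a 2XX it treats that event as delivered.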
How do I start sending webhooks to my SIEM?
1. Create a SIEM webhook. See Creating Webhooks.
2. Navigate to your SIEM settings, choose your webhook in the dropdown, then click the Save button.
Your webhook will now begin broadcasting events to your desired endpoint every time a new Activity Log entry is created!