Lumos
An integration with Lumos to ship your Activity logs to your Elastic instance.
Version |
0.1.0 (View all) |
Compatible Kibana version(s) |
8.12.1 or higher |
Supported Serverless project types |
Security Observability |
Subscription level |
Basic |
Level of support |
Partner |
The Lumos integration uses Lumos' API to retrieve Activity Logs and ingest them into Elasticsearch. This allows you to search, observe, and visualize the Activity Logs through Elasticsearch.
The Elastic agent running this integration interacts with Lumos' infrastructure using their APIs to retrieve Activity Logs for a Lumos tenant.
Configuration
Enabling the integration in Elastic
- In Kibana go to Management > Integrations
- In the "Search for integrations" search bar type Lumos.
- Click on "Lumos" integration from the search results.
- Click on Add Lumos button to add Lumos integration.
Configure Lumos Activity Logs data stream
- In Lumos go to Settings > API Tokens
- Click on "Add API Token", enter a name and description
- Copy the key starting with
lsk_
- While adding Lumos integration in Elastic, paste your key into the
API Token
field
Logs
Activity Logs
Activity Logs summarize the history of changes and events occurring within Lumos.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
event.action | The activity that occurred | keyword |
event.created | The time the event began | date |
event.id | The event hash | keyword |
event.module | Event module | constant_keyword |
event.outcome | The outcome of the event, whether it succeeded or failed | keyword |
input.type | Input type | keyword |
lumos.activity_logs.actor.actor_type | The type of actor | keyword |
lumos.activity_logs.actor.email | The email of the actor | keyword |
lumos.activity_logs.actor.family_name | The family name of the actor | keyword |
lumos.activity_logs.actor.given_name | The given name of the actor | keyword |
lumos.activity_logs.event_began_at | The time the event began | keyword |
lumos.activity_logs.event_type_user_friendly | The user friendly type of the event | keyword |
lumos.activity_logs.targets.name | keyword | |
lumos.activity_logs.targets.target_type | keyword | |
message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
An example event for activity
looks as following:
{
"@timestamp": "2024-03-14T17:53:58.869Z",
"agent": {
"ephemeral_id": "9d0d6b51-1c05-4ab1-ab5c-c16e485d734f",
"id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.1"
},
"data_stream": {
"dataset": "lumos.activity_logs",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e",
"snapshot": false,
"version": "8.12.1"
},
"event": {
"action": "SOD_POLICY_DELETED",
"agent_id_status": "verified",
"created": "2024-03-14T17:53:58.869Z",
"dataset": "lumos.activity_logs",
"id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7",
"ingested": "2024-03-14T17:54:10Z",
"kind": "event",
"outcome": "success",
"type": "info"
},
"host": {
"architecture": "aarch64",
"containerized": false,
"hostname": "docker-fleet-agent",
"id": "fb3be8e9409740ebb6621b777f0c397d",
"ip": [
"192.168.144.7"
],
"mac": [
"02-42-C0-A8-90-07"
],
"name": "docker-fleet-agent",
"os": {
"codename": "focal",
"family": "debian",
"kernel": "6.6.12-linuxkit",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "linux",
"version": "20.04.6 LTS (Focal Fossa)"
}
},
"input": {
"type": "httpjson"
},
"lumos": {
"activity_logs": {
"actor": {
"actor_type": "Lumos user",
"email": "wile.e.coyote@lumos.com",
"family_name": "Wile",
"given_name": "Coyote"
},
"event_began_at": "2024-03-12T16:09:14",
"event_type_user_friendly": "A user deleted a SOD Policy",
"targets": [
{
"name": "Untitled Rule",
"target_type": "SOD Policy"
}
]
}
},
"message": "{\"actor\":{\"actor_type\":\"Lumos user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[{\"name\":\"Untitled Rule\",\"target_type\":\"SOD Policy\"}]}"
}
Changelog
Version | Details | Kibana version(s) |
---|---|---|
0.1.0 | Enhancement View pull request | — |