Autotask Custom SecOps Integration

This article shows how to leverage the Autotask API and the Lumu Defender API to enhance your SecOps capabilities, pushing Lumu incidents into an Autotask deployment as Service Tickets and keeping both systems in sync.

Requirements

  • An active Autotask subscription with Web access.
  • An active Lumu Defender subscription.
  • A Lumu Defender API key.
  • A scripting host with Python 3.10.
  • A scripting host with Docker support (optional).

Before you start

Contacted hosts

Allow all traffic to the following hosts. They are required for the operation of this integration:

  • webservices.autotask.net
  • defender.lumu.io

Prepare Autotask for Lumu integration

Before you deploy and implement the Lumu Integration, you need to prepare your Autotask deployment to ensure the integration works as expected.

Create a copy of API User (System) Security Level

In your Autotask Web console, expand the three lines menu at the top left corner of the screen. Click on the Admin section, then click on the Security Levels menu under Account Settings & Users > Resources/Users (HR) > Security.

Copy the API User (system) (API-only) security level and give the copy a name (for example, API User (system) LUMU (API-only)).


Edit the new security level (API User (system) LUMU (API-only)). Modify the permissions according to the following table:

Section | Parameter | Value
CRM > Account & Contact Access | Customer & Cancellation | All
Service Desk > Object Permissions | Tickets > View | All
Service Desk > Object Permissions | Tickets > Add | Yes
Service Desk > Object Permissions | Tickets > Edit | Yes
Service Desk > Object Permissions | Tickets Notes > Edit | All
Service Desk > Other Permissions | Can administer tags and tag groups | Enabled
Admin > Feature Access | Service Desk (Tickets) | Enabled
Web Services API > Feature Access | Can login to Web Services API | Enabled
Web Services API > Resource Impersonation | Service Desk > Tickets > View (Query) | Enabled
Web Services API > Resource Impersonation | Service Desk > Tickets > Add | Enabled
Web Services API > Resource Impersonation | Service Desk > Tickets > Edit (Update) | Enabled
Web Services API > Resource Impersonation | Service Desk > Ticket Notes > View (Query) | Enabled
Web Services API > Resource Impersonation | Service Desk > Ticket Notes > Add | Enabled
Web Services API > Resource Impersonation | Service Desk > Ticket Notes > Edit (Update) | Enabled
Web Services API > Contact Impersonation | Service Desk > Tickets | Enabled
Web Services API > Contact Impersonation | Service Desk > Ticket Notes | Enabled

Create the API User

In your Autotask Web console, expand the three lines menu. Click on the Admin section, then click on the Resources/Users menu under Account Settings & Users > Resources/Users (HR). In the Resources window, click on the right drop arrow of the New button and select New API User.


Complete all the mandatory fields. Follow these directions to complete the specific sections:

  • In the Credentials section, you can either generate the username/key and the password/secret or define them yourself.
  • In the API Tracking Identifier section, select the Integration Vendor radio button. Search for Lumu Technologies - Network Security in the Integration Vendor drop-down list.
  • In the Line of Business section, select the ones that apply to your integration user.



Create Lumu Tag

Only create a Lumu tag if it does not already exist.

In your Autotask Web console, expand the three lines menu. Click on the Admin section, then click on Tags & Tag Groups under the Automation > Tagging section.


In the Tags window, click on the New Tag button. In the Tag (label) field, type lumu, and in the Aliases, type incidents.


Create Service Desk Parameters

To fully integrate Lumu with your Autotask deployment, you need to create the Service categories, issues, and sub-issues. To do so, you will be working with the Service Desk (Tickets) section under the Admin > Features & Settings tab.


Queue

It is recommended to use an existing Queue so that Lumu incidents are grouped with other incidents. Depending on your operation, you can reuse an existing queue or create a new one. To create one, expand the three lines menu. Click on the Admin section, then click on the Queues menu under the Features & Settings > Service Desk (Tickets) section. In the Service Desk Queues window, click on the New button and fill in the required data.


Categories

In your Autotask Web console, expand the three lines menu. Click on the Admin section, then click on the Ticket Categories menu under the Features & Settings > Service Desk (Tickets) section. In the Ticket Categories window, click on the New button.

In the New Ticket Category window, follow these directions:

  • Fill in the Ticket Category Name.
  • Activate the API-only checkbox.
  • In the Header section, change the Default Value/Selection for the Ticket Type to Incident.
  • In the Main Body section, activate the Tags Visible checkbox.



Issues

In your Autotask Web console, expand the three lines menu. Click on the Admin section, then click on the Issue & Sub-Issue Types menu under the Features & Settings > Service Desk (Tickets) section. In the Issue Types window, click on the New button.

Create the Lumu Issue and its Sub-Issues: DGA, Spam, Malware, C&C, Phishing, and Mining. The Lumu issue type must look as follows:


Deploy the package

Remember to contact the Lumu support team to acquire the deployment package if you haven’t already done so.

To deploy the integration package, you have two options:

  • Run it as a Python script.
  • Run it as a Docker container.

Select the alternative that best suits your needs.

Run it as a Python script

Script location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From this point on, we will refer to this folder as <at_lumu_root>.

Install requirements

The file requirements.txt contains the list of dependencies for this integration. After unpacking the package locally, run the following command from the deployment folder (<at_lumu_root>) to install them:

  1. pip install -r requirements.txt

It is recommended to create a Python virtual environment and install the script requirements into it.

Script details

There are two scripts: the init script and the main script. The init script must be executed before the main script. After setting up the environment, you can run the main script.

Init Script details

To use the script, change to the path selected for deployment (<at_lumu_root>). Use the following command to show all options available for the init script:

  1. python setup_autotask_params.py --help

Usage: setup_autotask_params.py [options]


Options | Description
-h, --help | show this help message and exit
--username USERNAME, -u USERNAME | Datto Autotask username with privilege to run the PublicAPI
--secret SECRET, -s SECRET | secret of Datto Autotask username with privilege to run the PublicAPI
--company_key COMPANY_KEY, -key COMPANY_KEY | Lumu defender API Key
--reference_user REFERENCE_USER, -ru REFERENCE_USER | Datto Autotask reference user, example: "user1@company.any"

Keep in mind that all parameters requested by the setup script must be defined. Define them according to your needs and the Autotask preparation steps above.

Main Script details

To use the script, change to the path selected for deployment (<at_lumu_root>). Use the following command to show all options available for the main script:

  1. python autotask_lumu.py --help

Usage: autotask_lumu.py [options]

Options | Description
-h, --help | show this help message and exit
--username USERNAME, -u USERNAME | Datto Autotask username with privilege to run the PublicAPI
--secret SECRET, -s SECRET | secret of Datto Autotask username with privilege to run the PublicAPI
--company_key COMPANY_KEY, -key COMPANY_KEY | Lumu defender API Key
--reference_user REFERENCE_USER, -ru REFERENCE_USER | Datto Autotask reference user, example: "user1@company.any"
--logging {screen,file}, -l {screen,file} | Logging option (default screen)
--verbose, -v | Verbosity level

The script runs as a daemon process. To keep this integration working, you need to guarantee that the script is running at all times.

Usage examples

Task: basic usage or standard usage

Use the following command to listen to Lumu operational events and manage service tickets in your Autotask instance:

  1. python autotask_lumu.py --company_key <Lumu Defender Key> --username <API Username generated> --secret <API Secret generated> --api_integration_code <Code Given by Vendor integration> --reference_user <Default email user for the integration>

Task: save script log in file

Use the option --logging=file to store a record of all tasks run by the script. With this option, all the script output is redirected to a file named lumu.log in the folder where you have deployed the script.

  1. python autotask_lumu.py --company_key <Lumu Defender Key> --username <API Username generated> --secret <API Secret generated> --api_integration_code <Code Given by Vendor integration> --reference_user <Default email user for the integration> --logging file

Other tasks

The above samples can be combined according to your needs.

Troubleshooting

To diagnose failures in the script, run it with the -v flag. This increases the verbosity and helps you identify where the script execution fails.

Run it as a Docker container

The integration can be deployed in a Docker environment. To do so, run the following commands from the integration folder:

  1. Build the Docker image
    1. docker build --build-arg company_key=<value> --build-arg api_integration_code=<value> --build-arg secret=<value> --build-arg username=<value> --build-arg reference_user=<value> --tag python-lumu-autotask .

The arguments used for the Docker image are the same as those used for the script. Refer to the script options above when filling in this data.

  2. Create and run the Docker container
    1. docker run -d --name lumu-autotask python-lumu-autotask

  3. Run the init script within the Docker container
    1. docker exec -it lumu-autotask python setup_autotask_params.py

Troubleshooting

In order to check live logs of the container, run the following command:

  1. docker logs -f lumu-autotask

Expected results

After running the script, it listens for incident updates on Lumu. When an incident is created or updated on Lumu, you will see a corresponding ticket in the Tickets window of the Service Desk section.


The following table shows the transition between states among incidents in Lumu and Autotask.

Autotask state/action | Lumu state/action | Comments
New | Open | Applies to a new incident detected by Lumu
Waiting Customer | Muted |
In progress | Unmute | If the incident is unmuted, it is marked as In progress in Autotask
Complete | Closed |

These transitions are supported in both directions: each transition made in one of the services is reflected in the other. Below you can find some examples of how the operation between both services works.
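The following is an added example, not part of the Lumu deployment package, that models the bidirectional state mapping from the table above as plain Python. It keeps an in-memory view of the tickets instead of calling the Autotask or Lumu APIs, and it shows the one design point a practitioner should check in any two-way sync: a status that the integration itself just wrote into Autotask must not be mirrored straight back to Lumu, or the two systems loop. The Lumu event names (open, muted, unmuted, closed, comment) and the Lumu actions (mute, unmute, close) are assumed labels for this model, not the real API's field values.

```python
"""Model of the Lumu <-> Autotask state sync (added example, not Lumu's code).

Assumptions (hypothetical, not from the article): Lumu operational events are
delivered as the strings open/muted/unmuted/closed/comment, and the actions
sent back to Lumu are mute/unmute/close. Autotask ticket statuses use the
names shown in the article's transition table.
"""
from dataclasses import dataclass, field

# Lumu state/action -> Autotask ticket status (the article's table, left column)
LUMU_TO_AUTOTASK = {
    "open": "New",
    "muted": "Waiting Customer",
    "unmuted": "In progress",
    "closed": "Complete",
}

# Autotask ticket status -> action to send to Lumu (the reverse direction).
# "New" has no reverse action: tickets are only created from Lumu incidents.
AUTOTASK_TO_LUMU = {
    "Waiting Customer": "mute",
    "In progress": "unmute",
    "Complete": "close",
}


@dataclass
class Ticket:
    incident_id: str
    status: str
    notes: list = field(default_factory=list)


@dataclass
class SyncState:
    tickets: dict = field(default_factory=dict)       # incident_id -> Ticket
    last_pushed: dict = field(default_factory=dict)   # incident_id -> status we wrote
    lumu_actions: list = field(default_factory=list)  # (incident_id, action) queued for Lumu


def on_lumu_event(state: SyncState, incident_id: str, event: str, text: str = "") -> Ticket:
    """Apply a Lumu operational event to the Autotask side of the model."""
    ticket = state.tickets.get(incident_id)
    if event == "comment":
        # "Comment Incident" in Lumu becomes a ticket note; status is untouched.
        if ticket is None:
            raise KeyError(f"no ticket for incident {incident_id}")
        ticket.notes.append(text)
        return ticket
    if event not in LUMU_TO_AUTOTASK:
        raise ValueError(f"unsupported Lumu event: {event}")
    status = LUMU_TO_AUTOTASK[event]
    if ticket is None:
        if event != "open":
            raise KeyError(f"no ticket for incident {incident_id}")
        ticket = Ticket(incident_id, status)
        state.tickets[incident_id] = ticket
    else:
        ticket.status = status
    # Remember what we wrote so the echo of this write is not bounced back.
    state.last_pushed[incident_id] = status
    return ticket


def on_autotask_change(state: SyncState, incident_id: str, new_status: str):
    """Apply a ticket status change made in Autotask; return the Lumu action or None.

    None means nothing is sent to Lumu: either the change is the echo of a status
    the integration itself pushed, or the status has no Lumu equivalent.
    """
    if state.last_pushed.get(incident_id) == new_status:
        return None  # echo guard: this is our own write coming back
    action = AUTOTASK_TO_LUMU.get(new_status)
    if action is None:
        return None
    ticket = state.tickets[incident_id]
    ticket.status = new_status
    state.lumu_actions.append((incident_id, action))
    return action


if __name__ == "__main__":
    # Constructed walk-through: incident opened in Lumu, muted, then an analyst
    # moves the ticket in Autotask and finally completes it.
    s = SyncState()
    on_lumu_event(s, "inc-1", "open")
    on_lumu_event(s, "inc-1", "muted")
    print(on_autotask_change(s, "inc-1", "Waiting Customer"))  # None (echo)
    print(on_autotask_change(s, "inc-1", "In progress"))       # unmute
    print(on_autotask_change(s, "inc-1", "Complete"))          # close
    print(s.tickets["inc-1"].status, s.lumu_actions)
```

The echo guard is deliberately simple: it compares only against the last status the integration wrote. A production sync would also want the Lumu side of the same guard (ignore the muted/unmuted/closed event that Lumu emits in response to an action the integration just sent), which is harmless here because re-applying the same status is idempotent.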

Activity from Lumu portal

Mute - Unmute incident


Comment Incident

Close Incident


Activity from Autotask Platform

Waiting Ticket


In progress Ticket


Complete Ticket (Close Incident)

