ConnectWise Manage Custom Integration with Lumu Defender API

Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.
This article shows how to leverage the ConnectWise Manage API and the Lumu Defender API to enhance your SecOps capabilities: push Lumu incidents into a ConnectWise Manage deployment as service tickets and keep both systems in sync.

SecOps integration between ConnectWise Manage and Lumu.

Requirements

  1. ConnectWise Manage API Member Only keys (public and private).
     It is recommended to create a custom role with only the following permissions. The script creates and updates tickets but never deletes them, which is why Delete is set to None:

     Module        Function             Access Level
     Company       Company Maintenance  Inquire - All
     Service Desk  Service Tickets      Add - All, Edit - All, Delete - None, Inquire - All
     System        Table Setup          Inquire - All

     If you have defined a custom role, make sure the API Member is assigned that role before you create its API keys.
  2. Lumu Defender API key.
  3. Script host with Python 3.6+ to run the script.
     The script host must be able to reach both your ConnectWise Manage deployment and the Lumu Defender API endpoints.

Deploy the script

Remember to contact the Lumu support team to acquire the script deployment package if you haven’t already done so.

Script location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep this location in mind, as it will be required for further configuration. From this point on, we will refer to this folder as <cwm_lumu_root>.

Install requirements

The file requirements.txt lists the Python dependencies of this integration. After unpacking the package, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

It is recommended to install the requirements into a Python virtual environment (for example one created with python3 -m venv) rather than into the system Python; this isolates the dependencies and avoids running pip with sudo.

Script details

To use the script, change to the deployment folder (<cwm_lumu_root>). Use the following command to show all options available for the package:

python lumu_cw_manage.py --help

Usage:
lumu_cw_manage.py [options]

Options                      Description
-h, --help                   Show this help message and exit.
--config CONFIG              Load options from a config file.
--company-key COMPANY_KEY, --company_key COMPANY_KEY
                             Lumu Company Key (Defender API).
--proxy-host PROXY_HOST, --proxy_host PROXY_HOST
                             Proxy host (if required).
--proxy-port PROXY_PORT, --proxy_port PROXY_PORT
                             Proxy port (if required).
--proxy-user PROXY_USER, --proxy_user PROXY_USER
                             Proxy user (if required).
--proxy-password PROXY_PASSWORD, --proxy_password PROXY_PASSWORD
                             Proxy password (if required).
--logging {screen,file}      Logging option (default: screen).
--verbose, -v                Verbosity level.
--company COMPANY            CW Manage Company to create the tickets for.
--board BOARD                CW Manage Board to record tickets in.
--type TYPE                  CW Manage Type to record in tickets.
--subtype SUBTYPE            CW Manage Subtype to record in tickets.
--item ITEM                  CW Manage Item to record in tickets.
--closed-status CLOSED_STATUS, --closed_status CLOSED_STATUS
                             Name of the status used in ConnectWise Manage to mark a ticket as closed (default: Closed).
--check-wait CHECK_WAIT, --check_wait CHECK_WAIT
                             Seconds to wait between checks for ticket closure in ConnectWise Manage (default: 60).
--host HOST                  CW Manage API Host.
--login-company LOGIN_COMPANY, --login_company LOGIN_COMPANY
                             CW Manage Login Company.
--public-key PUBLIC_KEY, --public_key PUBLIC_KEY
                             CW Manage Public API Key.
--private-key PRIVATE_KEY, --private_key PRIVATE_KEY
                             CW Manage Private API Key.

The minimum required options are:

Options                      Description
--company-key COMPANY_KEY, --company_key COMPANY_KEY
                             Lumu Company Key (Defender API).
--host HOST                  CW Manage API Host.
--login-company LOGIN_COMPANY, --login_company LOGIN_COMPANY
                             CW Manage Login Company.
--public-key PUBLIC_KEY, --public_key PUBLIC_KEY
                             CW Manage Public API Key.
--private-key PRIVATE_KEY, --private_key PRIVATE_KEY
                             CW Manage Private API Key.
--company COMPANY            CW Manage Company to create the tickets for.
--board BOARD                CW Manage Board to record tickets in.

The script will run as a daemon process. To keep this integration working, you must guarantee the script is running at all times.

Usage examples

Task: basic usage
Use the following command to listen for Lumu operational events and create service tickets in your ConnectWise Manage instance:
python lumu_cw_manage.py --company-key=<Lumu Defender Key> --host=<ConnectWise Manage Host> --login-company=<ConnectWise Manage Login Company> --public-key=<ConnectWise Manage API Member Only Public Key> --private-key=<ConnectWise Manage API Member Only Private Key> --company=<Company Name in CW to create Service Tickets> --board=<Service Desk board to be used for service ticket creation>
Keys passed on the command line are visible to other local users in the process list and are kept in the shell history. For a permanent deployment, place them in a configuration file readable only by the account that runs the script and load it with --config.

Task: create service tickets using a custom type, subtype, or item
Use the following command to set the type, subtype, and item of the service tickets:
python lumu_cw_manage.py --company-key=<Lumu Defender Key> --host=<ConnectWise Manage Host> --login-company=<ConnectWise Manage Login Company> --public-key=<ConnectWise Manage API Member Only Public Key> --private-key=<ConnectWise Manage API Member Only Private Key> --company=<Company Name in CW to create Service Tickets> --board=<Service Desk board to be used for service ticket creation> --type=<Type> --subtype=<Subtype> --item=<Item>

Task: use a custom service ticket closed status
By default, the script periodically checks every service ticket it created in ConnectWise Manage to find out whether it has been closed. If the ticket's status name contains the word Closed, the script closes the associated incident in the Lumu Portal. If your board uses a different status name for closed tickets, override this with the --closed-status option as follows:
python lumu_cw_manage.py --company-key=<Lumu Defender Key> --host=<ConnectWise Manage Host> --login-company=<ConnectWise Manage Login Company> --public-key=<ConnectWise Manage API Member Only Public Key> --private-key=<ConnectWise Manage API Member Only Private Key> --company=<Company Name in CW to create Service Tickets> --board=<Service Desk board to be used for service ticket creation> --closed-status=<Custom Close Status>

Task: check service ticket status every X seconds
By default, the script checks the service ticket status in ConnectWise Manage every 60 seconds. To change this interval, use the --check-wait option as follows:
python lumu_cw_manage.py --company-key=<Lumu Defender Key> --host=<ConnectWise Manage Host> --login-company=<ConnectWise Manage Login Company> --public-key=<ConnectWise Manage API Member Only Public Key> --private-key=<ConnectWise Manage API Member Only Private Key> --company=<Company Name in CW to create Service Tickets> --board=<Service Desk board to be used for service ticket creation> --check-wait=120
In this example, the script checks the service ticket status every 120 seconds. A shorter interval closes Lumu incidents sooner but increases the number of API calls made to your ConnectWise Manage instance.

Task: save the script log to a file
Use the option --logging=file to keep a record of all tasks run by the script. All script output is then written to a file named lumu_cw_manage.log in the folder where you deployed the script.

Other tasks

The above samples can be combined according to your needs.

Expected results

After the script starts, it listens for incident updates in Lumu. When an incident is updated in Lumu, a new service ticket appears in ConnectWise Manage for the company and board given in the script options.

Lumu Portal new incident.

ConnectWise Manage service ticket related to the Lumu incident.

All the incident details are included in the ConnectWise service ticket as notes:

ConnectWise service ticket.

All new contacts reported for the incident are recorded in the service ticket:

ConnectWise service ticket details.

Once the security operations team has investigated and closed the ticket, the script synchronizes the closure back to the Lumu Portal. If the investigator wrote a resolution note in the service ticket, it is used as the closing note of the Lumu incident:

Service ticket resolution note.

Lumu incident closing note.
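The following Python is an added illustration of the closure sync described in the closed-status task and in the expected results above; it is not code from the Lumu deployment package. It models one polling pass over a constructed set of tracked tickets and decides which Lumu incidents should be closed and with which note. Two details are assumptions rather than documented behaviour: when --closed-status is given, the value is matched as the exact status name, and a ticket closed without a resolution note gets a generic closing note naming the ticket.

```python
"""Illustrative model of the ticket-to-incident closure sync (added example,
not Lumu's script). Works offline on constructed sample tickets."""
from typing import List, NamedTuple, Optional, Tuple

DEFAULT_CLOSED_STATUS = "Closed"  # the article's default for --closed-status


class TrackedTicket(NamedTuple):
    ticket_id: int         # ConnectWise Manage service ticket number
    incident_id: str       # Lumu incident the ticket was opened for
    status: str            # status name currently shown on the board
    resolution: str = ""   # analyst's resolution note, if any
    synced: bool = False   # incident already closed in Lumu on an earlier pass


def is_closed(status: str, closed_status: Optional[str] = None) -> bool:
    """Default rule from the article: the status name *contains* the word
    Closed (case-insensitive, so '>Closed' or 'Closed - Resolved' both count).
    With --closed-status, the value is treated as the exact status name
    (assumption: the article calls it a 'status name')."""
    if closed_status is None:
        return DEFAULT_CLOSED_STATUS.lower() in status.lower()
    return status.strip().lower() == closed_status.strip().lower()


def closures_to_sync(tickets: List[TrackedTicket],
                     closed_status: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (incident_id, closing_note) for every ticket that is closed on
    the board and whose incident has not yet been closed in Lumu. The
    analyst's resolution note becomes the Lumu closing note; the generic
    fallback note is an assumption, not documented behaviour."""
    pending = []
    for t in tickets:
        if t.synced or not is_closed(t.status, closed_status):
            continue
        note = t.resolution.strip() or \
            "Closed via ConnectWise Manage ticket #{}".format(t.ticket_id)
        pending.append((t.incident_id, note))
    return pending


# Constructed sample state: what one polling pass (every --check-wait seconds)
# might see. Ticket numbers, incident ids and notes are made up.
SAMPLE_TICKETS = [
    TrackedTicket(1001, "inc-a", "Closed", "Malicious domain blocked at the firewall"),
    TrackedTicket(1002, "inc-b", "In Progress"),
    TrackedTicket(1003, "inc-c", ">Closed"),
    TrackedTicket(1004, "inc-d", "Resolved", "False positive, domain is a CDN"),
    TrackedTicket(1005, "inc-e", "Closed", "Host reimaged", synced=True),
]


def sync_once(tickets: List[TrackedTicket] = SAMPLE_TICKETS,
              closed_status: Optional[str] = None) -> List[Tuple[str, str]]:
    """One polling pass. In the real integration each returned pair would be
    sent to the Lumu Defender API to close that incident with that note."""
    return closures_to_sync(tickets, closed_status)


if __name__ == "__main__":
    print("default rule:            ", sync_once())
    print("--closed-status=Resolved:", sync_once(closed_status="Resolved"))
```

With the default rule, tickets 1001 and 1003 close their incidents (1005 was already synced, 1002 is still open, and 1004's status "Resolved" does not contain the word Closed). With --closed-status=Resolved only ticket 1004 qualifies, which is why the override must match the exact status name your board uses.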

Further considerations

This script runs as a daemon to keep both systems synced. Make sure it is running at all times; on a production host, run it under a process supervisor (for example a systemd service configured to restart it on failure) and watch its log so that a crash does not silently stop ticket creation and incident closure.

Troubleshooting

If the script fails or behaves unexpectedly, rerun it with the -v flag to get verbose output that helps identify the failing step. Combine it with --logging=file to keep that output for later review.