GLPI Custom SecOps Integration

This article shows how to leverage GLPI API and Lumu Defender API to enhance your SecOps capabilities, pushing Lumu incidents into a GLPI deployment as Service Tickets, and syncing both systems.


Requirements

  • A GLPI active server and Web access.
  • An active Defender subscription.
  • Lumu Defender API key.
    • To retrieve an API token, please refer to the Defender API document.
  • Script host.
    • A scripting host is required to deploy the integration. This host must have Internet visibility over the Lumu Defender API and the GLPI server. According to the deployment model you select, you will need a host with:
      • Python 3.10+, or
      • A Docker-enabled host
  • Script package.
    • Contact the Lumu support team to request the package we created to deploy the required files.

Before you start

Contacted hosts

Please allow all traffic to the following hosts. They are required for the operation of this integration:

  • GLPI server IP
  • defender.lumu.io
  • pypi.org
  • files.pythonhosted.org
  • *.docker.com (for Docker deployments)

Prepare GLPI for Lumu integration

Before you deploy and implement the Lumu Integration, you need to prepare your GLPI deployment to ensure the integration works as expected.

Enable REST API

To enable the REST API in your GLPI deployment, log in to your GLPI Web console, then go to the General menu under the Setup section in the left navigation pane. In the General window, click on the API tab. There, change the Enable Rest API setting to yes. Click on the Save button.


To have traceability of all actions executed by the integration, it’s recommended to create a dedicated user for it. Create the user as you usually do through the Administration > User menu. Fill in the required data, and make sure you assign the Admin profile to it.

If your GLPI deployment serves multiple customers or entities, please configure this new user to have Admin permissions on the desired entity only.

Create API Client - API Token

To create an API client and token, go to the API tab from the previous step. Once there, click on the Add API client button. The API Clients window will appear. Fill in the required data, making sure that the Active option is set to Yes. Enable the Regenerate checkbox and click the Add button.


If the Application Token (app_token) field is not populated, you can regenerate the token by opening the configured API client again.

Make sure you copy the Application token before closing the API Client window. This string will be required later.
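
Before deploying the package, the application token and the dedicated user can be checked against the GLPI REST API. The following is an added example, not part of the Lumu package; it assumes the API is served at <glpi_url>/apirest.php (GLPI's default path), and the function names are illustrative.

```python
import base64
import json
import urllib.error
import urllib.request


def build_init_session_request(glpi_url, user, passwd, app_token):
    """Build the GLPI initSession call for the dedicated integration user."""
    # Assumption: the REST API lives under <glpi_url>/apirest.php.
    basic = base64.b64encode(f"{user}:{passwd}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        glpi_url.rstrip("/") + "/apirest.php/initSession",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Basic {basic}",  # GLPI Web user and password
            "App-Token": app_token,             # token of the API client
        },
        method="GET",
    )


def check_glpi_login(glpi_url, user, passwd, app_token, timeout=10):
    """Return True if GLPI opens a session; the session is closed afterwards."""
    req = build_init_session_request(glpi_url, user, passwd, app_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            session_token = json.load(resp).get("session_token")
    except urllib.error.HTTPError:
        return False  # GLPI rejected the App-Token or the user credentials
    if not session_token:
        return False
    # Do not leave the test session open on the server.
    kill = urllib.request.Request(
        glpi_url.rstrip("/") + "/apirest.php/killSession",
        headers={"Session-Token": session_token, "App-Token": app_token},
    )
    urllib.request.urlopen(kill, timeout=timeout).close()
    return True
```

With an http:// URL the Basic credentials and both tokens travel unencrypted, so run this check over HTTPS where the GLPI server supports it.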

Deploy the package

Remember to contact the Lumu support team to acquire the deployment package if you haven’t already done so.

To deploy the integration package, you have two options:

  • Run it as a Python script.
  • Run it as a Docker container.

Select the alternative that best suits your needs.

Prepare Python on your environment

As a recommended practice, we encourage you to create a Virtual environment for each integration to avoid conflicts between them and your operating system tools. Make sure you follow the steps in our Preparing Environment for Custom Integrations article.

Run it as a Python script

Script location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From this point on, we will refer to this folder as <glpi_lumu_root>.

Install requirements

The file requirements.txt contains the list of dependencies for this integration. After deploying the package locally, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

It is recommended to define a Python virtual environment to deploy the script requirements.

Script details

To use the script, change to the path selected for deployment (<glpi_lumu_root>). Use the following command to show all options available for the package:

python glpi_lumu.py --help

Usage: glpi_lumu.py [options]

Options                                                Description
-h, --help                                             show this help message and exit
-tk GLPI_TOKEN, --glpi_token GLPI_TOKEN                GLPI Token of API client
-u GLPI_USER, --glpi_user GLPI_USER                    GLPI Web username
-key COMPANY_KEY, --company_key COMPANY_KEY            Lumu Defender API Key
-p GLPI_PASSWD, --glpi_passwd GLPI_PASSWD              GLPI Web username password
-r GLPI_URL, --glpi_url GLPI_URL                       GLPI url, e.g http://192.168.73.180
--glpi_requester GLPI_REQUESTER                        Optional, GLPI username for the ticket's requester
--glpi_assigned_to GLPI_ASSIGNED_TO                    Optional, GLPI username for the tickets assigned to
--glpi_category GLPI_CATEGORY                          Optional, GLPI ticket Category
--glpi_request_source GLPI_REQUEST_SOURCE              Optional, GLPI Requests Source, e.g Lumu.
--glpi_urgency {very_high,high,medium,low,very_low}    Optional, default "low", GLPI Urgency, get a choice
-l {screen,file}, --logging {screen,file}              Logging option (default screen)
-v, --verbose                                          Verbosity level

The script will run as a daemon process. To keep this integration working, you need to guarantee the script is running all the time.

Usage examples

Task: basic usage or standard usage

Use the following command to listen to Lumu operational events and manage service tickets in your GLPI Server:

python glpi_lumu.py -tk/--glpi_token GLPI_TOKEN -u/--glpi_user GLPI_USER -key/--company_key COMPANY_KEY -p/--glpi_passwd GLPI_PASSWD -r/--glpi_url GLPI_URL [--glpi_category GLPI_CATEGORY] [--glpi_request_source GLPI_REQUEST_SOURCE] [--glpi_urgency {very_high,high,medium,low,very_low}]

This example will allow you to manage GLPI tickets without assigning any user to the ticket.

Task: basic usage or standard usage with ticket user

Parameters in square brackets: "[<parameter>]" are optional.

Use the following command to listen to Lumu operational events and manage service tickets in your GLPI Server, assigning specific requesters and assigned users based on your deployment:

python glpi_lumu.py -tk/--glpi_token GLPI_TOKEN -u/--glpi_user GLPI_USER -key/--company_key COMPANY_KEY -p/--glpi_passwd GLPI_PASSWD -r/--glpi_url GLPI_URL --glpi_requester GLPI_REQUESTER --glpi_assigned_to GLPI_ASSIGNED_TO [--glpi_category GLPI_CATEGORY] [--glpi_request_source GLPI_REQUEST_SOURCE] [--glpi_urgency {very_high,high,medium,low,very_low}]

Task: use a configuration file for setting up script variables

The integration package comes with a .config_sample file. You can use it to tailor your own .config file with the required configuration for running the integration script.

## Config file sample
# Lumu parameters
company_key=<LUMU_COMPANY_KEY>
# GLPI
glpi_url=<GLPI_BASE_URL>
glpi_user=<GLPI_USER>
glpi_passwd=<GLPI_PASSWORD>
glpi_token=<GLPI_TOKEN>
# GLPI - Optional
[glpi_assigned_to=<GLPI_USER_TO_ASSIGN_TICKETS>]
[glpi_requester=<GLPI_REQUESTED_USER>]
[glpi_category=<GLPI_CATEGORY>]
[glpi_request_source=<GLPI_REQUEST_SOURCE>]
[glpi_urgency=<very_high,high,medium,low,very_low>]
# Misc
# For Docker deployments, make sure you set this parameter to screen
logging=[screen|file]
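
Because the .config file holds the Lumu API key, the GLPI password and the application token, it is worth auditing before the daemon is started. The following is an added example, not part of the Lumu package: it flags a permissive file mode, unfilled placeholders, a clear-text glpi_url and an invalid glpi_urgency. It assumes the plain key=value layout of the sample above; the function names and sample values are constructed for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

REQUIRED = ("company_key", "glpi_url", "glpi_user", "glpi_passwd", "glpi_token")
URGENCIES = ("very_high", "high", "medium", "low", "very_low")

def parse_config(text):
    """Parse key=value lines; '#' starts a comment (assumed file format)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit_config(path):
    """Return a list of findings for the .config file at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} exposes the secrets to other accounts; use 0600")
    with open(path, encoding="utf-8") as fh:
        cfg = parse_config(fh.read())
    for key in REQUIRED:
        if not cfg.get(key) or cfg[key].startswith("<"):
            findings.append(f"{key} is missing or still a placeholder")
    if urlparse(cfg.get("glpi_url", "")).scheme == "http":
        findings.append("glpi_url uses http://, so credentials and tokens are sent in clear text")
    if cfg.get("glpi_urgency", "low") not in URGENCIES:
        findings.append(f"glpi_urgency must be one of {', '.join(URGENCIES)}")
    return findings

def demo():
    """Audit a constructed sample file; every value here is made up."""
    sample = ("company_key=EXAMPLE-KEY\nglpi_url=http://glpi.example.test\n"
              "glpi_user=lumu-integration\nglpi_passwd=<GLPI_PASSWORD>\n"
              "glpi_token=EXAMPLE-APP-TOKEN\nglpi_urgency=critical\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".config")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # deliberately world-readable for the demo
        return audit_config(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```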

Task: use environment variables to run the integration

First, set the environment variables either in the OS or in the execution console:

company_key=<LUMU_COMPANY_KEY>
glpi_url=<GLPI_BASE_URL>
glpi_user=<GLPI_USER>
glpi_passwd=<GLPI_PASSWORD>
glpi_token=<GLPI_TOKEN>
[glpi_assigned_to=<GLPI_USER_TO_ASSIGN_TICKETS>]
[glpi_requester=<GLPI_REQUESTED_USER>]
[glpi_category=<GLPI_CATEGORY>]
[glpi_request_source=<GLPI_REQUEST_SOURCE>]
[glpi_urgency=<very_high,high,medium,low,very_low>]

Then, run the following command:

python glpi_lumu.py

Task: log the script output into a file

Use the option --logging=file to store a record of all tasks run by the script. Using this, all the script output will be redirected to a file named lumu.log in the folder where you have deployed the script.

python glpi_lumu.py -tk/--glpi_token GLPI_TOKEN -u/--glpi_user GLPI_USER -key/--company_key COMPANY_KEY -p/--glpi_passwd GLPI_PASSWD -r/--glpi_url GLPI_URL [--glpi_requester GLPI_REQUESTER] [--glpi_assigned_to GLPI_ASSIGNED_TO] [--glpi_category GLPI_CATEGORY] [--glpi_request_source GLPI_REQUEST_SOURCE] [--glpi_urgency {very_high,high,medium,low,very_low}] --logging file

Other tasks

The above samples could be combined according to your needs.

Troubleshooting

If the script fails, run it with the -v flag. The verbose output will allow you to identify failures in the script execution.

Run it as a Docker container

Parameters in square brackets: "[<parameter>]" are optional.

The integration can be deployed in a Docker environment. To do so, run the following commands from the integration folder:

1. Build the Docker image

docker build --build-arg company_key='xxx' --build-arg glpi_token='xxx' --build-arg glpi_user='xxx' --build-arg glpi_passwd='xxx' --build-arg glpi_url='xxx' [--build-arg glpi_requester='xxx'] [--build-arg glpi_assigned_to='xxx'] [--build-arg glpi_category='xxx'] [--build-arg glpi_request_source='xxx'] [--build-arg glpi_urgency='low'] --tag python-lumu-glpi .

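The arguments used to build the Docker image are the same as those used for the script. Please refer to them when filling in these values. Values passed with --build-arg are stored in the image and can be recovered from it (for example with docker history), so restrict access to the resulting image.

2. Create and run the Docker container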

docker run -d --restart unless-stopped --name lumu-glpi python-lumu-glpi

Troubleshooting

To check the live logs of the container, run the following command:

docker logs -f lumu-glpi

Expected results

After running the script, it will listen for incident updates on Lumu. After an incident is updated on Lumu, you will see a new incident in the Tickets window in the Service Desk section.

The following table shows the transition between states among incidents in Lumu and GLPI.

GLPI state/action       Lumu state/action   Comments
New/Opened              Open                This applies to new incidents detected by Lumu
Pending                 Muted
Processing (planned)    Unmute              If the incident is unmuted, it will be marked as Processing (planned) in GLPI
Closed                  Closed

These transitions are supported in both directions: each transition made in one of the services is reflected in the other. The following examples show how the operation between both services works.

Activity from Lumu to GLPI portal

Some actions are shown below. All the states in the previous table are supported in both ways.

GLPI Ticket Description - New/Update incident


Close Incident


Activity from GLPI Platform to Lumu Portal

Pending/processing Ticket



