This article shows how to use the ServiceNow API and the Lumu Defender API to enhance your SecOps capabilities by pushing Lumu incidents into your ServiceNow deployment as Incident tickets and keeping both systems in sync.
Before you deploy the Lumu integration, prepare your ServiceNow deployment so that the integration works as expected.
1. In your ServiceNow Web console, expand the All menu. Using the search bar, search for the System Plugins option.
2. The All Applications window will appear. Click on the Click here link in the notification bar.
3. Search for the OAuth plugin using the System Plugins search bar. Click on the OAuth row and click on the Activate link. Follow the on-screen instructions to activate the module. If it is already activated, leave it as it is.
1. After activating the OAuth plugin, create a new OAuth application registry for Lumu. Use the search bar in the All menu to search for OAuth, click the Application Registry option and then click the New button.
2. In the OAuth application window, click the Create an OAuth API endpoint for external clients link. Fill in the required data and click the Submit button. Open the newly created registry and copy the Client ID and Client Secret; both are needed later when setting up the integration. Treat the Client Secret as a credential: together with the integration user's password it allows tokens to be issued for your instance.
1. Go to the Credentials menu under the Configuration & Credentials section using the search bar. In the Credentials window, click on the New button. Fill in the required information.
1. It is recommended to create a dedicated ServiceNow user to operate the integration. This user is used as the Caller of the incidents created in ServiceNow. Go to Users under the User Administration section using the search bar in the All menu.
2. In the Users window, click the New button and fill in the required data. Make sure the Web service access only checkbox is selected, so that this account can call the API but cannot log in to the user interface. Click the Submit button.
3. To set the password for this user, search for it in the Users window, open the record and click the Set Password button. Generate and save the password for the user. Keep it at hand; it is required when setting up the integration.
1. You need to add a new category tree for the Lumu integration. To do so, use the search bar to search for the Tables & Columns menu.
2. In the Tables & Columns window, search for the Incident table, select it and click the Edit button.
3. Edit the Category and Subcategory columns, adding the choices listed in the following table (the Value column is what the integration writes into the incident, so it must match exactly):
| Column | Label | Value | Dependent value |
| --- | --- | --- | --- |
| Category | Lumu | lumu | NA |
| Subcategory | Malware | malware | lumu |
| Subcategory | DGA | dga | lumu |
| Subcategory | C&C | c&c | lumu |
| Subcategory | Mining | mining | lumu |
| Subcategory | Spam | spam | lumu |
| Subcategory | Phishing | phishing | lumu |
For more details of how to add the category tree for Lumu, refer to Add a category or a subcategory reference.
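The following is an added example, not code from the Lumu integration package, showing how the ServiceNow side prepared above is exercised: it performs ServiceNow's standard OAuth 2.0 password grant against `/oauth_token.do` with the application-registry Client ID and Client Secret plus the integration user's credentials, resolves that user's sys_id through the Table API, and builds an incident for `POST /api/now/table/incident` pinned to the `lumu` category tree. The hostname, user name, environment variable names and the JSON responses used are placeholders and constructed samples; no network call happens at import time.

```python
# Added example (not part of the Lumu integration package): exercising the
# ServiceNow side prepared above. Performs ServiceNow's OAuth 2.0 password
# grant against /oauth_token.do with the application-registry Client ID/Secret
# and the integration user's credentials, then builds an incident for the
# Table API using the 'lumu' category tree. Hostnames, user names and
# environment variable names are placeholders (assumptions).
import json
import os
import urllib.parse
import urllib.request

# Subcategory values defined under the 'lumu' category in the table above.
VALID_SUBCATEGORIES = {"malware", "dga", "c&c", "mining", "spam", "phishing"}


def token_request(sn_hostname, client_id, client_secret, username, password):
    """Build the password-grant token request as (url, form-encoded body)."""
    url = f"https://{sn_hostname}/oauth_token.do"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    return url, body


def parse_token_response(raw):
    """Return (access_token, refresh_token, expires_in); raise on an OAuth error body."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error_description', data)}")
    return data["access_token"], data.get("refresh_token"), int(data.get("expires_in", 0))


def caller_lookup_url(sn_hostname, user_name):
    """Table API query resolving the integrator's user_name to a sys_id (caller_id takes a sys_id)."""
    query = urllib.parse.urlencode({
        "sysparm_query": f"user_name={user_name}",
        "sysparm_fields": "sys_id",
        "sysparm_limit": "1",
    })
    return f"https://{sn_hostname}/api/now/table/sys_user?{query}"


def incident_payload(caller_sys_id, subcategory, description):
    """Incident body for POST /api/now/table/incident, pinned to the 'lumu' category tree."""
    sub = subcategory.lower()
    if sub not in VALID_SUBCATEGORIES:
        raise ValueError(f"unknown Lumu subcategory {subcategory!r}; add it under 'lumu' first")
    return {
        "caller_id": caller_sys_id,
        "category": "lumu",
        "subcategory": sub,
        # 'Lumu' in the short description also satisfies the Script Action condition used later.
        "short_description": f"Lumu {subcategory} incident",
        "description": description,
    }


def _post_json(url, payload, access_token):
    """Send a JSON POST with the bearer token and return the decoded body (network call)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Live run against a real instance; credentials come from assumed environment variables.
    host = os.environ["SN_HOSTNAME"]  # e.g. dev134220.service-now.com
    url, body = token_request(host, os.environ["SN_CLIENT_ID"], os.environ["SN_CLIENT_SECRET"],
                              os.environ["SN_USERNAME"], os.environ["SN_PASSWORD"])
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST"), timeout=30) as r:
        token, _, ttl = parse_token_response(r.read())
    req = urllib.request.Request(caller_lookup_url(host, os.environ["SN_USERNAME"]),
                                 headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as r:
        caller = json.loads(r.read())["result"][0]["sys_id"]
    created = _post_json(f"https://{host}/api/now/table/incident",
                         incident_payload(caller, "C&C", "Constructed sample: contact with a C&C server"), token)
    print(created["result"]["number"], "token valid for", ttl, "s")
```

If the token request returns an `error` body instead of `access_token`, the usual causes are the registry's Client Secret, the integration user's password, or the user lacking API access; `parse_token_response` surfaces ServiceNow's `error_description` so the failing credential can be identified before any incident is written.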
To keep incident records synchronized from ServiceNow to Lumu, you need to add a Script Action. The action fires on the incident.updated event, and its condition script restricts it to Lumu incidents (those whose category is lumu or whose short description contains "lumu"). To add it, use the search bar to search for Script actions and click the Script Actions link under the System Policy > Events section.
In the Script Actions window, click the New button and fill in the fields according to the following table:
| Field | Value |
| --- | --- |
| Name | LumuScript |
| Event Name | incident.updated |
| Condition script | `current.short_description.toLowerCase().includes('lumu') \|\| current.category.toLowerCase() == 'lumu'` |
| Script | The content of the file `ServiceNow side/script.js` from the integration package |
To deploy the integration package, you have two options: run the script directly on a host with Python installed, or run it as a Docker container. Select the alternative that best suits your needs.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From this point on, we will refer to this folder as <sn_lumu_root>.
The file requirements.txt lists the dependencies of this integration. After unpacking the package locally, run the following command from the deployment folder (preferably inside a virtual environment, so that sudo and a system-wide install are not needed):
- [sudo] pip install -r ./requirements.txt
To use the script, change into the deployment folder (<sn_lumu_root>). Use the following command to show all options available for the package:
python servicenow_lumu.py --help
Usage: servicenow_lumu.py [options]
| Option | Description |
| --- | --- |
| `-h, --help` | Show this help message and exit |
| `--client_id CLIENT_ID` | ServiceNow Application Registry Client ID |
| `--client_secret CLIENT_SECRET` | ServiceNow Application Registry Client Secret |
| `--username USERNAME` | ServiceNow username with privilege to run the Public API |
| `--password PASSWORD` | Password of the ServiceNow user with privilege to run the Public API |
| `--company_key COMPANY_KEY` | Lumu Company Key (Defender API) |
| `--sn_hostname SN_HOSTNAME` | ServiceNow API hostname, for example `dev134220.service-now.com` |
| `-snuser SN_USER_NAME, --sn_user_name SN_USER_NAME` | ServiceNow integrator user, for example `lumu.integrator` |
| `--logging {screen,file}` | Logging option (default: screen) |
| `--verbose, -v` | Verbosity level |
Use the following command to listen for Lumu operational events and manage incident tickets in your ServiceNow instance:
- python servicenow_lumu.py --company_key <Lumu Defender Key> --client_id <ServiceNow Client ID> --client_secret <ServiceNow Client Secret> --username <ServiceNow user> --password <ServiceNow password> --sn_hostname <ServiceNow API hostname> --sn_user_name <ServiceNow integrator user>
Keep in mind that secrets passed as command-line arguments are visible to other users of the host through the process list and may end up in shell history, so run the script on a host restricted to the people who operate the integration.
Use the option --logging file to keep a record of every task the script runs. All script output is then redirected to a file named lumu.log in the folder where you deployed the script:
- python servicenow_lumu.py --company_key <Lumu Defender Key> --client_id <ServiceNow Client ID> --client_secret <ServiceNow Client Secret> --username <ServiceNow user> --password <ServiceNow password> --sn_hostname <ServiceNow API hostname> --sn_user_name <ServiceNow integrator user> --logging file
The options above can be combined according to your needs.
If the script fails, add the -v flag to raise the verbosity level; the additional output helps identify where the execution breaks.
The integration can also be deployed as a Docker container. To do so, run the following commands from the integration folder:
- docker build --build-arg company_key=<value> --build-arg client_id=<value> --build-arg client_secret=<value> --build-arg username=<value> --build-arg password=<value> --build-arg sn_hostname=<value> --build-arg sn_user_name=<value> --tag python-lumu-servicenow .
- docker run -d --name lumu-servicenow python-lumu-servicenow
Be aware that values passed through --build-arg are recorded in the image metadata and can be read back with docker history, so keep the resulting image on the host that runs it and do not push it to a shared registry.
To follow the container's live logs, run the following command:
- docker logs -f lumu-servicenow
After running the script, it listens for incident updates from Lumu. When an incident is created or updated in Lumu, a new incident appears in the Incidents window under the Service Desk section. The states of the two systems map as follows:
| ServiceNow state/action | Lumu state/action | Comments |
| --- | --- | --- |
| New | Open | Applies to a new incident detected by Lumu |
| On hold | Muted | |
| In progress | Unmute | If the incident is unmuted in Lumu, it is marked as In progress in ServiceNow |
| Closed | Closed | |
These transitions are supported in both directions: each transition made in one of the services is reflected in the other. Below are some examples of how the operation between both services works.
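The state mapping above, as an added example that is not part of the Lumu integration package: a small reconciler that, given a ServiceNow incident record and the matching Lumu incident, decides which side has to change and what the change is. It assumes ServiceNow's stock incident.state values (1 New, 2 In Progress, 3 On Hold, 7 Closed; customised instances may differ), Lumu incident statuses named open, muted and closed, and ISO timestamps on both records; the records it runs over are constructed samples. The "newer side wins" rule and the treatment of closed as terminal are design choices of this example, not documented behaviour of the package.

```python
# Added example (not part of the Lumu integration package): bidirectional
# state reconciliation for the ServiceNow <-> Lumu mapping described above.
# Assumptions: stock ServiceNow incident.state codes, Lumu statuses
# 'open' / 'muted' / 'closed', ISO 8601 timestamps on both records.
from datetime import datetime

SN_NEW, SN_IN_PROGRESS, SN_ON_HOLD, SN_CLOSED = 1, 2, 3, 7  # stock ServiceNow values (assumption)

# ServiceNow state -> Lumu status the incident should be brought to.
SN_TO_LUMU = {SN_NEW: "open", SN_IN_PROGRESS: "open", SN_ON_HOLD: "muted", SN_CLOSED: "closed"}


def lumu_action_for(sn_state, lumu_status):
    """Lumu action ('mute', 'unmute', 'close') needed to match the ServiceNow state, or None."""
    if sn_state not in SN_TO_LUMU:
        return None  # Resolved, Cancelled, custom states: not part of the mapping, leave Lumu alone
    target = SN_TO_LUMU[sn_state]
    if target == lumu_status or lumu_status == "closed":
        return None  # already consistent, or closed on the Lumu side (terminal in this example)
    return {"open": "unmute", "muted": "mute", "closed": "close"}[target]


def sn_state_for(lumu_status, sn_state):
    """ServiceNow state matching a Lumu status. An open Lumu incident keeps New while it is
    untouched and becomes In progress after an unmute, as the table above states."""
    if lumu_status == "open":
        return sn_state if sn_state in (SN_NEW, SN_IN_PROGRESS) else SN_IN_PROGRESS
    if lumu_status == "muted":
        return SN_ON_HOLD
    if lumu_status == "closed":
        return SN_CLOSED
    raise ValueError(f"unknown Lumu status {lumu_status!r}")


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(sn_rec, lumu_rec):
    """Return ('lumu', action), ('servicenow', new_state) or ('none', None).

    sn_rec:   {'state': int, 'sys_updated_on': iso}   (ServiceNow incident fields)
    lumu_rec: {'status': str, 'updated_at': iso}       (assumed Lumu incident fields)
    A closed Lumu incident always closes the ticket; otherwise the side updated
    most recently is taken as the source of truth, which also stops the sync
    from echoing its own previous write back to the other side.
    """
    if lumu_rec["status"] == "closed":
        return ("none", None) if sn_rec["state"] == SN_CLOSED else ("servicenow", SN_CLOSED)
    lumu_action = lumu_action_for(sn_rec["state"], lumu_rec["status"])
    sn_target = sn_state_for(lumu_rec["status"], sn_rec["state"])
    if lumu_action is None and sn_target == sn_rec["state"]:
        return ("none", None)
    if _ts(sn_rec["sys_updated_on"]) >= _ts(lumu_rec["updated_at"]):
        return ("lumu", lumu_action) if lumu_action else ("none", None)
    return ("servicenow", sn_target) if sn_target != sn_rec["state"] else ("none", None)


def run_samples():
    """Constructed sample pairs covering each row of the mapping table."""
    cases = {
        "new_incident": ({"state": SN_NEW, "sys_updated_on": "2024-01-01T10:00:00Z"},
                         {"status": "open", "updated_at": "2024-01-01T09:59:00Z"}),
        "ticket_put_on_hold": ({"state": SN_ON_HOLD, "sys_updated_on": "2024-01-01T10:05:00Z"},
                               {"status": "open", "updated_at": "2024-01-01T10:00:00Z"}),
        "unmuted_in_lumu": ({"state": SN_ON_HOLD, "sys_updated_on": "2024-01-01T10:05:00Z"},
                            {"status": "open", "updated_at": "2024-01-01T10:10:00Z"}),
        "closed_in_servicenow": ({"state": SN_CLOSED, "sys_updated_on": "2024-01-01T11:00:00Z"},
                                 {"status": "open", "updated_at": "2024-01-01T10:10:00Z"}),
        "closed_in_lumu": ({"state": SN_IN_PROGRESS, "sys_updated_on": "2024-01-01T10:10:00Z"},
                           {"status": "closed", "updated_at": "2024-01-01T10:05:00Z"}),
    }
    return {name: reconcile(sn, lumu) for name, (sn, lumu) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22s} -> {decision}")
```

The decisions returned by run_samples are the inputs a poller would hand to the Lumu Defender API (mute, unmute, close) or to the ServiceNow Table API (a PATCH of the state field); the example stops at the decision so the mapping logic can be tested without either service.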