Fortinet Document Library

Version: 1.0.0

About the connector

LogRhythm delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

This document describes the LogRhythm connector, which enables automated interactions with a LogRhythm server from FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving the details of an alarm and the events associated with it from the LogRhythm server, updating alarms, and adding comments to an alarm on the LogRhythm server.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.11.0-1161

LogRhythm Version Tested on: 7.3.3

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-logrhythm

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the LogRhythm API server to which you will connect and perform automated operations and credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the LogRhythm connector and click Configure to configure the following parameters:

 

Parameter | Description
Server URL | URL of the LogRhythm SOAP API server to which you will connect and perform automated operations.
Port | Port number for connecting to the LogRhythm API server.
Username | Username to access the LogRhythm API server to which you will connect and perform automated operations. Note: The API user specified here must have the necessary permissions to Create, Read, and Update Alarms on the LogRhythm API server.
Password | Password to access the LogRhythm server to which you will connect and perform automated operations.
Verify SSL | Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True.
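The following Python is an added example, not code from the Fortinet connector, that validates the five configuration parameters listed above the way a reviewer would before approving the connector, derives the endpoint base from Server URL and Port, and shows what the Verify SSL setting actually changes in the TLS context. The dictionary keys mirror the parameter names in the table; the helper names, the sample hostname and the sample port are assumptions.

```python
"""Validate LogRhythm connector configuration values (added example)."""
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class ConnectorConfig:
    server_url: str
    port: int
    username: str
    password: str
    verify_ssl: bool = True  # documented default


class ConfigError(ValueError):
    """Raised for a value the Configure dialog should not accept."""


def load_config(raw: dict) -> ConnectorConfig:
    """Validate a dict keyed by the documented parameter names (assumed shape)."""
    url = str(raw.get("Server URL", "")).strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ConfigError("Server URL must be an http(s) URL with a host")
    try:
        port = int(raw.get("Port", ""))
    except (TypeError, ValueError):
        raise ConfigError("Port must be an integer") from None
    if not 1 <= port <= 65535:
        raise ConfigError("Port out of range")
    username = str(raw.get("Username", "")).strip()
    password = str(raw.get("Password", ""))
    if not username or not password:
        raise ConfigError("Username and Password are required")
    verify = raw.get("Verify SSL", True)
    if isinstance(verify, str):  # a UI may hand the flag over as text
        verify = verify.strip().lower() in ("true", "1", "yes")
    return ConnectorConfig(url, port, username, password, bool(verify))


def base_url(cfg: ConnectorConfig) -> str:
    """Combine Server URL and Port into the endpoint base, keeping any path."""
    parts = urlsplit(cfg.server_url)
    return urlunsplit((parts.scheme, f"{parts.hostname}:{cfg.port}",
                       parts.path.rstrip("/"), "", ""))


def tls_context(cfg: ConnectorConfig) -> ssl.SSLContext:
    """Verify SSL = True keeps the default verifying context; False disables
    certificate and hostname checks, so the API credentials sent in every
    request could be read by anyone who can intercept the connection."""
    ctx = ssl.create_default_context()
    if not cfg.verify_ssl:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_server(cfg: ConnectorConfig) -> bool:
    """True when the context will reject an untrusted or mismatched certificate."""
    ctx = tls_context(cfg)
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def config_warnings(cfg: ConnectorConfig) -> list:
    """Findings to raise before the connector is put into production."""
    findings = []
    if urlsplit(cfg.server_url).scheme != "https":
        findings.append("plaintext http: credentials and alarm data are unencrypted")
    if not cfg.verify_ssl:
        findings.append("Verify SSL disabled: server identity is not checked")
    return findings


if __name__ == "__main__":
    # Constructed sample values; hostname and port are placeholders.
    sample = {"Server URL": "https://logrhythm.example.internal", "Port": "8443",
              "Username": "soar-api", "Password": "REDACTED", "Verify SSL": "false"}
    cfg = load_config(sample)
    print(base_url(cfg), verifies_server(cfg), config_warnings(cfg))
```

Keeping Verify SSL at its default of True is the check that matters: with it off, the connector will happily authenticate to any host that answers on the configured port.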

 

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function | Description | Annotation | Category
Get an Alarm | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_details | Investigation
Update Alarm | Updates a specific alarm on the LogRhythm server, based on the alarm ID and other input parameters you have specified. | update_alarm | Investigation
Add Comment | Adds a comment that you have specified to an alarm on the LogRhythm server, based on the alarm ID you have specified. | update_alarm | Investigation
Get Alarm Events | Retrieves the details of the events associated with an alarm from the LogRhythm server, based on the alarm ID you have specified. | get_events | Investigation
Pull Alarms between specific dates | Retrieves a list and details of all alarms for a specified time period from the LogRhythm server. | get_alarms | Investigation
Pull Alarms triggered in last N minutes | Retrieves a list and details of all alarms that were triggered within the specified number of minutes from the LogRhythm server. | get_alarms | Investigation
Get Host Details | Retrieves the details of a specific host from the LogRhythm server, based on the IP address you have specified. | get_hosts | Investigation


operation: Get an Alarm

Input parameters

 

Parameter | Description
Alarm ID | ID of the alarm whose details you want to retrieve from the LogRhythm server.


Output

The JSON output contains the comments and details of the alarm retrieved from the LogRhythm server, based on the alarm ID you have specified.

The following image shows how comments appear in the output of the Get an Alarm operation:

Sample output of the Comments section of the Get an Alarm operation

The following image shows how alarm details appear in the output of the Get an Alarm operation:

Sample output of the Alarm Details section of the Get an Alarm operation

operation: Update Alarm

Input parameters

 

Parameter | Description
Alarm ID | ID of the alarm whose details you want to update on the LogRhythm server.
Status | Status that you want to set for the specified alarm on the LogRhythm server. You can choose from the following options: New, Open, or Closed.
Comment (Optional) | Comment that you want to add to the specified alarm on the LogRhythm server.


Output

The JSON output displays the Status as Success if the specified alarm is successfully updated on the LogRhythm server.

The following image shows a sample output:

Sample output of the Update Alarm operation

operation: Add Comment

Input parameters

 

Parameter | Description
Alarm ID | ID of the alarm to which you want to add a comment on the LogRhythm server.
Comment | Comment that you want to add to the specified alarm on the LogRhythm server.


Output

The JSON output displays the Status as Success if the comment is successfully added to the specified alarm on the LogRhythm server.

The following image shows a sample output:

Sample output of the Add Comment operation

operation: Get Alarm Events

Input parameters

 

Parameter | Description
Alarm ID | ID of the alarm whose associated events you want to retrieve from the LogRhythm server.


Output

The JSON output contains the details of the alarm together with the list and details of its associated events, retrieved from the LogRhythm server based on the alarm ID you have specified.

The following image shows a sample output:

Sample output of the Get Alarm Events operation

operation: Pull Alarms between specific dates

Input parameters

 

Parameter | Description
Start Date | Start date from which you want to retrieve alarm details from the LogRhythm server.
End Date | End date until which you want to retrieve alarm details from the LogRhythm server.
Maximum Alarms (Optional) | Maximum number of results (alarms) that this operation should return. By default this is set to 10.


Output

The JSON output contains the list and details of all alarms for the specified time period, retrieved from the LogRhythm server.

The following image shows a sample output:

Sample output of the Pull Alarms between specific dates operation

operation: Pull Alarms triggered in last N minutes

Input parameters

 

Parameter | Description
Minutes | Number of minutes before the current time from which you want to retrieve the list and details of alarms triggered on the LogRhythm server. For example, to retrieve the alarms triggered in the last 30 minutes, type 30 in this field.
Maximum Alarms (Optional) | Maximum number of results (alarms) that this operation should return. By default this is set to 10.


Output

The JSON output contains the list and details of all alarms triggered within the specified number of minutes before the current time, retrieved from the LogRhythm server.

The following image shows a sample output:

Sample output of the Pull Alarms triggered in last N minutes operation
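The two pull operations above share one behaviour a playbook author should plan for: Maximum Alarms defaults to 10, so a busy window returns only the newest ten alarms and the rest are silently left out. The following Python is an added example, not the connector's code, that models both operations over a constructed list of alarms so the window semantics and the cap can be exercised offline. It returns a truncation flag alongside the results and adds a client-side loop that walks End Date backwards to drain a window; the page documents no paging parameter, so that loop is an assumption about how a playbook could compensate. The alarm tuple layout and helper names are likewise assumptions, not the LogRhythm API's field names.

```python
"""Model the Pull Alarms operations and the Maximum Alarms cap (added example)."""
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp; naive datetimes are rejected below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample alarms: (alarm_id, inserted_at, name), 15 alarms from
# 12:00 to 13:10 UTC, five minutes apart.  Layout is an assumption.
SAMPLE_ALARMS = [
    (1000 + i, utc(2024, 5, 1, 12, 0) + timedelta(minutes=5 * i), f"constructed alarm {i}")
    for i in range(15)
]


def pull_alarms_between(alarms, start, end, max_alarms=10):
    """Pull Alarms between specific dates: alarms with start <= inserted <= end,
    newest first, capped at max_alarms (documented default 10).
    Returns (results, truncated) so a playbook can tell a short list from a capped one."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; naive values are ambiguous")
    if end < start:
        raise ValueError("End Date precedes Start Date")
    hits = sorted((a for a in alarms if start <= a[1] <= end),
                  key=lambda a: a[1], reverse=True)
    return hits[:max_alarms], len(hits) > max_alarms


def pull_alarms_last_minutes(alarms, minutes, now=None, max_alarms=10):
    """Pull Alarms triggered in last N minutes: the window is [now - N min, now]."""
    if minutes <= 0:
        raise ValueError("Minutes must be positive")
    now = now or datetime.now(timezone.utc)
    return pull_alarms_between(alarms, now - timedelta(minutes=minutes), now, max_alarms)


def pull_all_alarms_between(alarms, start, end, page=10):
    """Drain a window with repeated capped calls: whenever a page is truncated,
    move End Date back to the oldest alarm returned and skip alarms already seen.
    Client-side strategy assumed for this example; the page documents no paging."""
    collected, seen = [], set()
    while True:
        page_hits, truncated = pull_alarms_between(alarms, start, end, page)
        new = [a for a in page_hits if a[0] not in seen]
        if not new and truncated:
            raise RuntimeError("more than one page of alarms share a timestamp; raise the page size")
        collected.extend(new)
        seen.update(a[0] for a in new)
        if not truncated:
            return collected
        end = page_hits[-1][1]  # inclusive, so ties at the boundary are not lost


if __name__ == "__main__":
    now = utc(2024, 5, 1, 13, 10)
    recent, truncated = pull_alarms_last_minutes(SAMPLE_ALARMS, 120, now=now)
    print(len(recent), "returned, truncated =", truncated)
    print(len(pull_all_alarms_between(SAMPLE_ALARMS, utc(2024, 5, 1, 12, 0), now)), "after draining")
```

A playbook that feeds these alarms into case creation or enrichment should check the truncation condition (or raise Maximum Alarms) rather than assume a result of exactly ten means ten alarms exist.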

operation: Get Host Details

Input parameters

 

Parameter | Description
IP | IP address of the host whose details you want to retrieve from the LogRhythm server.


Output

The JSON output contains the details of the host retrieved from the LogRhythm server, based on the IP address you have specified.

The following image shows a sample output:

Sample output of the Get Host Details operation

Included playbooks

The Sample - LogRhythm - 1.0.0 playbook collection comes bundled with the LogRhythm connector. This collection contains playbooks with steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.

  • Add Comment
  • Get Alarm Events
  • Get an Alarm
  • Get Host Details
  • Pull Alarms between specific dates
  • Pull Alarms triggered in last N minutes
  • Update Alarm

Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
