LogRhythm delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.
This document provides information about the LogRhythm connector, which facilitates automated interactions with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving alarm details and the events associated with a specific alarm from the LogRhythm server, updating alarms, and adding comments to an alarm on the LogRhythm server.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.11.0-1161
LogRhythm Version Tested on: 7.3.3
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-logrhythm
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the LogRhythm connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the LogRhythm SOAP API server to which you will connect and perform automated operations. |
Port | Port number for connecting to the LogRhythm API server. |
Username | Username to access the LogRhythm API server to which you will connect and perform automated operations. Note: The API user specified here must have the permissions needed to Create, Read, and Update Alarms on the LogRhythm API server; grant it no more than that, since these credentials are stored in FortiSOAR™ and used by every playbook that calls the connector. |
Password | Password to access the LogRhythm server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True. Leave it enabled wherever possible: with verification disabled, the connector accepts any certificate the server presents, so the API credentials and alarm data could be intercepted by anyone able to redirect the connection. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards. In the last column, the annotation is given first, followed by the category:
Function | Description | Annotation and Category |
---|---|---|
Get an Alarm | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_details Investigation |
Update Alarm | Updates a specific alarm on the LogRhythm server, based on the alarm ID and other input parameters you have specified. | update_alarm Investigation |
Add Comment | Adds a comment that you have specified to an alarm on the LogRhythm server, based on the alarm ID you have specified. | update_alarm Investigation |
Get Alarm Events | Retrieves the details of the events associated with an alarm from the LogRhythm server, based on the alarm ID you have specified. | get_events Investigation |
Pull Alarms between specific dates | Retrieves a list and details of all alarms for a specified time period from the LogRhythm server. | get_alarms Investigation |
Pull alarms triggered in last N minutes | Retrieves a list and details of all alarms that were triggered within the specified number of minutes from the LogRhythm server. | get_alarms Investigation |
Get Host Details | Retrieves the details of a specific host from the LogRhythm server, based on the IP address you have specified. | get_hosts Investigation |
Input parameters for the Get an Alarm operation:
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose details you want to retrieve from the LogRhythm server. |
The JSON output contains the comments and details of the alarm retrieved from the LogRhythm server, based on the alarm ID you have specified.
Following image displays how comments are displayed in the output of the Get an Alarm operation:
Following image displays how alarm details are displayed in the output of the Get an Alarm operation:
Input parameters for the Update Alarm operation:
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose details you want to update on the LogRhythm server. |
Status | Status that you want to set for the specified alarm on the LogRhythm server. You can choose from the following options: New, Open, or Closed. |
Comment | (Optional) Comment that you want to add to the specified alarm on the LogRhythm server. |
The JSON output displays the Status as Success if the specified alarm is successfully updated on the LogRhythm server.
Following image displays a sample output:
Input parameters for the Add Comment operation:
Parameter | Description |
---|---|
Alarm ID | ID of the alarm to which you want to add a comment on the LogRhythm server. |
Comment | Comment that you want to add to the specified alarm on the LogRhythm server. |
The JSON output displays the Status as Success if the comment is successfully added to the specified alarm on the LogRhythm server.
Following image displays a sample output:
Input parameters for the Get Alarm Events operation:
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose associated events you want to retrieve from the LogRhythm server. |
The JSON output contains the details of the alarm along with the list and details of the events associated with it, retrieved from the LogRhythm server based on the alarm ID you have specified.
Following image displays a sample output:
Input parameters for the Pull Alarms between specific dates operation:
Parameter | Description |
---|---|
Start Date | Start date from which you want to retrieve alarm details from the LogRhythm server. |
End Date | End date until which you want to retrieve alarm details from the LogRhythm server. |
Maximum Alarms | (Optional) Maximum number of results (alarms) that this operation should return. By default, this is set to 10. |
The JSON output contains the list and details of all alarms for the specified time period, retrieved from the LogRhythm server.
Following image displays a sample output:
Input parameters for the Pull alarms triggered in last N minutes operation:
Parameter | Description |
---|---|
Minutes | Number of minutes before the current time from which you want to retrieve the list and details of alarms triggered on the LogRhythm server. For example, to retrieve the alarms triggered in the last 30 minutes, type 30 in this field. |
Maximum Alarms | (Optional) Maximum number of results (alarms) that this operation should return. By default, this is set to 10. |
The JSON output contains the list and details of all alarms triggered within the specified number of minutes before the current time, retrieved from the LogRhythm server.
Following image displays a sample output:
Input parameters for the Get Host Details operation:
Parameter | Description |
---|---|
IP | IP address of the host whose details you want to retrieve from the LogRhythm server. |
The JSON output contains the details of the host retrieved from the LogRhythm server, based on the IP address you have specified.
Following image displays a sample output:
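The operations above are meant to be chained in a playbook: pull the alarms raised in the last N minutes, then update and comment on the ones that need attention, checking the returned Status before treating each update as done. The Python below is an added illustration of that flow; it is not the connector's code and does not talk to a LogRhythm server. The LogRhythmClient class is a hypothetical stand-in for the connector actions that returns constructed sample alarms, and the field names in SAMPLE_ALARMS are assumptions rather than the connector's real output schema. What carries over to a real playbook is the input handling: a positive lookback computed in UTC, the Maximum Alarms cap, the New/Open/Closed status set, and branching on failed updates instead of assuming success.

```python
"""Added illustration of the alarm-triage flow the connector operations support.

LogRhythmClient is a hypothetical stand-in for the connector actions
(get_alarms, update_alarm); it returns constructed data only.
"""
from datetime import datetime, timedelta, timezone

VALID_STATUSES = {"New", "Open", "Closed"}  # the values the Update Alarm action accepts
DEFAULT_MAX_ALARMS = 10                     # default of the Maximum Alarms parameter

# Constructed sample of what a "pull alarms" step might return. Field names are
# illustrative assumptions, not the connector's real output schema.
SAMPLE_ALARMS = [
    {"alarm_id": 1001, "status": "New",  "date_inserted": "2019-02-11T09:55:00Z", "rule": "Brute force login"},
    {"alarm_id": 1002, "status": "Open", "date_inserted": "2019-02-11T09:40:00Z", "rule": "Malware detected"},
    {"alarm_id": 1003, "status": "New",  "date_inserted": "2019-02-11T08:00:00Z", "rule": "Port scan"},
]

# Fixed "current time" so the example is reproducible offline.
FIXED_NOW = datetime(2019, 2, 11, 10, 0, tzinfo=timezone.utc)


def lookback_window(minutes, now=None):
    """Return (start, end) as timezone-aware UTC datetimes for a 'last N minutes' pull."""
    if not isinstance(minutes, int) or isinstance(minutes, bool) or minutes <= 0:
        raise ValueError("Minutes must be a positive integer")
    end = now or datetime.now(timezone.utc)
    if end.tzinfo is None:
        # A naive local timestamp silently shifts the window by the host's UTC offset.
        raise ValueError("now must be timezone-aware")
    return end - timedelta(minutes=minutes), end


class LogRhythmClient:
    """Hypothetical stand-in for the connector actions; serves constructed data."""

    def __init__(self, alarms):
        self._alarms = {a["alarm_id"]: dict(a) for a in alarms}
        self.comments = {}

    @staticmethod
    def _parse(ts):
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    def get_alarms(self, start, end, max_alarms=DEFAULT_MAX_ALARMS):
        """Alarms inserted within [start, end], newest first, capped like Maximum Alarms."""
        hits = [a for a in self._alarms.values() if start <= self._parse(a["date_inserted"]) <= end]
        hits.sort(key=lambda a: a["date_inserted"], reverse=True)
        return hits[:max_alarms]

    def update_alarm(self, alarm_id, status, comment=None):
        """Mimics the Update Alarm action: Status is Success only when the change was applied."""
        if status not in VALID_STATUSES:
            return {"Status": "Failure", "Message": "invalid status %r" % status}
        if alarm_id not in self._alarms:
            return {"Status": "Failure", "Message": "unknown alarm %s" % alarm_id}
        self._alarms[alarm_id]["status"] = status
        if comment:
            self.comments.setdefault(alarm_id, []).append(comment)
        return {"Status": "Success"}


def triage_recent_alarms(client, minutes, now=None, max_alarms=DEFAULT_MAX_ALARMS):
    """Pull alarms from the last N minutes and move every New one to Open with an audit comment.

    Mirrors the step order a playbook would use (get_alarms, then update_alarm per alarm)
    and returns the IDs updated and the IDs whose update failed, so a playbook can branch."""
    start, end = lookback_window(minutes, now)
    updated, failed = [], []
    for alarm in client.get_alarms(start, end, max_alarms):
        if alarm["status"] != "New":
            continue  # already being worked; do not clobber an analyst's status
        result = client.update_alarm(
            alarm["alarm_id"], "Open",
            comment="Auto-opened by FortiSOAR playbook at %s" % end.isoformat())
        (updated if result.get("Status") == "Success" else failed).append(alarm["alarm_id"])
    return {"updated": updated, "failed": failed}


if __name__ == "__main__":
    print(triage_recent_alarms(LogRhythmClient(SAMPLE_ALARMS), 30, now=FIXED_NOW))
```

With the constructed data and a 30-minute window ending at FIXED_NOW, only alarm 1001 falls inside the window and is still New, so it is the one opened and commented on; 1002 is skipped because an analyst already opened it, and 1003 is outside the window.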
The Sample - LogRhythm - 1.0.0 playbook collection comes bundled with the LogRhythm connector. Its playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.