About the connector
LogRhythm delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.
This document provides information about the LogRhythm connector, which facilitates automated interactions, with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving alarm details and alarm events associated with a specific alarm from the LogRhythm server, and updating alarms and adding comments to an alarm on the LogRhythm server.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.11.0-1161
LogRhythm Version Tested on: 7.3.3
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-logrhythm
For the detailed procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the LogRhythm API server to which you will connect and perform automated operations and credentials to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the LogRhythm connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
URL of the LogRhythm SOAP API server to which you will connect and perform automated operations. |
| Port |
Port number for connecting to the LogRhythm API server. |
| Username |
Username to access the LogRhythm API server to which you will connect and perform automated operations.
Note: The API user specified here must have necessary permissions to Create, Read, and Update Alarms on the LogRhythm API server. |
| Password |
Password to access the LogRhythm server to which you will connect and perform automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get an Alarm |
Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. |
get_alarm_details
Investigation |
| Update Alarm |
Updates a specific alarm on the LogRhythm server, based on the alarm ID and other input parameters you have specified. |
update_alarm
Investigation |
| Add Comment |
Adds a comment that you have specified to an alarm on the LogRhythm server, based on the alarm ID you have specified. |
update_alarm
Investigation |
| Get Alarm Events |
Retrieves the details of a events associated with an alarm from the LogRhythm server, based on the alarm ID you have specified. |
get_events
Investigation |
| Pull Alarms between specific dates |
Retrieves a list and details of all alarms for a specified time period from the LogRhythm server. |
get_alarms
Investigation |
| Pull alarms triggered in last N minutes |
Retrieves a list and details of all alarms that were triggered within the specified number of minutes from the LogRhythm server. |
get_alarms
Investigation |
| Get Host Details |
Retrieves the details of a specific host from the LogRhythm server, based on the IP address you have specified. |
get_hosts
Investigation |
operation: Get an Alarm
Input parameters
| Parameter |
Description |
| Alarm ID |
ID of the alarm whose details you want to retrieve from the LogRhythm server. |
Output
The JSON output contains the comments and details of the alarm retrieved from the LogRhythm server, based on the alarm ID you have specified.
Following image displays how comments are displayed in the output of the Get an Alarm operation:
Following image displays how alert details are displayed in the output of the Get an Alarm operation:
operation: Update Alarm
Input parameters
| Parameter |
Description |
| Alarm ID |
ID of the alarm whose details you want to update on the LogRhythm server. |
| Status |
Status that you want to update for the specified alarm on the LogRhythm server. You can choose from the following options, New, Open, or Closed. |
| Comment |
(Optional) Comment that you want to add to the specified alarm on the LogRhythm server. |
Output
The JSON output displays the Status as Success, if the specified alarm is successfully updated on the LogRhythm server.
Following image displays a sample output:
operation: Add Comment
Input parameters
| Parameter |
Description |
| Alarm ID |
ID of the alarm to which you want to add comments on the LogRhythm server. |
| Comment |
Comment that you want to add to the specified alarm on the LogRhythm server. |
Output
The JSON output displays the Status as Success, if the comment is sucessfully added to the specified alarm on the LogRhythm server.
Following image displays a sample output:
operation: Get Alarm Events
Input parameters
| Parameter |
Description |
| Alarm ID |
ID of the alarm whose associated events details you want to retrieve from the LogRhythm server. |
Output
The JSON output contains the list and details of alarms along with details of the associated event details retrieved from the LogRhythm server, based on the alarm ID you have specified.
Following image displays a sample output:
operation: Pull Alarms between specific dates
Input parameters
| Parameter |
Description |
| Start Date |
Start date from when you want to retrieve alarm details from the LogRhythm server. |
| End Date |
End date till when you want to retrieve alarm details from the LogRhythm server. |
| Maximum Alarms |
(Optional) Maximum number of results (alarms) that this operation should return.
By default this is set to 10. |
Output
The JSON output contains the list and details of all alarms for the specified time period, retrieved from the LogRhythm server.
Following image displays a sample output:
operation: Pull Alarms triggered in last N minutes
Input parameters
| Parameter |
Description |
| Minutes |
Minutes, before the current time, from when you want to retrieve the list and details of alarms that were triggered in the specified time period from the LogRhythm server.
For example, if you want the list and details of alarms that were triggered on the LogRhythm server, in the last 30 minutes, type 30 in this field. |
| Maximum Alarms |
(Optional) Maximum number of results (alarms) that this operation should return.
By default this is set to 10. |
Output
The JSON output contains the list and details of all alarms triggered in the specified minutes (before the current time) retrieved from the LogRhythm server.
Following image displays a sample output:
operation: Get Host Details
Input parameters
| Parameter |
Description |
| IP |
IP address of the host whose details you want to retrieve from the LogRhythm server. |
Output
The JSON output contains the details of the host retrieved from the LogRhythm server, based on the IP address you have specified.
Following image displays a sample output:
Included playbooks
The Sample - LogRhythm - 1.0.0 playbook collection comes bundled with the LogRhythm connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.
- Add Comment
- Get Alarm Events
- Get an Alarm
- Get Host Details
- Pull Alarms between specific dates
- Pull Alarms triggered in last N minutes
- Update Alarm
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
