LogRhythm delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.
This document provides information about the LogRhythm connector, which facilitates automated interactions with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks and perform automated investigative operations, such as retrieving alarm details and the alarm events associated with a specific alarm from the LogRhythm server.
Connector Version: 2.0.0
Authored By: Community
Certified: No
The following enhancements have been made to the LogRhythm Connector in version 2.0.0:
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-logrhythm
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the LogRhythm connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the LogRhythm server to which you will connect and perform the automated operations. |
Port | Port number of the LogRhythm server to which you will connect and perform the automated operations. |
Token | API token that you will use to access LogRhythm's REST API to perform the operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Hosts | Retrieves the details of a specific host or all hosts from the LogRhythm server, based on the Host ID. | get_hosts Investigation |
Get Hosts by Entities | Retrieves the details of a specific host from the LogRhythm server, based on the entity name you have specified. | get_hosts Investigation |
Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_details Investigation |
Get Alarm Events | Retrieves the details of an event associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_details Investigation |
Get Case List | Retrieves a list of all cases or a filtered list of cases from the LogRhythm server, based on the input parameters you have specified. Note: This action supports pagination. | case_summary Investigation |
Get Case | Retrieves the summary of a specific case from the LogRhythm server, based on the case ID you have specified. | case_summary Investigation |
Get Case Collaborators | Retrieves the owner and the list of collaborators associated with a specific case from the LogRhythm server, based on the case ID you have specified. | case_collaborators Investigation |
List Associated Cases | Retrieves a list of cases associated with a specific case from the LogRhythm server, based on the case ID you have specified. | associated_cases Investigation |
Get Case Metrics | Retrieves the metrics for a specified case from the LogRhythm server, based on the case ID you have specified. | case_metrics Investigation |
Get Evidence List | Retrieves a list of evidence summaries for a specified case from the LogRhythm server, based on the case ID and other input parameters you have specified. | case_evidence Investigation |
Get Evidence | Retrieves a summary of an item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. | case_evidence Investigation |
Get Evidence Progress | Retrieves the progress of a pending item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. For example, the progress of a file upload as a piece of evidence. | case_evidence Investigation |
Get User Event List | Retrieves the list of user events that are added as evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. | case_evidence Investigation |
Input parameters for the Get Hosts operation:
Parameter | Description |
---|---|
Host ID | ID of the host whose details you want to retrieve from LogRhythm. |
Limit Records | Maximum number of results that you want to retrieve from LogRhythm. |
Format Result | Select this checkbox to format the results that are retrieved from LogRhythm. |
The output contains the following populated JSON schema:
{
    "HostZone": "",
    "UseEventlogCredentials": "",
    "ThreatLevelComments": "",
    "ID": "",
    "Name": "",
    "OS": "",
    "RiskLevel": "",
    "EntityName": "",
    "ThreatLevel": "",
    "DateUpdated": "",
    "Location": "",
    "OSType": "",
    "EntityId": "",
    "Status": ""
}
Input parameters for the Get Hosts by Entities operation:
Parameter | Description |
---|---|
Entity Name | Name of the entity whose hosts details you want to retrieve from LogRhythm. |
Limit Records | (Optional) Maximum number of results that you want to retrieve from LogRhythm. |
Format Result | (Optional) Select this checkbox to format the results that are retrieved from LogRhythm. |
The output contains the following populated JSON schema:
{
    "HostZone": "",
    "UseEventlogCredentials": "",
    "ThreatLevelComments": "",
    "ID": "",
    "Name": "",
    "OS": "",
    "RiskLevel": "",
    "EntityName": "",
    "ThreatLevel": "",
    "DateUpdated": "",
    "Location": "",
    "OSType": "",
    "EntityId": "",
    "Status": ""
}
Input parameters for the Get Alarm Details operation:
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose details you want to retrieve from LogRhythm. |
The output contains the following populated JSON schema:
{
    "DrillDownResults": {
        "RetryCount": "",
        "NotificationSent": "",
        "Priority": "",
        "RuleBlocks": [
            {
                "RuleBlockID": "",
                "RuleBlockTypeID": "",
                "DrillDownLogs": "",
                "NormalMessageDateUpper": "",
                "AIECount": "",
                "DXCount": "",
                "DDSummaries": [
                    {
                        "DrillDownSummaryLogs": "",
                        "DefaultValue": "",
                        "PIFType": ""
                    }
                ],
                "NormalMessageDate": "",
                "NormalMessageDateLower": ""
            }
        ],
        "WebConsoleIds": [],
        "EventID": "",
        "AIERuleName": "",
        "AlarmID": "",
        "DateInserted": "",
        "AlarmGuid": "",
        "AIERuleID": "",
        "NormalMessageDate": "",
        "LastDxTimeStamp": "",
        "AIEMsgXml": "",
        "Status": ""
    },
    "DrillDownSummary": ""
}
Input parameters for the Get Alarm Events operation:
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose events you want to retrieve from LogRhythm. |
Count | (Optional) Maximum number of events associated with the specific alarm that you want to retrieve from LogRhythm. |
Fields to Include in Result | (Optional) Specify additional fields that you want to include in the alarm events retrieved from LogRhythm. |
Show Log Messages | Select this checkbox, i.e., set it to True, if you want to include log messages in the output. By default, this is set to "True". |
The output contains the following populated JSON schema:
{
    "Events": [
        {
            "logMessage": "",
            "messageTypeEnum": "",
            "session": "",
            "impactedHost": "",
            "impactedZoneName": "",
            "classificationTypeName": "",
            "threatId": "",
            "mpeRuleId": "",
            "threatName": "",
            "messageId": "",
            "entityId": "",
            "count": "",
            "normalDateMin": "",
            "originZone": "",
            "originEntityName": "",
            "rootEntityId": "",
            "ruleBlockNumber": "",
            "vendorMessageId": "",
            "keyField": "",
            "rootEntityName": "",
            "protocolName": "",
            "mpeRuleName": "",
            "originHost": "",
            "entityName": "",
            "normalDate": "",
            "originIp": "",
            "impactedEntityId": "",
            "originHostName": "",
            "commonEventId": "",
            "impactedEntityName": "",
            "subject": "",
            "portProtocol": "",
            "impactedHostName": "",
            "impactedIp": "",
            "logDate": "",
            "commonEventName": "",
            "sequenceNumber": "",
            "protocolId": "",
            "classificationName": "",
            "action": "",
            "normalMsgDateMax": "",
            "originZoneName": "",
            "severity": "",
            "directionName": "",
            "priority": "",
            "originEntityId": "",
            "classificationId": "",
            "direction": "",
            "originHostId": ""
        }
    ],
    "ID": ""
}
Input parameters for the Get Case List operation:
Parameter | Description |
---|---|
Offset | Specify an offset value to retrieve a subset of records starting at the offset value. Offset works together with Count (the limit), which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
Count | Maximum number of cases, per page, that you want to retrieve from LogRhythm. |
Order By | Sorts the returned results based on the specified field. |
Direction | Sort direction of the returned results: asc (ascending) or desc (descending). |
Updated After | Filter results that were updated after the specified datetime. The datetime must be an RFC 3339 formatted string. |
Updated Before | Filter results that were updated before the specified datetime. The datetime must be an RFC 3339 formatted string. |
Created After | Filter results that were created after the specified datetime. The datetime must be an RFC 3339 formatted string. |
Created Before | Filter results that were created before the specified datetime. The datetime must be an RFC 3339 formatted string. |
Due Before | Filter results that have a due date before the specified datetime. The datetime must be an RFC 3339 formatted string. |
Priority | Filter results that have a specific case priority. You can select one or more values from 1 to 5. |
Status Number | Filter results that have a specific case status. You can select one or more values from 1 to 5. |
Owner Number | Filter results that have a specific case owner, by specifying the case owner's number. |
Collaborator Number | Filter results that have a specific case collaborator, by specifying the case collaborator's number. |
Tag Number | Filter results that are tagged, by specifying the tag number. |
Text | Filter results that have a case number or name that contains the specified value. |
Evidence Type | Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file. |
Reference ID | Filter results that have evidence with the specified reference identifier. |
External ID | Filter results that have the specified unique, external identifier. |
Entity Number | Filter results that have the specified assigned entity number. |
The output contains a non-dictionary value.
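The Get Case List filters and the Offset/Count pagination above, worked through in code. This is an added example, not the connector's own code: the query-parameter names are assumed to be the camelCase forms of the parameter names in the table (offset, count, orderBy, updatedAfter, statusNumber, evidenceType, ...), multi-value filters are assumed to be comma-joined, and the page fetcher is injected so the paging logic runs offline against constructed sample cases.

```python
"""Validate Get Case List filters and page through the case list."""
from datetime import datetime
from typing import Callable, Dict, Iterable, Iterator, List, Optional

EVIDENCE_TYPES = {"alarm", "userEvent", "log", "note", "file"}  # values from the table
DIRECTIONS = {"asc", "desc"}


def is_rfc3339(value: str) -> bool:
    """True if value is an RFC 3339 date-time with a zone, e.g. 2023-05-01T10:15:00Z."""
    try:
        # fromisoformat accepts +hh:mm offsets; RFC 3339 also allows a trailing 'Z'.
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None  # a bare date or naive time is not RFC 3339


def build_case_list_query(
    offset: int = 0,
    count: int = 50,
    order_by: Optional[str] = None,
    direction: Optional[str] = None,
    updated_after: Optional[str] = None,
    created_after: Optional[str] = None,
    due_before: Optional[str] = None,
    priority: Iterable[int] = (),
    status_number: Iterable[int] = (),
    evidence_type: Optional[str] = None,
    text: Optional[str] = None,
) -> Dict[str, str]:
    """Return the query parameters for one page, rejecting values the table rules out.

    Checking here means a bad filter fails in the playbook step instead of
    producing an opaque error (or an unfiltered result) from the server.
    """
    if offset < 0 or count < 1:
        raise ValueError("offset must be >= 0 and count >= 1")
    query: Dict[str, str] = {"offset": str(offset), "count": str(count)}
    if order_by:
        query["orderBy"] = order_by
    if direction:
        if direction not in DIRECTIONS:
            raise ValueError("direction must be asc or desc")
        query["direction"] = direction
    for name, value in (("updatedAfter", updated_after),
                        ("createdAfter", created_after),
                        ("dueBefore", due_before)):
        if value is not None:
            if not is_rfc3339(value):
                raise ValueError(f"{name} must be an RFC 3339 date-time: {value!r}")
            query[name] = value
    for name, values in (("priority", priority), ("statusNumber", status_number)):
        chosen = sorted(set(values))
        if any(v not in range(1, 6) for v in chosen):
            raise ValueError(f"{name} values must be between 1 and 5")
        if chosen:
            query[name] = ",".join(str(v) for v in chosen)  # assumed encoding
    if evidence_type:
        if evidence_type not in EVIDENCE_TYPES:
            raise ValueError(f"evidenceType must be one of {sorted(EVIDENCE_TYPES)}")
        query["evidenceType"] = evidence_type
    if text:
        query["text"] = text
    return query


def iter_cases(fetch_page: Callable[[Dict[str, str]], List[dict]],
               page_size: int = 50, max_pages: int = 1000, **filters) -> Iterator[dict]:
    """Walk every page of a filtered case list using Offset and Count.

    fetch_page receives one page's query and returns that page's cases (the
    action's non-dictionary output is a list). A short page ends the walk;
    max_pages bounds the loop in case the server ignores the offset.
    """
    offset = 0
    for _ in range(max_pages):
        page = fetch_page(build_case_list_query(offset=offset, count=page_size, **filters))
        yield from page
        if len(page) < page_size:
            return
        offset += page_size
    raise RuntimeError("stopped after max_pages pages; server may not honour offset")


# Constructed sample cases standing in for a LogRhythm server (not real data).
SAMPLE_CASES = [{"number": n, "name": f"Case {n}", "priority": 1 + n % 5} for n in range(1, 6)]


def fake_fetch_page(query: Dict[str, str]) -> List[dict]:
    """Offline stand-in for the Get Case List call: honours offset and count only."""
    start = int(query["offset"])
    return SAMPLE_CASES[start:start + int(query["count"])]
```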
Input parameters for the Get Case operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose summary you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Input parameters for the Get Case Collaborators operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose owner and case collaborators you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Input parameters for the List Associated Cases operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose associated cases you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Input parameters for the Get Case Metrics operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose metrics details you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Input parameters for the Get Evidence List operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of evidence summaries you want to retrieve from LogRhythm. |
Type | (Optional) Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file. |
Status | (Optional) Filter results that have evidence of the specified status. You can choose from the following options: pending, completed, or failed. |
The output contains a non-dictionary value.
Input parameters for the Get Evidence operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose evidence item summary you want to retrieve from LogRhythm. |
Evidence ID | Unique, numeric identifier of the evidence item whose summary you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Input parameters for the Get Evidence Progress operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose pending evidence item's progress you want to retrieve from LogRhythm. For example, the progress of a file upload as a piece of evidence. |
Evidence ID | Unique, numeric identifier of the evidence item whose progress details you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Input parameters for the Get User Event List operation:
Parameter | Description |
---|---|
Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of user events added as evidence you want to retrieve from LogRhythm. |
Evidence ID | Unique, numeric identifier of the evidence whose list of user events you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
The Sample - LogRhythm - 2.0.0 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Smart Response Plugin (SRP) to invoke playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article; download this SRP and then follow the steps in this article to import and configure it.
The procedure to import and configure the SRP is as follows:
Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
On the "Action" screen, configure the necessary fields as defined in Step 4:
crhost – URL of the FortiSOAR™ server.
authapi – FortiSOAR™ URI defined for authentication: /auth/authenticate
playbookapi – FortiSOAR™ URI defined for playbooks; for the lrcreatealert trigger: /api/triggers/1/lrcreatealert
Ignoressl – TRUE/FALSE parameter to ignore the SSL certificate. By default, FortiSOAR™ is installed using a self-signed certificate; therefore, if you want LogRhythm to accept it, set this parameter to TRUE.
Username – Username used to log on to the FortiSOAR™ platform with the necessary privileges.
Password – Password used to log on to the FortiSOAR™ platform with the necessary privileges.
alarm id – The unique identifier of an alarm in LogRhythm.
The playbook reads the posted parameters into a variable named alert_input whose value is set as {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values". Now, all parameters that are passed from LogRhythm will be accessible using:
{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}
The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.
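The SRP-to-FortiSOAR hand-off described above, modelled end to end: the SRP action parameters, the authentication call, the trigger call carrying alarm id and p1..p5, and the api_body that the playbook exposes as alert_input. This is an added example and not the attached plugin's code; the FortiSOAR authentication body ({"credentials": {"loginid", "password"}} returning {"token"}) and the Bearer-token header on the trigger call are assumptions, and the hostnames and credentials are constructed.

```python
"""Model the SRP action: authenticate to FortiSOAR, then fire the playbook trigger."""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class SrpConfig:
    """The SRP action fields listed above (defaults are the URIs from the article)."""
    crhost: str
    authapi: str = "/auth/authenticate"
    playbookapi: str = "/api/triggers/1/lrcreatealert"
    ignoressl: bool = False
    username: str = ""
    password: str = ""


def auth_request(cfg: SrpConfig) -> Tuple[str, Dict[str, object]]:
    """URL and JSON body for the authentication call (body layout is assumed)."""
    url = cfg.crhost.rstrip("/") + cfg.authapi
    return url, {"credentials": {"loginid": cfg.username, "password": cfg.password}}


def trigger_request(cfg: SrpConfig, token: str, alarm_id, *params: str):
    """URL, headers and body for the playbook trigger call.

    The body keys are exactly what the playbook later reads back as
    alert_input.alarm_id and alert_input.p1 ... alert_input.p5.
    """
    if len(params) > 5:
        raise ValueError("the trigger accepts at most five extra parameters p1..p5")
    body = {"alarm_id": str(alarm_id)}
    body.update({f"p{i}": v for i, v in enumerate(params, start=1)})
    headers = {"Authorization": f"Bearer {token}",  # assumed auth scheme
               "Content-Type": "application/json"}
    return cfg.crhost.rstrip("/") + cfg.playbookapi, headers, body


def tls_context(cfg: SrpConfig) -> ssl.SSLContext:
    """Ignoressl=TRUE disables certificate and hostname checks for the self-signed
    FortiSOAR certificate. Installing a certificate LogRhythm trusts and keeping
    Ignoressl=FALSE avoids sending the FortiSOAR credentials to an unverified peer."""
    ctx = ssl.create_default_context()
    if cfg.ignoressl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def post_json(url: str, body: dict, headers: Dict[str, str], ctx: ssl.SSLContext) -> dict:
    """One HTTPS POST with a JSON body; only used when send_alarm is actually run."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


def playbook_alert_input(api_body: Dict[str, str]) -> Dict[str, str]:
    """What alert_input holds after {{vars.input.params['api_body']}} is assigned.

    Templates such as {{vars.alert_input.p1}} resolve against this dict, so a
    missing alarm_id means the SRP action fields were not filled in.
    """
    if "alarm_id" not in api_body:
        raise KeyError("api_body has no alarm_id; check the SRP action configuration")
    return dict(api_body)


def send_alarm(cfg: SrpConfig, alarm_id, *params: str) -> dict:
    """Full SRP action: authenticate, then invoke the trigger. Makes network calls."""
    ctx = tls_context(cfg)
    url, body = auth_request(cfg)
    token = post_json(url, body, {"Content-Type": "application/json"}, ctx)["token"]
    url, headers, body = trigger_request(cfg, token, alarm_id, *params)
    return post_json(url, body, headers, ctx)
```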
Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:
Following is a sample image of the alert created in FortiSOAR™:
FSR_SmartResponse_Automation_Plugin.tgz