
LogRhythm v2.0.0

About the connector

LogRhythm delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

This document provides information about the LogRhythm connector, which facilitates automated interactions with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks and perform automated investigative operations, such as retrieving alarm details and the alarm events associated with a specific alarm from the LogRhythm server.

Version information

Connector Version: 2.0.0

Authored By: Community

Certified: No

Release Notes for version 2.0.0

Following enhancements have been made to the LogRhythm Connector in version 2.0.0:

  • LogRhythm Connector v2.0.0 is built on LogRhythm's REST APIs, whereas version 1.0.0 was built on the SOAP APIs. Therefore, all the actions in version 2.0.0 are based on REST APIs.
  • Introduced the Smart Response Plugin (SRP) that invokes playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. For more information on SRP and how to configure and use SRP, see the FSR-LogRhythm Smart Response Plugin section.

Installing the connector

From FortiSOAR™ version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, see the FortiSOAR™ documentation.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-logrhythm

Prerequisites to configuring the connector

  • You must have the URL of the LogRhythm server to which you will connect and perform automated operations.
  • You must have the API token that you will use to access LogRhythm's REST API to perform the operations. All actions in this connector are read-only (Get and List operations), so generate the token for a LogRhythm user that has only the read permissions these operations need.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, see the FortiSOAR™ documentation.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the LogRhythm connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL of the LogRhythm server to which you will connect and perform the automated operations.
Port Port number of the LogRhythm server to which you will connect and perform the automated operations.
Token API token that you will use to access LogRhythm's REST API to perform the operations. The token is sent with every request, so treat it as a credential.
Verify SSL Specifies whether the SSL certificate of the LogRhythm server is to be verified.
By default, this option is set to True. Set it to False only for lab instances that use self-signed certificates; with verification off, the API token can be captured by anyone who can intercept the connection between FortiSOAR™ and LogRhythm.

Actions supported by the connector

The following automated operations can be included in playbooks, and from FortiSOAR™ version 4.10.0 onwards you can also use the annotations to access the operations:

Function Description Annotation and Category
Get Hosts Retrieves the details of a specific host or all hosts from the LogRhythm server, based on the Host ID. get_hosts
Investigation
Get Hosts by Entities Retrieves the details of the hosts that belong to the entity whose name you have specified from the LogRhythm server. get_hosts
Investigation
Get Alarm Details Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. get_alarm_details
Investigation
Get Alarm Events Retrieves the events associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. get_alarm_details
Investigation
Get Case List Retrieves a list of all cases or a filtered list of cases from the LogRhythm server, based on the input parameters you have specified.
Note: This action supports pagination.
case_summary
Investigation
Get Case Retrieves the summary of a specific case from the LogRhythm server, based on the case ID you have specified. case_summary
Investigation
Get Case Collaborators Retrieves the owner and the list of collaborators associated with a specific case from the LogRhythm server, based on the case ID you have specified. case_collaborators
Investigation
List Associated Cases Retrieves a list of cases associated with a specific case from the LogRhythm server, based on the case ID you have specified. associated_cases
Investigation
Get Case Metrics Retrieves the metrics for a specified case from the LogRhythm server, based on the case ID you have specified. case_metrics
Investigation
Get Evidence list Retrieves a list of evidence summaries for a specified case from the LogRhythm server, based on the case ID and other input parameters you have specified. case_evidence
Investigation
Get Evidence Retrieves a summary of an item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. case_evidence
Investigation
Get Evidence Progress Retrieves the progress of a pending item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. For example, the progress of a file upload as a piece of evidence. case_evidence
Investigation
Get User Event List Retrieves the list of user events that are added as evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. case_evidence
Investigation

operation: Get Hosts

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Host ID ID of the host whose details you want to retrieve from LogRhythm.
Limit Records Maximum number of results that you want to retrieve from LogRhythm.
Format Result Select this checkbox to format the results that are retrieved from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}

operation: Get Hosts by Entities

Input parameters

Parameter Description
Entity Name Name of the entity whose hosts details you want to retrieve from LogRhythm.
Limit Records (Optional) Maximum number of results that you want to retrieve from LogRhythm.
Format Result (Optional) Select this checkbox to format the results that are retrieved from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}

operation: Get Alarm Details

Input parameters

Parameter Description
Alarm ID ID of the alarm whose details you want to retrieve from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"DrillDownResults": {
"RetryCount": "",
"NotificationSent": "",
"Priority": "",
"RuleBlocks": [
{
"RuleBlockID": "",
"RuleBlockTypeID": "",
"DrillDownLogs": "",
"NormalMessageDateUpper": "",
"AIECount": "",
"DXCount": "",
"DDSummaries": [
{
"DrillDownSummaryLogs": "",
"DefaultValue": "",
"PIFType": ""
}
],
"NormalMessageDate": "",
"NormalMessageDateLower": ""
}
],
"WebConsoleIds": [],
"EventID": "",
"AIERuleName": "",
"AlarmID": "",
"DateInserted": "",
"AlarmGuid": "",
"AIERuleID": "",
"NormalMessageDate": "",
"LastDxTimeStamp": "",
"AIEMsgXml": "",
"Status": ""
},
"DrillDownSummary": ""
}

operation: Get Alarm Events

Input parameters

Parameter Description
Alarm ID ID of the alarm whose events you want to retrieve from LogRhythm.
Count (Optional) Maximum number of events associated with specific alarm that you want to retrieve from LogRhythm.
Fields to Include in Result (Optional) Specify additional fields that you want to include in the alarm events retrieved from LogRhythm.
Show Log Messages Select this checkbox (set it to True) to include the raw log messages in the output. By default, this is set to True.

Output

The output contains the following populated JSON schema:
{
"Events": [
{
"logMessage": "",
"messageTypeEnum": "",
"session": "",
"impactedHost": "",
"impactedZoneName": "",
"classificationTypeName": "",
"threatId": "",
"mpeRuleId": "",
"threatName": "",
"messageId": "",
"entityId": "",
"count": "",
"normalDateMin": "",
"originZone": "",
"originEntityName": "",
"rootEntityId": "",
"ruleBlockNumber": "",
"vendorMessageId": "",
"keyField": "",
"rootEntityName": "",
"protocolName": "",
"mpeRuleName": "",
"originHost": "",
"entityName": "",
"normalDate": "",
"originIp": "",
"impactedEntityId": "",
"originHostName": "",
"commonEventId": "",
"impactedEntityName": "",
"subject": "",
"portProtocol": "",
"impactedHostName": "",
"impactedIp": "",
"logDate": "",
"commonEventName": "",
"sequenceNumber": "",
"protocolId": "",
"classificationName": "",
"action": "",
"normalMsgDateMax": "",
"originZoneName": "",
"severity": "",
"directionName": "",
"priority": "",
"originEntityId": "",
"classificationId": "",
"direction": "",
"originHostId": ""
}
],
"ID": ""
}
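The Events array above is what a playbook usually consumes next, for example to enrich or block the origin of the "DoS" alarm. The following is an added example, not code from the connector, showing how to post-process that output into a deduplicated indicator set. The field names (originIp, impactedHostName, commonEventName, priority, ID) are taken from the output schema; the sample output, the priority threshold and the internal-range list are constructed assumptions.

```python
"""Added example (not connector code): post-process the Get Alarm Events
output into indicators for an enrichment or blocking step. Field names are the
ones in the output schema above; the sample output is constructed."""
import ipaddress
from typing import Dict, Optional

# Constructed sample of the connector's Get Alarm Events output (not real data).
SAMPLE_OUTPUT = {
    "ID": 4711,
    "Events": [
        {"originIp": "203.0.113.9", "originHostName": "", "impactedIp": "10.1.2.3",
         "impactedHostName": "web01", "commonEventName": "Network Denial of Service",
         "classificationName": "Denial Of Service", "priority": 85, "severity": "High"},
        {"originIp": "10.1.2.200", "originHostName": "jump01", "impactedIp": "10.1.2.3",
         "impactedHostName": "web01", "commonEventName": "Port Scan",
         "classificationName": "Reconnaissance", "priority": 40, "severity": "Medium"},
        # Duplicate origin, and priority delivered as a string rather than an int.
        {"originIp": "203.0.113.9", "originHostName": "", "impactedIp": "10.1.2.3",
         "impactedHostName": "web01", "commonEventName": "Network Denial of Service",
         "classificationName": "Denial Of Service", "priority": "90", "severity": "High"},
        # Malformed origin: must never leak into a block list.
        {"originIp": "not-an-ip", "originHostName": "", "impactedIp": "10.1.2.4",
         "impactedHostName": "web02", "commonEventName": "Network Denial of Service",
         "classificationName": "Denial Of Service", "priority": 95, "severity": "High"},
    ],
}

# Assumption: these ranges are internal and must never reach a perimeter block
# list; they are reported separately for internal triage instead.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def parse_ip(value: Optional[str]):
    """Return an ip_address object, or None for an empty or malformed value."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_internal(addr) -> bool:
    # Membership across IP versions is simply False, so mixed lists are safe.
    return any(addr in net for net in INTERNAL_RANGES)


def extract_indicators(alarm_events: dict, min_priority: int = 50) -> Dict[str, object]:
    """Deduplicate the origin IPs, impacted hosts and event names of all events
    at or above min_priority. External origins become block candidates; internal
    origins are listed separately. Priority may arrive as an int or a string."""
    external, internal, impacted, names = set(), set(), set(), set()
    for ev in alarm_events.get("Events") or []:
        try:
            priority = int(ev.get("priority") or 0)
        except (TypeError, ValueError):
            continue
        if priority < min_priority:
            continue
        addr = parse_ip(ev.get("originIp"))
        if addr is not None:
            (internal if is_internal(addr) else external).add(str(addr))
        if ev.get("impactedHostName"):
            impacted.add(ev["impactedHostName"])
        if ev.get("commonEventName"):
            names.add(ev["commonEventName"])
    return {
        "alarm_id": alarm_events.get("ID"),
        "block_candidates": sorted(external),
        "internal_origins": sorted(internal),
        "impacted_hosts": sorted(impacted),
        "event_names": sorted(names),
    }


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_OUTPUT))
```

Two design points: the priority threshold is applied before anything is collected, so low-priority noise in the same alarm does not widen the block list, and a malformed originIp drops only the address, not the rest of the event, so the impacted host is still recorded for the investigator.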

operation: Get Case List

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Offset Specify an offset value to retrieve a subset of records starting at that position. Offset works together with Count, which determines how many records to retrieve starting from the offset; to page through all cases, keep Count fixed and increase Offset by Count on every call until a page comes back with fewer records than Count.

By default, this is set to 0.

Count Maximum number of cases, per page, that you want to retrieve from LogRhythm.
Order By Sorts the returned results based on the specified field.
Direction Sorts the order of the returned result, choose between asc (ascending) or desc (descending).
Updated After Filter results that were updated after the specified datetime. The datetime must be an RFC 3339 formatted string.
Updated Before Filter results that were updated before the specified datetime. The datetime must be an RFC 3339 formatted string.
Created After Filter results that were created after the specified datetime. The datetime must be an RFC 3339 formatted string.
Created Before Filter results that were created before the specified datetime. The datetime must be an RFC 3339 formatted string.
Due Before Filter results that have a due date before the specified datetime. The datetime must be an RFC 3339 formatted string.
Priority Filter results that have a specific case priority. You can select one or more values from 1 to 5.
Status Number Filter results that have a specific case status. You can select one or more values from 1 to 5.
Owner Number Filter results that have a specific case owner, by specifying the case owner's number.
Collaborator Number Filter results that have a specific case collaborator, by specifying the case collaborator's number.
Tag Number Filter results that are tagged, by specifying the tag number.
Text Filter results that have a case number or name that contains the specified value.
Evidence Type Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file.
Reference ID Filter results that have evidence with the specified reference identifier.
External ID Filter results that have the specified unique, external identifier.
Entity Number Filter results that have the specified assigned entity number.

Output

The output contains a non-dictionary value.
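The Offset and Count parameters and the RFC 3339 datetime filters above are the parts of this action that playbooks most often get wrong. The following is an added example, not part of the connector, that walks the full case list page by page and rejects malformed datetime filters before the first request is made. fetch_page is a stand-in for the connector call (it assumes the server applies offset, count, updatedAfter and priority exactly as the parameter table describes); the case data is constructed.

```python
"""Added example (not connector code): walking Get Case List with Offset and
Count, and rejecting filter timestamps that are not RFC 3339. fetch_page is a
stand-in for the connector call; the case data is constructed."""
import re
from datetime import datetime
from typing import Callable, Dict, Iterator, List

# Constructed stand-in for the LogRhythm case store (23 cases, not real data).
SAMPLE_CASES = [
    {"number": n, "name": f"Case {n}", "priority": 1 + n % 5,
     "dateUpdated": f"2023-05-{(n % 28) + 1:02d}T10:00:00Z"}
    for n in range(1, 24)
]

DATE_FILTERS = ("updatedAfter", "updatedBefore", "createdAfter",
                "createdBefore", "dueBefore")
_RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}[Tt]\d{2}:\d{2}:\d{2}(\.\d+)?([Zz]|[+-]\d{2}:\d{2})$")


def parse_rfc3339(value: str) -> datetime:
    """Accept only a full RFC 3339 timestamp with a zone designator; a bare
    date or a locale format would otherwise be rejected (or worse, misread)
    by the server after the request has already been sent."""
    if not isinstance(value, str) or not _RFC3339.match(value):
        raise ValueError(f"not an RFC 3339 datetime: {value!r}")
    return datetime.fromisoformat(value.upper().replace("Z", "+00:00"))


def fetch_page(params: Dict[str, str]) -> List[dict]:
    """Stand-in for the connector's Get Case List call. Assumption: the server
    applies offset, count, updatedAfter and priority as the table describes."""
    cases = SAMPLE_CASES
    if "updatedAfter" in params:
        after = parse_rfc3339(params["updatedAfter"])
        cases = [c for c in cases if parse_rfc3339(c["dateUpdated"]) > after]
    if "priority" in params:
        wanted = {int(p) for p in params["priority"].split(",")}
        cases = [c for c in cases if c["priority"] in wanted]
    offset, count = int(params.get("offset", 0)), int(params["count"])
    return cases[offset:offset + count]


def iter_cases(fetch: Callable[[Dict[str, str]], List[dict]],
               count: int = 5, **filters: str) -> Iterator[dict]:
    """Yield every matching case: keep the filters fixed, advance offset by
    count, and stop at the first short page (an empty page counts as short)."""
    if count < 1:
        raise ValueError("count must be at least 1")
    for key in DATE_FILTERS:
        if key in filters:
            parse_rfc3339(filters[key])  # fail before the first request
    offset = 0
    while True:
        page = fetch({"offset": str(offset), "count": str(count), **filters})
        yield from page
        if len(page) < count:
            return
        offset += count


if __name__ == "__main__":
    for case in iter_cases(fetch_page, count=5, updatedAfter="2023-05-20T23:59:59Z"):
        print(case["number"], case["name"])
```

Keeping the filters identical across pages matters: changing a filter mid-walk shifts the offsets and silently skips or repeats cases. The priority filter is passed as a comma-separated string here only because the stand-in needs some encoding; in a playbook, use the multi-select field the action provides.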

operation: Get Case

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose summary you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Case Collaborators

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose owner and case collaborators you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: List Associated Cases

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose associated cases you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Case Metrics

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose metrics details you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Evidence list

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of evidence summaries you want to retrieve from LogRhythm.
Type (Optional) Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file.
Status (Optional) Filter results that have evidence of the specified status. You can choose from the following options: pending, completed, or failed.

Output

The output contains a non-dictionary value.

operation: Get Evidence

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose evidence item summary you want to retrieve from LogRhythm.
Evidence ID Unique, numeric identifier of the evidence item whose summary you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Evidence Progress

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose pending evidence item's progress you want to retrieve from LogRhythm. For example, the progress of a file upload as a piece of evidence.
Evidence ID Unique, numeric identifier of the evidence item whose progress details you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get User Event List

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of user events that have been added as evidence, you want to retrieve from LogRhythm.
Evidence ID Unique, numeric identifier of the evidence whose list of user events you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - LogRhythm - 2.0.0 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps that perform each supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.

  • Create LogRhythm Alert (This is the playbook that creates alert in FortiSOAR™ from LogRhythm)
  • Get Alarm Details
  • Get Alarm Events
  • Get Case
  • Get Case Collaborators
  • Get Case List
  • Get Case Metrics
  • Get Evidence
  • Get Evidence List
  • Get Evidence Progress
  • Get Hosts
  • Get Hosts by Entities
  • Get User Event List
  • List Associated Cases

Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

FSR-LogRhythm Smart Response Plugin

Use the Smart Response Plugin (SRP) to invoke playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article; download this SRP and then follow the steps below to import and configure it.

Following is the procedure on how to import and configure the SRP:

  1. Ensure that the LogRhythm server can connect to the FortiSOAR™ HTTPS server using port 443. You can check the connectivity by browsing the FortiSOAR™ UI from the LogRhythm server's browser.
  2. Import the LPI file of the SRP into the LogRhythm Client Console by opening the Smart Response Plugin Manager located at Client Console > Deployment Manager > Tools > Administration > Smart Response Plugin Manager. On the Smart Response Plugin Manager screen, click Actions > Import > Choose LPI and then choose the SRP's LPI file.
     The SRP is now ready to trigger the required playbooks in FortiSOAR™.
  3. Trigger playbooks from LogRhythm using either of the following two methods:
    1. Using an AIE Alarm:
      When an alarm is triggered in LogRhythm, for example, Malware, DoS Attack, Port Scan, etc., and the team needs to invoke a playbook to complete some actions automatically, open the Client Console and configure the rule to trigger the playbook as follows:

      Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
      On the "Action" screen, configure the fields described in Step 4.

    2. Using the LogRhythm Web UI:
      Analysts can trigger a playbook on demand from the LogRhythm Web UI.
      Open Web Console > Select the corresponding log to action > Inspector Tab > Smart Response Plugin.
  4. Configure the following parameters in the SRP:
    • crhost – URL of the FortiSOAR™ server.
      Must use https and must not end with a '/'. For example, https://fortisoarhost.
    • authapi – FortiSOAR™ URI used for authentication.
      Example value: /auth/authenticate
    • playbookapi – FortiSOAR™ URI of the playbook's custom API endpoint.
      You define the URI when you create the playbook:
      Select Custom API Endpoint as the "Trigger Step".
      In the Route field, enter lrcreatealert.

      The URI in the above sample is: /api/triggers/1/lrcreatealert
    • Ignoressl – TRUE/FALSE parameter that controls whether the FortiSOAR™ SSL certificate is validated. By default, FortiSOAR™ is installed with a self-signed certificate, so LogRhythm will reject it unless you set this parameter to TRUE. Note that with Ignoressl set to TRUE, the FortiSOAR™ username and password are sent to whatever answers at crhost without any certificate check; for production deployments, install a certificate that LogRhythm trusts and leave this parameter set to FALSE.
    • Username – Username used to log on to the FortiSOAR™ platform with the necessary privileges. Use a dedicated account that has only the rights needed to invoke the playbook, since these credentials are stored in the SRP configuration.
    • Password – Password of that FortiSOAR™ user.
    • alarm id – The unique identifier of an alarm in LogRhythm.
      Always choose "Alarm field – Alarm ID" in LogRhythm when invoking the FortiSOAR™ API.
    • Optional parameters (1-5) – Values that you want to pass from LogRhythm to FortiSOAR™ when an alarm is triggered. The SRP supports up to 5 parameters to be passed to FortiSOAR™ for running playbooks for an alarm.
      For example, when LogRhythm raises a "DoS" alarm, the alarm contains the origin "Host", which should be passed to FortiSOAR™ for further investigation and/or for blocking the IP in the network firewall. Therefore, in LogRhythm, pass the origin host as one of these parameters.
  5. Once you have configured the values in the SRP, you can start receiving the values from LogRhythm:
    1. In the Custom API Endpoint Trigger step, add a variable named alert_input whose value is set to {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values".
      For more information on "Dynamic Values", see the FortiSOAR™ product documentation.
    2. For easy usage, it is recommended that you add "Set Variable" as the next step and save the playbook.

Now, all parameters that are passed from LogRhythm will be accessible using:

{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}
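The procedure above describes both ends of the SRP handshake: the plugin authenticates against authapi, posts the alarm ID and up to five parameters to playbookapi, and the playbook reads them back from alert_input. The following is an added example, not the plugin's or FortiSOAR™'s own code, that implements both halves in Python with the standard library so the rules can be checked offline. It assumes (none of this is stated on the page) that /auth/authenticate accepts a JSON body of the form {"credentials": {"loginid": ..., "password": ...}} and returns {"token": ...}, that the token is sent as an Authorization: Bearer header, and that the SRP's JSON body uses the key names alarm_id and p1 to p5 that the Jinja accessors above expose.

```python
"""Added example (not SRP or FortiSOAR code): both halves of the SRP handshake.

Assumptions not taken from the page: the FortiSOAR authentication endpoint
accepts {"credentials": {"loginid": ..., "password": ...}} and returns
{"token": ...}; the token goes in an Authorization: Bearer header; and the SRP
posts a JSON body whose keys match the vars.alert_input names (alarm_id, p1-p5).
"""
import json
import ssl
from typing import Dict, Optional
from urllib import request
from urllib.parse import urlparse

OPTIONAL_KEYS = ("p1", "p2", "p3", "p4", "p5")


def validate_crhost(crhost: str) -> str:
    """Enforce the crhost rules from the SRP parameters: https, bare host, no
    trailing '/', so that base + authapi never produces a doubled slash."""
    parsed = urlparse(crhost)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("crhost must be an https URL such as https://fortisoarhost")
    if parsed.path or parsed.query or parsed.fragment or crhost.endswith("/"):
        raise ValueError("crhost must be the bare host URL with no trailing slash")
    return crhost


def build_trigger_body(alarm_id, *optional: str) -> Dict[str, str]:
    """Body the SRP posts to playbookapi: the alarm ID plus up to five values.
    LogRhythm alarm fields arrive as strings, so everything is sent as text."""
    if len(optional) > len(OPTIONAL_KEYS):
        raise ValueError("the SRP supports at most 5 optional parameters")
    body = {"alarm_id": str(int(alarm_id))}
    body.update(zip(OPTIONAL_KEYS, optional))
    return body


def ssl_context(ignoressl: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Ignoressl=TRUE disables all certificate checks for the credential
    exchange; pointing cafile at the FortiSOAR certificate keeps them on."""
    if ignoressl:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=cafile)


def trigger_playbook(crhost: str, authapi: str, playbookapi: str, username: str,
                     password: str, body: Dict[str, str], ignoressl: bool = False,
                     cafile: Optional[str] = None) -> dict:
    """SRP side: authenticate, then invoke the custom API endpoint (network call)."""
    base = validate_crhost(crhost)
    ctx = ssl_context(ignoressl, cafile)
    creds = json.dumps({"credentials": {"loginid": username, "password": password}})
    auth = request.Request(base + authapi, method="POST", data=creds.encode(),
                           headers={"Content-Type": "application/json"})
    with request.urlopen(auth, context=ctx, timeout=30) as resp:
        token = json.load(resp)["token"]
    call = request.Request(base + playbookapi, method="POST",
                           data=json.dumps(body).encode(),
                           headers={"Content-Type": "application/json",
                                    "Authorization": f"Bearer {token}"})
    with request.urlopen(call, context=ctx, timeout=30) as resp:
        return json.load(resp)


def parse_alert_input(api_body) -> Dict[str, object]:
    """FortiSOAR side: what alert_input should hold after the Set Variable step.
    alarm_id is coerced to an int (it is the key for Get Alarm Details) and any
    absent pN becomes None so later steps can test for it safely."""
    data = json.loads(api_body) if isinstance(api_body, str) else dict(api_body)
    try:
        alarm_id = int(data["alarm_id"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("api_body must carry a numeric alarm_id") from None
    return {"alarm_id": alarm_id, **{k: data.get(k) for k in OPTIONAL_KEYS}}


if __name__ == "__main__":
    # Round trip without a network: what the SRP sends and what the playbook sees.
    sent = build_trigger_body(4711, "203.0.113.9", "Port Scan")
    print(sent, parse_alert_input(json.dumps(sent)))
```

The parser is where the caveat from the Ignoressl parameter shows up in practice: anything that can reach the playbook's custom API endpoint with valid FortiSOAR™ credentials can post an arbitrary alarm_id and p1 to p5, so the playbook should coerce and validate them before using p1 as a host to block or alarm_id as an input to Get Alarm Details.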

The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.

Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:

Following is a sample image of the alert created in FortiSOAR™:

FSR_SmartResponse_Automation_Plugin.tgz

Previous
Next

About the connector

LogRhythm delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

This document provides information about the LogRhythm connector, which facilitates automated interactions, with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks and perform automated investigative operations, such as retrieving alarm details and alarm events associated with a specific alarm from the LogRhythm server.

Version information

Connector Version: 2.0.0

Authored By: Community

Certified: No

Release Notes for version 2.0.0

Following enhancements have been made to the LogRhythm Connector in version 2.0.0:

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-logrhythm

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the LogRhythm connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL of the LogRhythm server to which you will connect and perform the automated operations.
Port Port number of the LogRhythm server to which you will connect and perform the automated operations.
Token API token that you will use to access the LogRhythm's REST API to perform the operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Hosts Retrieves the details of a specific host or all hosts from the LogRhythm server, based on the Host ID. get_hosts
Investigation
Get Hosts by Entities Retrieves the details of a specific host from the LogRhythm server, based on the entity name you have specified. get_hosts
Investigation
Get Alarm Details Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. get_alarm_details
Investigation
Get Alarm Events Retrieves the details of an event associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. get_alarm_details
Investigation
Get Case List Retrieves a list of all cases or a filtered list of cases from the LogRhythm server, based on the input parameters you have specified.
Note: This action supports pagination.
case_summary
Investigation
Get Case Retrieves the summary of a specific case from the LogRhythm server, based on the case ID you have specified. case_summary
Investigation
Get Case Collaborators Retrieves the owner and the list of collaborators associated with a specific case from the LogRhythm server, based on the case ID you have specified. case_collaborators
Investigation
List Associated Cases Retrieves a list of cases associated with a specific case from the LogRhythm server, based on the case ID you have specified. associated_cases
Investigation
Get Case Metrics Retrieves the metrics for a specified case from the LogRhythm server, based on the case ID you have specified. case_metrics
Investigation
Get Evidence list Retrieves a list of evidence summaries for a specified case from the LogRhythm server, based on the case ID and other input parameters you have specified. case_evidence
Investigation
Get Evidence Retrieves a summary of an item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. case_evidence
Investigation
Get Evidence Progress Retrieves the progress of a pending item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. For example, the progress of a file upload as a piece of evidence. case_evidence
Investigation
Get User Event List Retrieves the list of user events that are added as evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. case_evidence
Investigation

operation: Get Hosts

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Host ID ID of the host whose details you want to retrieve from LogRhythm.
Limit Records Maximum number of results that you want to retrieve from LogRhythm.
Format Result Select this checkbox to format the results that are retrieved from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}

operation: Get Hosts by Entities

Input parameters

Parameter Description
Entity Name Name of the entity whose hosts details you want to retrieve from LogRhythm.
Limit Records (Optional) Maximum number of results that you want to retrieve from LogRhythm.
Format Result (Optional) Select this checkbox to format the results that are retrieved from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}

operation: Get Alarm Details

Input parameters

Parameter Description
Alarm ID ID of the alarm whose details you want to retrieve from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"DrillDownResults": {
"RetryCount": "",
"NotificationSent": "",
"Priority": "",
"RuleBlocks": [
{
"RuleBlockID": "",
"RuleBlockTypeID": "",
"DrillDownLogs": "",
"NormalMessageDateUpper": "",
"AIECount": "",
"DXCount": "",
"DDSummaries": [
{
"DrillDownSummaryLogs": "",
"DefaultValue": "",
"PIFType": ""
}
],
"NormalMessageDate": "",
"NormalMessageDateLower": ""
}
],
"WebConsoleIds": [],
"EventID": "",
"AIERuleName": "",
"AlarmID": "",
"DateInserted": "",
"AlarmGuid": "",
"AIERuleID": "",
"NormalMessageDate": "",
"LastDxTimeStamp": "",
"AIEMsgXml": "",
"Status": ""
},
"DrillDownSummary": ""
}

operation: Get Alarm Events

Input parameters

Parameter Description
Alarm ID ID of the alarm whose events you want to retrieve from LogRhythm.
Count (Optional) Maximum number of events associated with specific alarm that you want to retrieve from LogRhythm.
Fields to Include in Result (Optional) Specify additional fields that you want to include in the alarm events retrieved from LogRhythm.
Show Log Messages Select this checkbox, i.e., set it to True if you want to include log messages in the output. By default, this is set to "True".

Output

The output contains the following populated JSON schema:
{
"Events": [
{
"logMessage": "",
"messageTypeEnum": "",
"session": "",
"impactedHost": "",
"impactedZoneName": "",
"classificationTypeName": "",
"threatId": "",
"mpeRuleId": "",
"threatName": "",
"messageId": "",
"entityId": "",
"count": "",
"normalDateMin": "",
"originZone": "",
"originEntityName": "",
"rootEntityId": "",
"ruleBlockNumber": "",
"vendorMessageId": "",
"keyField": "",
"rootEntityName": "",
"protocolName": "",
"mpeRuleName": "",
"originHost": "",
"entityName": "",
"normalDate": "",
"originIp": "",
"impactedEntityId": "",
"originHostName": "",
"commonEventId": "",
"impactedEntityName": "",
"subject": "",
"portProtocol": "",
"impactedHostName": "",
"impactedIp": "",
"logDate": "",
"commonEventName": "",
"sequenceNumber": "",
"protocolId": "",
"classificationName": "",
"action": "",
"normalMsgDateMax": "",
"originZoneName": "",
"severity": "",
"directionName": "",
"priority": "",
"originEntityId": "",
"classificationId": "",
"direction": "",
"originHostId": ""
}
],
"ID": ""
}

operation: Get Case List

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Offset Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset.

By default, this is set to 0.

Count Maximum number of cases, per page, that you want to retrieve from LogRhythm.
Order By Sorts the returned results based on the specified field.
Direction Sorts the order of the returned result, choose between asc (ascending) or desc (descending).
Updated After Filter results that were updated after the specified datetime. The datetime must be an RFC 3339 formatted string.
Updated Before Filter results that were updated before the specified datetime. The datetime must be an RFC 3339 formatted string.
Created After Filter results that were created after the specified datetime. The datetime must be an RFC 3339 formatted string.
Created Before Filter results that were created before the specified datetime. The datetime must be an RFC 3339 formatted string.
Due Before Filter results that have a due date before the specified datetime. The datetime must be an RFC 3339 formatted string.
Priority Filter results that have a specific case priority. You can choose from multiple numbers from 1 to 5.
Status Number Filter results that have a specific case status. You can choose from multiple numbers from 1 to 5.
Owner Number Filter results that have a specific case owner, by specifying the case owner's number.
Collaborator Number Filter results that have a specific case collaborator, by specifying the case collaborator's number.
Tag Number Filter results that are tagged, by specifying the tag number.
Text Filter results that have a case number or name that contains the specified value.
Evidence Type Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file.
Reference ID Filter results that have evidence with the specified reference identifier.
External ID Filter results that have the specified unique, external identifier.
Entity Number Filter results that have the specified assigned entity number.

Output

The output contains a non-dictionary value.

operation: Get Case

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose summary you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Case Collaborators

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose owner and case collaborators you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: List Associated Cases

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose associated cases you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Case Metrics

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose metrics details you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Evidence List

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of evidence summaries you want to retrieve from LogRhythm.
Type (Optional) Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file.
Status (Optional) Filter results that have evidence of the specified status. You can choose from the following options: pending, completed, or failed.

Output

The output contains a non-dictionary value.

operation: Get Evidence

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose evidence item summary you want to retrieve from LogRhythm.
Evidence ID Unique, numeric identifier of the evidence item whose summary you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Evidence Progress

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose pending evidence item's progress you want to retrieve from LogRhythm. For example, the progress of a file upload as a piece of evidence.
Evidence ID Unique, numeric identifier of the evidence item whose progress details you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get User Event List

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of user events (added as evidence) you want to retrieve from LogRhythm.
Evidence ID Unique, numeric identifier of the evidence whose list of user events you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - LogRhythm - 2.0.0 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps with which you can perform all supported actions. After you import the LogRhythm connector, the bundled playbooks are listed in the Automation > Playbooks section of FortiSOAR™.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

FSR-LogRhythm Smart Response Plugin

Use the Smart Response Plugin (SRP) to invoke playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article; download this SRP and then follow the steps in this article to import and configure it.

Following is the procedure to import and configure the SRP:

  1. Ensure that the LogRhythm server can connect to the FortiSOAR™ HTTPS server on port 443. You can check connectivity by browsing to the FortiSOAR™ UI from the LogRhythm server's browser.
  2. Import the LPI file of the SRP into the LogRhythm Client Console by opening the Smart Response Plugin Manager located at Client Console > Deployment Manager > Tools > Administration > Smart Response Plugin Manager. On the Smart Response Plugin Manager screen, click Actions > Import > Choose LPI and then choose the SRP's LPI file.
  3. Now, the SRP is ready to trigger all required playbooks in FortiSOAR™ from LogRhythm using the following two methods:
    1. Using an AIE Alarm:
      When an alarm is triggered in LogRhythm, for example, Malware, DoS Attack, Port Scan, etc., and the team needs to invoke a playbook to complete some actions automatically, open the Client Console and configure the rule to trigger the playbook as follows:

      Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
      On the "Action" screen, configure the necessary fields as defined in Step 4.

    2. Using the LogRhythm Web UI:
      Analysts can trigger a playbook as required from the LogRhythm Web UI.
      Open Web Console > Select the corresponding log to action > Inspector Tab > Smart Response Plugin.
  4. Configure the following parameters in the SRP:
    • crhost – URL of the FortiSOAR™ server.
      It must begin with https:// and must not end with a '/'. For example, https://fortisoarhost.
    • authapi – FortiSOAR™ URI defined for authentication.
      Example value for this parameter: /auth/authenticate
    • playbookapi – FortiSOAR™ URI defined for playbooks.
      You define this API when you create a playbook, as follows:
      Select Custom API Endpoint as the "Trigger Step".
      In the Route field, enter lrcreatealert:

      The URI in the above sample is: /api/triggers/1/lrcreatealert
    • Ignoressl – TRUE/FALSE parameter that controls whether the SSL certificate is ignored. By default, FortiSOAR™ is installed with a self-signed certificate; therefore, if you want LogRhythm to accept it, set this parameter to TRUE. Setting it to TRUE disables certificate validation for the connection that carries the FortiSOAR™ username and password, so use it only until a certificate that LogRhythm trusts is installed.
    • Username – Username used to log on to the FortiSOAR™ platform with the necessary privileges.
    • Password – Password used to log on to the FortiSOAR™ platform with the necessary privileges.
    • alarm id – The unique identifier of an alarm in LogRhythm.
      Always choose "Alarm field – Alarm ID" in LogRhythm when invoking the FortiSOAR™ API.
    • Optional parameters (1-5) – The optional parameters that you want to pass from LogRhythm to FortiSOAR™ when an alarm is triggered in LogRhythm. The SRP supports passing up to 5 parameters to FortiSOAR™ for running playbooks for an alarm.
      For example, when LogRhythm raises a "DoS" alarm, it contains the origin "Host" that should be passed to FortiSOAR™ for further investigation and/or blocking the IP in the network firewall. Therefore, in LogRhythm, pass the following values to FortiSOAR™.
  5. Once you have configured the values in the SRP, you can start receiving the values from LogRhythm:
    1. In the Custom API Endpoint Trigger step, add a variable named alert_input whose value is set to {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values":
      For more information on "Dynamic Values", see the FortiSOAR™ product documentation.
    2. For easy usage, it is recommended that you add "Set Variable" as the next step and save the playbook.

All parameters passed from LogRhythm are now accessible using:

{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}
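
To make the exchange in Steps 4 and 5 concrete, the following Python is an added example, not code from the SRP or the connector (the SRP's own code is not on this page). It enforces the crhost rules stated above (https, no trailing slash), maps the TRUE/FALSE Ignoressl value to a certificate-verification flag, builds the alarm_id/p1..p5 body, and shows what the playbook's alert_input variable then holds. The server is a constructed stand-in so the code runs offline; the shape of the authentication request and response (a credentials object, a "token" field, a Bearer header) is an assumption and not something this page states.

```python
# Added example, not the SRP's or the connector's own code: models the
# two-step call the SRP makes to FortiSOAR (authenticate, then post the alarm
# to the playbook's Custom API Endpoint) and what the playbook reads back
# from api_body. The transport is injected so the example runs offline. The
# authentication request/response shape (credentials object, "token" field,
# Bearer header) is an ASSUMPTION, not something stated on this page.
from urllib.parse import urlparse


def validate_crhost(crhost: str) -> str:
    """Enforce the crhost rules given above: https scheme, no trailing '/'."""
    parsed = urlparse(crhost)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("crhost must be an https URL, e.g. https://fortisoarhost")
    if crhost.endswith("/"):
        raise ValueError("crhost must not end with '/'")
    return crhost


def tls_verify_setting(ignoressl: str) -> bool:
    """Map the SRP's TRUE/FALSE Ignoressl value to 'verify the certificate?'.

    Only the two literal values are accepted, so a mistyped value fails
    loudly instead of silently changing certificate checking."""
    value = ignoressl.strip().upper()
    if value not in ("TRUE", "FALSE"):
        raise ValueError("Ignoressl must be TRUE or FALSE")
    return value == "FALSE"


def build_api_body(alarm_id, optional_params=()) -> dict:
    """Body posted to the playbook endpoint: alarm_id plus up to five p1..p5."""
    if alarm_id in (None, ""):
        raise ValueError("alarm id is required (use 'Alarm field - Alarm ID')")
    if len(optional_params) > 5:
        raise ValueError("the SRP supports at most 5 optional parameters")
    body = {"alarm_id": str(alarm_id)}
    for i, value in enumerate(optional_params, start=1):
        body[f"p{i}"] = value
    return body


def read_alert_input(api_body: dict) -> dict:
    """Playbook side: what {{vars.alert_input}} exposes after the Set Variable
    step; optional parameters that were not sent come back as None."""
    return {"alarm_id": api_body.get("alarm_id"),
            **{f"p{i}": api_body.get(f"p{i}") for i in range(1, 6)}}


def srp_exchange(cfg: dict, send):
    """Authenticate, then POST the alarm. `send(method, url, headers, body,
    verify)` returns the decoded JSON response; a real SRP would use HTTPS."""
    base = validate_crhost(cfg["crhost"])
    verify = tls_verify_setting(cfg["Ignoressl"])
    auth = send("POST", base + cfg["authapi"],
                {"Content-Type": "application/json"},
                {"credentials": {"loginid": cfg["Username"],
                                 "password": cfg["Password"]}}, verify)
    token = auth["token"]  # assumed response field
    body = build_api_body(cfg["alarm id"], cfg.get("optional", ()))
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    resp = send("POST", base + cfg["playbookapi"], headers, body, verify)
    return body, resp


def fake_fortisoar(method, url, headers, body, verify):
    """Constructed stand-in for the FortiSOAR server so the exchange runs
    offline; it records whether certificate verification was requested."""
    fake_fortisoar.verify_requested = verify
    if url.endswith("/auth/authenticate"):
        return {"token": "constructed-token"}
    if headers.get("Authorization") != "Bearer constructed-token":
        return {"error": "unauthorized"}
    # The Custom API Endpoint trigger receives the posted JSON as api_body.
    return {"alert_input": read_alert_input(body)}


SAMPLE_CFG = {  # constructed values mirroring the SRP parameters above
    "crhost": "https://fortisoarhost", "authapi": "/auth/authenticate",
    "playbookapi": "/api/triggers/1/lrcreatealert", "Ignoressl": "FALSE",
    "Username": "srp-user", "Password": "constructed-password",
    "alarm id": "12345", "optional": ("10.0.0.5", "DoS"),
}


def run_sample() -> dict:
    """Run the exchange against the stand-in and return what each side saw."""
    body, resp = srp_exchange(SAMPLE_CFG, fake_fortisoar)
    return {"posted": body, "alert_input": resp["alert_input"],
            "verified_tls": fake_fortisoar.verify_requested}
```

With the constructed configuration, the body posted to /api/triggers/1/lrcreatealert is {"alarm_id": "12345", "p1": "10.0.0.5", "p2": "DoS"}, and the playbook sees p3 to p5 as empty; the stand-in also confirms that Ignoressl FALSE leaves certificate verification switched on for both requests.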

The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.

Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:

Following is a sample image of the alert created in FortiSOAR™:

FSR_SmartResponse_Automation_Plugin.tgz
