Fortinet Document Library

About the connector

LogRhythm delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

This document provides information about the LogRhythm connector, which facilitates automated interactions with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks and perform automated investigative operations, such as retrieving alarm details and alarm events associated with a specific alarm from the LogRhythm server.

Version information

Connector Version: 2.0.0

Authored By: Community

Certified: No

Release Notes for version 2.0.0

The following enhancements have been made to the LogRhythm Connector in version 2.0.0:

  • LogRhythm Connector v2.0.0 is built to support REST APIs. Version 1.0.0 was built to support SOAP APIs. Therefore, all the actions in version 2.0.0 are based on REST APIs.
  • Introduced the Smart Response Plugin (SRP), which invokes playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. For more information on SRP and how to configure and use it, see the FSR-LogRhythm Smart Response Plugin article.

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-logrhythm

Prerequisites to configuring the connector

  • You must have the URL of the LogRhythm server to which you will connect and perform automated operations.
  • You must have the API token that you will use to access LogRhythm's REST API to perform the operations.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the LogRhythm connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the LogRhythm server to which you will connect and perform the automated operations.
Port Port number of the LogRhythm server to which you will connect and perform the automated operations.
Token API token that you will use to access LogRhythm's REST API to perform the operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Hosts Retrieves the details of a specific host or all hosts from the LogRhythm server, based on the Host ID. Annotation: get_hosts; Category: Investigation
Get Hosts by Entities Retrieves the details of a specific host from the LogRhythm server, based on the entity name you have specified. Annotation: get_hosts; Category: Investigation
Get Alarm Details Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Annotation: get_alarm_details; Category: Investigation
Get Alarm Events Retrieves the details of an event associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Annotation: get_alarm_details; Category: Investigation
Get Case List Retrieves a list of all cases or a filtered list of cases from the LogRhythm server, based on the input parameters you have specified. Note: This action supports pagination. Annotation: case_summary; Category: Investigation
Get Case Retrieves the summary of a specific case from the LogRhythm server, based on the case ID you have specified. Annotation: case_summary; Category: Investigation
Get Case Collaborators Retrieves the owner and the list of collaborators associated with a specific case from the LogRhythm server, based on the case ID you have specified. Annotation: case_collaborators; Category: Investigation
List Associated Cases Retrieves a list of cases associated with a specific case from the LogRhythm server, based on the case ID you have specified. Annotation: associated_cases; Category: Investigation
Get Case Metrics Retrieves the metrics for a specified case from the LogRhythm server, based on the case ID you have specified. Annotation: case_metrics; Category: Investigation
Get Evidence list Retrieves a list of evidence summaries for a specified case from the LogRhythm server, based on the case ID and other input parameters you have specified. Annotation: case_evidence; Category: Investigation
Get Evidence Retrieves a summary of an item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. Annotation: case_evidence; Category: Investigation
Get Evidence Progress Retrieves the progress of a pending item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. For example, the progress of a file upload as a piece of evidence. Annotation: case_evidence; Category: Investigation
Get User Event List Retrieves the list of user events that are added as evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. Annotation: case_evidence; Category: Investigation

operation: Get Hosts

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Host ID ID of the host whose details you want to retrieve from LogRhythm.
Limit Records Maximum number of results that you want to retrieve from LogRhythm.
Format Result Select this checkbox to format the results that are retrieved from LogRhythm.

Output

The output contains the following populated JSON schema:
{
     "HostZone": "",
     "UseEventlogCredentials": "",
     "ThreatLevelComments": "",
     "ID": "",
     "Name": "",
     "OS": "",
     "RiskLevel": "",
     "EntityName": "",
     "ThreatLevel": "",
     "DateUpdated": "",
     "Location": "",
     "OSType": "",
     "EntityId": "",
     "Status": ""
}

operation: Get Hosts by Entities

Input parameters

Parameter Description
Entity Name Name of the entity whose host details you want to retrieve from LogRhythm.
Limit Records (Optional) Maximum number of results that you want to retrieve from LogRhythm.
Format Result (Optional) Select this checkbox to format the results that are retrieved from LogRhythm.

Output

The output contains the following populated JSON schema:
{
     "HostZone": "",
     "UseEventlogCredentials": "",
     "ThreatLevelComments": "",
     "ID": "",
     "Name": "",
     "OS": "",
     "RiskLevel": "",
     "EntityName": "",
     "ThreatLevel": "",
     "DateUpdated": "",
     "Location": "",
     "OSType": "",
     "EntityId": "",
     "Status": ""
}

operation: Get Alarm Details

Input parameters

Parameter Description
Alarm ID ID of the alarm whose details you want to retrieve from LogRhythm.

Output

The output contains the following populated JSON schema:
{
     "DrillDownResults": {
         "RetryCount": "",
         "NotificationSent": "",
         "Priority": "",
         "RuleBlocks": [
             {
                 "RuleBlockID": "",
                 "RuleBlockTypeID": "",
                 "DrillDownLogs": "",
                 "NormalMessageDateUpper": "",
                 "AIECount": "",
                 "DXCount": "",
                 "DDSummaries": [
                     {
                         "DrillDownSummaryLogs": "",
                         "DefaultValue": "",
                         "PIFType": ""
                     }
                 ],
                 "NormalMessageDate": "",
                 "NormalMessageDateLower": ""
             }
         ],
         "WebConsoleIds": [],
         "EventID": "",
         "AIERuleName": "",
         "AlarmID": "",
         "DateInserted": "",
         "AlarmGuid": "",
         "AIERuleID": "",
         "NormalMessageDate": "",
         "LastDxTimeStamp": "",
         "AIEMsgXml": "",
         "Status": ""
     },
     "DrillDownSummary": ""
}

operation: Get Alarm Events

Input parameters

Parameter Description
Alarm ID ID of the alarm whose events you want to retrieve from LogRhythm.
Count (Optional) Maximum number of events associated with a specific alarm that you want to retrieve from LogRhythm.
Fields to Include in Result (Optional) Specify additional fields that you want to include in the alarm events retrieved from LogRhythm.
Show Log Messages Select this checkbox (set it to True) to include log messages in the output. By default, this is set to True.

Output

The output contains the following populated JSON schema:
{
     "Events": [
         {
             "logMessage": "",
             "messageTypeEnum": "",
             "session": "",
             "impactedHost": "",
             "impactedZoneName": "",
             "classificationTypeName": "",
             "threatId": "",
             "mpeRuleId": "",
             "threatName": "",
             "messageId": "",
             "entityId": "",
             "count": "",
             "normalDateMin": "",
             "originZone": "",
             "originEntityName": "",
             "rootEntityId": "",
             "ruleBlockNumber": "",
             "vendorMessageId": "",
             "keyField": "",
             "rootEntityName": "",
             "protocolName": "",
             "mpeRuleName": "",
             "originHost": "",
             "entityName": "",
             "normalDate": "",
             "originIp": "",
             "impactedEntityId": "",
             "originHostName": "",
             "commonEventId": "",
             "impactedEntityName": "",
             "subject": "",
             "portProtocol": "",
             "impactedHostName": "",
             "impactedIp": "",
             "logDate": "",
             "commonEventName": "",
             "sequenceNumber": "",
             "protocolId": "",
             "classificationName": "",
             "action": "",
             "normalMsgDateMax": "",
             "originZoneName": "",
             "severity": "",
             "directionName": "",
             "priority": "",
             "originEntityId": "",
             "classificationId": "",
             "direction": "",
             "originHostId": ""
         }
     ],
     "ID": ""
}
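The Get Alarm Events output above is an array of flat event records whose numeric fields arrive as strings and whose unpopulated fields arrive as empty strings. The following added example, which is not code from the connector or from LogRhythm, shows a playbook-style post-processing step over that schema: it reduces the Events array to the values a triage step needs and flags an origin IP whose authentication failures against a host are followed by a success. The sample events, their values and the classification names used for matching are constructed; only the field names come from the output schema.

```python
"""Added example, not the connector's own code: post-process a Get Alarm Events
result. Field names follow the connector's output schema; all values are constructed."""
from collections import Counter
from typing import Any, Dict, List

# Constructed sample shaped like the Get Alarm Events output (schema fields not used here are omitted).
SAMPLE_ALARM_EVENTS: Dict[str, Any] = {
    "ID": 4711,
    "Events": [
        {"logDate": "2024-05-02T08:00:01Z", "classificationName": "Authentication Failure",
         "commonEventName": "Failed Authentication", "originIp": "203.0.113.10",
         "impactedIp": "10.0.0.5", "impactedHostName": "DC01", "priority": "58", "count": "25",
         "logMessage": "constructed log line"},
        {"logDate": "2024-05-02T08:00:40Z", "classificationName": "Authentication Failure",
         "commonEventName": "Failed Authentication", "originIp": "203.0.113.10",
         "impactedIp": "10.0.0.6", "impactedHostName": "FS01", "priority": "62", "count": "7",
         "logMessage": "constructed log line"},
        {"logDate": "2024-05-02T08:01:05Z", "classificationName": "Authentication Success",
         "commonEventName": "User Logon", "originIp": "203.0.113.10",
         "impactedIp": "10.0.0.6", "impactedHostName": "FS01", "priority": "75", "count": "",
         "logMessage": ""},
    ],
}


def _as_int(value: Any, default: int = 0) -> int:
    """The schema carries numbers as strings and unpopulated fields as ""; normalise both."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def summarize_alarm_events(output: Dict[str, Any]) -> Dict[str, Any]:
    """Collapse the Events array into the handful of values a triage step needs."""
    events: List[Dict[str, Any]] = output.get("Events") or []
    return {
        "alarm_id": output.get("ID"),
        "event_count": len(events),
        # A blank count means the event stands for a single log line.
        "log_count": sum(_as_int(e.get("count"), 1) for e in events),
        "max_priority": max((_as_int(e.get("priority")) for e in events), default=0),
        "by_classification": dict(Counter(e.get("classificationName") or "unknown" for e in events)),
        "origin_ips": sorted({e["originIp"] for e in events if e.get("originIp")}),
        "impacted_hosts": sorted({e["impactedHostName"] for e in events if e.get("impactedHostName")}),
    }


def failures_then_success(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flag each success whose (originIp, impactedIp) pair had earlier failures, in logDate order."""
    failures: Counter = Counter()
    findings: List[Dict[str, Any]] = []
    for e in sorted(events, key=lambda ev: ev.get("logDate", "")):
        key = (e.get("originIp"), e.get("impactedIp"))
        classification = e.get("classificationName", "")
        if classification == "Authentication Failure":
            failures[key] += _as_int(e.get("count"), 1)
        elif classification == "Authentication Success" and failures[key]:
            findings.append({"originIp": key[0], "impactedIp": key[1],
                             "impactedHostName": e.get("impactedHostName"),
                             "failures_before": failures[key], "logDate": e.get("logDate")})
    return findings


def needs_escalation(output: Dict[str, Any], priority_threshold: int = 70) -> bool:
    """Escalate on a high-priority event or on a failure-then-success pattern."""
    summary = summarize_alarm_events(output)
    return (summary["max_priority"] >= priority_threshold
            or bool(failures_then_success(output.get("Events") or [])))


if __name__ == "__main__":
    print(summarize_alarm_events(SAMPLE_ALARM_EVENTS))
    print(failures_then_success(SAMPLE_ALARM_EVENTS["Events"]))
```

Because the connector's Show Log Messages option is on by default, the raw logMessage strings travel with every event; the summary deliberately leaves them out so that what is written back to a FortiSOAR™ alert stays small and structured.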

operation: Get Case List

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Offset Specify an offset value to retrieve a subset of records starting at that offset. Offset works together with a limit (the Count parameter), which determines how many records to retrieve starting from the offset. By default, this is set to 0.
Count Maximum number of cases, per page, that you want to retrieve from LogRhythm.
Order By Sorts the returned results based on the specified field.
Direction Specifies the sort order of the returned results: asc (ascending) or desc (descending).
Updated After Filter results that were updated after the specified datetime. The datetime must be an RFC 3339 formatted string.
Updated Before Filter results that were updated before the specified datetime. The datetime must be an RFC 3339 formatted string.
Created After Filter results that were created after the specified datetime. The datetime must be an RFC 3339 formatted string.
Created Before Filter results that were created before the specified datetime. The datetime must be an RFC 3339 formatted string.
Due Before Filter results that have a due date before the specified datetime. The datetime must be an RFC 3339 formatted string.
Priority Filter results that have a specific case priority. You can select multiple values from 1 to 5.
Status Number Filter results that have a specific case status. You can select multiple values from 1 to 5.
Owner Number Filter results that have a specific case owner, by specifying the case owner's number.
Collaborator Number Filter results that have a specific case collaborator, by specifying the case collaborator's number.
Tag Number Filter results that are tagged, by specifying the tag number.
Text Filter results that have a case number or name that contains the specified value.
Evidence Type Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file.
Reference ID Filter results that have evidence with the specified reference identifier.
External ID Filter results that have the specified unique, external identifier.
Entity Number Filter results that have the specified assigned entity number.

Output

The output contains a non-dictionary value.
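The configuration parameters (Server URL, Port, Token, Verify SSL) and the Offset/Count pagination of Get Case List are easiest to understand as one request loop. The following added example, which is not the connector's own code, shows a minimal client that carries those four parameters onto an authenticated HTTPS request, keeps Verify SSL at its default of True, renders an RFC 3339 timestamp for the Updated After filter, and advances Offset by Count until a short page signals the end of the list. The endpoint path, query parameter names, port number and token are assumptions or constructed values, and an in-memory fake transport stands in for HTTPS so the example runs offline.

```python
"""Added example, not the connector's own code: configuration parameters and
Offset/Count pagination for Get Case List, driven against a fake transport."""
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

CASES_PATH = "/lr-case-api/cases"            # ASSUMED path; not stated on the connector page
EXAMPLE_TOKEN = "constructed-example-token"  # constructed value, never a real credential

# transport(method, url, headers, verify_ssl) -> (status_code, json_body)
Transport = Callable[[str, str, Dict[str, str], bool], Tuple[int, Any]]
CALLS: List[Dict[str, Any]] = []             # record of requests made through the fake transport


def rfc3339(dt: datetime) -> str:
    """Render a datetime as the RFC 3339 string that the Updated/Created After/Before
    and Due Before filters expect. Naive datetimes are taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")


class LogRhythmClient:
    """Holds the four configuration parameters; verify_ssl defaults to True as on the page."""

    def __init__(self, server_url: str, port: int, token: str,
                 transport: Transport, verify_ssl: bool = True) -> None:
        self.base = f"{server_url.rstrip('/')}:{port}"
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.verify_ssl = verify_ssl
        self.transport = transport

    def get(self, path: str, params: Optional[Dict[str, Any]] = None) -> Any:
        url = self.base + path + ("?" + urlencode(params) if params else "")
        status, body = self.transport("GET", url, self.headers, self.verify_ssl)
        if status != 200:
            raise RuntimeError(f"LogRhythm returned HTTP {status} for {path}")
        return body

    def iter_cases(self, count: int = 2, **filters: Any) -> Iterator[Dict[str, Any]]:
        """Walk Get Case List: Offset advances by Count until a short (or empty) page arrives."""
        offset = 0
        while True:
            page: List[Dict[str, Any]] = self.get(CASES_PATH, {"offset": offset, "count": count, **filters})
            yield from page
            if len(page) < count:
                return
            offset += count


# Constructed sample cases standing in for the LogRhythm case store.
SAMPLE_CASES = [{"number": n, "name": f"Constructed case {n}",
                 "dateUpdated": f"2024-05-0{n}T12:00:00Z"} for n in range(1, 6)]


def fake_transport(method: str, url: str, headers: Dict[str, str], verify_ssl: bool) -> Tuple[int, Any]:
    """Offline stand-in for HTTPS: checks the bearer token, then applies offset, count and updatedAfter."""
    CALLS.append({"url": url, "verify_ssl": verify_ssl})
    if headers.get("Authorization") != f"Bearer {EXAMPLE_TOKEN}":
        return 401, {"message": "unauthorized"}
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    rows = [c for c in SAMPLE_CASES if c["dateUpdated"] > query.get("updatedAfter", "")]
    offset, count = int(query.get("offset", 0)), int(query.get("count", len(rows)))
    return 200, rows[offset:offset + count]


def run_demo() -> Dict[str, Any]:
    """Pull every case updated after 2 May 2024 (UTC), two records per page."""
    CALLS.clear()
    since = rfc3339(datetime(2024, 5, 2))
    client = LogRhythmClient("https://logrhythm.example", 8501, EXAMPLE_TOKEN, fake_transport)
    numbers = [c["number"] for c in client.iter_cases(count=2, updatedAfter=since)]
    paged_requests = len(CALLS)
    bad_client = LogRhythmClient("https://logrhythm.example", 8501, "wrong-token", fake_transport)
    try:
        list(bad_client.iter_cases())
        rejected = False
    except RuntimeError:
        rejected = True
    return {"since": since, "numbers": numbers, "requests": paged_requests,
            "verify_ssl_always": all(c["verify_ssl"] for c in CALLS),
            "bad_token_rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The stop condition is a page shorter than Count rather than an empty page, so a list whose length is an exact multiple of Count costs one extra request; that trade keeps the loop correct when the server does not report a total. Only Verify SSL is deliberately left at True: turning it off silently accepts any certificate presented on the Server URL and Port you configured.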

operation: Get Case

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose summary you want to retrieve from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Get Case Collaborators

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose owner and case collaborators you want to retrieve from LogRhythm. 

Output

The output contains a non-dictionary value.

operation: List Associated Cases

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose associated cases you want to retrieve from LogRhythm. 

Output

The output contains a non-dictionary value.

operation: Get Case Metrics

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose metrics details you want to retrieve from LogRhythm. 

Output

The output contains a non-dictionary value.

operation: Get Evidence list

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of evidence summaries you want to retrieve from LogRhythm. 
Type (Optional) Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file.
Status (Optional) Filter results that have evidence of the specified status. You can choose from the following options: pending, completed, or failed.

Output

The output contains a non-dictionary value.

operation: Get Evidence

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose evidence item summary you want to retrieve from LogRhythm. 
Evidence ID Unique, numeric identifier of the evidence item whose summary you want to retrieve from LogRhythm. 

Output

The output contains a non-dictionary value.

operation: Get Evidence Progress

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose pending evidence item's progress you want to retrieve from LogRhythm. For example, the progress of a file upload as a piece of evidence.
Evidence ID Unique, numeric identifier of the evidence item whose progress details you want to retrieve from LogRhythm. 

Output

The output contains a non-dictionary value.

operation: Get User Event List

Input parameters

Parameter Description
Case ID Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of user events that have been added as evidence, you want to retrieve from LogRhythm. 
Evidence ID Unique, numeric identifier of the evidence whose list of user events you want to retrieve from LogRhythm. 

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - LogRhythm - 2.0.0 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.

  • Create LogRhythm Alert (This is the playbook that creates an alert in FortiSOAR™ from LogRhythm)
  • Get Alarm Details
  • Get Alarm Events
  • Get Case
  • Get Case Collaborators
  • Get Case List
  • Get Case Metrics
  • Get Evidence
  • Get Evidence List
  • Get Evidence Progress
  • Get Hosts
  • Get Hosts by Entities
  • Get User Event List
  • List Associated Cases

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

 
