LogRhythm delivers in-depth endpoint visibility, automated threat hunting, and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.
This document provides information about the LogRhythm connector, which facilitates automated interactions with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm connector as a step in FortiSOAR™ playbooks and perform automated investigative operations, such as retrieving alarm details and the alarm events associated with a specific alarm from the LogRhythm server.
LogRhythm Connector v2.0.0 and later is built on LogRhythm's REST APIs; version 1.0.0 was built on the SOAP APIs. Therefore, all the actions for version 2.0.0 and later are based on REST APIs. FortiSOAR™ also contains the Smart Response Plugin (SRP), which invokes playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. For more information on SRP and how to configure and use it, see the FSR-LogRhythm Smart Response Plugin section.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from LogRhythm. Currently, the "alarms" ingested from LogRhythm are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.
Important: Version 3.0.0 and later of the LogRhythm connector uses LogRhythm REST API version 7.8.0.
Connector Version: 3.0.1
Authored By: Community
Certified: No
The following enhancements have been made to the LogRhythm Connector in version 3.0.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-logrhythm
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the LogRhythm connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Specify the URL of the LogRhythm server to which you will connect and perform the automated operations. |
| Port | Specify the Port number of the LogRhythm server to which you will connect and perform the automated operations. |
| Token | Specify the API token that you will use to access LogRhythm's REST API to perform the operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Keep this enabled wherever possible: the API token is sent with every request, so with verification disabled the token is exposed to anyone who can intercept the connection or impersonate the server. |
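The configuration fields above map directly onto the HTTPS request the connector has to build for every operation. The following is an added example, not the connector's own code, showing how those four fields become a URL, an Authorization header and a TLS-verification flag, and how to redact the token before anything is written to a playbook log. It assumes (not stated on the page) that LogRhythm expects a bearer token, that the API listens on port 8501, and the `/lr-case-api/cases` path; nothing here sends traffic.

```python
import warnings
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit


def normalize_base_url(server_url: str, port: int) -> str:
    """Turn the Server URL and Port fields into 'https://host:port'.

    Accepts 'host', 'https://host' or 'https://host/some/path/' and refuses
    plain http, because the API token travels in a request header.
    """
    raw = server_url.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("LogRhythm API must be reached over https, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("server URL has no host: %r" % server_url)
    return "https://%s:%d" % (parts.hostname, int(port))


def build_request(config: Dict, path: str,
                  params: Optional[Dict] = None) -> Tuple[str, Dict[str, str], bool]:
    """Assemble (url, headers, verify) for one API call without sending it.

    Optional filters left unset (None or '') are dropped so they never reach
    the query string as the literal text 'None'.
    """
    url = normalize_base_url(config["server_url"], config["port"]) + "/" + path.lstrip("/")
    if params:
        clean = {k: v for k, v in params.items() if v not in (None, "")}
        if clean:
            url += "?" + urlencode(clean)
    headers = {
        # Assumption: LogRhythm's REST API takes the token as a bearer token.
        "Authorization": "Bearer " + config["token"],
        "Content-Type": "application/json",
    }
    verify = bool(config.get("verify_ssl", True))
    if not verify:
        warnings.warn("Verify SSL is off: the API token will be sent to whoever answers for the host")
    return url, headers, verify


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers that is safe to log: keeps the auth scheme, masks the token."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = safe["Authorization"].split(" ", 1)[0] + " ***"
    return safe


if __name__ == "__main__":
    # Constructed configuration; the token value is a placeholder.
    cfg = {"server_url": "logrhythm.example.com/", "port": 8501,
           "token": "EXAMPLE-TOKEN", "verify_ssl": True}
    url, hdrs, verify = build_request(cfg, "/lr-case-api/cases", {"count": 10, "text": None})
    print(url, redact_headers(hdrs), verify)
```

Log only what `redact_headers` returns; the original header dictionary contains the token in clear.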
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Hosts | Retrieves the details of a specific host or all hosts from the LogRhythm server, based on the Host ID. | get_hosts Investigation |
| Get Hosts by Entities | Retrieves the details of a specific host from the LogRhythm server, based on the entity name you have specified. | get_hosts Investigation |
| DrillDown - Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve details of the alarm. | get_alarm_details Investigation |
| DrillDown - Get Alarm Events | Retrieves the details of an event associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve events of the alarm. | get_alarm_details Investigation |
| Create Case | Creates a new case based on the name, priority, and other input parameters you have specified. | create_case Investigation |
| Update Case | Updates case information such as the case name, priority, due date, etc based on the case ID you have specified. | update_case Investigation |
| Get Case List | Retrieves a list of all cases or a filtered list of cases from the LogRhythm server, based on the input parameters you have specified. Note: This action supports pagination. | case_summary Investigation |
| Get Case | Retrieves the summary of a specific case from the LogRhythm server, based on the case ID you have specified. | case_summary Investigation |
| Get Case Collaborators | Retrieves the owner and the list of collaborators associated with a specific case from the LogRhythm server, based on the case ID you have specified. | case_collaborators Investigation |
| Get Associated Cases List | Retrieves a list of cases associated with a specific case from the LogRhythm server, based on the case ID you have specified. | associated_cases Investigation |
| Get Case Metrics | Retrieves the metrics for a specified case from the LogRhythm server, based on the case ID you have specified. | case_metrics Investigation |
| Add Alarm Evidence | Adds alarms as evidence to a specific case based on the case ID you have specified. | add_alarm_evidence Investigation |
| Add Note Evidence | Adds a note as evidence to a specific case based on the case ID you have specified. | add_note_evidence Investigation |
| Get Evidence list | Retrieves a list of evidence summaries for a specified case from the LogRhythm server, based on the case ID and other input parameters you have specified. | case_evidence Investigation |
| Get Evidence | Retrieves a summary of an item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. | case_evidence Investigation |
| Get Evidence Progress | Retrieves the progress of a pending item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. For example, the progress of a file upload as a piece of evidence. | case_evidence Investigation |
| Get User Event List | Retrieves the list of user events that are added as evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. | case_evidence Investigation |
| Search Alarm | Retrieves a list of all alarms or a filtered list of alarms from the LogRhythm server, based on the input parameters you have specified. | list_alarm Investigation |
| Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve details of the alarm. | get_alarm_details Investigation |
| Get Alarm Events | Retrieves the events associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve events of the alarm. | get_alarm_events Investigation |
| Get Alarm Summary | Retrieves the summary of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_summary Investigation |
| Get Alarm History | Retrieves the history of a specific alarm from the LogRhythm server, based on the alarm ID and other input parameters you have specified. | get_alarm_history Investigation |
| Update Alarm | Updates alarm information such as the alarm status, risk-based priority (RBP), etc. of a specific alarm on the LogRhythm server, based on the alarm ID you have specified. | update_alarm Investigation |
| Add Alarm Comment | Updates the alarm history table with comments in the 'Comments' column in the LogRhythm server, based on the alarm ID you have specified. | add_alarm_comments Investigation |
| Add File Evidence | Adds a file as evidence to a specific case in the LogRhythm server, based on the case ID you have specified. | add_file_evidence Investigation |
| Download File Evidence | Downloads a specific item of file evidence of a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | download_file_evidence Investigation |
| Delete Case Evidence | Deletes a specific item of file evidence from a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | delete_case_evidence Investigation |
| List Case Tags | Retrieves a list of all case tags or specific case tags from LogRhythm based on the input parameters you have specified. | list_case_tags Investigation |
| Add Case Tags | Adds specific tags to a specific case in LogRhythm based on the case ID and tag numbers you have specified. | add_case_tags Investigation |
| Remove Case Tags | Removes specific tags from a specific case in LogRhythm based on the case ID and tag numbers you have specified. | remove_case_tags Investigation |
| Get List Details | Returns details of lists from LogRhythm based on the list type and other input parameters you have specified. Note: If you do not specify any list type, then the 'User' list is returned. | get_list_details Investigation |
| Get Network List | Returns all networks or specific networks from LogRhythm based on the list type and other input parameters you have specified. | get_network_list Investigation |
| Get User List | Returns all users (hosts) or specific users from LogRhythm based on the list type and other input parameters you have specified. | get_user_list Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Host ID | The ID of the host whose details you want to retrieve from LogRhythm. |
| Limit Records | The maximum number of results that you want to retrieve from LogRhythm. |
| Format Result | Select this checkbox to format the results that are retrieved from LogRhythm. |
The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}
| Parameter | Description |
|---|---|
| Entity Name | Name of the entity whose host details you want to retrieve from LogRhythm. |
| Limit Records | (Optional) The maximum number of results that you want to retrieve from LogRhythm. |
| Format Result | (Optional) Select this checkbox to format the results that are retrieved from LogRhythm. |
The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}
Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve details of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose details you want to retrieve from LogRhythm. |
The output contains the following populated JSON schema:
{
"DrillDownResults": {
"RetryCount": "",
"NotificationSent": "",
"Priority": "",
"RuleBlocks": [
{
"RuleBlockID": "",
"RuleBlockTypeID": "",
"DrillDownLogs": "",
"NormalMessageDateUpper": "",
"AIECount": "",
"DXCount": "",
"DDSummaries": [
{
"DrillDownSummaryLogs": "",
"DefaultValue": "",
"PIFType": ""
}
],
"NormalMessageDate": "",
"NormalMessageDateLower": ""
}
],
"WebConsoleIds": [],
"EventID": "",
"AIERuleName": "",
"AlarmID": "",
"DateInserted": "",
"AlarmGuid": "",
"AIERuleID": "",
"NormalMessageDate": "",
"LastDxTimeStamp": "",
"AIEMsgXml": "",
"Status": ""
},
"DrillDownSummary": ""
}
Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve events of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | The ID of the alarm whose events you want to retrieve from LogRhythm. |
| Count | (Optional) The maximum number of events associated with a specific alarm that you want to retrieve from LogRhythm. |
| Fields to Include in Result | (Optional) Specify additional fields that you want to include in the alarm events retrieved from LogRhythm. |
| Show Log Messages | (Optional) Select this checkbox (set it to True) to include log messages in the output. By default, this is set to True. |
The output contains the following populated JSON schema:
{
"Events": [
{
"logMessage": "",
"messageTypeEnum": "",
"session": "",
"impactedHost": "",
"impactedZoneName": "",
"classificationTypeName": "",
"threatId": "",
"mpeRuleId": "",
"threatName": "",
"messageId": "",
"entityId": "",
"count": "",
"normalDateMin": "",
"originZone": "",
"originEntityName": "",
"rootEntityId": "",
"ruleBlockNumber": "",
"vendorMessageId": "",
"keyField": "",
"rootEntityName": "",
"protocolName": "",
"mpeRuleName": "",
"originHost": "",
"entityName": "",
"normalDate": "",
"originIp": "",
"impactedEntityId": "",
"originHostName": "",
"commonEventId": "",
"impactedEntityName": "",
"subject": "",
"portProtocol": "",
"impactedHostName": "",
"impactedIp": "",
"logDate": "",
"commonEventName": "",
"sequenceNumber": "",
"protocolId": "",
"classificationName": "",
"action": "",
"normalMsgDateMax": "",
"originZoneName": "",
"severity": "",
"directionName": "",
"priority": "",
"originEntityId": "",
"classificationId": "",
"direction": "",
"originHostId": ""
}
],
"ID": ""
}
| Parameter | Description |
|---|---|
| Name | Name of the case that you want to create in LogRhythm. |
| Priority | The priority that you want to set for the case that you want to create in LogRhythm. |
| External ID | (Optional) The ID of an external identifier for the case that you want to create in LogRhythm. |
| Due Date | (Optional) Due date of the case that you want to create in LogRhythm. |
| Summary | (Optional) Note summarizing the case that you want to create in LogRhythm. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
| Parameter | Description |
|---|---|
| Case ID | The ID of the case that you want to update in LogRhythm. |
| Name | (Optional) Name of the case that you want to update in LogRhythm. |
| Priority | (Optional) The priority that you want to set for the case that you want to update in LogRhythm. |
| External ID | (Optional) The ID of an external identifier for the case that you want to update in LogRhythm. |
| Due Date | (Optional) Due date of the case that you want to update in LogRhythm. |
| Summary | (Optional) Note summarizing the case that you want to update in LogRhythm. |
| Resolution | (Optional) Description of how the case that you want to update in LogRhythm was resolved. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Offset | Specify an offset value to retrieve a subset of records starting at that offset. Offset works together with Count, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | The maximum number of cases, per page, that you want to retrieve from LogRhythm. |
| Order By | Sorts the returned results based on the specified field. |
| Direction | Sorts the order of the returned result, choose between asc (ascending) or desc (descending). |
| Updated After | Filter results that were updated after the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Updated Before | Filter results that were updated before the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Created After | Filter results that were created after the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Created Before | Filter results that were created before the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Due Before | Filter results that have a due date before the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Priority | Filter results that have a specific case priority. You can specify one or more numbers from 1 to 5. |
| Status Number | Filter results that have a specific case status. You can specify one or more numbers from 1 to 5. LogRhythm case status numbers are: 1 Created, 2 Completed, 3 Incident, 4 Mitigated, 5 Resolved. |
| Owner Number | Filter results that have a specific case owner, by specifying the case owner's number. |
| Collaborator Number | Filter results that have a specific case collaborator, by specifying the case collaborator's number. |
| Tag Number | Filter results that are tagged, by specifying the tag number. |
| Text | Filter results that have a case number or name that contains the specified value. |
| Evidence Type | Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file. |
| Reference ID | Filter results that have evidence with the specified reference identifier. |
| External ID | Filter results that have the specified unique, external identifier. |
| Entity Number | Filter results that have the specified assigned entity number. |
The output contains a non-dictionary value.
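The Offset and Count parameters above, together with the RFC 3339 date filters, are what a playbook uses to pull a complete case list without missing or duplicating records. The following is an added example, not the connector's code, that walks every page until a short page comes back and de-duplicates on case `id` in case records shift between pages. The in-memory `fake_case_list` function and its ten sample cases are constructed stand-ins for the Get Case List operation; only the offset/count/updatedAfter contract described on this page is assumed.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional


def rfc3339(dt: datetime) -> str:
    """Format a timezone-aware datetime as the RFC 3339 UTC string the date filters require."""
    if dt.tzinfo is None:
        raise ValueError("date filters need a timezone-aware datetime")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample data: ten cases whose dateUpdated values climb one hour at a time.
_START = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def hours_after_start(hours: int) -> str:
    """RFC 3339 timestamp 'hours' after the sample data's first update time."""
    return rfc3339(_START + timedelta(hours=hours))


SAMPLE_CASES: List[Dict] = [
    {"id": "c%02d" % i, "number": i, "name": "Case %d" % i,
     "priority": (i % 5) + 1, "dateUpdated": hours_after_start(i)}
    for i in range(1, 11)
]


def fake_case_list(offset: int, count: int, updated_after: Optional[str] = None) -> List[Dict]:
    """Stand-in for Get Case List: apply the filter, then return rows [offset, offset + count)."""
    rows = SAMPLE_CASES
    if updated_after:
        # RFC 3339 UTC strings of equal layout compare correctly as plain strings.
        rows = [c for c in rows if c["dateUpdated"] > updated_after]
    return rows[offset:offset + count]


def iter_cases(fetch: Callable[..., List[Dict]], count: int = 3, **filters) -> Iterator[Dict]:
    """Page through a case list until a page shorter than 'count' signals the end."""
    if count < 1:
        raise ValueError("count must be a positive page size")
    offset = 0
    seen = set()
    while True:
        page = fetch(offset=offset, count=count, **filters)
        for case in page:
            if case["id"] not in seen:       # guard against rows shifting between pages
                seen.add(case["id"])
                yield case
        if len(page) < count:                # short or empty page: nothing more to fetch
            return
        offset += count


def cases_updated_after(fetch: Callable[..., List[Dict]], since_rfc3339: str, count: int = 3) -> List[Dict]:
    """All cases updated after the given RFC 3339 instant, across every page."""
    return list(iter_cases(fetch, count=count, updated_after=since_rfc3339))


if __name__ == "__main__":
    for case in cases_updated_after(fake_case_list, hours_after_start(7)):
        print(case["id"], case["dateUpdated"])
```

Stopping on a short page rather than on an empty one saves one round trip per listing; the `seen` set costs little and protects against a case being updated (and re-sorted) while the walk is in progress.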
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose summary you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose owner and case collaborators you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose associated cases you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose metrics details you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case to which you want to add alarms as evidence. |
| Alarm IDs | Comma-separated list of numeric IDs of the alarms that you want to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"pinned": "",
"datePinned": "",
"alarm": {
"alarmId": "",
"alarmDate": "",
"alarmRuleId": "",
"alarmRuleName": "",
"dateInserted": "",
"entityId": "",
"entityName": "",
"riskBasedPriorityMax": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case to which you want to add a note as evidence. |
| Note | Text of the note that you want to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of evidence summaries you want to retrieve from LogRhythm. |
| Type | (Optional) Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file. |
| Status | (Optional) Filter results that have evidence of the specified status. You can choose from the following options: pending, completed, or failed. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose evidence item summary you want to retrieve from LogRhythm. |
| Evidence ID | Unique, numeric identifier of the evidence item whose summary you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose pending evidence item's progress you want to retrieve from LogRhythm. For example, the progress of a file upload as a piece of evidence. |
| Evidence ID | Unique, numeric identifier of the evidence item whose progress details you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of user events you want to retrieve from LogRhythm. |
| Evidence ID | Unique, numeric identifier of the evidence whose list of user events you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Alarm Status | Select the status of the alarm using which you want to filter the alarms retrieved from LogRhythm. You can choose from the following values: "New", "Opened", "Working", "Escalated", "Closed", "Closed_FalseAlarm", "Closed_Resolved", "Closed_Unresolved", "Closed_Reported", or "Closed_Monitor". |
| Date Inserted | Specify the DateTime of alarm creation using which you want to filter the alarms retrieved from LogRhythm. |
| Alarm Rule name | Specify the rule name of the alarm using which you want to filter the alarms retrieved from LogRhythm. |
| Entity Name | Specify the entity name associated with the alarm using which you want to filter the alarms retrieved from LogRhythm. |
| Case Association | Specify the case name associated with the alarm using which you want to filter the alarms retrieved from LogRhythm. |
| Offset | Specify an offset value to retrieve a subset of records starting at that offset. Offset works together with Count, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | Specify the maximum number of alarms, per page, that you want to retrieve from LogRhythm. By default, this is set to 50. |
The output contains the following populated JSON schema:
{
"alarmsSearchDetails": [
{
"alarmId": "",
"alarmRuleName": "",
"alarmStatus": "",
"alarmDataCached": "",
"associatedCases": [],
"entityName": "",
"dateInserted": ""
}
]
}
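A common playbook step chains Search Alarm with Add Alarm Evidence: find alarms that are still open and not yet attached to any case, then hand their IDs to Add Alarm Evidence as the comma-separated numeric list it expects. The following is an added example, not the connector's code. The response payload is constructed to match the `alarmsSearchDetails` schema above (and includes a duplicate row, as overlapping pages can produce); which statuses count as "open" is a playbook-side policy assumed here, not something the page states.

```python
from typing import Dict, Iterable, List, Optional

# Assumed playbook policy: statuses that still need analyst attention.
OPEN_STATUSES = {"New", "Opened", "Working", "Escalated"}

# Constructed payload in the shape of the Search Alarm output schema.
SAMPLE_SEARCH_RESPONSE: Dict = {
    "alarmsSearchDetails": [
        {"alarmId": 1041, "alarmRuleName": "Brute Force: Success After Failures", "alarmStatus": "New",
         "alarmDataCached": "Y", "associatedCases": [], "entityName": "Primary Site",
         "dateInserted": "2024-03-01T12:05:00Z"},
        {"alarmId": 1042, "alarmRuleName": "Malware Detected", "alarmStatus": "Opened",
         "alarmDataCached": "Y", "associatedCases": ["CASE-77"], "entityName": "Primary Site",
         "dateInserted": "2024-03-01T12:06:00Z"},
        {"alarmId": 1043, "alarmRuleName": "Brute Force: Success After Failures", "alarmStatus": "Closed_FalseAlarm",
         "alarmDataCached": "N", "associatedCases": [], "entityName": "Primary Site",
         "dateInserted": "2024-03-01T12:07:00Z"},
        {"alarmId": "1044", "alarmRuleName": "Brute Force: Success After Failures", "alarmStatus": "Working",
         "alarmDataCached": "Y", "associatedCases": [], "entityName": "Branch",
         "dateInserted": "2024-03-01T12:08:00Z"},
        # Same alarm as the first row, as seen again on an overlapping page.
        {"alarmId": 1041, "alarmRuleName": "Brute Force: Success After Failures", "alarmStatus": "New",
         "alarmDataCached": "Y", "associatedCases": [], "entityName": "Primary Site",
         "dateInserted": "2024-03-01T12:05:00Z"},
    ]
}


def uncased_open_alarms(response: Dict, entity_name: Optional[str] = None,
                        rule_substring: Optional[str] = None) -> List[int]:
    """Numeric IDs of open alarms with no associated case, optionally narrowed by entity and rule name."""
    picked = set()
    for alarm in response.get("alarmsSearchDetails", []):
        if alarm.get("alarmStatus") not in OPEN_STATUSES:
            continue
        if alarm.get("associatedCases"):          # already on a case; leave it alone
            continue
        if entity_name and alarm.get("entityName") != entity_name:
            continue
        if rule_substring and rule_substring.lower() not in alarm.get("alarmRuleName", "").lower():
            continue
        picked.add(int(alarm["alarmId"]))         # Add Alarm Evidence wants numeric IDs
    return sorted(picked)


def alarm_ids_param(ids: Iterable[int]) -> str:
    """The comma-separated 'Alarm IDs' value for Add Alarm Evidence; refuses an empty selection."""
    unique = sorted(set(int(i) for i in ids))
    if not unique:
        raise ValueError("no alarms selected; skip the Add Alarm Evidence step")
    return ",".join(str(i) for i in unique)


if __name__ == "__main__":
    ids = uncased_open_alarms(SAMPLE_SEARCH_RESPONSE, rule_substring="brute force")
    print(alarm_ids_param(ids))
```

Raising on an empty selection is deliberate: a playbook that posts an empty Alarm IDs value to a case gets an API error far from the step that actually went wrong.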
Note: This operation uses LogRhythm's Alarm API to retrieve details of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose details you want to retrieve from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmDetails": {
"alarmRuleID": "",
"alarmId": "",
"personId": "",
"alarmDate": "",
"alarmStatus": "",
"alarmStatusName": "",
"entityId": "",
"entityName": "",
"alarmRuleName": "",
"lastUpdatedID": "",
"lastUpdatedName": "",
"dateInserted": "",
"dateUpdated": "",
"associatedCases": [],
"lastPersonID": "",
"eventCount": "",
"eventDateFirst": "",
"eventDateLast": "",
"rbpMax": "",
"rbpAvg": "",
"smartResponseActions": "",
"alarmDataCached": ""
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Note: This operation uses LogRhythm's Alarm API to retrieve events of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose events you want to retrieve from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmEventsDetails": [
{
"account": "",
"action": "",
"amount": "",
"bytesIn": "",
"bytesOut": "",
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"command": "",
"commonEventId": "",
"cve": "",
"commonEventName": "",
"count": "",
"directionId": "",
"directionName": "",
"domain": "",
"duration": "",
"entityId": "",
"entityName": "",
"group": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHostId": "",
"impactedHostName": "",
"impactedInterface": "",
"impactedIP": "",
"impactedLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"impactedMAC": "",
"impactedName": "",
"impactedNATIP": "",
"impactedNATPort": "",
"impactedNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"impactedPort": "",
"impactedZone": "",
"itemsPacketsIn": "",
"itemsPacketsOut": "",
"logDate": "",
"login": "",
"logMessage": "",
"logSourceHostId": "",
"logSourceHostName": "",
"logSourceName": "",
"logSourceTypeName": "",
"messageId": "",
"mpeRuleId": "",
"mpeRuleName": "",
"normalDateMax": "",
"objectName": "",
"objectType": "",
"originEntityId": "",
"originEntityName": "",
"originHostId": "",
"originHostName": "",
"originInterface": "",
"originIP": "",
"originLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"originMAC": "",
"originName": "",
"originNATIP": "",
"originNATPort": "",
"originNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"originPort": "",
"originZone": "",
"parentProcessId": "",
"parentProcessName": "",
"parentProcessPath": "",
"policy": "",
"priority": "",
"process": "",
"processId": "",
"protocolId": "",
"protocolName": "",
"quantity": "",
"rate": "",
"reason": "",
"recipient": "",
"result": "",
"responseCode": "",
"sender": "",
"session": "",
"sessionType": "",
"serialNumber": "",
"serviceId": "",
"serviceName": "",
"severity": "",
"status": "",
"size": "",
"subject": "",
"threatId": "",
"threatName": "",
"url": "",
"userAgent": "",
"vendorInfo": "",
"vendorMsgId": "",
"version": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"senderIdentityId": "",
"senderIdentityName": "",
"recipientIdentityId": "",
"recipientIdentityName": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose summary you want to retrieve from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"alarmSummaryDetails": {
"dateInserted": "",
"rbpMax": "",
"rbpAvg": "",
"alarmRuleId": "",
"alarmRuleGroup": "",
"briefDescription": "",
"additionalDetails": "",
"alarmEventSummary": [
{
"msgClassId": "",
"msgClassName": "",
"commonEventId": "",
"commonEventName": "",
"originHostId": "",
"impactedHostId": "",
"originUser": "",
"impactedUser": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originEntityName": "",
"impactedEntityName": ""
}
]
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose history you want to retrieve from the LogRhythm server |
| Person ID | Specify the ID of the person whose associated alarm history you want to retrieve from the LogRhythm server. |
| Date Updated | Specify the DateTime of when alarms were updated using which you want to filter the alarm history retrieved from LogRhythm. |
| Type | Select the type of history based on which you want to filter the alarm history retrieved from LogRhythm. |
| Offset | Specify an offset value to retrieve a subset of records starting at that offset. Offset works together with Count, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | Specify the maximum number of history records, per page, that you want to retrieve from LogRhythm. By default, this is set to 50. |
The output contains the following populated JSON schema:
{
"AlarmHistoryDetails": [
{
"alarmId": "",
"personId": "",
"comments": "",
"dateUpdated": "",
"dateInserted": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm that you want to update on the LogRhythm server. |
| Alarm Status | (Optional) Select the status that you want to set for the alarm that you want to update on LogRhythm. |
| RBP | (Optional) Select the risk-based priority (RBP) that you want to set for the alarm in LogRhythm. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm that you want to update with the specific comment in LogRhythm. |
| Alarm Comment | Specify the comment that you want to add to the specified alarm in LogRhythm. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case to which you want to add a file as evidence in LogRhythm. |
| Attachment IRI | Specify the 'Attachment IRI' of the file that you want to add as evidence to the specified case in LogRhythm. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case whose associated file evidence you want to download from LogRhythm. |
| Evidence Number | Specify the unique, numeric identifier of the evidence associated with the specified case that you want to download from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case whose associated file evidence you want to delete from LogRhythm. |
| Evidence Number | Specify the unique, numeric identifier of the evidence associated with the specified case that you want to delete from LogRhythm. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Tag Name | Specify the tag name using which you want to filter case tags retrieved from LogRhythm. |
| Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | Specify the maximum number of tags, per page, that you want to retrieve from LogRhythm. By default, this is set as 50. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case to which you want to add tags in LogRhythm. |
| Tag Number | Specify the tag number that you want to add to the specified case in LogRhythm. You can get the tag number using the 'List Case Tags' operation. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case from which you want to remove tags in LogRhythm. |
| Tag Number | Specify the tag number that you want to remove from the specified case in LogRhythm. You can get the tag number using the 'List Case Tags' operation. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| List Type | Select the type of list whose details you want to retrieve from LogRhythm. You can choose between list types such as Application, Host, Entity, etc. Note: If you do not specify any list type, then the 'User' list is returned. |
| List Name | Specify the name of the object or regex match using which you want to filter lists retrieved from LogRhythm. |
| Can Edit | Select true to retrieve only lists that you can edit, or false to retrieve read-only lists from LogRhythm. |
| Page Number | Specify the page number that you want to view. |
| Page Size | Specify the number of records that you want to display per page. By default, this is set as 100. |
The output contains the following populated JSON schema:
{
"number": "",
"text": "",
"dateCreated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Name | Specify the name of the network whose details you want to retrieve from LogRhythm. |
| Record Status | Select the status of the record (object recordStatus) using which you want to filter the networks retrieved from LogRhythm. |
| BIP | Specify the beginning IP address of the network range on which records are filtered, e.g. 127.0.0.1. |
| EIP | Specify the ending IP address of the network range on which records are filtered, e.g. 127.0.0.1. |
| Entity | Specify the entity name on which records are filtered. |
| Page Number | Specify the page number that you want to view. |
| Page Size | Specify the number of records that you want to display per page. By default, this is set as 100. |
The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"shortDesc": "",
"longDesc": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComment": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": "",
"name": ""
},
"bip": "",
"eip": "",
"dateUpdated": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| User ID | Specify a comma-separated list of user IDs whose details you want to retrieve from LogRhythm. |
| Entity ID | Specify a comma-separated list of entity IDs whose associated user details you want to retrieve from LogRhythm. |
| User Status | Select the status of the user (object userStatus) using which you want to filter the user lists retrieved from LogRhythm. |
| Page Number | Specify the page number that you want to view. |
| Page Size | Specify the number of records that you want to display per page. By default, this is set as 100. |
The output contains the following populated JSON schema:
{
"id": "",
"recordStatusName": "",
"dateUpdated": "",
"objectPermissions": {
"readAccess": "",
"writeAccess": "",
"entity": {
"id": "",
"name": ""
}
},
"firstName": "",
"middleName": "",
"lastName": "",
"abbreviation": "",
"userType": "",
"shortDesc": "",
"longDesc": "",
"adGroup": "",
"adDomain": "",
"userPrincipalName": "",
"fullName": ""
}
The Sample - LogRhythm - 3.0.1 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Smart Response Plugin (SRP) to invoke playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article; download this SRP and then follow the steps in this article to import and configure it.
Following is the procedure on how to import and configure the SRP:

Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
On the "Action" screen, configure the necessary fields as defined in Step 4.

The plugin takes the following parameters:
| Parameter | Description |
|---|---|
| crhost | URL of the FortiSOAR™ server, for example https://fortisoarhost. |
| authapi | FortiSOAR™ URI defined for authentication, for example /auth/authenticate. |
| playbookapi | FortiSOAR™ URI defined for the playbook trigger; for lrcreatealert this is /api/triggers/1/lrcreatealert. |
| Ignoressl | TRUE/FALSE parameter to ignore the SSL certificate. By default, FortiSOAR™ is installed using a self-signed certificate; therefore, if you want LogRhythm to accept it, set this parameter as TRUE. Note that TRUE disables certificate validation for the connection that carries the FortiSOAR™ username and password, so prefer installing a CA-signed certificate on FortiSOAR™ and leaving this parameter as FALSE. |
| Username | Username used to log on to the FortiSOAR™ platform with the necessary privileges. |
| Password | Password used to log on to the FortiSOAR™ platform with the necessary privileges. |
| alarm id | The unique identifier of an alarm in LogRhythm. |

In the playbook that the SRP triggers, create a variable named alert_input whose value is set as {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values":

Now, all parameters that are passed from LogRhythm will be accessible using:
{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}
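The exchange the SRP performs, shown as an added Python example rather than the plugin's own code: authenticate against authapi, then post the alarm id and p1 to p5 to playbookapi with the returned token. The request and response shapes (a credentials object that returns a token, a Bearer header on the trigger call, and the api_body wrapper that the playbook reads through vars.input.params['api_body']) are assumptions for illustration, and the FakeFortiSOAR class is a constructed stand-in so the script runs offline. It also makes explicit what Ignoressl controls: TRUE turns certificate verification off for the call that carries the FortiSOAR™ username and password.

```python
"""Two-step Smart Response exchange with FortiSOAR: authenticate, then trigger.

Added example, not the SRP's own code. Assumed (not documented on the page):
  * POST <crhost><authapi> with {"credentials": {"loginid", "password"}}
    returns {"token": ...}; later calls send "Authorization: Bearer <token>"
  * the trigger endpoint receives {"api_body": {...}}, which the playbook
    reads as vars.input.params['api_body'] and exposes as alarm_id, p1 .. p5
"""
from typing import Any, Callable, Dict, List, Optional

# post(url, json_body, headers, verify_tls) -> parsed JSON reply
Transport = Callable[[str, Dict[str, Any], Dict[str, str], bool], Dict[str, Any]]


def build_plugin_config(**overrides: str) -> Dict[str, str]:
    """The SRP parameters from this section; the values are illustrative."""
    cfg = {
        "crhost": "https://fortisoarhost",
        "authapi": "/auth/authenticate",
        "playbookapi": "/api/triggers/1/lrcreatealert",
        "ignoressl": "FALSE",
        "username": "srp-service-account",
        "password": "example-only",
    }
    cfg.update(overrides)
    return cfg


def verify_tls(cfg: Dict[str, str]) -> bool:
    """Ignoressl=TRUE disables certificate checking; anything else keeps it on."""
    return cfg["ignoressl"].strip().upper() != "TRUE"


def authenticate(cfg: Dict[str, str], post: Transport) -> str:
    """Exchange the FortiSOAR username/password for an API token."""
    url = cfg["crhost"].rstrip("/") + cfg["authapi"]
    body = {"credentials": {"loginid": cfg["username"], "password": cfg["password"]}}
    reply = post(url, body, {"Content-Type": "application/json"}, verify_tls(cfg))
    token = reply.get("token")
    if not token:
        raise RuntimeError("FortiSOAR authentication did not return a token")
    return token


def trigger_playbook(cfg: Dict[str, str], token: str, alarm_id: int,
                     params: List[str], post: Transport) -> Dict[str, Any]:
    """Post the alarm id and up to five parameters to the playbook trigger."""
    url = cfg["crhost"].rstrip("/") + cfg["playbookapi"]
    api_body: Dict[str, Any] = {"alarm_id": int(alarm_id)}
    for i, value in enumerate(params[:5], start=1):  # p1 .. p5, as the playbook expects
        api_body[f"p{i}"] = value
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    return post(url, {"api_body": api_body}, headers, verify_tls(cfg))


class FakeFortiSOAR:
    """Constructed stand-in for the two FortiSOAR endpoints; records each call."""

    def __init__(self, loginid: str = "srp-service-account", password: str = "example-only"):
        self.expected = {"loginid": loginid, "password": password}
        self.token = "jwt-example-token"
        self.calls: List[Any] = []

    def post(self, url: str, body: Dict[str, Any], headers: Dict[str, str],
             verify: bool) -> Dict[str, Any]:
        self.calls.append((url, body, headers, verify))
        if url.endswith("/auth/authenticate"):
            if body.get("credentials") == self.expected:
                return {"token": self.token}
            return {"error": "invalid credentials"}
        if headers.get("Authorization") != f"Bearer {self.token}":
            return {"status": 401, "error": "unauthorized"}
        # What the triggered playbook would see in vars.alert_input
        return {"status": "triggered", "alert_input": body["api_body"]}


def run_smart_response(alarm_id: int, params: List[str],
                       cfg: Optional[Dict[str, str]] = None,
                       post: Optional[Transport] = None) -> Dict[str, Any]:
    """Full exchange: authenticate once, then trigger the playbook."""
    cfg = cfg or build_plugin_config()
    post = post or FakeFortiSOAR().post
    token = authenticate(cfg, post)
    return trigger_playbook(cfg, token, alarm_id, params, post)


if __name__ == "__main__":
    print(run_smart_response(1001, ["AIE: Brute Force Login", "10.0.0.5"]))
```

With a real transport (a thin wrapper around an HTTP client that passes the verify flag through) nothing else changes. Keep Ignoressl at FALSE and install a CA-signed certificate on FortiSOAR™ so the credentials never travel over an unverified connection.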
The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.
Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:

Following is a sample image of the alert created in FortiSOAR™:

FSR_SmartResponse_Automation_Plugin.tgz
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from LogRhythm. Currently, alarms ingested from LogRhythm are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming LogRhythm alarms to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from LogRhythm into FortiSOAR™. It also lets you pull some sample data from LogRhythm using which you can define the mapping of data between LogRhythm and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to alarms from LogRhythm.


On the Field Mapping screen, map the fields of an alarm ingested from LogRhythm to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the associatedCases parameter of an alarm ingested from LogRhythm to the Description parameter of a FortiSOAR™ alert, click the Description field and then click the associatedCases field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to LogRhythm, so that the content gets pulled from the LogRhythm integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression. For example, if you want to pull data from LogRhythm every morning at 5 am, click Daily, and in the hour box enter 5, and in the minute box enter 0:

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the LogRhythm connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Specify the URL of the LogRhythm server to which you will connect and perform the automated operations. |
| Port | Specify the Port number of the LogRhythm server to which you will connect and perform the automated operations. |
| Token | Specify the API token that you will use to access LogRhythm's REST API to perform the operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Hosts | Retrieves the details of a specific host or all hosts from the LogRhythm server, based on the Host ID. | get_hosts Investigation |
| Get Hosts by Entities | Retrieves the details of a specific host from the LogRhythm server, based on the entity name you have specified. | get_hosts Investigation |
| DrillDown - Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve details of the alarm. | get_alarm_details Investigation |
| DrillDown - Get Alarm Events | Retrieves the events associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve events of the alarm. | get_alarm_details Investigation |
| Create Case | Creates a new case based on the name, priority, and other input parameters you have specified. | create_case Investigation |
| Update Case | Updates case information such as the case name, priority, due date, etc based on the case ID you have specified. | update_case Investigation |
| Get Case List | Retrieves a list of all cases or a filtered list of cases from the LogRhythm server, based on the input parameters you have specified. Note: This action supports pagination. | case_summary Investigation |
| Get Case | Retrieves the summary of a specific case from the LogRhythm server, based on the case ID you have specified. | case_summary Investigation |
| Get Case Collaborators | Retrieves the owner and the list of collaborators associated with a specific case from the LogRhythm server, based on the case ID you have specified. | case_collaborators Investigation |
| Get Associated Cases List | Retrieves a list of cases associated with a specific case from the LogRhythm server, based on the case ID you have specified. | associated_cases Investigation |
| Get Case Metrics | Retrieves the metrics for a specified case from the LogRhythm server, based on the case ID you have specified. | case_metrics Investigation |
| Add Alarm Evidence | Adds alarms as evidence to a specific case based on the case ID you have specified. | add_alarm_evidence Investigation |
| Add Note Evidence | Adds a note as evidence to a specific case based on the case ID you have specified. | add_note_evidence Investigation |
| Get Evidence list | Retrieves a list of evidence summaries for a specified case from the LogRhythm server, based on the case ID and other input parameters you have specified. | case_evidence Investigation |
| Get Evidence | Retrieves a summary of an item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. | case_evidence Investigation |
| Get Evidence Progress | Retrieves the progress of a pending item of evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. For example, the progress of a file upload as a piece of evidence. | case_evidence Investigation |
| Get User Event List | Retrieves the list of user events that are added as evidence for a specified case from the LogRhythm server, based on the case ID and evidence ID you have specified. | case_evidence Investigation |
| Search Alarm | Retrieves a list of all alarms or a filtered list of alarms from the LogRhythm server, based on the input parameters you have specified. | list_alarm Investigation |
| Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve details of the alarm. | get_alarm_details Investigation |
| Get Alarm Events | Retrieves the events associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve events of the alarm. | get_alarm_events Investigation |
| Get Alarm Summary | Retrieves the summary of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_summary Investigation |
| Get Alarm History | Retrieves the history of a specific alarm from the LogRhythm server, based on the alarm ID and other input parameters you have specified. | get_alarm_history Investigation |
| Update Alarm | Updates alarm information such as the alarm status, RBP, etc. of a specific alarm on the LogRhythm server, based on the alarm ID you have specified. | update_alarm Investigation |
| Add Alarm Comment | Updates the alarm history table with comments in the 'Comments' column in the LogRhythm server, based on the alarm ID you have specified. | add_alarm_comments Investigation |
| Add File Evidence | Adds a file as evidence to a specific case in the LogRhythm server, based on the case ID you have specified. | add_file_evidence Investigation |
| Download File Evidence | Downloads a specific item of file evidence of a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | download_file_evidence Investigation |
| Delete Case Evidence | Deletes a specific item of file evidence from a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | delete_case_evidence Investigation |
| List Case Tags | Retrieves a list of all case tags or specific case tags from LogRhythm based on the input parameters you have specified. | list_case_tags Investigation |
| Add Case Tags | Adds specific tags to a specific case in LogRhythm based on the case ID and tag numbers you have specified. | add_case_tags Investigation |
| Remove Case Tags | Removes specific tags from a specific case in LogRhythm based on the case ID and tag numbers you have specified. | remove_case_tags Investigation |
| Get List Details | Returns details of lists from LogRhythm based on the list type and other input parameters you have specified. Note: If you do not specify any list type, then the 'User' list is returned. | get_list_details Investigation |
| Get Network List | Returns all networks or specific networks from LogRhythm based on the name, record status, IP range, entity, and pagination parameters you have specified. | get_network_list Investigation |
| Get User List | Returns all users or specific users from LogRhythm based on the user IDs, entity IDs, user status, and pagination parameters you have specified. | get_user_list Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Host ID | The ID of the host whose details you want to retrieve from LogRhythm. |
| Limit Records | The maximum number of results that you want to retrieve from LogRhythm. |
| Format Result | Select this checkbox to format the results that are retrieved from LogRhythm. |
The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}
| Parameter | Description |
|---|---|
| Entity Name | Name of the entity whose host details you want to retrieve from LogRhythm. |
| Limit Records | (Optional) The maximum number of results that you want to retrieve from LogRhythm. |
| Format Result | (Optional) Select this checkbox to format the results that are retrieved from LogRhythm. |
The output contains the following populated JSON schema:
{
"HostZone": "",
"UseEventlogCredentials": "",
"ThreatLevelComments": "",
"ID": "",
"Name": "",
"OS": "",
"RiskLevel": "",
"EntityName": "",
"ThreatLevel": "",
"DateUpdated": "",
"Location": "",
"OSType": "",
"EntityId": "",
"Status": ""
}
Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve details of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose details you want to retrieve from LogRhythm. |
The output contains the following populated JSON schema:
{
"DrillDownResults": {
"RetryCount": "",
"NotificationSent": "",
"Priority": "",
"RuleBlocks": [
{
"RuleBlockID": "",
"RuleBlockTypeID": "",
"DrillDownLogs": "",
"NormalMessageDateUpper": "",
"AIECount": "",
"DXCount": "",
"DDSummaries": [
{
"DrillDownSummaryLogs": "",
"DefaultValue": "",
"PIFType": ""
}
],
"NormalMessageDate": "",
"NormalMessageDateLower": ""
}
],
"WebConsoleIds": [],
"EventID": "",
"AIERuleName": "",
"AlarmID": "",
"DateInserted": "",
"AlarmGuid": "",
"AIERuleID": "",
"NormalMessageDate": "",
"LastDxTimeStamp": "",
"AIEMsgXml": "",
"Status": ""
},
"DrillDownSummary": ""
}
Note: This operation uses LogRhythm's AI Engine Cache Drilldown API to retrieve events of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | The ID of the alarm whose events you want to retrieve from LogRhythm. |
| Count | (Optional) The maximum number of events associated with a specific alarm that you want to retrieve from LogRhythm. |
| Fields to Include in Result | (Optional) Specify additional fields that you want to include in the alarm events retrieved from LogRhythm. |
| Show Log Messages | Select this checkbox, i.e., set it to True if you want to include log messages in the output. By default, this is set to "True". |
The output contains the following populated JSON schema:
{
"Events": [
{
"logMessage": "",
"messageTypeEnum": "",
"session": "",
"impactedHost": "",
"impactedZoneName": "",
"classificationTypeName": "",
"threatId": "",
"mpeRuleId": "",
"threatName": "",
"messageId": "",
"entityId": "",
"count": "",
"normalDateMin": "",
"originZone": "",
"originEntityName": "",
"rootEntityId": "",
"ruleBlockNumber": "",
"vendorMessageId": "",
"keyField": "",
"rootEntityName": "",
"protocolName": "",
"mpeRuleName": "",
"originHost": "",
"entityName": "",
"normalDate": "",
"originIp": "",
"impactedEntityId": "",
"originHostName": "",
"commonEventId": "",
"impactedEntityName": "",
"subject": "",
"portProtocol": "",
"impactedHostName": "",
"impactedIp": "",
"logDate": "",
"commonEventName": "",
"sequenceNumber": "",
"protocolId": "",
"classificationName": "",
"action": "",
"normalMsgDateMax": "",
"originZoneName": "",
"severity": "",
"directionName": "",
"priority": "",
"originEntityId": "",
"classificationId": "",
"direction": "",
"originHostId": ""
}
],
"ID": ""
}
| Parameter | Description |
|---|---|
| Name | Name of the case that you want to create in LogRhythm. |
| Priority | The priority that you want to set for the case that you want to create in LogRhythm. |
| External ID | (Optional) The ID of an external identifier for the case that you want to create in LogRhythm. |
| Due Date | (Optional) Due date of the case that you want to create in LogRhythm. |
| Summary | (Optional) Note summarizing the case that you want to create in LogRhythm. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
| Parameter | Description |
|---|---|
| Case ID | The ID of the case that you want to update in LogRhythm. |
| Name | (Optional) Name of the case that you want to update in LogRhythm. |
| Priority | (Optional) The priority that you want to set for the case that you want to update in LogRhythm. |
| External ID | (Optional) The ID of an external identifier for the case that you want to update in LogRhythm. |
| Due Date | (Optional) Due date of the case that you want to update in LogRhythm. |
| Summary | (Optional) Note summarizing the case that you want to update in LogRhythm. |
| Resolution | (Optional) Description of how the case that you want to update in LogRhythm was resolved. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | The maximum number of cases, per page, that you want to retrieve from LogRhythm. |
| Order By | Sorts the returned results based on the specified field. |
| Direction | Sorts the order of the returned result, choose between asc (ascending) or desc (descending). |
| Updated After | Filter results that were updated after the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Updated Before | Filter results that were updated before the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Created After | Filter results that were created after the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Created Before | Filter results that were created before the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Due Before | Filter results that have a due date before the specified DateTime. The DateTime must be an RFC 3339 formatted string. |
| Priority | Filter results that have a specific case priority. You can choose from multiple numbers from 1 to 5. |
| Status Number | Filter results that have a specific case status. You can choose from multiple numbers from 1 to 5. |
| Owner Number | Filter results that have a specific case owner, by specifying the case owner's number. |
| Collaborator Number | Filter results that have a specific case collaborator, by specifying the case collaborator's number. |
| Tag Number | Filter results that are tagged, by specifying the tag number. |
| Text | Filter results that have a case number or name that contains the specified value. |
| Evidence Type | Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file. |
| Reference ID | Filter results that have evidence with the specified reference identifier. |
| External ID | Filter results that have the specified unique, external identifier. |
| Entity Number | Filter results that have the specified assigned entity number. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose summary you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
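The Get Case List filters above and the Case ID form accepted by Get Case, as an added Python example that is not the connector's own code. It enforces only the constraints this section documents (RFC 3339 timestamps, priority and status numbers from 1 to 5, the five evidence types, asc/desc ordering) and builds the Get Case path only from a case number or an RFC 4122 UUID, so a playbook-supplied value cannot alter the request path. The query-parameter names and the /lr-case-api/cases path are assumptions for illustration.

```python
"""Filter parameters for Get Case List and path building for Get Case.

Added example, not the connector's code. The query-parameter names and the
/lr-case-api/cases path are assumed; the constraints enforced are the ones
this section documents: RFC 3339 timestamps, priority and status numbers
1 to 5, the evidence types alarm/userEvent/log/note/file, and a Case ID that
is either a number or an RFC 4122 UUID.
"""
import uuid
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, Optional, Union

EVIDENCE_TYPES = {"alarm", "userEvent", "log", "note", "file"}
DIRECTIONS = {"asc", "desc"}
DATE_FILTERS = {  # keyword argument -> assumed query-parameter name
    "updated_after": "updatedAfter", "updated_before": "updatedBefore",
    "created_after": "createdAfter", "created_before": "createdBefore",
    "due_before": "dueBefore",
}


def rfc3339(value: Union[str, datetime]) -> str:
    """Normalise a datetime or RFC 3339 string to UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    if isinstance(value, str):
        # fromisoformat only accepts a trailing 'Z' from Python 3.11 on
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _numbers_1_to_5(name: str, values: Union[int, Iterable[int]]) -> str:
    """Priority and status accept one or more numbers from 1 to 5."""
    if isinstance(values, int):
        values = [values]
    numbers = [int(v) for v in values]
    for n in numbers:
        if not 1 <= n <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {n}")
    return ",".join(str(n) for n in numbers)


def build_case_list_query(offset: int = 0, count: int = 50,
                          direction: Optional[str] = None, priority=None,
                          status_number=None, evidence_type: Optional[str] = None,
                          text: Optional[str] = None,
                          **date_filters: Union[str, datetime]) -> Dict[str, Any]:
    """Return the validated query dictionary for Get Case List."""
    if offset < 0 or count < 1:
        raise ValueError("offset must be >= 0 and count >= 1")
    query: Dict[str, Any] = {"offset": offset, "count": count}
    if direction is not None:
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
        query["direction"] = direction
    if priority is not None:
        query["priority"] = _numbers_1_to_5("priority", priority)
    if status_number is not None:
        query["statusNumber"] = _numbers_1_to_5("statusNumber", status_number)
    if evidence_type is not None:
        if evidence_type not in EVIDENCE_TYPES:
            raise ValueError(f"evidenceType must be one of {sorted(EVIDENCE_TYPES)}")
        query["evidenceType"] = evidence_type
    if text is not None:
        query["text"] = text
    for key, value in date_filters.items():
        if key not in DATE_FILTERS:
            raise ValueError(f"unknown filter {key!r}")
        query[DATE_FILTERS[key]] = rfc3339(value)
    return query


def case_path(case_id: Union[int, str]) -> str:
    """Build the Get Case path from a case number or an RFC 4122 UUID only.

    Rejecting anything else stops a playbook-supplied value such as
    '42/evidence' from changing which endpoint the request hits.
    """
    raw = str(case_id).strip()
    if raw.isdigit():
        return f"/lr-case-api/cases/{int(raw)}"
    try:
        return f"/lr-case-api/cases/{uuid.UUID(raw)}"
    except ValueError:
        raise ValueError(f"not a case number or RFC 4122 UUID: {raw!r}") from None
```

Pass the returned dictionary as the query string of the list call; every date lands in UTC with a trailing Z, and out-of-range priorities or unknown evidence types fail before any request is sent.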
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose owner and case collaborators you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose associated cases you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose metrics details you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case to which you want to add alarms as evidence. |
| Alarm IDs | Comma-separated list of numeric IDs of the alarms that you want to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"pinned": "",
"datePinned": "",
"alarm": {
"alarmId": "",
"alarmDate": "",
"alarmRuleId": "",
"alarmRuleName": "",
"dateInserted": "",
"entityId": "",
"entityName": "",
"riskBasedPriorityMax": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case to which you want to add a note as evidence. |
| Note | Text of the note that you want to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of evidence summaries you want to retrieve from LogRhythm. |
| Type | (Optional) Filter results that have evidence of the specified type. You can choose from the following options: alarm, userEvent, log, note, or file. |
| Status | (Optional) Filter results that have evidence of the specified status. You can choose from the following options: pending, completed, or failed. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose evidence item summary you want to retrieve from LogRhythm. |
| Evidence ID | Unique, numeric identifier of the evidence item whose summary you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose pending evidence item's progress you want to retrieve from LogRhythm. For example, the progress of a file upload as a piece of evidence. |
| Evidence ID | Unique, numeric identifier of the evidence item whose progress details you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Unique identifier of the case, either as an RFC 4122 formatted string or as a number, whose list of user events you want to retrieve from LogRhythm. |
| Evidence ID | Unique, numeric identifier of the evidence whose list of user events you want to retrieve from LogRhythm. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Alarm Status | Select the status of the alarm using which you want to filter the alarms retrieved from LogRhythm. You can choose from the following values: "New", "Opened", "Working", "Escalated", "Closed", "Closed_FalseAlarm", "Closed_Resolved", "Closed_Unresolved", "Closed_Reported", or "Closed_Monitor". |
| Date Inserted | Specify the DateTime of alarm creation using which you want to filter the alarms retrieved from LogRhythm. |
| Alarm Rule name | Specify the rule name of the alarm using which you want to filter the alarms retrieved from LogRhythm. |
| Entity Name | Specify the entity name associated with the alarm using which you want to filter the alarms retrieved from LogRhythm. |
| Case Association | Specify the case name associated with the alarm using which you want to filter the alarms retrieved from LogRhythm. |
| Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | Specify the maximum number of alarms, per page, that you want to retrieve from LogRhythm. By default, this is set as 50. |
The output contains the following populated JSON schema:
{
"alarmsSearchDetails": [
{
"alarmId": "",
"alarmRuleName": "",
"alarmStatus": "",
"alarmDataCached": "",
"associatedCases": [],
"entityName": "",
"dateInserted": ""
}
]
}
Note: This operation uses LogRhythm's Alarm API to retrieve details of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose details you want to retrieve from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmDetails": {
"alarmRuleID": "",
"alarmId": "",
"personId": "",
"alarmDate": "",
"alarmStatus": "",
"alarmStatusName": "",
"entityId": "",
"entityName": "",
"alarmRuleName": "",
"lastUpdatedID": "",
"lastUpdatedName": "",
"dateInserted": "",
"dateUpdated": "",
"associatedCases": [],
"lastPersonID": "",
"eventCount": "",
"eventDateFirst": "",
"eventDateLast": "",
"rbpMax": "",
"rbpAvg": "",
"smartResponseActions": "",
"alarmDataCached": ""
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Note: This operation uses LogRhythm's Alarm API to retrieve events of the alarm.
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose events you want to retrieve from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmEventsDetails": [
{
"account": "",
"action": "",
"amount": "",
"bytesIn": "",
"bytesOut": "",
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"command": "",
"commonEventId": "",
"cve": "",
"commonEventName": "",
"count": "",
"directionId": "",
"directionName": "",
"domain": "",
"duration": "",
"entityId": "",
"entityName": "",
"group": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHostId": "",
"impactedHostName": "",
"impactedInterface": "",
"impactedIP": "",
"impactedLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"impactedMAC": "",
"impactedName": "",
"impactedNATIP": "",
"impactedNATPort": "",
"impactedNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"impactedPort": "",
"impactedZone": "",
"itemsPacketsIn": "",
"itemsPacketsOut": "",
"logDate": "",
"login": "",
"logMessage": "",
"logSourceHostId": "",
"logSourceHostName": "",
"logSourceName": "",
"logSourceTypeName": "",
"messageId": "",
"mpeRuleId": "",
"mpeRuleName": "",
"normalDateMax": "",
"objectName": "",
"objectType": "",
"originEntityId": "",
"originEntityName": "",
"originHostId": "",
"originHostName": "",
"originInterface": "",
"originIP": "",
"originLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"originMAC": "",
"originName": "",
"originNATIP": "",
"originNATPort": "",
"originNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"originPort": "",
"originZone": "",
"parentProcessId": "",
"parentProcessName": "",
"parentProcessPath": "",
"policy": "",
"priority": "",
"process": "",
"processId": "",
"protocolId": "",
"protocolName": "",
"quantity": "",
"rate": "",
"reason": "",
"recipient": "",
"result": "",
"responseCode": "",
"sender": "",
"session": "",
"sessionType": "",
"serialNumber": "",
"serviceId": "",
"serviceName": "",
"severity": "",
"status": "",
"size": "",
"subject": "",
"threatId": "",
"threatName": "",
"url": "",
"userAgent": "",
"vendorInfo": "",
"vendorMsgId": "",
"version": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"senderIdentityId": "",
"senderIdentityName": "",
"recipientIdentityId": "",
"recipientIdentityName": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose summary you want to retrieve from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"alarmSummaryDetails": {
"dateInserted": "",
"rbpMax": "",
"rbpAvg": "",
"alarmRuleId": "",
"alarmRuleGroup": "",
"briefDescription": "",
"additionalDetails": "",
"alarmEventSummary": [
{
"msgClassId": "",
"msgClassName": "",
"commonEventId": "",
"commonEventName": "",
"originHostId": "",
"impactedHostId": "",
"originUser": "",
"impactedUser": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originEntityName": "",
"impactedEntityName": ""
}
]
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm whose history you want to retrieve from the LogRhythm server. |
| Person ID | Specify the ID of the person whose associated alarm history you want to retrieve from the LogRhythm server. |
| Date Updated | Specify the DateTime of when alarms were updated using which you want to filter the alarm history retrieved from LogRhythm. |
| Type | Select the type of history based on which you want to filter the alarm history retrieved from LogRhythm. |
| Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | Specify the maximum number of alarms, per page, that you want to retrieve from LogRhythm. By default, this is set as 50. |
The output contains the following populated JSON schema:
{
"AlarmHistoryDetails": [
{
"alarmId": "",
"personId": "",
"comments": "",
"dateUpdated": "",
"dateInserted": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm that you want to update on the LogRhythm server. |
| Alarm Status | (Optional) Select the status that you want to set for the alarm that you want to update on LogRhythm. |
| RBP | (Optional) Select the alarm RBP that you want to update in LogRhythm. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Alarm ID | Specify the ID of the alarm that you want to update with the specific comment in LogRhythm. |
| Alarm Comment | Specify the comment that you want to add to the specified alarm in LogRhythm. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case to which you want to add a note as evidence in LogRhythm. |
| Attachment IRI | Specify the 'Attachment IRI' of the file that you want to add as evidence to the specified case in LogRhythm. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case whose associated file evidence you want to download from LogRhythm. |
| Evidence Number | Specify the unique, numeric identifier of the evidence associated with the specified case that you want to download from LogRhythm. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case whose associated file evidence you want to delete from LogRhythm. |
| Evidence Number | Specify the unique, numeric identifier of the evidence associated with the specified case that you want to delete from LogRhythm. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Tag Name | Specify the tag name using which you want to filter case tags retrieved from LogRhythm. |
| Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset. By default, this is set to 0. |
| Count | Specify the maximum number of alarms, per page, that you want to retrieve from LogRhythm. By default, this is set as 50. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case to which you want to add tags in LogRhythm. |
| Tag Number | Specify the tag number that you want to add to the specified case in LogRhythm. You can get the tag number using the 'List Case Tags' operation. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | Specify the unique identifier of the case from which you want to remove tags in LogRhythm. |
| Tag Number | Specify the tag number that you want to remove from the specified case in LogRhythm. You can get the tag number using the 'List Case Tags' operation. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| List Type | Select the type of list whose details you want to retrieve from LogRhythm. You can choose between list types such as Application, Host, Entity, etc. Note: If you do not specify any list type, then the 'User' list is returned. |
| List Name | Specify the name of the object or regex match using which you want to filter lists retrieved from LogRhythm. |
| Can Edit | Select this option to retrieve Write Only (true) or Read Only (false) lists from LogRhythm. |
| Page Number | Specify the page number of the results that you want to view. |
| Page Size | Specify the number of records that you want to display per page. By default, this is set as 100. |
The output contains the following populated JSON schema:
{
"number": "",
"text": "",
"dateCreated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Name | Specify the name of the network whose details you want to retrieve from LogRhythm. |
| Record Status | Select the status of the record (object recordStatus) using which you want to filter the networks retrieved from LogRhythm. |
| BIP | Specify the starting IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1. |
| EIP | Specify the ending IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1. |
| Entity | Specify the entity name to allow records to be filtered on a specified Entity name. |
| Page Number | Specify the page number of the results that you want to view. |
| Page Size | Specify the number of records that you want to display per page. By default, this is set as 100. |
The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"shortDesc": "",
"longDesc": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComment": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": "",
"name": ""
},
"bip": "",
"eip": "",
"dateUpdated": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| User ID | Specify a comma-separated list of user IDs whose details you want to retrieve from LogRhythm. |
| Entity ID | Specify a comma-separated list of entity IDs whose associated user details you want to retrieve from LogRhythm. |
| User Status | Select the status of the user (object userStatus) using which you want to filter the user lists retrieved from LogRhythm. |
| Page Number | Specify the page number of the results that you want to view. |
| Page Size | Specify the number of records that you want to display per page. By default, this is set as 100. |
The output contains the following populated JSON schema:
{
"id": "",
"recordStatusName": "",
"dateUpdated": "",
"objectPermissions": {
"readAccess": "",
"writeAccess": "",
"entity": {
"id": "",
"name": ""
}
},
"firstName": "",
"middleName": "",
"lastName": "",
"abbreviation": "",
"userType": "",
"shortDesc": "",
"longDesc": "",
"adGroup": "",
"adDomain": "",
"userPrincipalName": "",
"fullName": ""
}
The Sample - LogRhythm - 3.0.1 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Smart Response Plugin (SRP) to invoke the playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article; download this SRP and then follow the steps mentioned in this article to import and configure the SRP.
Following is the procedure on how to import and configure the SRP:

Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
On the "Action" screen, configure the necessary fields as defined in Step 4.

crhost – URL of the FortiSOAR™ server. Example value: https://fortisoarhost
authapi – FortiSOAR™ URI defined for authentication. Example value: /auth/authenticate
playbookapi – FortiSOAR™ URI defined for playbooks. Example value for lrcreatealert: /api/triggers/1/lrcreatealert
Ignoressl – TRUE/FALSE parameter to ignore the SSL certificate. By default, FortiSOAR™ is installed using a self-signed certificate; therefore, if you want LogRhythm to accept it, set this parameter to TRUE.
Username – Username used to log on to the FortiSOAR™ platform with the necessary privileges.
Password – Password used to log on to the FortiSOAR™ platform with the necessary privileges.
alarm id – The unique identifier of an alarm in LogRhythm.

alert_input whose value is set as {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values":

Now, all parameters that are passed from LogRhythm will be accessible using:
{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}
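As an added example (not the SRP's or the connector's own code), the following Python mirrors the exchange configured above: authenticate to FortiSOAR™ at authapi, then POST the alarm parameters to playbookapi as the body the playbook receives in api_body and reads as alarm_id and p1..p5. The authenticate request and response shape ("credentials"/"loginid" and "token") and the bearer-token header are assumptions; all sample values are constructed.

```python
import json
import ssl
import urllib.request


def make_ssl_context(ignore_ssl):
    """Map the plugin's Ignoressl flag to an SSL context.

    Ignoressl=TRUE disables certificate and hostname verification, which is
    what makes FortiSOAR's default self-signed certificate acceptable. The
    safer setting is FALSE with the FortiSOAR CA installed on the LogRhythm
    host, so the trigger URL cannot be redirected to an impostor server.
    """
    ctx = ssl.create_default_context()
    if ignore_ssl:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_url(crhost, uri):
    """Join crhost (e.g. https://fortisoarhost) with a URI such as /auth/authenticate."""
    return crhost.rstrip("/") + "/" + uri.lstrip("/")


def build_alarm_body(alarm_id, params=()):
    """JSON body the playbook later reads as vars.input.params['api_body'].

    Key names alarm_id and p1..p5 match the playbook variables documented
    above; the plugin passes at most five extra parameters.
    """
    if len(params) > 5:
        raise ValueError("the playbook exposes at most five extra parameters p1..p5")
    body = {"alarm_id": str(alarm_id)}
    for i, value in enumerate(params, start=1):
        body["p%d" % i] = value
    return body


def _post_json(url, payload, headers, ctx):
    data = json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def authenticate(crhost, authapi, username, password, ignore_ssl=False):
    """Assumption: authapi accepts {"credentials": {"loginid", "password"}}
    and answers with a JSON object carrying the session token under "token"."""
    ctx = make_ssl_context(ignore_ssl)
    creds = {"credentials": {"loginid": username, "password": password}}
    return _post_json(build_url(crhost, authapi), creds, {}, ctx)["token"]


def trigger_playbook(crhost, playbookapi, token, body, ignore_ssl=False):
    """POST the alarm body to the playbook trigger URI (assumed bearer auth)."""
    ctx = make_ssl_context(ignore_ssl)
    return _post_json(build_url(crhost, playbookapi), body,
                      {"Authorization": "Bearer " + token}, ctx)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent to a server here.
    body = build_alarm_body(12345, ("Suspicious login", "10.0.0.5"))
    print(json.dumps(body))
    # Live use would be, for the playbook trigger shown in the document:
    # token = authenticate("https://fortisoarhost", "/auth/authenticate", "user", "secret", True)
    # trigger_playbook("https://fortisoarhost", "/api/triggers/1/lrcreatealert", token, body, True)
```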
The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.
Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:

Following is a sample image of the alert created in FortiSOAR™:

FSR_SmartResponse_Automation_Plugin.tgz
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from LogRhythm. Currently, alarms ingested from LogRhythm are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming LogRhythm alarms to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from LogRhythm into FortiSOAR™. It also lets you pull some sample data from LogRhythm using which you can define the mapping of data between LogRhythm and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to alarms from LogRhythm.


On the Field Mapping screen, map the fields of an alarm ingested from LogRhythm to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the associatedCases parameter of an alarm ingested from LogRhythm to the Description parameter of a FortiSOAR™ alert, click the Description field and then click the associatedCases field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to LogRhythm, so that the content gets pulled from the LogRhythm integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression. For example, if you want to pull data from LogRhythm every morning at 5 am, click Daily, and in the hour box enter 5, and in the minute box enter 0:

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.