LogRhythm delivers in-depth endpoint visibility, automated threat hunting, and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs. This connector supports investigation actions such as Get Alarm and Update Alarm on the LogRhythm SIEM.
This document provides information about the LogRhythm Connector, which facilitates automated interactions with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm Connector as a step in FortiSOAR™ playbooks and perform automated operations with LogRhythm.
Connector Version: 3.1.0
FortiSOAR™ Version Tested on: 7.4.0-3024
LogRhythm Version Tested on: Cloud Instance
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the LogRhythm Connector in version 3.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-logrhythm
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the LogRhythm connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the LogRhythm server to which you will connect and perform the automated operations. |
Port | Port number of the LogRhythm server to which you will connect. |
Token | API token to access the rest API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Search Alarm | Retrieves a list of all alarms or a filtered list of alarms from the LogRhythm server, based on the input parameters you have specified. | list_alarm Investigation |
Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve details of the alarm. | get_alarm_details Investigation |
Get Alarm Events | Retrieves the events associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve events of the alarm. | get_alarm_events Investigation |
Get Alarm Summary | Retrieves the summary of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_summary Investigation |
Get Alarm History | Retrieves the history of a specific alarm from the LogRhythm server, based on the alarm ID and other input parameters you have specified. | get_alarm_history Investigation |
Update Alarm | Updates alarm information such as the alarm status, RBP, etc. of a specific alarm in the LogRhythm server, based on the alarm ID you have specified. | update_alarm Investigation |
Add Alarm Comment | Updates the alarm history table with comments in the 'Comments' column in the LogRhythm server, based on the alarm ID you have specified. | add_alarm_comments Investigation |
DrillDown - Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_details Investigation |
DrillDown - Get Alarm Events | Retrieves the details of events associated with an alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_events Investigation |
Get Hosts | Retrieves the details of specific hosts from the LogRhythm server, based on the Host ID you have specified or all hosts. | get_hosts Investigation |
Get Hosts by Entities | Retrieves the details of hosts from the LogRhythm server, based on the entity you have specified. | get_hosts Investigation |
Create Case | Creates a new case based on the name, priority, and other input parameters you have specified. | create_case Investigation |
Get Case List | Returns a filtered list of cases. Supports pagination. | get_cases_list Investigation |
Get Case | Returns the summary of a case by Id. | get_case Investigation |
Update Case | Updates case information such as the case name, priority, due date, etc., based on the case ID you have specified. | update_case Investigation |
Get Case Collaborators | Returns the owner and a list of collaborators associated with a specific case. | get_case_collaborators Investigation |
Get Associated Cases List | Returns a list of cases associated with a specific case. | associated_cases Investigation |
Get Case Metrics | Returns metrics for a specified case. | get_case_metrics Investigation |
Add Alarm Evidence | Adds alarms as evidence to a specific case based on the case ID you have specified. | add_alarm_evidence Investigation |
Add Note Evidence | Adds a note as evidence to a specific case based on the case ID you have specified. | add_note_evidence Investigation |
Add File Evidence | Adds a file as evidence to a specific case in the LogRhythm server, based on the case ID you have specified. | add_file_evidence Investigation |
Get Evidence list | Returns a list of evidence summaries for a case. | get_case_evidence Investigation |
Get Evidence | Returns a summary of an item of evidence on a case. | get_evidence Investigation |
Get Evidence Progress | Returns the progress of a pending item of evidence (for example, a file upload). | get_evidence_progress Investigation |
Get User Event List | Returns the list of user events added as evidence on a case. | case_evidence Investigation |
Download File Evidence | Downloads a specific item of file evidence of a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | download_file_evidence Investigation |
Delete Case Evidence | Deletes a specific item of evidence from a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | delete_case_evidence Investigation |
Add Case Tags | Adds specific tags to a specific case in LogRhythm based on the case ID and tag numbers you have specified. | add_case_tags Investigation |
List Case Tags | Retrieves a list of all case tags or specific case tags from LogRhythm based on the input parameters you have specified. | list_case_tags Investigation |
Remove Case Tags | Removes specific tags from a specific case in LogRhythm based on the case ID and tag numbers you have specified. | remove_case_tags Investigation |
Get List Details | Returns details of lists from LogRhythm based on the list type and other input parameters you have specified. Note: If you do not specify any list type, then the 'User' list is returned. | get_list_details Investigation |
Get Network List | Returns all networks or specific networks from LogRhythm based on the list type and other input parameters you have specified. | get_network_list Investigation |
Get User List | Returns all users (hosts) or specific users from LogRhythm based on the list type and other input parameters you have specified. | get_user_list Investigation |
Parameter | Description |
---|---|
Alarm Status | Select the status of the alarm to filter the alarms retrieved from LogRhythm. You can choose from the following values: |
Alarm Inserted | Specify the date and time of alarm creation to filter the alarms retrieved from LogRhythm. |
Alarm Rule name | Specify the rule name of the alarm to filter the alarms retrieved from LogRhythm. |
Entity Name | Specify the entity name associated with the alarm to filter the alarms retrieved from LogRhythm. |
Case Association | Specify the case name associated with the alarm to filter the alarms retrieved from LogRhythm. |
Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determine how many records to retrieve starting from the offset. By default, this is set to 0. |
Count | Specify the maximum number of alarms, per page, to retrieve from LogRhythm. By default, this is set to 50. |
The output contains the following populated JSON schema:
{
"alarmsSearchDetails": [
{
"alarmId": "",
"alarmRuleName": "",
"alarmStatus": "",
"alarmDataCached": "",
"associatedCases": [],
"entityName": "",
"dateInserted": ""
}
]
}
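The Offset and Count parameters above implement offset-based paging. The following example, added here and not part of the connector or of Fortinet's code, walks every page of Search Alarm output and tallies the alarms by alarmStatus; it assumes `search_alarms` is any callable that performs the Search Alarm step for a given (offset, count) and returns the schema shown, and `SAMPLE_ALARMS` with the two stand-in backends are constructed data.

```python
from typing import Callable, Dict, Iterator, List

# Type of the callable that stands in for a Search Alarm playbook step (assumption):
# it takes (offset, count) and returns a dict shaped like the output schema above,
# with the page of alarms under "alarmsSearchDetails".
SearchFn = Callable[[int, int], dict]


def iter_alarms(search_alarms: SearchFn, count: int = 50,
                max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every alarm across all pages of a Search Alarm query.

    Offset starts at 0 and advances by `count` after each page, as the Offset
    and Count parameters are described above. Paging stops when a page is empty
    or shorter than `count`. Alarms are de-duplicated on alarmId, because
    offset-based paging can return the same alarm twice when new alarms are
    inserted while the pages are being fetched.
    """
    if count < 1:
        raise ValueError("count must be a positive integer")
    seen = set()
    offset = 0
    for _ in range(max_pages):  # hard stop so a misbehaving backend cannot loop forever
        page = search_alarms(offset, count) or {}
        alarms = page.get("alarmsSearchDetails") or []
        for alarm in alarms:
            alarm_id = alarm.get("alarmId")
            if alarm_id in seen:
                continue
            seen.add(alarm_id)
            yield alarm
        if len(alarms) < count:
            break
        offset += count


def count_by_status(search_alarms: SearchFn, count: int = 50) -> Dict[str, int]:
    """Tally alarms by alarmStatus across all pages (e.g. to size a triage backlog)."""
    totals: Dict[str, int] = {}
    for alarm in iter_alarms(search_alarms, count=count):
        status = alarm.get("alarmStatus", "Unknown")
        totals[status] = totals.get(status, 0) + 1
    return totals


# Constructed sample data standing in for a LogRhythm instance with seven alarms.
SAMPLE_ALARMS: List[Dict] = [
    {
        "alarmId": i,
        "alarmRuleName": "Constructed Rule %d" % (i % 2),
        "alarmStatus": "Closed" if i % 3 == 0 else "New",
        "alarmDataCached": "",
        "associatedCases": [],
        "entityName": "Constructed Entity",
        "dateInserted": "2024-01-%02dT00:00:00Z" % i,
    }
    for i in range(1, 8)
]


def fake_search_alarms(offset: int, count: int) -> dict:
    """Well-behaved stand-in backend: returns the requested slice of SAMPLE_ALARMS."""
    return {"alarmsSearchDetails": SAMPLE_ALARMS[offset:offset + count]}


def overlapping_search_alarms(offset: int, count: int) -> dict:
    """Stand-in backend that shifts every page after the first back by one alarm,
    simulating an alarm inserted mid-pagination so that consecutive pages overlap."""
    start = max(offset - 1, 0)
    return {"alarmsSearchDetails": SAMPLE_ALARMS[start:start + count]}


if __name__ == "__main__":
    print(count_by_status(fake_search_alarms, count=3))                # {'New': 5, 'Closed': 2}
    print(len(list(iter_alarms(overlapping_search_alarms, count=3))))  # 7: the repeated alarm is dropped
```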
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its details from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmDetails": {
"alarmRuleID": "",
"alarmId": "",
"personId": "",
"alarmDate": "",
"alarmStatus": "",
"alarmStatusName": "",
"entityId": "",
"entityName": "",
"alarmRuleName": "",
"lastUpdatedID": "",
"lastUpdatedName": "",
"dateInserted": "",
"dateUpdated": "",
"associatedCases": [],
"lastPersonID": "",
"eventCount": "",
"eventDateFirst": "",
"eventDateLast": "",
"rbpMax": "",
"rbpAvg": "",
"smartResponseActions": "",
"alarmDataCached": ""
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its events from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmEventsDetails": [
{
"account": "",
"action": "",
"amount": "",
"bytesIn": "",
"bytesOut": "",
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"command": "",
"commonEventId": "",
"cve": "",
"commonEventName": "",
"count": "",
"directionId": "",
"directionName": "",
"domain": "",
"duration": "",
"entityId": "",
"entityName": "",
"group": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHostId": "",
"impactedHostName": "",
"impactedInterface": "",
"impactedIP": "",
"impactedLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"impactedMAC": "",
"impactedName": "",
"impactedNATIP": "",
"impactedNATPort": "",
"impactedNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"impactedPort": "",
"impactedZone": "",
"itemsPacketsIn": "",
"itemsPacketsOut": "",
"logDate": "",
"login": "",
"logMessage": "",
"logSourceHostId": "",
"logSourceHostName": "",
"logSourceName": "",
"logSourceTypeName": "",
"messageId": "",
"mpeRuleId": "",
"mpeRuleName": "",
"normalDateMax": "",
"objectName": "",
"objectType": "",
"originEntityId": "",
"originEntityName": "",
"originHostId": "",
"originHostName": "",
"originInterface": "",
"originIP": "",
"originLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"originMAC": "",
"originName": "",
"originNATIP": "",
"originNATPort": "",
"originNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"originPort": "",
"originZone": "",
"parentProcessId": "",
"parentProcessName": "",
"parentProcessPath": "",
"policy": "",
"priority": "",
"process": "",
"processId": "",
"protocolId": "",
"protocolName": "",
"quantity": "",
"rate": "",
"reason": "",
"recipient": "",
"result": "",
"responseCode": "",
"sender": "",
"session": "",
"sessionType": "",
"serialNumber": "",
"serviceId": "",
"serviceName": "",
"severity": "",
"status": "",
"size": "",
"subject": "",
"threatId": "",
"threatName": "",
"url": "",
"userAgent": "",
"vendorInfo": "",
"vendorMsgId": "",
"version": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"senderIdentityId": "",
"senderIdentityName": "",
"recipientIdentityId": "",
"recipientIdentityName": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its summary from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"alarmSummaryDetails": {
"dateInserted": "",
"rbpMax": "",
"rbpAvg": "",
"alarmRuleId": "",
"alarmRuleGroup": "",
"briefDescription": "",
"additionalDetails": "",
"alarmEventSummary": [
{
"msgClassId": "",
"msgClassName": "",
"commonEventId": "",
"commonEventName": "",
"originHostId": "",
"impactedHostId": "",
"originUser": "",
"impactedUser": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originEntityName": "",
"impactedEntityName": ""
}
]
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its history from the LogRhythm server. |
Person ID | Specify the ID of the person to retrieve their associated alarm history from the LogRhythm server. |
Date Updated | Specify the DateTime of when alarms were updated to filter the alarm history retrieved from LogRhythm. |
Type | Select the type of history based on which you want to filter the alarm history retrieved from LogRhythm. |
Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determine how many records to retrieve starting from the offset. By default, this is set to 0. |
Count | Specify the maximum number of alarms, per page, to retrieve from LogRhythm. By default, this is set to 50. |
The output contains the following populated JSON schema:
{
"AlarmHistoryDetails": [
{
"alarmId": "",
"personId": "",
"comments": "",
"dateUpdated": "",
"dateInserted": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to update on the LogRhythm server. |
Alarm Status | (Optional) Select the alarm status to update in LogRhythm. |
RBP | (Optional) Specify the alarm RBP to update in LogRhythm. It must be between 0 and 100. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to update with the comment in LogRhythm. |
Alarm Comment | Specify the comment to add to the specified alarm in LogRhythm. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
NOTE: This action is part of LogRhythm's DrillDown API and takes some time to finish execution. Due to this delay, you may receive an error or a blank response.
To address this issue, add a wait step in the playbook before making a call to this DrillDown API.
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its details from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"DrillDownResults": {
"Status": "",
"AlarmID": "",
"EventID": "",
"Priority": "",
"AIEMsgXml": "",
"AIERuleID": "",
"AlarmGuid": "",
"RetryCount": "",
"RuleBlocks": [
{
"DXCount": "",
"AIECount": "",
"DDSummaries": [
{
"PIFType": "",
"DefaultValue": "",
"DrillDownSummaryLogs": ""
}
],
"RuleBlockID": "",
"DrillDownLogs": "",
"RuleBlockTypeID": "",
"NormalMessageDate": "",
"NormalMessageDateLower": "",
"NormalMessageDateUpper": ""
}
],
"AIERuleName": "",
"DateInserted": "",
"WebConsoleIds": [],
"LastDxTimeStamp": "",
"NotificationSent": "",
"NormalMessageDate": ""
},
"DrillDownSummary": ""
}
NOTE: This action is part of LogRhythm's DrillDown API and takes some time to finish execution. Due to this delay, you may receive an error or a blank response.
To address this issue, add a wait step in the playbook before making a call to this DrillDown API.
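This note and the identical one on DrillDown - Get Alarm Details recommend a wait step in the playbook. The example below, added here and not the connector's own code, shows the same idea as a retry loop in Python: an error or a blank response is treated as "not ready yet" and the DrillDown call is repeated after a delay. `call_drilldown` is assumed to be any callable that performs one DrillDown request and returns a dict shaped like the output schema; `make_fake_drilldown` and its responses are constructed for illustration.

```python
import time
from typing import Callable, Optional


class DrillDownNotReady(Exception):
    """Raised when the drill-down is still blank or erroring after all attempts."""


def is_blank(response: Optional[dict]) -> bool:
    """True for the empty or partial responses the DrillDown API returns while busy.

    A populated response carries the alarm it belongs to under
    DrillDownResults.AlarmID; anything less is treated as not ready.
    """
    if not response:
        return True
    results = response.get("DrillDownResults")
    if not isinstance(results, dict):
        return True
    return not results.get("AlarmID")


def wait_for_drilldown(call_drilldown: Callable[[], Optional[dict]],
                       attempts: int = 5,
                       delay: float = 10.0,
                       sleep: Callable[[float], None] = time.sleep) -> dict:
    """Call `call_drilldown` up to `attempts` times, sleeping `delay` seconds between tries.

    Exceptions raised by the call and blank responses are both treated as
    'not ready yet'. If every attempt fails, DrillDownNotReady is raised with
    the last error chained onto it so the playbook log shows the real cause.
    `sleep` is injectable so the loop can be exercised without real waiting.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    last_error: Optional[Exception] = None
    for attempt in range(1, attempts + 1):
        try:
            response = call_drilldown()
        except Exception as exc:  # the API may answer with an error before the drill-down is ready
            last_error = exc
            response = None
        if not is_blank(response):
            return response
        if attempt < attempts:
            sleep(delay)
    raise DrillDownNotReady("DrillDown still blank after %d attempts" % attempts) from last_error


# Constructed stand-in for the LogRhythm side: errors once, answers blank once, then succeeds.
def make_fake_drilldown(alarm_id: int):
    responses = [
        RuntimeError("constructed transport error on first attempt"),
        {"DrillDownResults": {}, "DrillDownSummary": ""},             # blank: still being prepared
        {"DrillDownResults": {"Status": "", "AlarmID": alarm_id,       # constructed populated result
                              "RuleBlocks": []},
         "DrillDownSummary": "constructed summary"},
    ]
    state = {"calls": 0}

    def call() -> dict:
        idx = min(state["calls"], len(responses) - 1)
        state["calls"] += 1
        resp = responses[idx]
        if isinstance(resp, Exception):
            raise resp
        return resp

    return call, state


if __name__ == "__main__":
    call, state = make_fake_drilldown(12345)
    result = wait_for_drilldown(call, attempts=5, delay=0, sleep=lambda s: None)
    print(result["DrillDownResults"]["AlarmID"], "ready after", state["calls"], "calls")  # 12345 ready after 3 calls
```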
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its events from the LogRhythm server. |
Count | Specify the maximum number of events associated with the alarm to return. |
Fields to Include in Result | (Optional) Specify the fields to include in the output. |
Show Log Messages | Select whether to include log messages in the output. By default, this is set to true. |
The output contains the following populated JSON schema:
{
"ID": "",
"Events": [
{
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"commonEventName": "",
"commonEventId": "",
"direction": "",
"directionName": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHost": "",
"impactedHostName": "",
"impactedIp": "",
"impactedZoneName": "",
"logDate": "",
"mpeRuleId": "",
"mpeRuleName": "",
"originEntityName": "",
"originEntityId": "",
"originHostId": "",
"originHostName": "",
"originHost": "",
"originIp": "",
"originZone": "",
"originZoneName": "",
"priority": "",
"protocolId": "",
"protocolName": "",
"ruleBlockNumber": "",
"portProtocol": "",
"session": "",
"severity": "",
"subject": "",
"vendorMessageId": "",
"sequenceNumber": "",
"threatId": "",
"threatName": "",
"action": "",
"keyField": "",
"count": "",
"entityId": "",
"rootEntityId": "",
"rootEntityName": "",
"entityName": "",
"logMessage": "",
"messageId": "",
"messageTypeEnum": "",
"normalDate": "",
"normalMsgDateMax": "",
"normalDateMin": ""
}
]
}
Parameter | Description |
---|---|
Host ID | Specify the ID of the host to retrieve its details from the LogRhythm server. |
Limit Records | Specify the count of hosts to retrieve from the LogRhythm server. |
Format Result | Select to format the host details retrieved from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComments": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": ""
},
"os": "",
"useEventlogCredentials": "",
"osType": "",
"dateUpdated": "",
"hostRoles": [],
"hostIdentifiers": []
}
Parameter | Description |
---|---|
Entity Name | Specify the name of the entity to retrieve its host details from the LogRhythm server. |
Limit Records | Specify the count of hosts to retrieve from the LogRhythm server. |
Format Result | Select to format the host details retrieved from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"EntityId": "",
"EntityName": "",
"OS": "",
"ThreatLevel": "",
"UseEventlogCredentials": "",
"Name": "",
"DateUpdated": "",
"HostZone": "",
"RiskLevel": "",
"Location": "",
"Status": "",
"ThreatLevelComments": "",
"ID": "",
"OSType": ""
}
Parameter | Description |
---|---|
Name | Specify the name of the case to create in LogRhythm. |
Priority | Select the priority to set for the case to create in LogRhythm. |
External ID | (Optional) Specify the ID of an external identifier for the case to create in LogRhythm. |
Due Date | (Optional) Specify the due date of the case to create in LogRhythm. |
Summary | (Optional) Specify the note summarizing the case to create in LogRhythm. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
Due Before | Select a date to filter cases that have a due date before the specified date. |
Priority | Select a priority to filter results that have a specific case priority. |
Status Number | Select a status number to filter results that have the selected case status. |
Owner Number | Specify an owner number (a person number) to filter results that have the specified case owner. |
Collaborator Number | Specify a collaborator number (a person number) to filter results that have the specified case collaborator. |
Tag Number | Specify a tag number to filter results that are tagged, by tag numbers. |
Text | Specify the text to filter results that have a case number or name containing the specified value. |
Evidence Type | Select from the following options to filter results that have evidence of the selected type: |
Reference ID | Specify the reference ID to filter the results containing the given reference identifier. |
External ID | Specify the external ID to filter results containing the specified unique, external identifier. |
Entity Number | Specify the entity number to filter results containing the specified assigned entity number. |
Offset | Specify the number of results to skip when paging. |
Count | Specify the maximum number of results to return per page. |
Order By | Select the sorting criterion of the returned results from the following options: |
Direction | Select the sort order of the returned results from the following options: |
Updated After | Select the date to retrieve cases updated after the selected date. Must be an RFC 3339 formatted string. |
Updated Before | Select the date to retrieve cases updated before the selected date. Must be an RFC 3339 formatted string. |
Created After | Select the date to retrieve cases created after the selected date. Must be an RFC 3339 formatted string. |
Created Before | Select the date to retrieve cases created before the selected date. Must be an RFC 3339 formatted string. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": []
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to get its details. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": []
}
Parameter | Description |
---|---|
Case ID | Specify the ID of the case to update in LogRhythm. |
Name | (Optional) Specify the name of the case to update in LogRhythm. |
Priority | (Optional) Specify the priority to set for the case to update in LogRhythm. |
External ID | (Optional) Specify the ID of an external identifier for the case to update in LogRhythm. |
Due Date | (Optional) Specify the due date of the case to update in LogRhythm. |
Summary | (Optional) Specify the note summarizing the case to update in LogRhythm. |
Resolution | (Optional) Specify the description of the case to update in LogRhythm. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the collaborators on the case. |
The output contains the following populated JSON schema:
{
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
]
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case to get a list of its associated cases. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"private": "",
"summary": {
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the metrics related to the case. |
The output contains the following populated JSON schema:
{
"created": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"completed": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"incident": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"mitigated": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"resolved": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"earliestEvidence": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which to add alarms as evidence. |
Alarm IDs | Specify the comma-separated list of numeric IDs of the alarms to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"pinned": "",
"datePinned": "",
"alarm": {
"alarmId": "",
"alarmDate": "",
"alarmRuleId": "",
"alarmRuleName": "",
"dateInserted": "",
"entityId": "",
"entityName": "",
"riskBasedPriorityMax": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which to add a note as evidence. |
Note | Specify the text of the note to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which to add a note as evidence in LogRhythm. |
Type | Select the type of the evidence to add to the case from the following options: |
Reference ID | Specify a reference ID to access the attachment metadata from the FortiSOAR™'s Attachments module. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": "",
"file": {
"name": "",
"size": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the list of evidence associated with the case. |
Type | Select the evidence types to filter results containing evidence of the selected types. Multiple criteria can be selected from the following options: |
Status | Select the evidence status to filter results containing evidence of the selected status. Multiple criteria can be selected from the following options: |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case to get its evidence. |
Evidence Number | Specify the unique numeric identifier associated with the evidence. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case to get its evidence progress. |
Evidence Number | Specify the unique numeric identifier associated with the evidence. |
The output contains the following populated JSON schema:
{
"status": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case. |
Evidence Number | Specify the unique numeric identifier of the evidence. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case whose associated file evidence you want to download from LogRhythm. |
Evidence Number | Specify the unique numeric identifier of the evidence associated with the specified case to download from LogRhythm. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case whose associated file evidence you want to delete from LogRhythm. |
Evidence Number | Specify the unique, numeric identifier of the evidence associated with the specified case to delete from LogRhythm. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which you want to add tags in LogRhythm. |
Tag Number | Specify the tag number to add to the specified case in LogRhythm. You can get the tag number using the 'List Case Tags' operation. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
Tag Name | Specify the tag name to filter case tags retrieved from LogRhythm. |
Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determine how many records to retrieve starting from the offset. By default, this is set to 0. |
Count | Specify the maximum number of alarms, per page, to retrieve from LogRhythm. By default, this is set to 50. |
The output contains the following populated JSON schema:
{
"number": "",
"text": "",
"dateCreated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case from which you want to remove tags in LogRhythm. |
Tag Number | Specify the tag number to remove from the specified case in LogRhythm. You can get the tag number using the List Case Tags operation. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
List Type | Select the type of list whose details you want to retrieve from LogRhythm. You can choose between list types such as Application, Host, Entity, etc. Note: If you do not specify any list type, then the 'User' list is returned. |
List Name | Specify the name of the object or regex match to filter lists retrieved from LogRhythm. |
Can Edit | Select this option to retrieve Write Only (true) or Read Only (false) lists from LogRhythm. |
Page Number | Specify the page number to view. |
Page Size | Specify the number of records to display per page. By default, this is set to 100 . |
The output contains the following populated JSON schema:
{
"listType": "",
"status": "",
"name": "",
"shortDescription": "",
"useContext": [],
"autoImportOption": {
"enabled": "",
"usePatterns": "",
"replaceExisting": ""
},
"id": "",
"guid": "",
"dateCreated": "",
"dateUpdated": "",
"readAccess": "",
"writeAccess": "",
"restrictedRead": "",
"entityName": "",
"entryCount": "",
"needToNotify": "",
"doesExpire": "",
"owner": ""
}
Parameter | Description |
---|---|
Name | Specify the name of the network whose details you want to retrieve from LogRhythm. |
Record Status | Select the status of the record (object recordStatus) to filter the networks retrieved from LogRhythm. |
BIP | Specify the starting IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1. |
EIP | Specify the ending IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1. |
Entity | Specify the entity name to allow records to be filtered on a specified Entity name. |
Offset | Specify the starting point of records to be returned. |
Count | Specify the number of records to display per page. By default, this is set to 100 . |
The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"shortDesc": "",
"longDesc": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComment": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": "",
"name": ""
},
"bip": "",
"eip": "",
"dateUpdated": ""
}
Parameter | Description |
---|---|
User ID | Specify a comma-separated list of user IDs whose details you want to retrieve from LogRhythm. |
Entity ID | Specify a comma-separated list of entity IDs whose associated user details you want to retrieve from LogRhythm. |
Has Login | Select the login status of the user to filter the user lists retrieved from LogRhythm. |
User Status | Select the status of the user (object userStatus) to filter the user lists retrieved from LogRhythm. |
Offset | Specify the starting point of records to be returned. |
Count | Specify the number of records to display per page. By default, this is set to 100 . |
The output contains the following populated JSON schema:
{
"firstName": "",
"lastName": "",
"userType": "",
"fullName": "",
"objectPermissions": {
"readAccess": "",
"writeAccess": "",
"entity": {
"id": "",
"name": ""
},
"owner": {
"id": "",
"name": ""
}
},
"id": "",
"recordStatusName": "",
"dateUpdated": ""
}
The Sample - LogRhythm - 3.1.0 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Smart Response Plugin (SRP) to invoke the playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article; download this SRP and then follow the steps in this article to import and configure it.
Following is the procedure on how to import and configure the SRP:
Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
On the "Action" screen, configure the necessary fields as defined in Step 4.
crhost – URL of the FortiSOAR™ server, for example https://fortisoarhost
authapi – FortiSOAR™ URI defined for authentication: /auth/authenticate
playbookapi – FortiSOAR™ URI defined for playbooks; for the lrcreatealert playbook trigger this is /api/triggers/1/lrcreatealert
Ignoressl – TRUE/FALSE parameter to ignore the SSL certificate. By default, FortiSOAR™ is installed using a self-signed certificate; therefore, if you want LogRhythm to accept it, set this parameter to TRUE.
Username – Username used to log on to the FortiSOAR™ platform with the necessary privileges.
Password – Password used to log on to the FortiSOAR™ platform with the necessary privileges.
alarm id – The unique identifier of an alarm in LogRhythm.
alert_input – Variable whose value is set as {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values".
Now, all parameters that are passed from LogRhythm will be accessible using:
{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}
The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.
Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:
Following is a sample image of the alert created in FortiSOAR™:
FSR_SmartResponse_Automation_Plugin.tgz
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from LogRhythm. Currently, alarms ingested from LogRhythm are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming LogRhythm alarms to FortiSOAR™ alerts.
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from LogRhythm into FortiSOAR™. It also lets you pull some sample data from LogRhythm using which you can define the mapping of data between LogRhythm and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to alarms from LogRhythm.
On the Field Mapping screen, map the fields of an alarm ingested from LogRhythm to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the associatedCases parameter of an alarm ingested from LogRhythm to the Description parameter of a FortiSOAR™ alert, click the Description field and then click the associatedCases field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the FortiSOAR™ product documentation's Connectors Guide. Once you have completed the mapping of fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to LogRhythm, so that the content gets pulled from the LogRhythm integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression. For example, if you want to pull data from LogRhythm every morning at 5 am, click Daily, in the hour box enter 5, and in the minute box enter 0:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
Function | Description | Annotation and Category |
---|---|---|
Search Alarm | Retrieves a list of all alarms or a filtered list of alarms from the LogRhythm server, based on the input parameters you have specified. | list_alarm Investigation |
Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve details of the alarm. | get_alarm_details Investigation |
Get Alarm Events | Retrieves the events associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve events of the alarm. | get_alarm_events Investigation |
Get Alarm Summary | Retrieves the summary of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_summary Investigation |
Get Alarm History | Retrieves the history of a specific alarm from the LogRhythm server, based on the alarm ID and other input parameters you have specified. | get_alarm_history Investigation |
Update Alarm | Updates alarm information such as the alarm status, RBP, etc. of a specific alarm in the LogRhythm server, based on the alarm ID you have specified. | update_alarm Investigation |
Add Alarm Comment | Updates the alarm history table with comments in the 'Comments' column in the LogRhythm server, based on the alarm ID you have specified. | add_alarm_comments Investigation |
DrillDown - Get Alarm Details | Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_details Investigation |
DrillDown - Get Alarm Events | Retrieves the details of events associated with an alarm from the LogRhythm server, based on the alarm ID you have specified. | get_alarm_events Investigation |
Get Hosts | Retrieves the details of specific hosts from the LogRhythm server, based on the Host ID you have specified or all hosts. | get_hosts Investigation |
Get Hosts by Entities | Retrieves the details of hosts from the LogRhythm server, based on the entity you have specified. | get_hosts Investigation |
Create Case | Creates a new case based on the name, priority, and other input parameters you have specified. | create_case Investigation |
Get Case List | Returns a filtered list of cases. Supports pagination. | get_cases_list Investigation |
Get Case | Returns the summary of a case by Id. | get_case Investigation |
Update Case | Updates case information such as the case name, priority, due date, etc based on the case ID you have specified. | update_case Investigation |
Get Case Collaborators | Returns the owner and a list of collaborators associated with a specific case. | get_case_collaborators Investigation |
Get Associated Cases List | Returns a list of cases associated with a specific case. | associated_cases Investigation |
Get Case Metrics | Returns metrics for a specified case. | get_case_metrics Investigation |
Add Alarm Evidence | Adds alarms as evidence to a specific case based on the case ID you have specified. | add_alarm_evidence Investigation |
Add Note Evidence | Adds a note as evidence to a specific case based on the case ID you have specified. | add_note_evidence Investigation |
Add File Evidence | Adds a file as evidence to a specific case in the LogRhythm server, based on the case ID you have specified. | add_file_evidence Investigation |
Get Evidence list | Returns a list of evidence summaries for a case. | get_case_evidence Investigation |
Get Evidence | Returns a summary of an item of evidence on a case. | get_evidence Investigation |
Get Evidence Progress | Returns the progress of a pending item of evidence (for example, a file upload). | get_evidence_progress Investigation |
Get User Event List | Returns the list of user events added as evidence on a case. | case_evidence Investigation |
Download File Evidence | Downloads a specific item of file evidence of a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | download_file_evidence Investigation |
Delete Case Evidence | Deletes a specific item of evidence from a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified. | delete_case_evidence Investigation |
Add Case Tags | Adds specific tags to a specific case in LogRhythm based on the case ID and tag numbers you have specified. | add_case_tags Investigation |
List Case Tags | Retrieves a list of all case tags or specific case tags from LogRhythm based on the input parameters you have specified. | list_case_tags Investigation |
Remove Case Tags | Removes specific tags from a specific case in LogRhythm based on the case ID and tag numbers you have specified. | remove_case_tags Investigation |
Get List Details | Returns details of lists from LogRhythm based on the list type and other input parameters you have specified. Note: If you do not specify any list type, then the 'User' list is returned. | get_list_details Investigation |
Get Network List | Returns all networks or specific networks from LogRhythm based on the list type and other input parameters you have specified. | get_network_list Investigation |
Get User List | Returns all users (hosts) or specific users from LogRhythm based on the list type and other input parameters you have specified. | get_user_list Investigation |
Parameter | Description |
---|---|
Alarm Status | Select the status of the alarm to filter the alarms retrieved from LogRhythm. You can choose from the following values: |
Alarm Inserted | Specify the date and time of alarm creation to filter the alarms retrieved from LogRhythm. |
Alarm Rule name | Specify the rule name of the alarm to filter the alarms retrieved from LogRhythm. |
Entity Name | Specify the entity name associated with the alarm to filter the alarms retrieved from LogRhythm. |
Case Association | Specify the case name associated with the alarm to filter the alarms retrieved from LogRhythm. |
Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determine how many records to retrieve starting from the offset. By default, this is set to 0 . |
Count | Specify the maximum number of alarms, per page, to retrieve from LogRhythm. By default, this is set to 50 . |
The output contains the following populated JSON schema:
{
"alarmsSearchDetails": [
{
"alarmId": "",
"alarmRuleName": "",
"alarmStatus": "",
"alarmDataCached": "",
"associatedCases": [],
"entityName": "",
"dateInserted": ""
}
]
}
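The Offset and Count parameters above page through results positionally, so an alarm inserted while a playbook is still paging shifts later records and can be returned twice. The following added example (not connector code) shows a paging loop for Search Alarm that stops on a short page and de-duplicates on alarmId; `search_alarms` and the 120 alarm records are constructed stand-ins for the connector operation. The same loop applies to the other Offset/Count operations on this page (Get Alarm History, List Case Tags, Get Network List, Get Case List).

```python
"""Paging through 'Search Alarm' results with Offset/Count (defaults 0 and 50).

Added example, not part of the LogRhythm connector. `search_alarms` stands in
for the connector operation and returns the documented
{"alarmsSearchDetails": [...]} shape; SAMPLE_ALARMS is constructed data.
"""
from typing import Callable, Dict, Iterator, List, Set

# Constructed sample data: 120 alarms with ascending alarmId values.
SAMPLE_ALARMS: List[Dict] = [
    {
        "alarmId": 1000 + i,
        "alarmRuleName": "Suspicious Logon" if i % 3 else "Malware Detected",
        "alarmStatus": "New" if i % 2 else "Opened",
        "alarmDataCached": "Y",
        "associatedCases": [] if i % 5 else ["CASE-42"],
        "entityName": "Primary Site",
        "dateInserted": f"2024-05-01T00:{i % 60:02d}:00Z",
    }
    for i in range(120)
]


def search_alarms(offset: int = 0, count: int = 50,
                  store: List[Dict] = SAMPLE_ALARMS) -> Dict:
    """Hypothetical stand-in for the connector's 'Search Alarm' operation."""
    if offset < 0 or count < 1:
        raise ValueError("offset must be >= 0 and count >= 1")
    return {"alarmsSearchDetails": store[offset:offset + count]}


def iter_alarms(search: Callable[[int, int], Dict], count: int = 50,
                max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every alarm, requesting `count` records per page.

    Stops when a page comes back short (fewer than `count` records) or empty.
    Offset paging is positional: an alarm inserted while paging shifts later
    records, so a record can show up on two consecutive pages. We de-duplicate
    on alarmId so downstream steps do not create duplicate FortiSOAR alerts.
    """
    seen: Set[int] = set()
    offset = 0
    for _ in range(max_pages):  # hard cap guards against a runaway loop
        page = search(offset, count).get("alarmsSearchDetails") or []
        for alarm in page:
            if alarm["alarmId"] in seen:
                continue
            seen.add(alarm["alarmId"])
            yield alarm
        if len(page) < count:
            return
        offset += count


def collect_alarm_ids(search: Callable[[int, int], Dict] = search_alarms,
                      count: int = 50) -> List[int]:
    """Convenience wrapper: all unique alarmIds in paging order."""
    return [a["alarmId"] for a in iter_alarms(search, count)]


def count_search_calls(count: int = 50):
    """Return (unique alarms, list of (offset, count) calls made)."""
    calls = []

    def counting_search(offset: int, n: int) -> Dict:
        calls.append((offset, n))
        return search_alarms(offset, n)

    return len(collect_alarm_ids(counting_search, count)), calls


def make_shifting_search() -> Callable[[int, int], Dict]:
    """Search whose backing store gains a new alarm (constructed alarmId 999)
    after the first page, reproducing the positional shift described above."""
    store = list(SAMPLE_ALARMS)
    state = {"calls": 0}

    def search(offset: int, count: int) -> Dict:
        state["calls"] += 1
        if state["calls"] == 2:
            store.insert(0, dict(SAMPLE_ALARMS[0], alarmId=999))
        return search_alarms(offset, count, store)

    return search


if __name__ == "__main__":
    ids = collect_alarm_ids(make_shifting_search(), 50)
    print(len(ids), "unique alarms;", len(ids) == len(set(ids)))
```

Note that de-duplication hides repeats but not skips: an alarm inserted ahead of the cursor (alarmId 999 in the shifting scenario) is never seen, which is why scheduled ingestion should also filter on Alarm Inserted rather than rely on offsets alone.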
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its details from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmDetails": {
"alarmRuleID": "",
"alarmId": "",
"personId": "",
"alarmDate": "",
"alarmStatus": "",
"alarmStatusName": "",
"entityId": "",
"entityName": "",
"alarmRuleName": "",
"lastUpdatedID": "",
"lastUpdatedName": "",
"dateInserted": "",
"dateUpdated": "",
"associatedCases": [],
"lastPersonID": "",
"eventCount": "",
"eventDateFirst": "",
"eventDateLast": "",
"rbpMax": "",
"rbpAvg": "",
"smartResponseActions": "",
"alarmDataCached": ""
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its events from LogRhythm. |
The output contains the following populated JSON schema:
{
"alarmEventsDetails": [
{
"account": "",
"action": "",
"amount": "",
"bytesIn": "",
"bytesOut": "",
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"command": "",
"commonEventId": "",
"cve": "",
"commonEventName": "",
"count": "",
"directionId": "",
"directionName": "",
"domain": "",
"duration": "",
"entityId": "",
"entityName": "",
"group": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHostId": "",
"impactedHostName": "",
"impactedInterface": "",
"impactedIP": "",
"impactedLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"impactedMAC": "",
"impactedName": "",
"impactedNATIP": "",
"impactedNATPort": "",
"impactedNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"impactedPort": "",
"impactedZone": "",
"itemsPacketsIn": "",
"itemsPacketsOut": "",
"logDate": "",
"login": "",
"logMessage": "",
"logSourceHostId": "",
"logSourceHostName": "",
"logSourceName": "",
"logSourceTypeName": "",
"messageId": "",
"mpeRuleId": "",
"mpeRuleName": "",
"normalDateMax": "",
"objectName": "",
"objectType": "",
"originEntityId": "",
"originEntityName": "",
"originHostId": "",
"originHostName": "",
"originInterface": "",
"originIP": "",
"originLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"originMAC": "",
"originName": "",
"originNATIP": "",
"originNATPort": "",
"originNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"originPort": "",
"originZone": "",
"parentProcessId": "",
"parentProcessName": "",
"parentProcessPath": "",
"policy": "",
"priority": "",
"process": "",
"processId": "",
"protocolId": "",
"protocolName": "",
"quantity": "",
"rate": "",
"reason": "",
"recipient": "",
"result": "",
"responseCode": "",
"sender": "",
"session": "",
"sessionType": "",
"serialNumber": "",
"serviceId": "",
"serviceName": "",
"severity": "",
"status": "",
"size": "",
"subject": "",
"threatId": "",
"threatName": "",
"url": "",
"userAgent": "",
"vendorInfo": "",
"vendorMsgId": "",
"version": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"senderIdentityId": "",
"senderIdentityName": "",
"recipientIdentityId": "",
"recipientIdentityName": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its summary from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"alarmSummaryDetails": {
"dateInserted": "",
"rbpMax": "",
"rbpAvg": "",
"alarmRuleId": "",
"alarmRuleGroup": "",
"briefDescription": "",
"additionalDetails": "",
"alarmEventSummary": [
{
"msgClassId": "",
"msgClassName": "",
"commonEventId": "",
"commonEventName": "",
"originHostId": "",
"impactedHostId": "",
"originUser": "",
"impactedUser": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originEntityName": "",
"impactedEntityName": ""
}
]
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its history from the LogRhythm server. |
Person ID | Specify the ID of the person to retrieve their associated alarm history from the LogRhythm server. |
Date Updated | Specify the DateTime of when alarms were updated to filter the alarm history retrieved from LogRhythm. |
Type | Select the type of history based on which you want to filter the alarm history retrieved from LogRhythm. |
Offset | Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determine how many records to retrieve starting from the offset. By default, this is set to 0. |
Count | Specify the maximum number of history records, per page, to retrieve from LogRhythm. By default, this is set to 50. |
The output contains the following populated JSON schema:
{
"AlarmHistoryDetails": [
{
"alarmId": "",
"personId": "",
"comments": "",
"dateUpdated": "",
"dateInserted": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to update on the LogRhythm server. |
Alarm Status | (Optional) Select the alarm status to update in LogRhythm. |
RBP | (Optional) Specify the alarm RBP to update in LogRhythm. It must be between 0 and 100. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to update with the comment in LogRhythm. |
Alarm Comment | Specify the comment to add to the specified alarm in LogRhythm. |
The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}
NOTE: This action is part of LogRhythm's DrillDown API and takes some time to finish execution. Due to this delay, you may receive an error or a blank response.
To address this issue, add a wait step in the playbook before making a call to this DrillDown API.
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its details from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"DrillDownResults": {
"Status": "",
"AlarmID": "",
"EventID": "",
"Priority": "",
"AIEMsgXml": "",
"AIERuleID": "",
"AlarmGuid": "",
"RetryCount": "",
"RuleBlocks": [
{
"DXCount": "",
"AIECount": "",
"DDSummaries": [
{
"PIFType": "",
"DefaultValue": "",
"DrillDownSummaryLogs": ""
}
],
"RuleBlockID": "",
"DrillDownLogs": "",
"RuleBlockTypeID": "",
"NormalMessageDate": "",
"NormalMessageDateLower": "",
"NormalMessageDateUpper": ""
}
],
"AIERuleName": "",
"DateInserted": "",
"WebConsoleIds": [],
"LastDxTimeStamp": "",
"NotificationSent": "",
"NormalMessageDate": ""
},
"DrillDownSummary": ""
}
NOTE: This action is part of LogRhythm's DrillDown API and takes some time to finish execution. Due to this delay, you may receive an error or a blank response.
To address this issue, add a wait step in the playbook before making a call to this DrillDown API.
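Both DrillDown actions on this page carry the note above: the DrillDown API may answer with an error or a blank body while LogRhythm is still assembling the result, so the playbook needs a wait before the call. The following added example (not connector code) shows the equivalent of that wait step as a bounded poll: `fetch` stands in for the connector action, a blank body or an error counts as "not ready", the sleep callable is injectable so the logic can be exercised without delays, and the responses are constructed from the DrillDownResults schema below.

```python
"""Wait-and-retry wrapper for a LogRhythm DrillDown action.

Added example, not part of the connector. `fetch` is a hypothetical callable
that performs one DrillDown call; EMPTY_RESPONSE and READY_RESPONSE are
constructed from the DrillDownResults schema documented on this page.
"""
import time
from typing import Callable, Dict, List, Optional


class DrillDownNotReady(Exception):
    """Raised when no populated result arrives within the attempt budget."""


def is_populated(response: Optional[Dict]) -> bool:
    """A usable reply carries a DrillDownResults block with AlarmID set and at
    least one RuleBlock; a blank body or empty block means 'still pending'."""
    if not response:
        return False
    results = response.get("DrillDownResults") or {}
    return bool(results.get("AlarmID")) and bool(results.get("RuleBlocks"))


def poll_drilldown(fetch: Callable[[], Optional[Dict]],
                   attempts: int = 5, delay_seconds: float = 10.0,
                   sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Call `fetch` up to `attempts` times, sleeping `delay_seconds` between
    calls. An exception or blank reply is retried; a populated reply is
    returned. The budget is bounded so a playbook cannot hang on one alarm."""
    last_error: Optional[Exception] = None
    for attempt in range(1, attempts + 1):
        try:
            response = fetch()
        except Exception as exc:  # the action itself failed: treat as not ready
            last_error = exc
            response = None
        if is_populated(response):
            return response
        if attempt < attempts:
            sleep(delay_seconds)
    raise DrillDownNotReady(
        f"no DrillDown result after {attempts} attempts (last error: {last_error!r})"
    )


# Constructed responses: a blank reply, then a populated one.
EMPTY_RESPONSE: Dict = {"DrillDownResults": {}, "DrillDownSummary": ""}
READY_RESPONSE: Dict = {
    "DrillDownResults": {
        "AlarmID": 12345,
        "AIERuleName": "Brute Force Logon",
        "RuleBlocks": [
            {"RuleBlockID": 1, "DXCount": 4, "AIECount": 4,
             "DDSummaries": [], "DrillDownLogs": ""}
        ],
    },
    "DrillDownSummary": "4 logs",
}


def make_fetch(sequence: List) -> Callable[[], Optional[Dict]]:
    """Build a fetch that replays `sequence` one item per call; an Exception
    instance in the sequence is raised instead of returned."""
    it = iter(sequence)

    def fetch() -> Optional[Dict]:
        item = next(it)
        if isinstance(item, Exception):
            raise item
        return item

    return fetch


def run_demo(sequence: List, attempts: int = 5):
    """Poll over `sequence` with a recording sleep; return (response, sleeps)."""
    sleeps: List[float] = []
    response = poll_drilldown(make_fetch(sequence), attempts=attempts,
                              delay_seconds=10.0, sleep=sleeps.append)
    return response, len(sleeps)


if __name__ == "__main__":
    resp, waited = run_demo([RuntimeError("timeout"), EMPTY_RESPONSE, READY_RESPONSE])
    print(resp["DrillDownResults"]["AlarmID"], "after", waited, "waits")
```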
Parameter | Description |
---|---|
Alarm ID | Specify the ID of the alarm to retrieve its events from the LogRhythm server. |
Count | Specify the maximum number of events, associated with the alarm, to return. |
Fields to Include in Result | (Optional) Specify the fields to include in the output. |
Show Log Messages | Select whether you want to include log messages in the output. By default, this is set to true. |
The output contains the following populated JSON schema:
{
"ID": "",
"Events": [
{
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"commonEventName": "",
"commonEventId": "",
"direction": "",
"directionName": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHost": "",
"impactedHostName": "",
"impactedIp": "",
"impactedZoneName": "",
"logDate": "",
"mpeRuleId": "",
"mpeRuleName": "",
"originEntityName": "",
"originEntityId": "",
"originHostId": "",
"originHostName": "",
"originHost": "",
"originIp": "",
"originZone": "",
"originZoneName": "",
"priority": "",
"protocolId": "",
"protocolName": "",
"ruleBlockNumber": "",
"portProtocol": "",
"session": "",
"severity": "",
"subject": "",
"vendorMessageId": "",
"sequenceNumber": "",
"threatId": "",
"threatName": "",
"action": "",
"keyField": "",
"count": "",
"entityId": "",
"rootEntityId": "",
"rootEntityName": "",
"entityName": "",
"logMessage": "",
"messageId": "",
"messageTypeEnum": "",
"normalDate": "",
"normalMsgDateMax": "",
"normalDateMin": ""
}
]
}
Parameter | Description |
---|---|
Host ID | Specify the ID of the host to retrieve its details from the LogRhythm server. |
Limit Records | Specify the count of hosts to retrieve from the LogRhythm server. |
Format Result | Select to format the host details retrieved from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComments": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": ""
},
"os": "",
"useEventlogCredentials": "",
"osType": "",
"dateUpdated": "",
"hostRoles": [],
"hostIdentifiers": []
}
Parameter | Description |
---|---|
Entity Name | Specify the name of the entity to retrieve its host details from the LogRhythm server. |
Limit Records | Specify the count of hosts to retrieve from the LogRhythm server. |
Format Result | Select to format the host details retrieved from the LogRhythm server. |
The output contains the following populated JSON schema:
{
"EntityId": "",
"EntityName": "",
"OS": "",
"ThreatLevel": "",
"UseEventlogCredentials": "",
"Name": "",
"DateUpdated": "",
"HostZone": "",
"RiskLevel": "",
"Location": "",
"Status": "",
"ThreatLevelComments": "",
"ID": "",
"OSType": ""
}
Parameter | Description |
---|---|
Name | Specify the name of the case to create in LogRhythm. |
Priority | Select the priority to set for the case to create in LogRhythm. |
External ID | (Optional) Specify the ID of an external identifier for the case to create in LogRhythm. |
Due Date | (Optional) Specify the due date of the case to create in LogRhythm. |
Summary | (Optional) Specify the note summarizing the case to create in LogRhythm. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
Due Before | Select a date to filter cases that have a due date before the specified date. |
Priority | Select a priority to filter results that have a specific case priority. |
Status Number | Select a status number to filter results that have the selected case status. |
Owner Number | Specify an owner number to filter results that have the specified case owner, by person numbers. |
Collaborator Number | Specify a collaborator number to filter results that have the specified case collaborator, by person number. |
Tag Number | Specify a tag number to filter results that are tagged, by tag numbers. |
Text | Specify the text to filter results that have a case number or name containing the specified value. |
Evidence Type | Select from the following options to filter results that have evidence of the selected type. |
Reference ID | Specify the reference ID to filter the results containing the given reference identifier. |
External ID | Specify the external ID to filter results containing the specified unique, external identifier. |
Entity Number | Specify the entity number to filter results containing the specified assigned entity number. |
Offset | Specify the number of results to skip when paging. |
Count | Specify the maximum number of results to return per page. |
Order By | Select the sorting criterion of the returned results from the following options: |
Direction | Select the sort order of the returned results from the following options: |
Updated After | Select the date to retrieve cases updated after the selected date. Must be an RFC 3339 formatted string. |
Updated Before | Select the date to retrieve cases updated before the selected date. Must be an RFC 3339 formatted string. |
Created After | Select the date to retrieve cases created after the selected date. Must be an RFC 3339 formatted string. |
Created Before | Select the date to retrieve cases created before the selected date. Must be an RFC 3339 formatted string. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": []
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to get its details. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": []
}
Parameter | Description |
---|---|
Case ID | Specify the ID of the case to update in LogRhythm. |
Name | (Optional) Specify the name of the case to update in LogRhythm. |
Priority | (Optional) Specify the priority to set for the case to update in LogRhythm. |
External ID | (Optional) Specify the ID of an external identifier for the case to update in LogRhythm. |
Due Date | (Optional) Specify the due date of the case to update in LogRhythm. |
Summary | (Optional) Specify the note summarizing the case to update in LogRhythm. |
Resolution | (Optional) Specify the description of the case to update in LogRhythm. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the collaborators on the case. |
The output contains the following populated JSON schema:
{
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
]
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case to get a list of its associated cases. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"private": "",
"summary": {
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the metrics related to the case. |
The output contains the following populated JSON schema:
{
"created": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"completed": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"incident": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"mitigated": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"resolved": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"earliestEvidence": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which to add alarms as evidence. |
Alarm IDs | Specify the comma-separated list of numeric IDs of the alarms to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"pinned": "",
"datePinned": "",
"alarm": {
"alarmId": "",
"alarmDate": "",
"alarmRuleId": "",
"alarmRuleName": "",
"dateInserted": "",
"entityId": "",
"entityName": "",
"riskBasedPriorityMax": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which to add a note as evidence. |
Note | Specify the text of the note to add as evidence to a case. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which to add a file as evidence in LogRhythm. |
Type | Select the type of the evidence to add to the case from the following options: |
Reference ID | Specify a reference ID to access the attachment metadata from the FortiSOAR™'s Attachments module. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": "",
"file": {
"name": "",
"size": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the list of evidences associated with the case. |
Type | Select the evidence types to filter results containing evidence of the selected types. Multiple criteria can be selected from the following options: |
Status | Select the evidence status to filter results containing evidence of the selected status. Multiple criteria can be selected from the following options: |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case to get its evidences. |
Evidence Number | Specify the unique numeric identifier associated with the evidence. |
The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case to get its evidence progress. |
Evidence Number | Specify the unique numeric identifier associated with the evidence. |
The output contains the following populated JSON schema:
{
"status": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier for the case. |
Evidence Number | Unique, numeric identifier for the evidence. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case whose associated file evidence you want to download from LogRhythm. |
Evidence Number | Specify the unique numeric identifier of the evidence associated with the specified case to download from LogRhythm. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case whose associated file evidence you want to delete from LogRhythm. |
Evidence Number | Specify the unique, numeric identifier of the evidence associated with the specified case to delete from LogRhythm. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case to which you want to add tags in LogRhythm. |
Tag Number | Specify the tag number to add to the specified case in LogRhythm. You can get the tag number using the 'List Case Tags' operation. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
Tag Name | Specify the tag name to filter case tags retrieved from LogRhythm. |
Offset | Specify an offset value to retrieve a subset of records starting at that offset. Offset works together with Count, which determines how many records are retrieved starting from the offset. By default, this is set to 0. |
Count | Specify the maximum number of tags, per page, to retrieve from LogRhythm. By default, this is set to 50. |
The output contains the following populated JSON schema:
{
"number": "",
"text": "",
"dateCreated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
}
}
Parameter | Description |
---|---|
Case ID | Specify the unique identifier of the case from which you want to remove tags in LogRhythm. |
Tag Number | Specify the tag number to remove from the specified case in LogRhythm. You can get the tag number using the List Case Tags operation. |
The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
Parameter | Description |
---|---|
List Type | Select the type of list whose details you want to retrieve from LogRhythm. You can choose between list types such as Application, Host, Entity, etc. Note: If you do not specify any list type, then the 'User' list is returned. |
List Name | Specify the name of the object or a regex to match to filter lists retrieved from LogRhythm. |
Can Edit | Select this option to retrieve Write Only (true) or Read Only (false) lists from LogRhythm. |
Page Number | Specify the page number of the results to view. |
Page Size | Specify the number of records to display per page. By default, this is set to 100. |
The output contains the following populated JSON schema:
{
"listType": "",
"status": "",
"name": "",
"shortDescription": "",
"useContext": [],
"autoImportOption": {
"enabled": "",
"usePatterns": "",
"replaceExisting": ""
},
"id": "",
"guid": "",
"dateCreated": "",
"dateUpdated": "",
"readAccess": "",
"writeAccess": "",
"restrictedRead": "",
"entityName": "",
"entryCount": "",
"needToNotify": "",
"doesExpire": "",
"owner": ""
}
Parameter | Description |
---|---|
Name | Specify the name of the network whose details you want to retrieve from LogRhythm. |
Record Status | Select the status of the record (object recordStatus) to filter the networks retrieved from LogRhythm. |
BIP | Specify the starting IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1. |
EIP | Specify the ending IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1. |
Entity | Specify the entity name to allow records to be filtered on a specified Entity name. |
Offset | Specify the starting point of records to be returned. |
Count | Specify the number of records to display per page. By default, this is set to 100. |
The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"shortDesc": "",
"longDesc": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComment": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": "",
"name": ""
},
"bip": "",
"eip": "",
"dateUpdated": ""
}
Parameter | Description |
---|---|
User ID | Specify a comma-separated list of user IDs whose details you want to retrieve from LogRhythm. |
Entity ID | Specify a comma-separated list of entity IDs whose associated user details you want to retrieve from LogRhythm. |
Has Login | Select the login status of the user to filter the user lists retrieved from LogRhythm. |
User Status | Select the status of the user (object userStatus) to filter the user lists retrieved from LogRhythm. |
Offset | Specify the starting point of records to be returned. |
Count | Specify the number of records to display per page. By default, this is set to 100. |
The output contains the following populated JSON schema:
{
"firstName": "",
"lastName": "",
"userType": "",
"fullName": "",
"objectPermissions": {
"readAccess": "",
"writeAccess": "",
"entity": {
"id": "",
"name": ""
},
"owner": {
"id": "",
"name": ""
}
},
"id": "",
"recordStatusName": "",
"dateUpdated": ""
}
The Sample - LogRhythm - 3.1.0 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Smart Response Plugin (SRP) to invoke the playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article; download this SRP and then follow the steps mentioned in this article to import and configure it.
Following is the procedure on how to import and configure the SRP:
Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
On the "Action" screen, configure the necessary fields as defined in Step 4.
crhost – URL of the FortiSOAR™ server: https://fortisoarhost
authapi – FortiSOAR™ URI defined for authentication: /auth/authenticate
playbookapi – FortiSOAR™ URI defined for playbooks, for lrcreatealert: /api/triggers/1/lrcreatealert
Ignoressl – TRUE/FALSE parameter to ignore the SSL certificate. By default, FortiSOAR™ is installed using a self-signed certificate; therefore, if you want LogRhythm to accept it, set this parameter as TRUE.
Username – Username used to log on to the FortiSOAR™ platform with the necessary privileges.
Password – Password used to log on to the FortiSOAR™ platform with the necessary privileges.
alarm id – The unique identifier of an alarm in LogRhythm.
alert_input – Variable whose value is set as {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values".
Now, all parameters that are passed from LogRhythm will be accessible using:
{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}
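As an added illustration (not the plugin's or the connector's own code), the following Python sketches the two-request flow those SRP parameters describe: authenticate at authapi, then POST the alarm id and p1..p5 to playbookapi, and shows the dict the playbook sees as alert_input. The JSON body shapes, the "token" response field, the sample configuration and the fake transport are assumptions; make_post shows what Ignoressl=TRUE actually switches off.

```python
import json
import ssl
import urllib.request


def make_post(ignoressl: bool):
    """Return a JSON POST transport. Ignoressl=TRUE disables certificate
    verification (the self-signed-certificate case on the page); the
    hardened choice is to keep it FALSE and give FortiSOAR a certificate
    that LogRhythm trusts."""
    ctx = ssl.create_default_context()
    if ignoressl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(url, body, headers):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", **headers})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return post


def trigger_playbook(cfg, alarm_id, params, post):
    """Authenticate, then fire the playbook trigger with the alarm data.
    Request body and response field names are assumptions, not from the page."""
    auth = post(cfg["crhost"] + cfg["authapi"],
                {"credentials": {"loginid": cfg["username"],
                                 "password": cfg["password"]}}, {})
    token = auth["token"]                       # assumed response field
    body = {"alarm_id": alarm_id}
    body.update({"p%d" % i: v for i, v in enumerate(params[:5], 1)})
    return post(cfg["crhost"] + cfg["playbookapi"], body,
                {"Authorization": "Bearer " + token})


def alert_input(api_body):
    """What the playbook sees once alert_input = vars.input.params['api_body']:
    keys reachable as vars.alert_input.alarm_id and .p1 ... .p5."""
    out = {"alarm_id": api_body["alarm_id"]}
    for i in range(1, 6):
        out["p%d" % i] = api_body.get("p%d" % i)   # missing p-values stay None
    return out


# Constructed configuration and a fake transport so the flow runs offline.
SAMPLE_CFG = {"crhost": "https://fortisoarhost", "authapi": "/auth/authenticate",
              "playbookapi": "/api/triggers/1/lrcreatealert",
              "ignoressl": False, "username": "srp-user", "password": "example"}


def fake_post_factory(log):
    """Record each request and answer like the two endpoints would (assumed)."""
    def post(url, body, headers):
        log.append((url, body, headers))
        if url.endswith("/auth/authenticate"):
            return {"token": "constructed-token"}
        return {"status": "accepted", "received": body}
    return post
```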
The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.
Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:
Following is a sample image of the alert created in FortiSOAR™:
FSR_SmartResponse_Automation_Plugin.tgz
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from LogRhythm. Currently, alarms ingested from LogRhythm are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming LogRhythm alarms to FortiSOAR™ alerts.
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from LogRhythm into FortiSOAR™. It also lets you pull some sample data from LogRhythm using which you can define the mapping of data between LogRhythm and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to alarms from LogRhythm.
On the Field Mapping screen, map the fields of an alarm ingested from LogRhythm to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the associatedCases parameter of an alarm ingested from LogRhythm to the Description parameter of a FortiSOAR™ alert, click the Description field and then click the associatedCases field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the FortiSOAR™ product documentation's Connectors Guide. Once you have completed the mapping of fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to LogRhythm, so that the content gets pulled from the LogRhythm integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression. For example, if you want to pull data from LogRhythm every morning at 5 am, click Daily, in the hour box enter 5, and in the minute box enter 0:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.