LogRhythm v3.1.0

About the connector

LogRhythm delivers in-depth endpoint visibility, automated threat hunting, and breach response across the entire enterprise. LogRhythm enhances investigator productivity with extensive rules and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs. This connector supports the investigation actions like Get Alarm, Update Alarm, etc on LogRhythm SIEM.

This document provides information about the LogRhythm Connector, which facilitates automated interactions, with a LogRhythm server using FortiSOAR™ playbooks. Add the LogRhythm Connector as a step in FortiSOAR™ playbooks and perform automated operations with LogRhythm.

Version information

Connector Version: 3.1.0

FortiSOAR™ Version Tested on: 7.4.0-3024

LogRhythm Version Tested on: Cloud Instance

Authored By: Fortinet

Certified: Yes

Release Notes for version 3.1.0

Following enhancements have been made to the LogRhythm Connector in version 3.1.0:

• This version of the connector is certified.
• Output Schema for the following actions are updated:
  • Get Hosts
  • Add File Evidence
  • Get Evidence list
  • Get Evidence
  • Delete Case Evidence
  • Add Case Tags
  • List Case Tags
  • Remove Case Tags
  • Get List Details
  • Get User List
• The following actions have updated parameters:
  • Search Alarm
    • The parameter Date Inserted has been renamed to Alarm Inserted
  • Add File Evidence
    • Removed the parameter Attachment IRI
    • Added parameters Type and Reference ID
  • Add Case Tags
    • The parameters Case ID and Tag Number are no longer optional
    • The input type of the parameter Tag Number has been changed from integer to text
  • Remove Case Tags
    • The parameters Case ID and Tag Number are no longer optional
    • The input type of the parameter Tag Number has been changed from multi-select to text
  • Get Network List
    • The parameter Page Number has been renamed to Offset
    • The parameter Page Size has been renamed to Count
  • Get User List
    • A new parameter Has Login has been added
    • The input type of the parameter User Status has been changed from select to multi-select
    • The parameter Page Number has been renamed to Offset
    • The parameter Page Size has been renamed to Count

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-logrhythm

Prerequisites to configuring the connector

• You must have the URL of the LogRhythm server to which you will connect and perform automated operations and credentials to access that server.
• The FortiSOAR™ server should have outbound connectivity to port 443 on the LogRhythm server.

Minimum Permissions Required

• Not applicable

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the LogRhythm connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter	Description
Server URL	URL of the LogRhythm server to which you will connect and perform the automated operations.
Port	Port number of the LogRhythm server to which you will connect.
Token	API token to access the rest API.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function	Description	Annotation and Category
Search Alarm	Retrieves a list of all alarms or a filtered list of alarms from the LogRhythm server, based on the input parameters you have specified.	list_alarm Investigation
Get Alarm Details	Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve details of the alarm.	get_alarm_details Investigation
Get Alarm Events	Retrieves the events associated with a specific alarm from the LogRhythm server, based on the alarm ID you have specified. Note: This operation uses LogRhythm's Alarm API to retrieve events of the alarm.	get_alarm_events Investigation
Get Alarm Summary	Retrieves the summary of a specific alarm from the LogRhythm server, based on the alarm ID you have specified.	get_alarm_summary Investigation
Get Alarm History	Retrieves the history of a specific alarm from the LogRhythm server, based on the alarm ID and other input parameters you have specified.	get_alarm_history Investigation
Update Alarm	Updates alarm information such as the alarm status, RBP, etc. of a specific alarm in the LogRhythm server, based on the alarm ID you have specified.	update_alarm Investigation
Add Alarm Comment	Updates the alarm history table with comments in the 'Comments' column in the LogRhythm server, based on the alarm ID you have specified.	add_alarm_comments Investigation
DrillDown - Get Alarm Details	Retrieves the details of a specific alarm from the LogRhythm server, based on the alarm ID you have specified.	get_alarm_details Investigation
DrillDown - Get Alarm Events	Retrieves the details of events associated with an alarm from the LogRhythm server, based on the alarm ID you have specified.	get_alarm_events Investigation
Get Hosts	Retrieves the details of specific hosts from the LogRhythm server, based on the Host ID you have specified or all hosts.	get_hosts Investigation
Get Hosts by Entities	Retrieves the details of hosts from the LogRhythm server, based on the entity you have specified.	get_hosts Investigation
Create Case	Creates a new case based on the name, priority, and other input parameters you have specified.	create_case Investigation
Get Case List	Returns a filtered list of cases. Supports pagination.	get_cases_list Investigation
Get Case	Returns the summary of a case by Id.	get_case Investigation
Update Case	Updates case information such as the case name, priority, due date, etc based on the case ID you have specified.	update_case Investigation
Get Case Collaborators	Returns the owner and a list of collaborators associated with a specific case.	get_case_collaborators Investigation
Get Associated Cases List	Returns a list of cases associated with a specific case.	associated_cases Investigation
Get Case Metrics	Return metrics for a specified case.	get_case_metrics Investigation
Add Alarm Evidence	Adds alarms as evidence to a specific case based on the case ID you have specified.	add_alarm_evidence Investigation
Add Note Evidence	Adds a note as evidence to a specific case based on the case ID you have specified.	add_note_evidence Investigation
Add File Evidence	Adds a file as evidence to a specific case in the LogRhythm server, based on the case ID you have specified.	add_file_evidence Investigation
Get Evidence list	Return a list of evidence summaries for a case.	get_case_evidence Investigation
Get Evidence	Return a summary of an item of evidence on a case.	get_evidence Investigation
Get Evidence Progress	Return the progress of a pending item of evidence. for example, a file upload).	get_evidence_progress Investigation
Get User Event List	Return the list of user events added as evidence on a case.	case_evidence Investigation
Download File Evidence	Downloads a specific item of file evidence of a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified.	download_file_evidence Investigation
Delete Case Evidence	Deletes a specific item of evidence from a specified case in the LogRhythm server, based on the case ID and evidence ID you have specified.	delete_case_evidence Investigation
Add Case Tags	Adds specific tags to a specific case in LogRhythm based on the case ID and tag numbers you have specified.	add_case_tags Investigation
List Case Tags	Retrieves a list of all case tags or specific case tags from LogRhythm based on the input parameters you have specified.	list_case_tags Investigation
Remove Case Tags	Removes specific tags from a specific case in LogRhythm based on the case ID and tag numbers you have specified.	remove_case_tags Investigation
Get List Details	Returns details of lists from LogRhythm based on the list type and other input parameters you have specified. Note: If you do not specify any list type, then the 'User' list is returned.	get_list_details Investigation
Get Network List	Returns all networks or specific networks from LogRhythm based on the list type and other input parameters you have specified.	get_network_list Investigation
Get User List	Returns all users (hosts) or specific users from LogRhythm based on the list type and other input parameters you have specified.	get_user_list Investigation

operation: Search Alarm

Input parameters

Parameter	Description
Alarm Status	Select the status of the alarm to filter the alarms retrieved from LogRhythm. You can choose from the following values: New Open Open: Working Closed Closed: Escalated Closed: False Alarm Closed: Resolved Closed: Unresolved Closed: Reported Closed: Monitor
Alarm Inserted	Specify the date and time of alarm creation to filter the alarms retrieved from LogRhythm.
Alarm Rule name	Specify the rule name of the alarm to filter the alarms retrieved from LogRhythm.
Entity Name	Specify the entity name associated with the alarm to filter the alarms retrieved from LogRhythm.
Case Association	Specify the case name associated with the alarm to filter the alarms retrieved from LogRhythm.
Offset	Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determine how many records to retrieve starting from the offset. By default, this is set to 0.
Count	Specify the maximum number of alarms, per page, to retrieve from LogRhythm. By default, this is set to 50.

Output

The output contains the following populated JSON schema:
{
"alarmsSearchDetails": [
{
"alarmId": "",
"alarmRuleName": "",
"alarmStatus": "",
"alarmDataCached": "",
"associatedCases": [],
"entityName": "",
"dateInserted": ""
}
]
}

operation: Get Alarm Details

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to retrieve its details from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"alarmDetails": {
"alarmRuleID": "",
"alarmId": "",
"personId": "",
"alarmDate": "",
"alarmStatus": "",
"alarmStatusName": "",
"entityId": "",
"entityName": "",
"alarmRuleName": "",
"lastUpdatedID": "",
"lastUpdatedName": "",
"dateInserted": "",
"dateUpdated": "",
"associatedCases": [],
"lastPersonID": "",
"eventCount": "",
"eventDateFirst": "",
"eventDateLast": "",
"rbpMax": "",
"rbpAvg": "",
"smartResponseActions": "",
"alarmDataCached": ""
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}

operation: Get Alarm Events

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to retrieve its events from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"alarmEventsDetails": [
{
"account": "",
"action": "",
"amount": "",
"bytesIn": "",
"bytesOut": "",
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"command": "",
"commonEventId": "",
"cve": "",
"commonEventName": "",
"count": "",
"directionId": "",
"directionName": "",
"domain": "",
"duration": "",
"entityId": "",
"entityName": "",
"group": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHostId": "",
"impactedHostName": "",
"impactedInterface": "",
"impactedIP": "",
"impactedLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"impactedMAC": "",
"impactedName": "",
"impactedNATIP": "",
"impactedNATPort": "",
"impactedNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"impactedPort": "",
"impactedZone": "",
"itemsPacketsIn": "",
"itemsPacketsOut": "",
"logDate": "",
"login": "",
"logMessage": "",
"logSourceHostId": "",
"logSourceHostName": "",
"logSourceName": "",
"logSourceTypeName": "",
"messageId": "",
"mpeRuleId": "",
"mpeRuleName": "",
"normalDateMax": "",
"objectName": "",
"objectType": "",
"originEntityId": "",
"originEntityName": "",
"originHostId": "",
"originHostName": "",
"originInterface": "",
"originIP": "",
"originLocation": {
"countryCode": "",
"name": "",
"latitude": "",
"locationId": "",
"locationKey": "",
"longitude": "",
"parentLocationId": "",
"recordStatus": "",
"regionCode": "",
"type": "",
"dateUpdated": ""
},
"originMAC": "",
"originName": "",
"originNATIP": "",
"originNATPort": "",
"originNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "",
"riskThreshold": "",
"endIPRange": {
"value": ""
},
"entityId": "",
"hostZone": "",
"locationId": "",
"longDesc": "",
"name": "",
"networkId": "",
"recordStatus": "",
"shortDesc": ""
},
"originPort": "",
"originZone": "",
"parentProcessId": "",
"parentProcessName": "",
"parentProcessPath": "",
"policy": "",
"priority": "",
"process": "",
"processId": "",
"protocolId": "",
"protocolName": "",
"quantity": "",
"rate": "",
"reason": "",
"recipient": "",
"result": "",
"responseCode": "",
"sender": "",
"session": "",
"sessionType": "",
"serialNumber": "",
"serviceId": "",
"serviceName": "",
"severity": "",
"status": "",
"size": "",
"subject": "",
"threatId": "",
"threatName": "",
"url": "",
"userAgent": "",
"vendorInfo": "",
"vendorMsgId": "",
"version": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"senderIdentityId": "",
"senderIdentityName": "",
"recipientIdentityId": "",
"recipientIdentityName": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}

operation: Get Alarm Summary

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to retrieve its summary from the LogRhythm server.

Output

The output contains the following populated JSON schema:
{
"alarmSummaryDetails": {
"dateInserted": "",
"rbpMax": "",
"rbpAvg": "",
"alarmRuleId": "",
"alarmRuleGroup": "",
"briefDescription": "",
"additionalDetails": "",
"alarmEventSummary": [
{
"msgClassId": "",
"msgClassName": "",
"commonEventId": "",
"commonEventName": "",
"originHostId": "",
"impactedHostId": "",
"originUser": "",
"impactedUser": "",
"originUserIdentityId": "",
"impactedUserIdentityId": "",
"originUserIdentityName": "",
"impactedUserIdentityName": "",
"originEntityName": "",
"impactedEntityName": ""
}
]
},
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}

operation: Get Alarm History

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to retrieve its history from the LogRhythm server.
Person ID	Specify the ID of the person to retrieve their associated alarm history from the LogRhythm server.
Date Updated	Specify the DateTime of when alarms were updated to filter the alarm history retrieved from LogRhythm.
Type	Select the type of history based on which you want to filter the alarm history retrieved from LogRhythm.
Offset	Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset. By default, this is set to 0.
Count	Specify the maximum number of alarms, per page, to retrieve from LogRhythm. By default, this is set to 50.

Output

The output contains the following populated JSON schema:
{
"AlarmHistoryDetails": [
{
"alarmId": "",
"personId": "",
"comments": "",
"dateUpdated": "",
"dateInserted": ""
}
],
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}

operation: Update Alarm

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to update on the LogRhythm server.
Alarm Status	(Optional) Select the alarm status to update in LogRhythm.
RBP	(Optional) Specify the alarm RBP to update in LogRhythm. It must be in between 0 - 100.

Output

The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}

operation: Add Alarm Comment

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to update with the comment in LogRhythm.
Alarm Comment	Specify the comment to add to the specified alarm in LogRhythm.

Output

The output contains the following populated JSON schema:
{
"statusCode": "",
"statusMessage": "",
"responseMessage": ""
}

operation: DrillDown - Get Alarm Details

NOTE: This action is part of LogRhythm's DrillDown API and takes some time to finish execution. Due to this delay, you may receive an error or a blank response.

To address this issue, add a wait step in the playbook before making a call to this DrillDown API.

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to retrieve its details from the LogRhythm server.

Output

The output contains the following populated JSON schema:
{
"DrillDownResults": {
"Status": "",
"AlarmID": "",
"EventID": "",
"Priority": "",
"AIEMsgXml": "",
"AIERuleID": "",
"AlarmGuid": "",
"RetryCount": "",
"RuleBlocks": [
{
"DXCount": "",
"AIECount": "",
"DDSummaries": [
{
"PIFType": "",
"DefaultValue": "",
"DrillDownSummaryLogs": ""
}
],
"RuleBlockID": "",
"DrillDownLogs": "",
"RuleBlockTypeID": "",
"NormalMessageDate": "",
"NormalMessageDateLower": "",
"NormalMessageDateUpper": ""
}
],
"AIERuleName": "",
"DateInserted": "",
"WebConsoleIds": [],
"LastDxTimeStamp": "",
"NotificationSent": "",
"NormalMessageDate": ""
},
"DrillDownSummary": ""
}

operation: DrillDown - Get Alarm Events

NOTE: This action is part of LogRhythm's DrillDown API and takes some time to finish execution. Due to this delay, you may receive an error or a blank response.

To address this issue, add a wait step in the playbook before making a call to this DrillDown API.

Input parameters

Parameter	Description
Alarm ID	Specify the ID of the alarm to retrieve its events from the LogRhythm server.
Count	Specify the maximum number of events, associated with alarm, to return.
Fields to Include in Result	(Optional) Specify fields to include in output.
Show Log Messages	Select whether you want to include log messages in output. Default is true.

Output

The output contains the following populated JSON schema:
{
"ID": "",
"Events": [
{
"classificationId": "",
"classificationName": "",
"classificationTypeName": "",
"commonEventName": "",
"commonEventId": "",
"direction": "",
"directionName": "",
"impactedEntityId": "",
"impactedEntityName": "",
"impactedHost": "",
"impactedHostName": "",
"impactedIp": "",
"impactedZoneName": "",
"logDate": "",
"mpeRuleId": "",
"mpeRuleName": "",
"originEntityName": "",
"originEntityId": "",
"originHostId": "",
"originHostName": "",
"originHost": "",
"originIp": "",
"originZone": "",
"originZoneName": "",
"priority": "",
"protocolId": "",
"protocolName": "",
"ruleBlockNumber": "",
"portProtocol": "",
"session": "",
"severity": "",
"subject": "",
"vendorMessageId": "",
"sequenceNumber": "",
"threatId": "",
"threatName": "",
"action": "",
"keyField": "",
"count": "",
"entityId": "",
"rootEntityId": "",
"rootEntityName": "",
"entityName": "",
"logMessage": "",
"messageId": "",
"messageTypeEnum": "",
"normalDate": "",
"normalMsgDateMax": "",
"normalDateMin": ""
}
]
}

operation: Get Hosts

Input parameters

Parameter	Description
Host ID	Specify the ID of the host to retrieve its details from the LogRhythm server.
Limit Records	Specify the count of hosts to retrieve from the LogRhythm server.
Format Result	Select to format the host details retrieved from the LogRhythm server.

Output

The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComments": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": ""
},
"os": "",
"useEventlogCredentials": "",
"osType": "",
"dateUpdated": "",
"hostRoles": [],
"hostIdentifiers": []
}

operation: Get Hosts by Entities

Input parameters

Parameter	Description
Entity Name	Specify the name of the entity to retrieve its host details from the LogRhythm server.
Limit Records	Specify the count of hosts to retrieve from the LogRhythm server.
Format Result	Select to format the hosts details retrieved from the LogRhythm server.

Output

The output contains the following populated JSON schema:
{
"EntityId": "",
"EntityName": "",
"OS": "",
"ThreatLevel": "",
"UseEventlogCredentials": "",
"Name": "",
"DateUpdated": "",
"HostZone": "",
"RiskLevel": "",
"Location": "",
"Status": "",
"ThreatLevelComments": "",
"ID": "",
"OSType": ""
}

operation: Create Case

Input parameters

Parameter	Description
Name	Specify the name of the case to create in LogRhythm.
Priority	Select the priority to set for the case to create in LogRhythm.
External ID	(Optional) Specify the ID of an external identifier for the case to create in LogRhythm.
Due Date	(Optional) Specify the due date of the case to create in LogRhythm.
Summary	(Optional) Specify the note summarizing the case to create in LogRhythm.

Output

The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}

operation: Get Case List

Input parameters

Parameter	Description
Due Before	Select a date to filter cases that have a due date before the specified date.
Priority	Select a priority to filter results that have a specific case priority.
Status Number	Select a status number to filter results that have the selected case status.
Owner Number	Specify an owner number to filter results that have the specified case owner, by person numbers.
Collaborator Number	Specify a collaborator number to filter results that have specified case collaborator, by person number.
Tag Number	Specify a tag number to filter results that are tagged, by tag numbers.
Text	Specify the text to filter results that have a case number or name containing the specified value.
Evidence Type	Select from the following options to filter results that have evidence of the selected type. alarm userEvents log note file
Reference ID	Specify the reference ID to filter the results containing the given reference identifier.
External ID	Specify the external ID to filter results containing the specified unique, external identifier.
Entity Number	Specify the entity number to filter results containing the specified assigned entity number.
Offset	Specify the number of results to skip when paging.
Count	Specify the maximum number of results to return per page.
Order By	Select the sorting criterion of the returned results from the following options: dateCreated dateClosed dateUpdated name number priority dueDate age statusNumber
Direction	Select the sort order of the returned results from the following options: asc: Sort in ascending order desc: Sort in descending order
Updated After	Select the date to retrieve cases updated after the selected date. Must be an RFC 3339 formatted string.
Updated Before	Select the date to retrieve cases updated before the selected date. Must be an RFC 3339 formatted string.
Created After	Select the date to retrieve cases created after the selected date. Must be an RFC 3339 formatted string.
Created Before	Select the date to retrieve cases created before the selected date. Must be an RFC 3339 formatted string.

Output

The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": []
}

operation: Get Case

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case to get its details.

Output

The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": []
}

operation: Update Case

Input parameters

Parameter	Description
Case ID	Specify the ID of the case to update in LogRhythm.
Name	(Optional) Specify the name of the case to update in LogRhythm.
Priority	(Optional) Specify the priority to set for the case to update in LogRhythm.
External ID	(Optional) Specify the ID of an external identifier for the case to update in LogRhythm.
Due Date	(Optional) Specify the due date of the case to update in LogRhythm.
Summary	(Optional) Specify the note summarizing the case to update in LogRhythm.
Resolution	(Optional) Specify the description of the case to update in LogRhythm.

Output

The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}

operation: Get Case Collaborators

Input parameters

Parameter	Description
Case ID	Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the collaborators on the case.

Output

The output contains the following populated JSON schema:
{
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
]
}

operation: Get Associated Cases List

Input parameters

Parameter	Description
Case ID	Specify the unique identifier for the case to get a list of its associated cases.

Output

The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"private": "",
"summary": {
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}
}

operation: Get Case Metrics

Input parameters

Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the metrics related to the case.

Parameter	Description
Case ID

Output

The output contains the following populated JSON schema:
{
"created": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"completed": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"incident": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"mitigated": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"resolved": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
},
"earliestEvidence": {
"date": "",
"originalDate": "",
"customDate": "",
"note": ""
}
}

operation: Add Alarm Evidence

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case to which to add alarms as evidence.
Alarm IDs	Specify the comma-separated list of numeric IDs of the alarms to add as evidence to a case.

Output

The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"pinned": "",
"datePinned": "",
"alarm": {
"alarmId": "",
"alarmDate": "",
"alarmRuleId": "",
"alarmRuleName": "",
"dateInserted": "",
"entityId": "",
"entityName": "",
"riskBasedPriorityMax": ""
}
}

operation: Add Note Evidence

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case to which to add a note as evidence.
Note	Specify the text of the note to add as evidence to a case.

Output

The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": ""
},
"lastUpdatedBy": {
"number": "",
"name": ""
},
"type": "",
"status": "",
"text": "",
"pinned": "",
"datePinned": ""
}

operation: Add File Evidence

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case to which to add a note as evidence in LogRhythm.
Type	Select the type of the evidence from following options to add to the case: Attachment ID: The next parameter, Reference ID defaults to {{vars.attachment_id}} value. File IRI The next parameter, Reference ID defaults to {{vars.file_iri}} value.
Reference ID	Specify a reference ID to access the attachment metadata from the FortiSOAR™'s Attachments module.

Output

The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": "",
"file": {
"name": "",
"size": ""
}
}

operation: Get Evidence list

Input parameters

Parameter	Description
Case ID	Specify the unique identifier for the case, either as an RFC 4122 formatted string or as a number, to get the list of evidences associated with the case.
Type	Select the evidence types to filter results containing evidence of the selected types. Multiple criteria can be selected from the following options: alarm userEvents log note file
Status	Select the evidence status to filter results containing evidence of the selected status. Multiple criteria can be selected from the following options: pending completed failed

Output

The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": ""
}

operation: Get Evidence

Input parameters

Parameter	Description
Case ID	Specify the unique identifier for the case to get its evidences.
Evidence Number	Specify the unique numeric identifier associated with the evidence.

Output

The output contains the following populated JSON schema:
{
"number": "",
"dateCreated": "",
"dateUpdated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"type": "",
"status": "",
"statusMessage": "",
"text": "",
"pinned": "",
"datePinned": ""
}

operation: Get Evidence Progress

Input parameters

Parameter	Description
Case ID	Specify the unique identifier for the case to get its evidence progress.
Evidence Number	Specify the unique numeric identifier associated with the evidence.

Output

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Get User Event List

Input parameters

Parameter	Description
Case ID	Specify the unique identifier for the case.
Evidence Number	Unique, numeric identifier for the evidence.

Output

The output contains a non-dictionary value.

operation: Download File Evidence

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case whose associated file evidence you want to download from LogRhythm.
Evidence Number	Specify the unique numeric identifier of the evidence associated with the specified case to download from LogRhythm.

Output

The output contains a non-dictionary value.

operation: Delete Case Evidence

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case whose associated file evidence you want to delete from LogRhythm.
Evidence Number	Specify the unique, numeric identifier of the evidence associated with the specified case to delete from LogRhythm.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Add Case Tags

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case to which you want to add tags in LogRhythm.
Tag Number	Specify the tag number to add to the specified case in LogRhythm. You can get the tag number using the 'List Case Tags' operation.

Output

The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}

operation: List Case Tags

Input parameters

Parameter	Description
Tag Name	Specify the tag name to filter case tags retrieved from LogRhythm.
Offset	Specify an offset value to retrieve a subset of records starting with the offset value. Offset works with limits, which determines how many records to retrieve starting from the offset. By default, this is set to 0.
Count	Specify the maximum number of alarms, per page, to retrieve from LogRhythm. By default, this is set to 50.

Output

The output contains the following populated JSON schema:
{
"number": "",
"text": "",
"dateCreated": "",
"createdBy": {
"number": "",
"name": "",
"disabled": ""
}
}

operation: Remove Case Tags

Input parameters

Parameter	Description
Case ID	Specify the unique identifier of the case to which you want to remove tags from LogRhythm.
Tag Number	Specify the tag number to remove from the specified case in LogRhythm. You can get the tag number using the List Case Tags operation.

Output

The output contains the following populated JSON schema:
{
"id": "",
"number": "",
"externalId": "",
"dateCreated": "",
"dateUpdated": "",
"dateClosed": "",
"owner": {
"number": "",
"name": "",
"disabled": ""
},
"lastUpdatedBy": {
"number": "",
"name": "",
"disabled": ""
},
"name": "",
"status": {
"name": "",
"number": ""
},
"priority": "",
"dueDate": "",
"resolution": "",
"resolutionDateUpdated": "",
"resolutionLastUpdatedBy": "",
"summary": "",
"entity": {
"number": "",
"name": "",
"fullName": ""
},
"collaborators": [
{
"number": "",
"name": "",
"disabled": ""
}
],
"tags": [
{
"number": "",
"text": ""
}
]
}

operation: Get List Details

Input parameters

Parameter	Description
List Type	Select the type of list whose details you want to retrieve from LogRhythm. You can choose between list types such as Application, Host, Entity, etc. Note: If you do not specify any list type, then the 'User' list is returned.
List Name	Specify the name of the object or regex match to filter lists retrieved from?LogRhythm.
Can Edit	Select this option to retrieve Write Only (true) or Read Only (false) lists from LogRhythm.
Page Number	Specify the number of pages to view.
Page Size	Specify the number of records to display per page. By default, this is set to 100.

Output

The output contains the following populated JSON schema:
{
"listType": "",
"status": "",
"name": "",
"shortDescription": "",
"useContext": [],
"autoImportOption": {
"enabled": "",
"usePatterns": "",
"replaceExisting": ""
},
"id": "",
"guid": "",
"dateCreated": "",
"dateUpdated": "",
"readAccess": "",
"writeAccess": "",
"restrictedRead": "",
"entityName": "",
"entryCount": "",
"needToNotify": "",
"doesExpire": "",
"owner": ""
}

operation: Get Network List

Input parameters

Parameter	Description
Name	Specify the name of the network whose details you want to retrieve from LogRhythm.
Record Status	Select the status of the record (object recordStatus) to filter the networks retrieved from LogRhythm.
BIP	Specify the starting IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1.
EIP	Specify the ending IP address to allow records to be filtered on a specified IP address, e.g. 127.0.0.1.
Entity	Specify the entity name to allow records to be filtered on a specified Entity name.
Offset	Specify the starting point of records to be returned.
Count	Specify the number of records to display per page. By default, this is set to 100.

Output

The output contains the following populated JSON schema:
{
"id": "",
"entity": {
"id": "",
"name": ""
},
"name": "",
"shortDesc": "",
"longDesc": "",
"riskLevel": "",
"threatLevel": "",
"threatLevelComment": "",
"recordStatusName": "",
"hostZone": "",
"location": {
"id": "",
"name": ""
},
"bip": "",
"eip": "",
"dateUpdated": ""
}

operation: Get User List

Input parameters

Parameter	Description
User ID	Specify a comma-separated list of user IDs whose details you want to retrieve from LogRhythm.
Entity ID	Specify a comma-separated list of entity IDs whose associated user details you want to retrieve from LogRhythm.
Has Login	Select the login status of the user to filter the user lists retrieved from LogRhythm.
User Status	Select the status of the user (object userStatus) to filter the user lists retrieved from LogRhythm.
Offset	Specify the starting point of records to be returned.
Count	Specify the number of records to display per page. By default, this is set to 100.

Output

The output contains the following populated JSON schema:
{
"firstName": "",
"lastName": "",
"userType": "",
"fullName": "",
"objectPermissions": {
"readAccess": "",
"writeAccess": "",
"entity": {
"id": "",
"name": ""
},
"owner": {
"id": "",
"name": ""
}
},
"id": "",
"recordStatusName": "",
"dateUpdated": ""
}

Included playbooks

The Sample - LogRhythm - 3.1.0 playbook collection comes bundled with the LogRhythm connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the LogRhythm connector.

• > Logrhythm > Fetch and Create
• > Logrhythm > Fetch the Alarm Events
• Add Alarm Comment
• Add Alarm Evidence
• Add Case Tags
• Add File Evidence
• Add Note Evidence
• Create Case
• Delete Case Evidence
• Download File Evidence
• DrillDown - Get Alarm Details
• DrillDown - Get Alarm Events
• Get Alarm Details
• Get Alarm Events
• Get Alarm History
• Get Alarm Summary
• Get Associated Cases List
• Get Case
• Get Case Collaborators
• Get Case List
• Get Case Metrics
• Get Evidence
• Get Evidence Progress
• Get Evidence list
• Get Hosts
• Get Hosts by Entities
• Get List Details
• Get Network List
• Get User Event List
• Get User List
• Create Logrhythm Alert
• List Case Tags
• Logrhythm > Ingest
• Remove Case Tags
• Search Alarm
• Update Alarm
• Update Case

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

FSR-LogRhythm Smart Response Plugin

Use the Smart Response Plugin (SRP) to invoke the playbooks in FortiSOAR™ whenever an alarm is triggered in LogRhythm. The "FSR_SmartResponse_Automation_Plugin" is attached to this article, you can download this SRP and then follow the steps mentioned in this article to import and configure the SRP.

Following is the procedure on how to import and configure the SRP:

1. Ensure that the LogRhythm server can connect to the FortiSOAR™ HTTPS server using port 443. You can check the connectivity by browsing the FortiSOAR™ UI using the LogRhythm server's browser.
2. Import the LPI file of the SRP to the LogRhythm Client console by opening the Smart Response Plugin Manager located at Client Console > Deployment Manager > Tools > Administration > Smart Response Plugin Manager. On the Smart Response Plugin Manager screen click Actions > Import > Choose LPIand then choose SRP's LPI file.
   Now, the SRP is ready to trigger all required playbooks in FortiSOAR™:
   
3. LogRhythm uses the following two methods:
   1. Using an AIE Alarm:
      When an alarm is triggered in LogRhythm, for example, Malware, Dos Attack, Port Scan, etc, and if the team needs to invoke a playbook to complete some actions automatically, then open the Client Console and configure the rule to trigger the playbook as follows:

      Client Console > Deployment Manager > AI Engine > Rule to trigger playbook > Action
      On the "Action" screen, configure the necessary fields as is defined in Step 4.
      

   2. Using the LogRhythm Web UI:
      Analysts can trigger a playbook as per their requirements from the LogRhythm Web UI.
      Open Web Console > Select the corresponding log to action > Inspector Tab > Smart Response Plugin.
4. Configure the following parameters in SRP:
   • crhost – URL of the FortiSOAR™ server.
     Should be with an https, and with no ‘/ ‘at the end. For example, https://fortisoarhost.
   • authapi – FortiSOAR™ URI defined for authentication.
     Example of the value of this parameter: /auth/authenticate
   • playbookapi – FortiSOAR™ URI defined for playbooks.
     You can define the API when you create a playbook as follows:
     Click Custom API Endpoint as the "Trigger Step"
     
     In the Route field enter lrcreatealert:
     
     The URI in the above sample is: /api/triggers/1/lrcreatealert
   • Ignoressl – TRUE/FALSE parameter to ignore the SSL certificate. By default, FortiSOAR™ is installed using a self-signed certificate; therefore, if you want LogRhythm to accept it, set this parameter as TRUE
   • Username – Username used to log on to the FortiSOAR™ platform with the necessary privileges.
   • Password – Password used to log on to the FortiSOAR™ platform with the necessary privileges.
   • alarm id – The unique identifier of an alarm in LogRhythm.
     Always choose "Alarm field – Alarm ID" in LogRhythm when invoking the FortiSOAR™ API.
     
   • Optional parameters ( 1-5 ) – These are the optional parameters that you want to share from LogRhythm to FortiSOAR™ when an alarm is triggered on LogRhythm. SRP supports up to 5 Parameters to be passed to FortiSOAR™ for running playbooks for an alarm.
     For example, when LogRhythm alerts a “DoS '' alarm, it contains the origin of the "Host" that should be passed to FortiSOAR™ for further investigation and/or blocking the IP in the network firewall. Therefore, in LogRhythm, pass the following values to FortiSOAR™.
     
5. Once you complete configuring the values in SRP, now you can start receiving the values from LogRhythm:
   1. In the Custom API Endpoint Trigger step, add a variable named alert_input whose value is set as {{vars.input.params['api_body']}}. You can add the value of the variable using "Dynamic Values":
      
      For more information on "Dynamic Values", see the FortiSOAR™ product documentation.
   2. For easy usage, it is recommended that you add "Set Variable" as the next step and save the playbook.
      

Now, all parameters that are passed from LogRhythm will be accessible using:

{{vars.alert_input.alarm_id}}
{{vars.alert_input.p1}}
{{vars.alert_input.p2}}
{{vars.alert_input.p3}}
{{vars.alert_input.p4}}
{{vars.alert_input.p5}}

The LogRhythm connector contains the "Create LogRhythm Alert" playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm.

Following is a snapshot of the Executed Playbook Log for the playbook that creates an alert in FortiSOAR™ when an alarm is triggered in LogRhythm:

Following is a sample image of the alert created in FortiSOAR™:

FSR_SmartResponse_Automation_Plugin.tgz

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from LogRhythm. Currently, alarms ingested from LogRhythm are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming LogRhythm alarms to FortiSOAR™ alerts.

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from LogRhythm into FortiSOAR™. It also lets you pull some sample data from LogRhythm using which you can define the mapping of data between LogRhythm and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to alarms from LogRhythm.

1. To begin configuring data ingestion, click Configure Data Ingestion on the LogRhythm connector's Configurations page.
   Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
   
   Sample data is required to create a field mapping between the LogRhythm alarm data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
2. On the Fetch Data screen, provide the configurations required to fetch alarm data from LogRhythm.
   Specify the time in minutes in the Pull Alarms Created in Last X Mins field to specify the time from when you want to pull alarms from LogRhythm. You can also filter the alarms fetched from LogRhythm based on the alarm status, alarm rule name, entity name, and case association:
   
   The fetched data is used to create a mapping between the alarms retrieved from LogRhythm and FortiSOAR™ alerts. To fetch alarm events associated with an alarm, select the checkbox Fetch Alarm Events.
   Once you have completed specifying the configurations and click Fetch Data.

3. On the Field Mapping screen, map the fields of an alarm ingested from LogRhythm to the fields of an alert present in FortiSOAR™
   To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the associatedCases parameter of an alarm ingested from LogRhythm to the Description parameter of a FortiSOAR™ alert, click the Description field and then click the associatedCases field to populate its keys:
   
   For more information on field mapping, see the Data Ingestion chapter in the FortiSOAR™ product documentation's Connectors Guide. Once you have completed the mapping of fields, click Save Mapping & Continue.

4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to LogRhythm, so that the content gets pulled from the LogRhythm integration into FortiSOAR™.
   On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
   In the Configure Schedule Settings section, specify the Cron expression For example, if you want to pull data from LogRhythm every morning at 5 am, click Daily, in the hour box enter 5, and in the minute box enter 0:
   
   Once you have completed scheduling, click Save Settings & Continue.

5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.