LogRhythm 2.1.0
  • 06 Apr 2025
LogRhythm - 2.1.0

tags: python | Sensor | Alarm API | SIEM | LR 7.7 | ST2 based implementation

Description

The LogRhythm integration supports CDC users by extracting LogRhythm logs as observables, which lets CDC users make informed decisions during incident response.

The LogRhythm Enterprise SIEM Platform aligns teams, technology, and processes. It helps you see across the IT environment, identify threats, and quickly mitigate and recover from security incidents.

We have made extensive use of LogRhythm 7.7's Alarm and Comment APIs to build this integration. The LogRhythm Alarm API is a REST API that communicates over HTTPS and uses JSON. Its routes and methods are used primarily to retrieve alarm details and to perform actions on alarms by Alarm ID.

All information read is passed on to CDC as an alert, with the data stored as raw information and observables.

Integration Type: SIEM
Information read: Logs from LogRhythm based on the defined criteria
API Supported: API 7.7
Input: N/A
Output: Detailed logs which lead to the creation of Alerts and Observables on CDC.

Customer Configuration

  1. Open the LogRhythm Client Console, navigate to the Deployment Manager, and open the Third-Party Applications tab.
  2. Create a new application with a name and description; once done, click Apply.
  3. Once the Client ID and Client Secret appear, create an API token by configuring the required parameters and clicking Generate Token.
  4. Now create a LogRhythm user to tie to the above token.
  5. Ensure the above user has access to the SQL alarm DB that holds all the alarm information. If not already provisioned, grant read, write and insert permissions.
  6. Confirm the base URL (https://:8443) and token with the CDC deployment team for further configuration of the pack.
| Parameter  | Required |
|------------|----------|
| Server URL | True     |
| API Token  | True     |

CDC Command Lines

No CDC command lines


Workflows

* **create_alert_in_cdc**
This creates a new alert in CDC for each LogRhythm alarm.


Rules

* **close_alert**
Closes alerts (i.e. alarms) in LogRhythm.

* **cdc_new_alert_from_logrhythm**
Triggers injection of a new alert into the CDC workflow when an alarm is created in LogRhythm.


Sensors

* **LogRhythmSensor**
Sensor that pulls alerts from LogRhythm.

Poll interval: 30s


Triggers

No triggers


Known Issues

When the 'rbpavg' field of an alarm is null or empty in LogRhythm, the severity of the corresponding alert on CDC defaults to 'Low'.
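The following is an added example, not the pack's own code, showing how a polling sensor can turn LogRhythm alarm records into CDC alerts (raw data plus observables) while applying the severity fallback described above. The rbpavg thresholds, the alarm field names other than rbpavg, the CDC alert payload shape and the sample alarms are all assumptions made for this example.

```python
# Hypothetical thresholds over rbpavg (risk-based priority average, 0-100);
# the integration's real bands are not documented on this page.
SEVERITY_BANDS = [(90, "Critical"), (70, "High"), (40, "Medium"), (0, "Low")]

def severity_from_rbpavg(rbpavg) -> str:
    """Map an alarm's rbpavg to a CDC severity label.

    A null or empty rbpavg falls back to "Low", which is the behaviour
    described under Known Issues.
    """
    if rbpavg is None or rbpavg == "":
        return "Low"
    value = float(rbpavg)
    for floor, label in SEVERITY_BANDS:
        if value >= floor:
            return label
    return "Low"  # negative values are treated as the minimum band

def alarm_to_cdc_alert(alarm: dict) -> dict:
    """Build a CDC alert: raw alarm kept verbatim, observables extracted."""
    observables = []
    # Field names below are assumed for this example, not LogRhythm's schema.
    for key, obs_type in (("originIp", "ip"), ("impactedIp", "ip"), ("userName", "user")):
        value = alarm.get(key)
        if value:
            observables.append({"type": obs_type, "value": value})
    return {
        "title": alarm.get("alarmRuleName", f"LogRhythm alarm {alarm['alarmId']}"),
        "severity": severity_from_rbpavg(alarm.get("rbpavg")),
        "source_id": alarm["alarmId"],
        "raw": alarm,
        "observables": observables,
    }

def poll_batch(alarms: list, seen: set) -> list:
    """One sensor poll: forward only alarm IDs not seen in earlier polls."""
    created = []
    for alarm in alarms:
        if alarm["alarmId"] not in seen:
            seen.add(alarm["alarmId"])
            created.append(alarm_to_cdc_alert(alarm))
    return created

# Constructed sample alarms, not real LogRhythm API output.
SAMPLE_ALARMS = [
    {"alarmId": 101, "alarmRuleName": "Brute force", "rbpavg": 85,
     "originIp": "10.0.0.5", "userName": "jdoe"},
    {"alarmId": 102, "alarmRuleName": "Port scan", "rbpavg": None,
     "impactedIp": "10.0.0.9"},
]
```

Calling `poll_batch(SAMPLE_ALARMS, set())` yields one High alert with two observables and one Low alert whose rbpavg was null; a second poll with the same `seen` set forwards nothing.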

