LogRhythm 2.2.0
- Updated on 06 Oct 2022
tags: python | Sensor | Alarm API | SIEM | LR 7.7 | ST2 based implementation
Description
The LogRhythm integration supports CDC users by pulling LogRhythm alarms into the CDC and extracting their log data as observables, so that analysts can make informed incident response decisions from within the CDC.
The LogRhythm Enterprise SIEM Platform aligns teams, technologies, and processes. It helps to monitor across IT environments, identify threats, and quickly mitigate and recover from security incidents.
This integration relies on LogRhythm 7.7's Alarm and Comment APIs. The LogRhythm Alarm API is a REST API that communicates over HTTPS and exchanges JSON. Its routes and methods are used primarily to retrieve alarm details and to perform actions on an alarm (such as closing or commenting) by Alarm ID.
All the read information is passed on to the CDC in the form of an alert, with information stored as raw information and observables.
Field | Value |
---|---|
Integration Type | SIEM |
Information read | Alarms and their logs from LogRhythm, based on defined criteria. |
API Supported | LogRhythm API 7.7 |
Input | N/A |
Output | Detailed logs that lead to the creation of alerts and observables in the CDC. |
Customer Configuration
- Open the LogRhythm Client Console, navigate to the Deployment Manager, and then to the Third-Party Applications tab.
- Create a new application with a name and description, then click Apply.
- Once the Client ID and Client Secret appear, create an API token by configuring the required parameters and clicking Generate Token.
- Create a LogRhythm user to tie to the above token.
- Ensure that this user has access to the SQL alarm database that holds the alarm information. If not already provisioned, grant only the read, write, and insert permissions the integration needs; do not reuse an administrative account for the token.
- Confirm the base URL (https://<host>:8443) and the token with the CDC Deployment team for further configuration of the pack.
Parameter | Required |
---|---|
Server URL | True |
API Token | True |
CDC Command Lines
No CDC command lines
Workflows
* **create_alert_in_cdc**
Creates a new alert in the CDC for each alarm pulled from LogRhythm.
Rules
* **close_alert**
Closes alerts (i.e., alarms) in LogRhythm.
* **cdc_new_alert_from_logrhythm**
Triggers injection of a new alert into the CDC workflow when an alarm is created in LogRhythm.
Sensors
* **LogRhythmSensor**
Sensor that pulls alerts from LogRhythm.
Poll interval - 30s
Triggers
No triggers
Known Issues
When the 'rbpavg' field of an alarm is null/empty in LogRhythm, the severity of the corresponding alert in the CDC is defaulted to 'Low'.
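The following is an added example, not the pack's own code, showing the path the Alarm API description, the LogRhythmSensor and the Known Issue above describe together: a polled Alarm API response is turned into CDC-style alerts with observables, duplicate alarms across 30 s polls are suppressed, severity is derived from the alarm's Risk Based Priority, and the close-alarm request used by the close_alert rule is built. It goes one step beyond the documented behaviour by falling back to rbpMax before defaulting to Low when rbpAvg is null. Everything it assumes is flagged: the JSON field names (alarmsSearchDetails, alarmId, alarmRuleName, alarmStatus, rbpAvg, rbpMax, originIp, impactedIp, originHostName, impactedHostName), the route /lr-alarm-api/alarms/{id}, the Bearer token header, the severity thresholds, and the sample data, which is constructed.

```python
"""Added example (not from the LogRhythm pack): Alarm API JSON -> CDC alerts,
poll de-duplication, RBP severity mapping, and the close-alarm request.
All field names, routes and thresholds below are ASSUMPTIONS, not taken
from the page or verified against LogRhythm documentation."""
import json

# Constructed sample of one poll. Third alarm has rbpAvg null to exercise the
# documented known issue (null rbpAvg -> severity defaults to Low).
SAMPLE_POLL = json.loads("""
{"alarmsSearchDetails": [
  {"alarmId": 1001, "alarmRuleName": "Suspicious Login", "alarmStatus": "New",
   "dateInserted": "2022-10-06T08:00:00Z", "entityName": "Primary Site",
   "rbpAvg": 82, "rbpMax": 95},
  {"alarmId": 1002, "alarmRuleName": "Port Scan", "alarmStatus": "New",
   "dateInserted": "2022-10-06T08:00:10Z", "entityName": "Primary Site",
   "rbpAvg": 40, "rbpMax": 55},
  {"alarmId": 1003, "alarmRuleName": "Malware Detected", "alarmStatus": "New",
   "dateInserted": "2022-10-06T08:00:20Z", "entityName": "DMZ",
   "rbpAvg": null, "rbpMax": 90}
]}""")

# Constructed alarm events (assumed field names), keyed by alarmId.
SAMPLE_EVENTS = {
    1001: [{"originIp": "10.0.0.5", "impactedIp": "10.0.0.20", "originHostName": "ws-01"},
           {"originIp": "10.0.0.5", "impactedIp": "10.0.0.21"}],
}

# Assumed severity bands over the 0-100 Risk Based Priority scale.
SEVERITY_BANDS = ((75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low"))

# Event fields that become observables, and the observable type for each.
OBSERVABLE_FIELDS = (("originIp", "ip"), ("impactedIp", "ip"),
                     ("originHostName", "hostname"), ("impactedHostName", "hostname"))


def severity_from_rbp(rbp_avg, rbp_max=None):
    """Map RBP to a CDC severity. rbpAvg is preferred; if it is null this
    example falls back to rbpMax (assumed field) and only then to the
    documented default of Low."""
    value = rbp_avg if rbp_avg is not None else rbp_max
    if value is None:
        return "Low"  # documented default when no RBP data is present
    for floor, name in SEVERITY_BANDS:
        if value >= floor:
            return name
    return "Low"


def alarm_to_cdc_alert(alarm, events=()):
    """Build a CDC alert dict: raw alarm kept as-is, observables extracted
    from the alarm's events and de-duplicated, preserving first-seen order."""
    seen = {}
    for event in events:
        for field, obs_type in OBSERVABLE_FIELDS:
            value = event.get(field)
            if value:
                seen.setdefault((obs_type, value), {"type": obs_type, "value": value})
    return {
        "title": f"{alarm['alarmRuleName']} (LogRhythm alarm {alarm['alarmId']})",
        "severity": severity_from_rbp(alarm.get("rbpAvg"), alarm.get("rbpMax")),
        "source": "LogRhythm",
        "raw": alarm,
        "observables": list(seen.values()),
    }


class AlarmPoller:
    """Stand-in for the sensor's 30 s polling loop. Remembers alarm IDs it has
    already emitted so a re-poll does not create duplicate CDC alerts."""

    def __init__(self):
        self.seen_ids = set()

    def poll(self, response, events_by_alarm=None):
        events_by_alarm = events_by_alarm or {}
        new_alerts = []
        for alarm in response.get("alarmsSearchDetails", []):
            alarm_id = alarm["alarmId"]
            if alarm_id in self.seen_ids:
                continue
            self.seen_ids.add(alarm_id)
            new_alerts.append(alarm_to_cdc_alert(alarm, events_by_alarm.get(alarm_id, ())))
        return new_alerts


def build_close_request(base_url, token, alarm_id):
    """Describe (without sending) the request the close_alert rule would make.
    Route and body are assumed. int() rejects non-numeric IDs so an untrusted
    ID cannot smuggle path segments into the URL."""
    return {
        "method": "PATCH",
        "url": f"{base_url.rstrip('/')}/lr-alarm-api/alarms/{int(alarm_id)}",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps({"alarmStatus": "Closed"}),
    }


if __name__ == "__main__":
    poller = AlarmPoller()
    for alert in poller.poll(SAMPLE_POLL, SAMPLE_EVENTS):
        print(alert["severity"], alert["title"], len(alert["observables"]), "observables")
    print("re-poll produced", len(poller.poll(SAMPLE_POLL, SAMPLE_EVENTS)), "new alerts")
```

The de-duplication set is in-memory here; in a real ST2 sensor it would be persisted in the sensor's datastore so that a restart does not replay every alarm still returned by the poll window. The token is never logged, and the alarm ID is coerced to an integer before it is placed in the URL.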