Contents x
      LogRhythm 2.2.0
      • 06 Oct 2022
      • 1 Minute to read
      • Dark
        Light
      • PDF
      Contents

      LogRhythm 2.2.0

      • Updated on 06 Oct 2022
      • 1 Minute to read
      • Dark
        Light
      • PDF
      Article Summary

      tags: python | Sensor | Alarm API | SIEM | LR 7.7 | ST2 based implementation

      Description

      Integration with LogRhythm is created to support CDC users by providing the extraction of logs as observables. This enables CDC users to make informed decisions regarding incident response.

      The LogRhythm Enterprise SIEM Platform aligns teams, technologies, and processes. It helps to monitor across IT environments, identify threats, and quickly mitigate and recover from security incidents.

      We have extensively used LogRhythm 7.7‘s Alarm and comment APIs to make this integration work. The LogRhythm Alarm API is a REST API that communicates over HTTPS and uses JSON. The API’s available routes and methods are used primarily for retrieving Alarm Details and performing actions on alarms based on Alarm ID.

      All the read information is passed on to the CDC in the form of an alert, with information stored as raw information and observables.

      Integration Type:SIEM
      Information read:Logs from LogRhythm based on defined criteria.
      API Supported:API 7.7
      Input:N/A
      Output:Detailed logs that lead to the creation of alerts and observables in the CDC.

      Customer Configuration

      1. Open LogRhythm Client Console, and navigate to the Deployment Manager, and then to the Third-Party Applications tab.
      2. Create a new application with a name and description. Once done, click Apply.
      3. Once you see the Client ID and Client Secret appear, you can create an API token by configuring the required parameters and clicking Generate Token.
      4. Create a LogRhythm user to tie the above token.
      5. Ensure that the above user has access to the SQL alarm database that has all the alarm information. If not already provisioned, provide the read, write, and insert permissions.
      6. Confirm the base URL (https://:8443) and token with the CDC Deployment team, for further configuration of the pack.
      ParameterRequired
      Server URLTrue
      API TokenTrue

      CDC Command Lines

      No CDC command lines

      Workflows

      * **create_alert_in_cdc**
      This creates new alerts in the CDC for the LogRhythm alerts.

      Rules

      * **close_alert**
      Closes alerts (i.e., alarms) in LogRhythm.

      * **cdc_new_alert_from_logrhythm**
      Triggers injections of a new alert to the CDC workflow when created in LogRhythm.

      Sensors

      * **LogRhythmSensor**
      Sensor that pulls alerts from LogRhythm.

      Poll interval - 30s

      Triggers

      No triggers

      Known Issues

      When the 'rbpavg' field of an alarm is null/empty in LogRhythm, the severity of the corresponding alert in the CDC is defaulted to 'Low'.

      Was this article helpful?
      What's Next