LogRhythm

Use the LogRhythm integration to manage your alarm systems.

This integration was integrated and tested with LogRhythm v7.3.2 / UI 18.5.1.

Use Cases

  • Get alarms.
  • Update alarm data.
  • Get incidents from one day ago until the current time.

Prerequisites

Contact LogRhythm support for information about retrieving an API token. You can refer to the following LogRhythm documentation.

  • LogRhythm-SOAP-API-InstallationGuide
  • LogRhythm-SOAP-API-WindowsAuthenticationGuide

Configure LogRhythm on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for LogRhythm.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance
    • Hostname or IP address
    • Do not validate server certificate (not secure)
    • Use system proxy settings
    • Fetch incidents
    • Default page size for alarm queries (for example: 2000)
    • Timezone offset in minutes of the LogRhythm server machine
    • Incident type
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Add an alarm comment: lr-add-alarm-comments
  2. Get information for an alarm: lr-get-alarm-by-id
  3. Get information for events: lr-get-alarm-events-by-id
  4. Get the history of an alarm: lr-get-alarm-history-by-id
  5. Update the status of an alarm: lr-update-alarm-status
  6. Get information for multiple alarms: lr-get-alarms

1. Add an alarm comment


Adds a comment to an alarm.

Basic Command

lr-add-alarm-comments

Input
Argument Name   Description
alarm-id        Unique ID of the alarm
comments        Alarm comments

Command Example

!lr-add-alarm-comments alarm-id=18 comments="test comment" raw-response=true

Context Output
{  
   "DataID":"18",
   "Errors":"",
   "Key":"0",
   "Succeeded":"true",
   "Warnings":{  
      "-a":"http://schemas.microsoft.com/2003/10/Serialization/Arrays"
   }
}

2. Get information for an alarm


Returns information of an alarm.

Basic Command

lr-get-alarm-by-id

Input
Argument Name   Description
alarm-id        Unique ID of the alarm

Command Example

!lr-get-alarm-by-id alarm-id=18 raw-response=true

Context Output
{  
   "AlarmDate":"2018-03-27T09:18:04.41",
   "AlarmID":"18",
   "AlarmRuleID":"677",
   "AlarmRuleName":"LogRhythm AI Comm Manager Heartbeat Missed",
   "AlarmStatus":"New",
   "DateInserted":"2018-03-27T09:18:04.72",
   "DateUpdated":"2018-04-09T08:50:47.027",
   "EntityID":"1",
   "EntityName":"Primary Site",
   "EventCount":"1",
   "EventDateFirst":"2018-03-27T09:18:02.873",
   "EventDateLast":"2018-03-27T09:18:02.873",
   "LastUpdatedID":"3",
   "LastUpdatedName":"api, lrapi",
   "RBPAvg":"67",
   "RBPMax":"67"
}

3. Get information for events


Get alarm events.

Basic Command

lr-get-alarm-events-by-id

Input
Argument Name     Description
alarm-id          Unique ID of the alarm
include-raw-log   Include the raw log of each event

Command Example

!lr-get-alarm-events-by-id alarm-id=5 raw-response=true

Context Output
"Command":"",
"CommonEventID":"-1100001",
"CommonEventName":"LogRhythm Mediator Heartbeat Missed",
"Count":"1",
"DateInserted":"0001-01-01T00:00:00",
"Direction":"Local",
"DirectionName":"Local",
"Domain":"",
"Duration":"NaN",
"EntityID":"0",
"EntityName":{  
   "-nil":"true"
},
"Group":"",
"ImpactedEntityID":"1",
"ImpactedEntityName":"Primary Site",
"ImpactedHostID":"1",
"ImpactedHostName":"WIN-JSBOL5ERCQA",
"ImpactedIP":"",
...

4. Get the history of an alarm


Returns the history of an alarm.

Basic Command

lr-get-alarm-history-by-id

Input
Argument Name           Description
alarm-id                Unique ID of the alarm
include-notifications   Include notification history
include-comments        Include comments history

Command Example

!lr-get-alarm-history-by-id alarm-id=5 raw-response=true include-comments=true

Context Output
"AlarmID":"18",
"Comments":{  
   "AlarmCommentDataModel":[  
      {  
         "Comment":"Comment: test comment",
         "DateInserted":"2018-04-09T08:50:47.027",
         "ID":"11",
         "PersonID":"3",
         "PersonName":"api, lrapi"
      },
      {  
         "Comment":"Changed status to: New\r\nComment:",
         "DateInserted":"2018-04-08T15:34:51",
         "ID":"10",
         "PersonID":"3",
         "PersonName":"api, lrapi"
      },
      {  
         "Comment":"Comment: test 2",
         "DateInserted":"2018-04-08T15:34:07.91",
         "ID":"9",
         "PersonID":"3",

5. Update the status of an alarm


Updates the status of an alarm.

Basic Command

lr-update-alarm-status

Input
Argument Name   Description
alarm-id        Unique ID of the alarm
status          Enumeration status of the alarm
comments        Alarm comments

Command Example

!lr-update-alarm-status alarm-id=5 status=New raw-response=true

Context Output
{  
   "DataID":"5",
   "Errors":"",
   "Key":"0",
   "Succeeded":"true",
   "Warnings":{  
      "-a":"http://schemas.microsoft.com/2003/10/Serialization/Arrays"
   }
}

6. Get information for multiple alarms


Returns information for multiple alarms.

Basic Command

lr-get-alarms

Input
Argument Name   Description
start-date      Start date for the data query. For example: start-date="2018-03-27"
end-date        End date for the data query. For example: end-date="2018-04-08"
all-users       Alarms for all users
count           Number of alerts to retrieve. Default: 1000
status          Enumeration status of the alarm
time_frame      Time frame to retrieve alerts for ("Today", "Last2Days", "LastWeek", "LastMonth", or "Custom"). If "Custom", you need to specify the start-date and end-date arguments; otherwise the command ignores the time_frame argument.

Command Example

!lr-get-alarms start-date="2018-03-27" end-date="2018-04-01" status=New all-users=true raw-response=true

Context Output
{  
   "AlarmDate":"2018-03-27T08:23:33.55",
   "AlarmID":"13",
   "AlarmRuleID":"102",
   "AlarmRuleName":"LogRhythm Mediator Heartbeat Missed",
   "AlarmStatus":"New",
   "DateInserted":"2018-03-27T08:23:33.987",
   "DateUpdated":"2018-03-27T08:23:34.053",
   "EntityID":"1",
   "EntityName":"Primary Site",
   "EventCount":"1",
   "EventDateFirst":"2018-03-27T08:23:31.517",
   "EventDateLast":"2018-03-27T08:23:31.517",
   "LastUpdatedID":"0",
   "LastUpdatedName":{  
      "-nil":"true"
   },
   "RBPAvg":"67",
   "RBPMax":"67"
}...
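The raw responses above come from a SOAP serializer, so every value is a string, booleans are the text "true", absent fields appear as {"-nil":"true"}, "NaN" or the .NET minimum date "0001-01-01T00:00:00", and timestamps are naive server-local time (hence the "Timezone offset in minutes" instance setting). The following helper, added here as an example and not part of the integration's own code, normalizes such records into typed values, converts the timestamps to UTC, checks the lr-update-alarm-status result, and selects open alarms by RBPMax (risk-based priority) for a playbook. The sample records, the UTC+2 offset, the RBP threshold and the assumption that the offset counts minutes east of UTC are all constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed records shaped like the raw-response output shown on this page
# (lr-get-alarms and lr-update-alarm-status); samples for the example, not live data.
RAW_ALARMS = json.loads('''[
 {"AlarmDate":"2018-03-27T08:23:33.55","AlarmID":"13","AlarmStatus":"New",
  "AlarmRuleName":"LogRhythm Mediator Heartbeat Missed","LastUpdatedName":{"-nil":"true"},"RBPMax":"67"},
 {"AlarmDate":"2018-03-27T09:18:04.41","AlarmID":"18","AlarmStatus":"Closed",
  "AlarmRuleName":"LogRhythm AI Comm Manager Heartbeat Missed","LastUpdatedName":"api, lrapi","RBPMax":"80"}
]''')
RAW_UPDATE = {"DataID": "5", "Errors": "", "Key": "0", "Succeeded": "true",
              "Warnings": {"-a": "http://schemas.microsoft.com/2003/10/Serialization/Arrays"}}
SERVER_TZ_OFFSET_MIN = 120  # the instance's "Timezone offset in minutes" setting; UTC+2 assumed here

def lr_value(v):
    """None for the SOAP quirks: {"-nil":"true"}, "", "NaN" and the .NET MinValue date."""
    if isinstance(v, dict) and v.get("-nil") == "true":
        return None
    return None if v in ("", "NaN", "0001-01-01T00:00:00") else v

def parse_lr_time(s, offset_min=SERVER_TZ_OFFSET_MIN):
    """Naive server-local timestamp (0-3 fractional digits) -> aware UTC; offset assumed minutes east of UTC."""
    s = lr_value(s)
    if s is None:
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    local = datetime.strptime(s, fmt).replace(tzinfo=timezone(timedelta(minutes=offset_min)))
    return local.astimezone(timezone.utc)

def normalize_alarm(raw):
    """Turn the all-string raw record into typed fields a playbook can compare on."""
    return {
        "id": int(raw["AlarmID"]),
        "rule_name": lr_value(raw.get("AlarmRuleName")),
        "status": lr_value(raw.get("AlarmStatus")),
        "alarm_date_utc": parse_lr_time(raw.get("AlarmDate")),
        "rbp_max": int(lr_value(raw.get("RBPMax")) or 0),
        "last_updated_by": lr_value(raw.get("LastUpdatedName")),  # None when {"-nil":"true"}
    }

def update_succeeded(raw):
    """Booleans arrive as strings: only the literal "true" with an empty Errors field counts."""
    return raw.get("Succeeded") == "true" and not lr_value(raw.get("Errors"))

def alarms_to_triage(raw_alarms, min_rbp=60):
    """Alarms still in status New at or above the RBP threshold, highest RBP first, then oldest."""
    picked = [a for a in map(normalize_alarm, raw_alarms) if a["status"] == "New" and a["rbp_max"] >= min_rbp]
    return sorted(picked, key=lambda a: (-a["rbp_max"], a["alarm_date_utc"] or datetime.min.replace(tzinfo=timezone.utc)))
```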