Use the LogRhythm integration to manage hosts and entities.

Use Cases

  • Execute queries on logs data.
  • Add new host.
  • Get host information.
  • Update host status.

Configure LogRhythmRest on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for LogRhythmRest.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Hostname, IP address, or server URL.
    • API Token: see the LogRhythm documentation.
    • Trust any certificate (unsecure).
    • Use system proxy settings.
    • Search API cluster ID: on the LogRhythm host, open http://localhost:8500/ui/#/dc1/services/lr-legacy-search-api ; the cluster ID is listed under the TAGS header.
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Search for logs


Executes a query for logs that match query parameters.

Base Command

lr-execute-query

Input
Argument Name Description Required
keyword Filter log messages by this argument. Required
page-size Number of logs to return. Optional
time-frame The time frame of the query. If set to “Custom”, supply the range with the start-date and end-date arguments. Optional
start-date Start date for the data query, for example: “2018-04-20”. Only use this argument if the time-frame argument is “Custom”. Optional
end-date End date for the data query, for example: “2018-04-20”. Only use this argument if the time-frame argument is “Custom”. Optional

Context Output
Path Type Description
Logrhythm.Log.Channel string Channel.
Logrhythm.Log.Computer string Computer.
Logrhythm.Log.EventData string Event data.
Logrhythm.Log.EventID string Event ID.
Logrhythm.Log.Keywords string Keywords.
Logrhythm.Log.Level string Level.
Logrhythm.Log.Opcode string Opcode.
Logrhythm.Log.Task string Task.

Command Example
!lr-execute-query keyword=Failure time-frame=Custom start-date=2019-05-15 end-date=2019-05-16 page-size=2
Context Example
{
    "Logrhythm.Log": [
        {
            "EventID": "4625", 
            "Task": "Logon", 
            "Level": "Information", 
            "Computer": "WIN-1234.demisto.lab", 
            "Opcode": "Info", 
            "Keywords": "Audit Failure", 
            "EventData": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tGPWARD\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", 
            "Channel": "Security"
        }, 
        {
            "EventID": "4625", 
            "Task": "Logon", 
            "Level": "Information", 
            "Computer": "WIN-1234.demisto.lab", 
            "Opcode": "Info", 
            "Keywords": "Audit Failure", 
            "EventData": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tTMARTIN\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", 
            "Channel": "Security"
        }
    ]
}
Human Readable Output

Logs results

Level Computer Channel Keywords EventData
Information WIN-1234.demisto.lab Security Audit Failure An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: GPWARD
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Information WIN-1234.demisto.lab Security Audit Failure An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TMARTIN
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
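The Logrhythm.Log entries that lr-execute-query places in context can be post-processed in a Demisto/XSOAR automation. The following is an added example, not code from the LogRhythm integration: it parses the 4625 EventData text in the layout shown in the context example, aggregates failures by target account, failure reason and source address, and runs on a constructed sample built in that same layout (the demisto.executeCommand call that would supply real data is only noted in a comment; the SUB_STATUS table lists documented Windows 4625 codes).

```python
import re
from collections import Counter

# Documented Sub Status codes of Windows event 4625: the ones shown on this
# page (0xC0000064, 0xC000006A) plus the two most common neighbours.
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "correct user name, wrong password",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}

def _section(text, name):
    """Return the body of the EventData section headed 'name:' (up to the blank line)."""
    m = re.search(re.escape(name) + r":\n(.*?)(?:\n\n|\Z)", text, re.S)
    return m.group(1) if m else ""

def _field(block, label):
    """Return the value of a 'Label:<tabs>value' line; '' when the value is blank."""
    m = re.search(r"^\s*" + re.escape(label) + r":\t+(.*?)\s*$", block, re.M)
    return m.group(1) if m else ""

def parse_event_data(event_data):
    """Pull the analyst-relevant fields out of a 4625 EventData string.
    'Account Name' occurs both under Subject and under 'Account For Which Logon
    Failed', so every field is read from its own section rather than globally."""
    failed = _section(event_data, "Account For Which Logon Failed")
    failure = _section(event_data, "Failure Information")
    network = _section(event_data, "Network Information")
    return {
        "account": _field(failed, "Account Name"),
        "domain": _field(failed, "Account Domain"),
        "logon_type": _field(event_data, "Logon Type"),
        "status": _field(failure, "Status"),
        "sub_status": _field(failure, "Sub Status"),
        "source": _field(network, "Source Network Address"),
    }

def summarize_failed_logons(logs):
    """Aggregate Logrhythm.Log entries (the shape lr-execute-query puts in context)
    by target account, failure reason and source address. Non-4625 logs are skipped."""
    per_account, per_reason, per_source = Counter(), Counter(), Counter()
    for log in logs:
        if str(log.get("EventID")) != "4625":
            continue
        ev = parse_event_data(log.get("EventData", ""))
        per_account[ev["account"] or "<blank>"] += 1
        per_reason[SUB_STATUS.get(ev["sub_status"], ev["sub_status"] or "unknown")] += 1
        per_source[ev["source"] or "-"] += 1
    return {"per_account": dict(per_account),
            "per_reason": dict(per_reason),
            "per_source": dict(per_source)}

def make_4625(account, sub_status, source="-"):
    """Constructed EventData text in the exact layout of the context example above."""
    return ("An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
            "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
            "Logon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n"
            "\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t" + account + "\n"
            "\tAccount Domain:\t\t\n\nFailure Information:\n"
            "\tFailure Reason:\t\tUnknown user name or bad password.\n"
            "\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t" + sub_status + "\n\n"
            "Process Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\n"
            "Network Information:\n\tWorkstation Name:\t-\n"
            "\tSource Network Address:\t" + source + "\n\tSource Port:\t\t-\n\n"
            "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n")

# Constructed sample in the Logrhythm.Log context shape (mirrors the page's example;
# the administrator entry and the 4624 entry are made up for the demonstration).
SAMPLE_LOGS = [
    {"EventID": "4625", "Channel": "Security", "EventData": make_4625("GPWARD", "0xC0000064")},
    {"EventID": "4625", "Channel": "Security", "EventData": make_4625("TMARTIN", "0xC0000064")},
    {"EventID": "4625", "Channel": "Security",
     "EventData": make_4625("administrator", "0xC000006A", "10.0.0.5")},
    {"EventID": "4624", "Channel": "Security", "EventData": "An account was successfully logged on."},
]

if __name__ == "__main__":
    # In an XSOAR automation the list would come from the Contents of
    # demisto.executeCommand("lr-execute-query", {...}) instead of SAMPLE_LOGS.
    print(summarize_failed_logons(SAMPLE_LOGS))
```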

2. Get a list of hosts for an entity


Retrieves a list of hosts for a given entity, or an empty list if none is found.

Base Command

lr-get-hosts-by-entity

Input
Argument Name Description Required
entity-name The entity name. Required
count Number of hosts to return. Optional

Context Output
Path Type Description
Logrhythm.Host.EntityId string The entity ID.
Logrhythm.Host.EntityName string The entity name.
Logrhythm.Host.OS string The host OS.
Logrhythm.Host.ThreatLevel string The host threat level.
Logrhythm.Host.UseEventlogCredentials string Use event log credentials
Logrhythm.Host.Name string The name of the host.
Logrhythm.Host.DateUpdated string The last update date of the host.
Logrhythm.Host.HostZone string The host zone.
Logrhythm.Host.RiskLevel string The risk level.
Logrhythm.Host.Location string The host location.
Logrhythm.Host.Status string The host status.
Logrhythm.Host.ID string The unique ID of the host object.
Logrhythm.Host.OSType string The type of the host OS.

Command Example
!lr-get-hosts-by-entity entity-name=primary count=2
Context Example
{
    "Logrhythm.Host": [
        {
            "Status": "Active", 
            "Name": "AI Engine Server", 
            "RiskLevel": "None", 
            "OS": "Unknown", 
            "EntityName": "Primary Site", 
            "ID": -1000002, 
            "Location": "NA", 
            "OSType": "Other", 
            "ThreatLevel": "None", 
            "DateUpdated": "2019-04-24T09:58:32.003Z", 
            "HostZone": "Internal", 
            "EntityId": 1, 
            "UseEventlogCredentials": false
        }, 
        {
            "Status": "Active", 
            "Name": "WIN-JSBOL5ERCQA", 
            "RiskLevel": "Medium-Medium", 
            "OS": "Windows", 
            "EntityName": "Primary Site", 
            "ID": 1, 
            "Location": "NA", 
            "OSType": "Other", 
            "ThreatLevel": "None", 
            "DateUpdated": "2018-10-04T05:02:01.893Z", 
            "HostZone": "Internal", 
            "EntityId": 1, 
            "UseEventlogCredentials": false
        }
    ]
}
Human Readable Output

Hosts for primary

ID Name EntityId EntityName OS Status Location RiskLevel ThreatLevel ThreatLevelComments DateUpdated HostZone
-1000002 AI Engine Server 1 Primary Site Unknown Active NA None None 2019-04-24T09:58:32.003Z Internal
1 WIN-1234 1 Primary Site Windows Active NA Medium-Medium None 2018-10-04T05:02:01.893Z Internal

3. Add a host to an entity


Add a new host to an entity.

Base Command

lr-add-host

Input
Argument Name Description Required
entity-id The entity ID. Required
entity-name The entity name. Required
name The LogRhythm host name. Required
short-description The short description. Optional
long-description The long description. Optional
risk-level The host risk level. Required
threat-level The host threat level. Optional
threat-level-comments Comments for the host threat level. Optional
host-status The host status. Required
host-zone The host zone. Required
os The host OS. Required
use-eventlog-credentials Use eventlog credentials. Required
os-type The type of the host OS. Optional

Context Output
Path Type Description
Logrhythm.Host.EntityId string The entity ID.
Logrhythm.Host.EntityName string The entity name.
Logrhythm.Host.OS string The host OS.
Logrhythm.Host.ThreatLevel string The host threat level.
Logrhythm.Host.UseEventlogCredentials string Use event log credentials
Logrhythm.Host.Name string The name of the host.
Logrhythm.Host.DateUpdated string The last update date of the host.
Logrhythm.Host.HostZone string The host zone.
Logrhythm.Host.RiskLevel string The risk level.
Logrhythm.Host.Location string The host location.
Logrhythm.Host.Status string The host status.
Logrhythm.Host.ID string The unique ID of the host object.
Logrhythm.Host.OSType string The type of the host OS.

Command Example
!lr-add-host entity-id=1 entity-name=`Primary Site` host-status=New host-zone=Internal name=host-name os=Windows risk-level="High-Medium" use-eventlog-credentials=false
Context Example
{
    "Logrhythm.Host": [
        {
            "Status": "New", 
            "Name": "host-name", 
            "RiskLevel": "High-Medium", 
            "OS": "Windows", 
            "EntityName": "Primary Site", 
            "ThreatLevelComments": "None", 
            "ID": 46, 
            "Location": "NA", 
            "OSType": "Unknown", 
            "ThreatLevel": "None", 
            "DateUpdated": "2019-05-28T14:26:19.543Z", 
            "HostZone": "Internal", 
            "EntityId": 1, 
            "UseEventlogCredentials": true
        }
    ]
}
Human Readable Output

host-name added successfully to Primary Site

4. Update the status of a host


Updates the status of a host.

Base Command

lr-update-host-status

Input
Argument Name Description Required
host-id The unique ID of the host. Required
status The new status of the host, given as one of the host status enumeration values (for example Retired, as in the command example). Required

Context Output
Path Type Description
Logrhythm.Host.EntityId string The entity ID.
Logrhythm.Host.EntityName string The entity name.
Logrhythm.Host.OS string The host OS.
Logrhythm.Host.ThreatLevel string The host threat level.
Logrhythm.Host.UseEventlogCredentials string Use event log credentials
Logrhythm.Host.Name string The name of the host.
Logrhythm.Host.DateUpdated string The last update date of the host.
Logrhythm.Host.HostZone string The host zone.
Logrhythm.Host.RiskLevel string The risk level.
Logrhythm.Host.Location string The host location.
Logrhythm.Host.Status string The host status.
Logrhythm.Host.ID string The unique ID of the host object.
Logrhythm.Host.OSType string The type of the host OS.

Command Example
!lr-update-host-status host-id=8 status=Retired
Context Example
{
    "Logrhythm": {
        "Host": {
            "Status": "Retired", 
            "Name": "test-host7", 
            "RiskLevel": "Low-Medium", 
            "OS": "Linux", 
            "EntityName": "Primary Site", 
            "ID": 8, 
            "Location": "NA", 
            "OSType": "Other", 
            "ThreatLevel": "Low-High", 
            "DateUpdated": "2019-05-28T14:32:39.43Z", 
            "HostZone": "Internal", 
            "EntityId": 1, 
            "UseEventlogCredentials": false
        }
    }
}
Human Readable Output

Status updated to Retired
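Command 2 (lr-get-hosts-by-entity) and command 4 (lr-update-host-status) are often chained when cleaning up an entity. The function below is an added example, not part of the integration: it parses LogRhythm's DateUpdated timestamps (which on this page vary in fractional digits and trailing Z, and use 0001-01-01 for "never updated") and returns the Active hosts that have not been updated within a given window, as review candidates before anyone runs lr-update-host-status status=Retired. Treating negative IDs as built-in system objects is an assumption drawn from the AI Engine Server entry above, and the sample hosts are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# LogRhythm timestamps seen on this page: "2019-04-24T09:58:32.003Z",
# "2019-05-28T14:32:39.43Z", "2019-06-20T12:13:28.363" (no Z) and the
# "0001-01-01T00:00:00Z" sentinel. datetime.fromisoformat rejects several of
# these on older Pythons, so parse them explicitly.
_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z?$")
SENTINEL_YEAR = 1  # year of the "never updated" sentinel

def parse_lr_timestamp(value):
    """Return an aware UTC datetime, or None for the 0001-01-01 sentinel."""
    m = _TS.match(value or "")
    if not m:
        raise ValueError("unrecognised LogRhythm timestamp: %r" % (value,))
    y, mo, d, h, mi, s, frac = m.groups()
    if int(y) == SENTINEL_YEAR:
        return None
    micro = int((frac or "0").ljust(6, "0")[:6])  # pad/truncate to microseconds
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                    tzinfo=timezone.utc)

def stale_active_hosts(hosts, now, max_age_days):
    """IDs of hosts that are Active but whose DateUpdated is older than
    max_age_days or never set. Negative IDs are assumed to be LogRhythm's
    built-in system hosts (e.g. the AI Engine Server) and are skipped."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for host in hosts:
        if host.get("Status") != "Active" or int(host.get("ID", 0)) < 0:
            continue
        updated = parse_lr_timestamp(host.get("DateUpdated"))
        if updated is None or updated < cutoff:
            stale.append(host["ID"])
    return stale

# Constructed sample in the Logrhythm.Host context shape; the first two entries
# mirror the page's example, the last three are made up.
SAMPLE_HOSTS = [
    {"ID": -1000002, "Name": "AI Engine Server", "Status": "Active",
     "DateUpdated": "2019-04-24T09:58:32.003Z"},
    {"ID": 1, "Name": "WIN-JSBOL5ERCQA", "Status": "Active",
     "DateUpdated": "2018-10-04T05:02:01.893Z"},
    {"ID": 46, "Name": "host-name", "Status": "New",
     "DateUpdated": "2019-05-28T14:26:19.543Z"},
    {"ID": 8, "Name": "test-host7", "Status": "Retired",
     "DateUpdated": "2019-05-28T14:32:39.43Z"},
    {"ID": 9, "Name": "lab-scanner", "Status": "Active",
     "DateUpdated": "0001-01-01T00:00:00Z"},
]
SAMPLE_NOW = datetime(2019, 5, 28, tzinfo=timezone.utc)

def find_sample_stale():
    """Hosts in SAMPLE_HOSTS not updated in the last 180 days as of SAMPLE_NOW."""
    return stale_active_hosts(SAMPLE_HOSTS, SAMPLE_NOW, 180)

if __name__ == "__main__":
    # Each returned ID is what host-id would be set to in lr-update-host-status.
    print(find_sample_stale())
```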

5. Get a list of persons


Retrieves a list of persons.

Base Command

lr-get-persons

Input
Argument Name Description Required
person-id The LogRhythm person id. Optional
count Number of persons to return. Optional

Context Output
Path Type Description
Logrhythm.Person.DateUpdated String Date updated
Logrhythm.Person.FirstName String First name
Logrhythm.Person.LastName String Last name
Logrhythm.Person.HostStatus String Host status
Logrhythm.Person.ID String Person ID
Logrhythm.Person.IsAPIPerson Boolean Is API person
Logrhythm.Person.UserID String User ID
Logrhythm.Person.UserLogin String User login

Command Example
!lr-get-persons person-id=7
Context Example
{
    "Logrhythm.Person": [
        {
            "IsAPIPerson": false, 
            "FirstName": "demisto", 
            "LastName": "demisto", 
            "UserID": 5, 
            "UserLogin": "DEMISTO\\lrapi", 
            "DateUpdated": "0001-01-01T00:00:00Z", 
            "ID": 7, 
            "HostStatus": "Retired"
        }
    ]
}
Human Readable Output

Persons information

ID HostStatus IsAPIPerson FirstName LastName UserID UserLogin DateUpdated
7 Retired false demisto demisto 5 DEMISTO\lrapi 0001-01-01T00:00:00Z

6. Get a list of networks


Retrieves a list of networks.

Base Command

lr-get-networks

Input
Argument Name Description Required
network-id The LogRhythm network ID. Optional
count Number of networks to return. Optional

Context Output
Path Type Description
Logrhythm.Network.BIP String Beginning IP address of the network range
Logrhythm.Network.ThreatLevel String Threat level
Logrhythm.Network.Name String Network name
Logrhythm.Network.EIP String End IP address of the network range
Logrhythm.Network.DateUpdated String Date updated
Logrhythm.Network.EntityName String Entity name
Logrhythm.Network.HostZone String Host zone
Logrhythm.Network.RiskLevel String Risk level
Logrhythm.Network.Location String Network location
Logrhythm.Network.HostStatus String Host status
Logrhythm.Network.ID String Network ID
Logrhythm.Network.EntityId String Entity ID

Command Example
!lr-get-networks network-id=1
Context Example
{
    "Logrhythm.Network": [
        {
            "EndIP": "2.2.2.2", 
            "Name": "test", 
            "RiskLevel": "None", 
            "EntityName": "Global Entity", 
            "ID": 1, 
            "Location": {
                "id": -1
            }, 
            "ThreatLevel": "None", 
            "DateUpdated": "2019-02-20T10:57:13.983Z", 
            "BeganIP": "1.1.1.1", 
            "HostZone": "External", 
            "EntityId": -100, 
            "HostStatus": "Active"
        }
    ]
}
Human Readable Output

Networks information

ID BeganIP EndIP HostStatus Name RiskLevel EntityId EntityName Location ThreatLevel DateUpdated HostZone
1 1.1.1.1 2.2.2.2 Active test None -100 Global Entity id: -1 None 2019-02-20T10:57:13.983Z External

7. Get a list of hosts


Retrieves a list of hosts.

Base Command

lr-get-hosts

Input
Argument Name Description Required
host-id The LogRhythm host ID. Optional
count Number of hosts to return. Optional

Context Output
Path Type Description
Logrhythm.Host.EntityId String The entity ID.
Logrhythm.Host.EntityName String The entity name.
Logrhythm.Host.OS String The host OS.
Logrhythm.Host.ThreatLevel String The host threat level.
Logrhythm.Host.UseEventlogCredentials String Use event log credentials
Logrhythm.Host.Name String The name of the host.
Logrhythm.Host.DateUpdated String The last update date of the host.
Logrhythm.Host.HostZone String The host zone.
Logrhythm.Host.RiskLevel String The risk level.
Logrhythm.Host.Location String The host location.
Logrhythm.Host.Status String The host status.
Logrhythm.Host.ID String The unique ID of the host object.
Logrhythm.Host.OSType String The type of the host OS.

Command Example
!lr-get-hosts host-id=1
Context Example
{
    "Logrhythm.Host": [
        {
            "Status": "Active", 
            "Name": "WIN-JSBOL5ERCQA", 
            "RiskLevel": "Medium-Medium", 
            "OS": "Windows", 
            "EntityName": "Primary Site", 
            "ID": 1, 
            "Location": {
                "id": -1
            }, 
            "OSType": "Other", 
            "ThreatLevel": "None", 
            "DateUpdated": "2019-07-03T07:20:24.44Z", 
            "HostZone": "Internal", 
            "EntityId": 1, 
            "UseEventlogCredentials": false
        }
    ]
}
Human Readable Output

Hosts information:

ID Name EntityId EntityName OS Status Location RiskLevel ThreatLevel ThreatLevelComments DateUpdated HostZone
1 WIN-JSBOL5ERCQA 1 Primary Site Windows Active id: -1 Medium-Medium None 2019-07-03T07:20:24.44Z Internal

8. Get information for an alarm


Retrieves alarm data.

Base Command

lr-get-alarm-data

Input
Argument Name Description Required
alarm-id The alarm ID. Required

Context Output
Path Type Description
Logrhythm.Alarm.Status String The alarm status.
Logrhythm.Alarm.EventID String The alarm event ID.
Logrhythm.Alarm.LastDxTimeStamp String The timestamp of the last time the drilldown returned new results from the Data Indexer.
Logrhythm.Alarm.DateInserted String The alarm date inserted.
Logrhythm.Alarm.AIERuleName String The alarm AI engine (AIE) rule.
Logrhythm.Alarm.Priority String The alarm priority.
Logrhythm.Alarm.AIERuleID String The alarm AI engine (AIE) rule ID.
Logrhythm.Alarm.ID String The alarm ID.
Logrhythm.Alarm.NotificationSent Boolean Whether the alarm notification was sent.
Logrhythm.Alarm.AlarmGuid String The alarm GUID.
Logrhythm.Alarm.RetryCount String The alarm retry count.
Logrhythm.Alarm.NormalMessageDate String The alarm message date.
Logrhythm.Alarm.WebConsoleIds String The alarm web console IDs.

Logrhythm.Alarm.Summary.PIFType String Alarm Primary Inspection Field (the original name for “Summary Field”).
Logrhythm.Alarm.Summary.DrillDownSummaryLogs String Drill down summary logs.

Command Example
!lr-get-alarm-data alarm-id=1824
Context Example
{
    "Logrhythm.Alarm": {
        "EventID": 337555, 
        "Priority": 85, 
        "LastDxTimeStamp": "0001-01-01T00:00:00", 
        "DateInserted": "2019-06-20T12:13:28.363", 
        "AIERuleName": "Use Of Admin User", 
        "AIERuleID": 1000000003, 
        "Status": "Completed", 
        "AIEMsgXml": {
            "v": "1", 
            "_": {
                "DateEdited": "2019-06-20 11:54:42", 
                "AIERuleID": "1000000003"
            }, 
            "_0": {
                "FactCount": "1", 
                "RuleBlockType": "1", 
                "NormalMsgDate": "2019-06-20 12:13:19", 
                "NormalMsgDateLower": "2019-06-20 12:13:19", 
                "NormalMsgDateUpper": "2019-06-20 12:13:20", 
                "Login": "administrator"
            }
        }, 
        "Summary": [
            {
                "DrillDownSummaryLogs": "administrator", 
                "PIFType": "User (Origin)"
            }
        ], 
        "NotificationSent": false, 
        "AlarmGuid": "5a4d8d77-5ec6-4669-b455-fb0cdbeed7df", 
        "RetryCount": 0, 
        "NormalMessageDate": "2019-06-20T12:13:20.243", 
        "WebConsoleIds": [
            "c272b5f5-1db6-461b-9e9c-78d171429494"
        ], 
        "ID": 1824
    }
}
Human Readable Output

Alarm information for alarm id 1824

AIERuleID AIERuleName Status RetryCount LastDxTimeStamp DateInserted AlarmGuid NotificationSent EventID NormalMessageDate WebConsoleIds Priority ID
1000000003 Use Of Admin User Completed 0 0001-01-01T00:00:00 2019-06-20T12:13:28.363 5a4d8d77-5ec6-4669-b455-fb0cdbeed7df false 337555 2019-06-20T12:13:20.243 c272b5f5-1db6-461b-9e9c-78d171429494 85 1824

Alarm summaries

PIFType DrillDownSummaryLogs
User (Origin) administrator

9. Get a list of events


Retrieves a list of events by alarm ID.

Base Command

lr-get-alarm-events

Input
Argument Name Description Required
alarm-id The alarm ID. Required
count Number of events to return. Optional
fields Comma-separated list of fields (outputs) to return in the context. If empty, all fields are returned. Optional
get-log-message Retrieves the log message from the event. Optional

Context Output
Path Type Description
Logrhythm.Alarm.Event String Alarm event information.
Logrhythm.Alarm.ID String The alarm ID.

Command Example
!lr-get-alarm-events alarm-id=1835
Context Example
{
    "Logrhythm.Alarm": {
        "Event": [
            {
                "originEntityId": 1, 
                "rootEntityId": 1, 
                "classificationTypeName": "Audit", 
                "logSourceName": "WIN-JSBOL5ERCQA MS Security Log", 
                "entityName": "Primary Site", 
                "originZone": 0, 
                "session": "0x0", 
                "normalDateMin": "2019-06-20 12:27:03", 
                "normalDate": "2019-06-20 12:27:03", 
                "vendorMessageId": "4625", 
                "entityId": 1, 
                "subject": "Unknown user name or bad password", 
                "priority": 3, 
                "sequenceNumber": 211157, 
                "impactedZoneName": "Unknown", 
                "originHostId": -1, 
                "mpeRuleId": 1060400, 
                "logSourceHostName": "WIN-JSBOL5ERCQA", 
                "logSourceHost": "WIN-JSBOL5ERCQA", 
                "originZoneName": "Unknown", 
                "logSourceType": 1000030, 
                "mpeRuleName": "EVID 4625 : User Logon Type 3: Wrong Password", 
                "impactedName": "win-jsbol5ercqa.demisto.lab", 
                "normalMsgDateMax": "2019-06-20 12:27:03", 
                "status": "0xC000006D", 
                "direction": 0, 
                "logSourceHostId": 1, 
                "ruleBlockNumber": 1, 
                "objectName": "0xC000006A", 
                "classificationId": 1040, 
                "impactedEntityId": 1, 
                "messageTypeEnum": 1, 
                "impactedEntityName": "Primary Site", 
                "reason": "Unknown user name or bad password", 
                "directionName": "Unknown", 
                "logDate": "2019-06-20 05:27:03", 
                "commonEventName": "User Logon Failure : Bad Password", 
                "impactedHostName": "", 
                "messageId": "1e28712d-4af4-4e82-9403-a2ebfda82f2d", 
                "originEntityName": "Primary Site", 
                "severity": "Information", 
                "count": 1, 
                "keyField": "messageId", 
                "rootEntityName": "Primary Site", 
                "parentProcessId": "0x0", 
                "protocolId": -1, 
                "logSourceTypeName": "MS Windows Event Logging - Security", 
                "object": "NtLmSsp", 
                "vendorInfo": "An account failed to log on", 
                "impactedHost": "win-jsbol5ercqa.demisto.lab", 
                "command": "3", 
                "commonEventId": 19812, 
                "login": "administrator", 
                "classificationName": "Authentication Failure", 
                "logSourceId": 1
            }
        ], 
        "ID": 1835
    }
}
Human Readable Output

Events information for alarm 1835

classificationId classificationName classificationTypeName command commonEventName commonEventId direction directionName impactedEntityId impactedEntityName impactedHost impactedHostName impactedName impactedZoneName logDate mpeRuleId mpeRuleName object objectName originEntityName originEntityId originHostId login originZone originZoneName priority protocolId ruleBlockNumber session severity subject vendorMessageId sequenceNumber vendorInfo parentProcessId reason status keyField count entityId rootEntityId rootEntityName entityName logSourceHostId logSourceHost logSourceHostName logSourceId logSourceName logSourceType logSourceTypeName messageId messageTypeEnum normalDate normalMsgDateMax normalDateMin
1040 Authentication Failure Audit 3 User Logon Failure : Bad Password 19812 0 Unknown 1 Primary Site win-jsbol5ercqa.demisto.lab win-jsbol5ercqa.demisto.lab Unknown 2019-06-20 05:27:03 1060400 EVID 4625 : User Logon Type 3: Wrong Password NtLmSsp 0xC000006A Primary Site 1 -1 administrator 0 Unknown 3 -1 1 0x0 Information Unknown user name or bad password 4625 211157 An account failed to log on 0x0 Unknown user name or bad password 0xC000006D messageId 1 1 1 Primary Site Primary Site 1 WIN-JSBOL5ERCQA WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security 1e28712d-4af4-4e82-9403-a2ebfda82f2d 1 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03