LogRhythm
Written by Hassan Shozeb
Updated over a week ago

About LogRhythm


LogRhythm SIEM is a comprehensive security solution designed to consolidate log management, security analytics, and endpoint monitoring/forensics. Its primary objective is to detect threats and minimize an organization's risk exposure.

Developed by seasoned security experts specifically for their peers, LogRhythm SIEM reflects a deep understanding of what constitutes an effective SIEM tool. This all-in-one package offers a plethora of features, including threat lifecycle management, security automation and orchestration, targeted searches, and compliance reporting, equipping security professionals with a powerful arsenal to combat cyber threats.

Supported Actions

SIRP’s LogRhythm integration app allows you to execute the following actions:

  1. GET ALERTS ALARMS: Get Alarms from LogRhythm

Create REST API Token in LogRhythm

  • Open LogRhythm Platform Manager > LogRhythm Console > Third Party Application

  • Right-click and select New

  • Generate the new REST API Token and copy it. The token is a credential that grants API access to LogRhythm: store it only in the SIRP app configuration and do not paste it into tickets or chat.

Enable and Configure the LogRhythm App

  • Enable the LogRhythm app by clicking on the toggle button under the Status column.

  • Configuration Name: <Name of Configuration>

  • URL: https://<IP address of LogRhythm>:<REST API Port> (the base URL only: HTTPS, the LogRhythm host or IP, and the REST API port)

  • Auth Token: <API token copied from LogRhythm>



LogRhythm API-based Alarm ingestion

To start ingesting Alarms from LogRhythm through API, you need to create a new ingestion source and enable it.

1. Go to the Administration section from the left-hand navigation bar

2. Go to Apps > Ingestion Sources

3. Click on Add Source

4. Fill the fields in the popup form as shown in the image above:

  • Name: LogRhythm (This can be any name to distinguish this ingestion source)

  • Ingestion Method: API

  • Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)

  • Widget Name: Leave blank

  • Frequency: Every 5 minutes (SIRP will call the LogRhythm API every 5 minutes to check for new alarms)

  • Opened By: Not Mandatory

  • Applications: Select the LogRhythm application

  • Configuration: Select the configuration name

  • Actions: Select GET ALERTS ALARMS

  • Format: JSON

Click the Create button to create the new ingestion source.

5. The last step after creating an ingestion source is mapping the data fields ingested from LogRhythm to the fields available in SIRP. After you create the ingestion source, a new configuration icon appears under the Actions column. Click on the icon to configure the fields.

6. Configure the field mapping as shown in the following screenshot and click Save.

After enabling the ingestion source, SIRP will start calling the LogRhythm API every 5 minutes to check for new alarms. If SIRP finds any, it ingests the records into its database.

The results will be visible in the Incident Management module. The Alerts tab will list all the ingested alerts.
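As an added worked example (not SIRP's or LogRhythm's own code), the script below does in plain Python what the configuration above sets up: it validates the https://<IP address of LogRhythm>:<REST API Port> base URL, sends the REST API token as a Bearer token, and for one polling cycle maps alarms to incident fields while skipping alarm IDs it has already ingested, so that overlapping 5-minute polls do not create duplicate incidents. The /lr-alarm-api/alarms path, the response field names, the SIRP-side field names and the severity thresholds are assumptions, not taken from this page; SAMPLE_RESPONSE is constructed test data.

```python
"""Added example (not SIRP's or LogRhythm's own code): one polling cycle of a
LogRhythm alarm ingestion, written out so the moving parts of the SIRP
configuration above are visible: URL validation, Bearer-token auth, the
field-mapping step, and dedup of alarms seen in an earlier poll.

Assumptions (not from the page): the ALARM_PATH endpoint and the response
shape, the SIRP incident field names in map_alarm(), and the severity
thresholds. SAMPLE_RESPONSE is constructed test data.
"""
import json
import os
import urllib.request
from urllib.parse import urlparse

ALARM_PATH = "/lr-alarm-api/alarms"  # assumed Alarm API path; check your LogRhythm API docs


def validate_base_url(url: str) -> str:
    """Enforce the 'https://<IP address of LogRhythm>:<REST API Port>' form
    from the app configuration: TLS only, explicit port, no path or query."""
    p = urlparse(url)
    if p.scheme != "https":
        raise ValueError("LogRhythm API URL must use https, got %r" % p.scheme)
    if not p.hostname or p.port is None:
        raise ValueError("URL must contain the LogRhythm host and the REST API port")
    if p.path not in ("", "/") or p.query:
        raise ValueError("URL must be the base https://host:port only")
    return "https://%s:%d" % (p.hostname, p.port)


def build_request(base_url: str, token: str) -> urllib.request.Request:
    """GET request for alarms; the REST API token goes in the Authorization
    header as a Bearer token, never in the URL (where it would land in logs)."""
    if not token:
        raise ValueError("empty API token")
    url = validate_base_url(base_url) + ALARM_PATH
    return urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token, "Accept": "application/json"}
    )


def fetch_alarms(base_url: str, token: str) -> dict:
    """Live call (not exercised offline): returns the parsed JSON response."""
    with urllib.request.urlopen(build_request(base_url, token), timeout=30) as resp:
        return json.load(resp)


def map_alarm(alarm: dict) -> dict:
    """The field-mapping step (step 6 above). Values come from LogRhythm alarm
    fields (assumed names); keys are SIRP incident fields (assumed names)."""
    rbp = int(alarm.get("riskBasedPriorityMax", 0))  # 0-100 risk-based priority
    severity = "High" if rbp >= 70 else "Medium" if rbp >= 40 else "Low"
    return {
        "title": alarm["alarmRuleName"],
        "external_id": str(alarm["alarmId"]),  # keeps the link back to LogRhythm
        "severity": severity,
        "status": alarm.get("alarmStatus", "New"),
        "entity": alarm.get("entityName", ""),
        "created_at": alarm["dateInserted"],
        "source": "LogRhythm",
    }


def ingest_cycle(response: dict, seen_ids: set) -> list:
    """One poll: map every alarm whose ID has not been ingested before.
    seen_ids persists across cycles so a re-polled window adds no duplicates."""
    incidents = []
    for alarm in response.get("alarmsSearchDetails", []):
        if alarm["alarmId"] in seen_ids:
            continue
        seen_ids.add(alarm["alarmId"])
        incidents.append(map_alarm(alarm))
    return incidents


SAMPLE_RESPONSE = {  # constructed sample; field names are assumptions
    "alarmsCount": 2,
    "alarmsSearchDetails": [
        {"alarmId": 101, "alarmRuleName": "Brute Force Login Attempts",
         "alarmStatus": "New", "dateInserted": "2024-01-10T09:15:00Z",
         "entityName": "Primary Site", "riskBasedPriorityMax": 85},
        {"alarmId": 102, "alarmRuleName": "Suspicious Outbound Connection",
         "alarmStatus": "New", "dateInserted": "2024-01-10T09:17:00Z",
         "entityName": "Primary Site", "riskBasedPriorityMax": 45},
    ],
}


if __name__ == "__main__":
    seen = set()
    print(json.dumps(ingest_cycle(SAMPLE_RESPONSE, seen), indent=2))  # two incidents
    print(ingest_cycle(SAMPLE_RESPONSE, seen))                        # [] on re-poll
    # Live use: read URL and token from the environment, never hardcode the token.
    if os.environ.get("LOGRHYTHM_URL") and os.environ.get("LOGRHYTHM_API_TOKEN"):
        live = fetch_alarms(os.environ["LOGRHYTHM_URL"], os.environ["LOGRHYTHM_API_TOKEN"])
        print(ingest_cycle(live, seen))
```

The dedup set is what a real ingestion source would persist (SIRP keeps its own record of ingested alarms); without it, a polling window that overlaps the previous one re-creates the same incidents. Keeping the LogRhythm alarm ID on the incident is also what lets an analyst pivot back from SIRP to the originating alarm.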
