The Security Operations LogRhythm integration allows Security Operations Center (SOC) analysts to automatically generate Security Incident Response (SIR) incidents when certain configured LogRhythm alarms are triggered. The SOC analyst responds to the incidents using workflows that automate incident response activities and close out the LogRhythm alarms after closing the SIR incident.
The integration includes the following key features:
- Flexibility to create multiple alarm profiles such as phishing and malware.
- Drag-and-drop mapping of LogRhythm alarm field values to associated SIR security incident fields.
- A preview of the SIR security incident layout based on sample alarms to validate configuration setup.
- Ingestion of historical alarms as well as ongoing, future alarms at configurable intervals.
- Automated alarm closeout upon incident closure, which includes a SIR security incident ID and URL for easy linking.
Fixed:
- SIRs not being created from SIEM ingestion because of a "Secure Notes" access issue with the Crypto module since the Yokohama upgrade.
- Access issues for Security Analysts when querying tables.
The following Security Incident Response plugins must be installed and activated:
- Security Incident Response (com.snc.security_incident)
- Security Support Orchestration (com.snc.secops.orchestration)
List of Business Rules:
- LogRhythm Default Profile
- Initialize pulling tracker
- getAlarmRules
- Show schedule job status
- closeLogRhythmAlarm
List of Script Includes:
- LogRhythmIntegration
- LogRhythmSOAPEnvelope
- LogRhythmProfileAjax
- LogRhythmFieldMapProcessor
- LogRhythmAlarmLogic
- LogRhythmAlarmRuleLogic
- LogRhythmCacheDrillDown
Modules:
LogRhythm Integration:
- LogRhythm Configurations
- Alarm Profiles
- LogRhythm Field Translations
Tables:
- LogRhythm Alarm Event
- Alarm Profile
- Alarm Rule
- LogRhythm Configuration
- LogRhythm Field Translation
- LogRhythm Source to Task
List of Client Scripts:
- Profile Refresh Alarm Rules
- LogRhythm Profile Review Logic
- LogRhythm Profile Nav Buttons
- LogRhythm Profile Slush Filter Logic
- addSecurityIncidentFields
The Scope(s) used:
- sn_sec_logrhythm
List of properties (including system properties):
- sn_sec_logrhythm.glide.script.block.client.globals
List of transformation maps:
- LogRhythm Alarm Transform
List of Scheduled jobs for data imports:
- Process LogRhythm Integration
This integration requires the LogRhythm Enterprise version 7.3.2x or higher. Earlier versions are not supported due to API limitations.
The Now Platform Security Operations (SecOps) – LogRhythm Enterprise integration requires the LogRhythm AI Engine Drilldown Cache API.