LogRhythmRest
LogRhythm Pack.#
This Integration is part of theLogRhythm security intelligence. This integration was integrated and tested with version 7.4.6 of LogRhythmRest
#
Configure LogRhythmRest in CortexParameter | Required |
---|---|
Hostname, IP address, or server URL | True |
API Token | True |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
Search API cluster ID | False |
Entity ID | False |
Fetch incidents | False |
Incidents Fetch Interval | False |
Incident type | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
lr-execute-queryExecutes a query for logs that match the query parameters.
#
Base Commandlr-execute-query
#
InputArgument Name | Description | Required |
---|---|---|
keyword | The value by which to filter log messages. | Required |
page-size | Number of logs to return. Default is 100. | Optional |
time-frame | The time range from which to return log messages. If time_frame is "Custom", specify the start and end time for the time range. Possible values: "Today", "Last2Days", "LastWeek", "LastMonth", and "Custom". Possible values are: Today, Last2Days, LastWeek, LastMonth, Custom. Default is Custom. | Optional |
start-date | Start date for the data query, for example: "2018-04-20". Only use this argument if the time-frame argument is "Custom". | Optional |
end-date | End date for the data query, for example: "2018-04-20". Only use this argument if the time-frame argument is "Custom". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Log.Channel | string | Channel of the log. |
Logrhythm.Log.Computer | string | Computer for the log |
Logrhythm.Log.EventData | string | Event data of the log. |
Logrhythm.Log.EventID | string | Event ID of the log. |
Logrhythm.Log.Keywords | string | Keywords of the log. |
Logrhythm.Log.Level | string | Log level. |
Logrhythm.Log.Opcode | string | Opcode of the log. |
Logrhythm.Log.Task | string | Task of the log. |
#
Command Example!lr-execute-query keyword=Failure time-frame=Custom start-date=2019-05-15 end-date=2019-05-16 page-size=2
#
Context Example#
Human Readable Output#
Hosts for primary
Level Computer Channel Keywords EventData Information WIN-1234.lab Security Audit Failure An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tGPWARD\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Information WIN-1234.lab Security Audit Failure An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tTMARTIN\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
#
lr-get-hosts-by-entityRetrieves a list of hosts for a given entity, or an empty list if none is found.
#
Base Commandlr-get-hosts-by-entity
#
InputArgument Name | Description | Required |
---|---|---|
entity-name | The entity name. | Required |
count | Number of hosts to return. Default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Host.EntityId | String | The entity ID. |
Logrhythm.Host.EntityName | String | The entity name. |
Logrhythm.Host.OS | String | The host operating system. |
Logrhythm.Host.ThreatLevel | String | The host threat level. |
Logrhythm.Host.UseEventlogCredentials | String | Whether to use the event log credentials. |
Logrhythm.Host.Name | String | The name of the host. |
Logrhythm.Host.DateUpdated | String | The last update date of the host. |
Logrhythm.Host.HostZone | String | The host zone. |
Logrhythm.Host.RiskLevel | String | The risk level. |
Logrhythm.Host.Location | String | The host location. |
Logrhythm.Host.Status | String | The host status. |
Logrhythm.Host.ID | String | The unique ID of the host object. |
Logrhythm.Host.OSType | String | The type of the host operating system. |
#
Command Example!lr-get-hosts-by-entity entity-name=primary count=2
#
Context Example#
Human Readable Output#
Hosts for primary
ID Name EntityId EntityName OS Status Location RiskLevel ThreatLevel ThreatLevelComments DateUpdated HostZone -1000002 AI Engine Server 1 Primary Site Unknown Active NA None None 2019-04-24T09:58:32.003Z Internal 1 WIN-JSBOL5ERCQA 1 Primary Site Windows Active NA Medium-Medium None 2021-05-18T15:06:54.62Z Internal
#
lr-add-hostAdd a new host to an entity.
#
Base Commandlr-add-host
#
InputArgument Name | Description | Required |
---|---|---|
entity-id | The entity ID. | Required |
entity-name | The entity name. | Required |
name | The LogRhythm host name. | Required |
short-description | A short description of the host. Default is None. | Optional |
long-description | A long description of the host. Default is None. | Optional |
risk-level | The host risk level. Possible values: "None", "Low-Low", "Low-Medium", "Low-High", "Medium-Low", "Medium-Medium", "Medium-High", "High-Low", "High-Medium", and "High-High". Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. Default is None. | Required |
threat-level | The host threat level. Possible values: "None", "Low-Low", "Low-Medium", "Low-High", "Medium-Low", "Medium-Medium", "Medium-High", "High-Low", "High-Medium", and "High-High". Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. Default is None. | Optional |
threat-level-comments | Comments for the host threat level. Default is None. | Optional |
host-status | The host status. Possible values: "New", "Retired", and "Active". Possible values are: New, Retired, Active. | Required |
host-zone | The host zone. Possible values: "Unknown", "Internal", "DMZ", and "External". Possible values are: Unknown, Internal, DMZ, External. | Required |
os | The host operating system. | Required |
use-eventlog-credentials | Whether to use the event log credentials. Possible values: "true" and "false". Possible values are: true, false. | Required |
os-type | The host operating system type. Possible values are: Unknown, Other, WindowsNT4, Windows2000Professional, Windows2000Server, Windows2003Standard, Windows2003Enterprise, Windows95, WindowsXP, WindowsVista, Linux, Solaris, AIX, HPUX, Windows. Default is Unknown. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Host.EntityId | string | The entity ID for the host. |
Logrhythm.Host.EntityName | string | The entity name for the host. |
Logrhythm.Host.OS | string | The host operating system. |
Logrhythm.Host.ThreatLevel | string | The host threat level. |
Logrhythm.Host.UseEventlogCredentials | string | Whether to use the event log credentials. |
Logrhythm.Host.Name | string | The name of the host. |
Logrhythm.Host.DateUpdated | string | The last update date of the host. |
Logrhythm.Host.HostZone | string | The host zone. |
Logrhythm.Host.RiskLevel | string | The risk level of the host. |
Logrhythm.Host.Location | string | The host location. |
Logrhythm.Host.Status | string | The host status. |
Logrhythm.Host.ID | string | The unique ID of the host object. |
Logrhythm.Host.OSType | string | The type of the host operating system. |
#
Command Example!lr-add-host entity-id=1 entity-name=`Primary Site` host-status=New host-zone=Internal name=host11 os=Windows risk-level="High-Medium" use-eventlog-credentials=false
#
Context Example#
Human Readable Outputhost11 added successfully to Primary Site
#
lr-update-host-statusUpdates an host status.
#
Base Commandlr-update-host-status
#
InputArgument Name | Description | Required |
---|---|---|
host-id | The unique ID of the host. | Required |
status | The enumeration status of the host. Possible values: "Retired" and "Active". Possible values are: Retired, Active. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Host.EntityId | string | The entity ID of the host. |
Logrhythm.Host.EntityName | string | The entity name of the host. |
Logrhythm.Host.OS | string | The host operating system. |
Logrhythm.Host.ThreatLevel | string | The host threat level. |
Logrhythm.Host.UseEventlogCredentials | string | Whether to use the event log credentials. |
Logrhythm.Host.Name | string | The name of the host. |
Logrhythm.Host.DateUpdated | string | The last update date of the host. |
Logrhythm.Host.HostZone | string | The host zone. |
Logrhythm.Host.RiskLevel | string | The risk level of the host. |
Logrhythm.Host.Location | string | The host location. |
Logrhythm.Host.Status | string | The host status. |
Logrhythm.Host.ID | string | The unique ID of the host object. |
Logrhythm.Host.OSType | string | The type of the host operating system. |
#
Command Example!lr-update-host-status host-id=8 status=Retired
#
Context Example#
Human Readable OutputStatus updated to Retired
#
lr-get-personsRetrieves a list of LogRhythm persons.
#
Base Commandlr-get-persons
#
InputArgument Name | Description | Required |
---|---|---|
person-id | The LogRhythm person ID. | Optional |
count | Number of persons to return. Default is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Person.DateUpdated | String | Date that the person was updated. |
Logrhythm.Person.FirstName | String | First name of the LogRhythm person. |
Logrhythm.Person.LastName | String | Last name of the LogRhythm person. |
Logrhythm.Person.HostStatus | string | Host status of the LogRhythm person. |
Logrhythm.Person.ID | String | Logrhythm person ID. |
Logrhythm.Person.IsAPIPerson | Boolean | Whether the API is a person. |
Logrhythm.Person.UserID | String | User ID of the LogRhythm person. |
Logrhythm.Person.UserLogin | String | User login of the LogRhythm person. |
#
Command Example!lr-get-persons person-id=7
#
Context Example#
Human Readable Output#
Persons information
ID HostStatus IsAPIPerson FirstName LastName UserID UserLogin DateUpdated 7 Retired false logrhythm logrhythm 5 lrapi2 0001-01-01T00:00:00Z
#
lr-get-networksRetrieves a list of networks.
#
Base Commandlr-get-networks
#
InputArgument Name | Description | Required |
---|---|---|
network-id | The LogRhythm network ID. | Optional |
count | Number of networks to return. Default is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Network.BIP | String | Beginning IP address of the network. |
Logrhythm.Network.ThreatLevel | String | Threat level of the network. |
Logrhythm.Network.Name | String | Network name. |
Logrhythm.Network.EIP | String | End IP address of the network. |
Logrhythm.Network.DateUpdated | String | Date network was updated. |
Logrhythm.Network.EntityName | String | Entity name of the network. |
Logrhythm.Network.HostZone | String | Host zone of the network. |
Logrhythm.Network.RiskLevel | String | Risk level of the network. |
Logrhythm.Network.Location | String | Network location. |
Logrhythm.Network.HostStatus | String | Host status of the network. |
Logrhythm.Network.ID | String | Network ID. |
Logrhythm.Network.EntityId | String | Entity ID of the network. |
#
Command Example!lr-get-networks network-id=1
#
Context Example#
Human Readable Output#
Networks information
ID BeganIP EndIP HostStatus Name RiskLevel EntityId EntityName Location ThreatLevel DateUpdated HostZone 1 1.1.1.1 2.2.2.2 Active test None -100 Global Entity NA None 2019-02-20T10:57:13.983Z External
#
lr-get-hostsReturns a list of hosts.
#
Base Commandlr-get-hosts
#
InputArgument Name | Description | Required |
---|---|---|
host-id | The LogRhythm host ID. | Optional |
count | Number of hosts to return. Default is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Host.EntityId | String | The entity ID. |
Logrhythm.Host.EntityName | String | The entity name. |
Logrhythm.Host.OS | String | The host operating system. |
Logrhythm.Host.ThreatLevel | String | The host threat level. |
Logrhythm.Host.UseEventlogCredentials | String | Whether to use the event log credentials. |
Logrhythm.Host.Name | String | The name of the host. |
Logrhythm.Host.DateUpdated | String | Date that the host was last updated. |
Logrhythm.Host.HostZone | String | The host zone. |
Logrhythm.Host.RiskLevel | String | The risk level of the host. |
Logrhythm.Host.Location | String | The host location. |
Logrhythm.Host.Status | String | The host status. |
Logrhythm.Host.ID | String | The unique ID of the host object. |
Logrhythm.Host.OSType | String | Host operating system type. |
#
Command Example!lr-get-hosts host-id=1
#
Context Example#
Human Readable Output#
Hosts information:
ID Name EntityId EntityName OS Status Location RiskLevel ThreatLevel ThreatLevelComments DateUpdated HostZone 1 WIN-JSBOL5ERCQA 1 Primary Site Windows Active NA Medium-Medium None 2021-05-18T15:06:54.62Z Internal
#
lr-get-alarm-dataReturns data for an alarm.
#
Base Commandlr-get-alarm-data
#
InputArgument Name | Description | Required |
---|---|---|
alarm-id | The alarm ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Alarm.Status | String | The alarm status. |
Logrhythm.Alarm.EventID | String | The alarm event ID. |
Logrhythm.Alarm.LastDxTimeStamp | String | The timestamp when the drilldown returned new results from the Data Indexer. |
Logrhythm.Alarm.DateInserted | String | The alarm date inserted. |
Logrhythm.Alarm.AIERuleName | String | The alarm AI engine (AIE) rule. |
Logrhythm.Alarm.Priority | String | The alarm priority. |
Logrhythm.Alarm.AIERuleID | String | The alarm AI engine (AIE) rule ID. |
Logrhythm.Alarm.ID | String | The alarm ID. |
Logrhythm.Alarm.NotificationSent | Boolean | Whether an alarm notification was sent. |
Logrhythm.Alarm.AlarmGuid | String | The alarm GUID. |
Logrhythm.Alarm.RetryCount | String | The alarm retry count. |
Logrhythm.Alarm.NormalMessageDate | String | The alarm message date. |
Logrhythm.Alarm.WebConsoleIds | String | The alarm web console IDs. |
Logrhythm.Alarm.Summary.PIFType | String | Alarm Primary Inspection Field (the original name for "Summary Field"). |
Logrhythm.Alarm.Summary.DrillDownSummaryLogs | String | Drilldown summary logs. |
#
Command Example!lr-get-alarm-data alarm-id=1824
#
Context Example#
Human Readable Output#
Alarm information for alarm id 1824
AIERuleID AIERuleName AlarmGuid DateInserted EventID ID LastDxTimeStamp NormalMessageDate NotificationSent Priority RetryCount Status WebConsoleIds 1000000003 Use Of Admin User 5a4d8d77-5ec6-4669-b455-fb0cdbeed7df 2019-06-20T12:13:28.363 337555 1824 0001-01-01T00:00:00 2019-06-20T12:13:20.243 false 85 0 Completed c272b5f5-1db6-461b-9e9c-78d171429494 #
Alarm summaries
PIFType DrillDownSummaryLogs User (Origin) administrator
#
lr-get-alarm-eventsReturns a list of events, by alarm ID.
#
Base Commandlr-get-alarm-events
#
InputArgument Name | Description | Required |
---|---|---|
alarm-id | The alarm ID. | Required |
count | Number of events to return. Default is 10. | Optional |
fields | A comma-separated list of fields (outputs) to return to the context. If empty, all fields are returned. Possible values are: . | Optional |
get-log-message | Whether to return the log message from the event. Possible values: "True" and "False". Possible values are: True, False. Default is False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Alarm.Event | String | Alarm event information. |
Logrhythm.Alarm.ID | String | The alarm ID. |
#
Command Example!lr-get-alarm-events alarm-id=1835
#
Context Example#
Human Readable Output#
Events information for alarm 1835
classificationId classificationName classificationTypeName command commonEventId commonEventName count direction directionName entityId entityName impactedEntityId impactedEntityName impactedHost impactedHostName impactedName impactedZoneName keyField logDate logSourceHost logSourceHostId logSourceHostName logSourceId logSourceName logSourceType logSourceTypeName login messageId messageTypeEnum mpeRuleId mpeRuleName normalDate normalDateMin normalMsgDateMax object objectName originEntityId originEntityName originHostId originZone originZoneName parentProcessId priority protocolId reason rootEntityId rootEntityName ruleBlockNumber sequenceNumber session severity status subject vendorInfo vendorMessageId 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator 1e28712d-4af4-4e82-9403-a2ebfda82f2d 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211157 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator ec975fad-44fd-42cd-be8e-1573742c6d7a 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211156 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator 21318d09-2b01-4b88-8b18-efc48c597e1f 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211155 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator 20384578-60c1-4828-bdea-68cdc202d719 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211154 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator dd2c2251-ede1-4559-916b-0422ea8c0f9e 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211153 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625
#
lr-get-case-evidenceExecute evidence query for a specific case ID.
#
Base Commandlr-get-case-evidence
#
InputArgument Name | Description | Required |
---|---|---|
case_id | The case ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Search.Evidence.status | String | Evidence status. |
Logrhythm.Search.Evidence.text | String | Evidence text. |
Logrhythm.Search.Evidence.number | Number | Evidence ID. |
Logrhythm.Search.Evidence.dateCreated | Date | Date the evidence was created. |
Logrhythm.Search.Evidence.pinned | Boolean | Whether evidence is pinned. |
Logrhythm.Search.Evidence.lastUpdatedBy.name | String | The name of the person who last updated the evidence. |
Logrhythm.Search.Evidence.createdBy.name | String | The name of the person who created the evidence. |
Logrhythm.Search.Evidence.dateUpdated | Date | The date the evidence was last updated. |
Logrhythm.Search.Evidence.type | String | Evidence type. |
#
Command Example!lr-get-case-evidence case_id=12345
#
Context Example#
Human Readable Output#
Evidences for case FD05A0D9-6749-45F7-BB5D-596FBA68E731
Alarm Createdby Datecreated Datepinned Dateupdated Lastupdatedby Number Pinned Status Statusmessage Text Type alarmDate: 2019-04-15T00:02:52.847Z
dateInserted: 2019-04-15T00:02:52.86Z
alarmRuleId: 1098
entityName: Primary Site
alarmId: 190
riskBasedPriorityMax: 37
entityId: 1
alarmRuleName: LogRhythm Data Indexer Max Index Exceededdisabled: false
number: -100
name: LogRhythm Administrator2019-04-15T21:41:34.61Z 2019-04-15T21:41:34.61Z disabled: false
number: -100
name: LogRhythm Administrator3 false completed alarm
#
lr-execute-search-queryExecute search query to LogRhythm log database.
#
Base Commandlr-execute-search-query
#
InputArgument Name | Description | Required |
---|---|---|
number_of_days | Number of days to search. | Required |
source_type | Log source type. Possible values are: API-_AWS_CloudTrail, API-AWS_CloudWatch_Alarm, API-AWS_Config_Event, API-AWS_S3_Flat_File, API-AWS_S3_Server_Access_Event, API-BeyondTrust_Retina_Vulnerability_Management, API-Box_Event, API-Cisco_IDS/IPS, API-Cradlepoint_ECM, API-IP360_Vulnerability_Scanner, API-Metasploit_Penetration_Scanner, API-Nessus_Vulnerability_Scanner, API-NetApp_CIFS_Security_Audit_Event_Log, API-NeXpose_Vulnerability_Scanner, API-Office_365_Management_Activity, API-Office_365_Message_Tracking, API-Okta_Event, API-Qualys_Vulnerability_Scanner, API-Salesforce_EventLogFile, API-Sourcefire_eStreamer, API-Tenable_SecurityCenter, API-Tenable.io_Scanner, Flat_File-ActivIdentity_CMS, Flat_File-Airwatch_MDM, Flat_File-Alfresco, Flat_File-AllScripts, Flat_File-Apache_Access_Log, Flat_File-Apache_Error_Log, Flat_File-Apache_SSL_Access_Log, Flat_File-Apache_SSL_Error_Log, Flat_File-Apache_Tomcat_Access_Log, Flat_File-Apache_Tomcat_Console_Log, Flat_File-Avaya_Secure_Access_Link_Remote_Access_Log, Flat_File-Avaya_Voice_Mail_Log, Flat_File-Axway_SFTP, Flat_File-Beacon_Endpoint_Profiler, Flat_File-Bind_9, Flat_File-BlackBerry_Enterprise_Server, Flat_File-Blue_Coat_Proxy_BCREPORTERMAIN_Format, Flat_File-Blue_Coat_Proxy_CSV_Format, Flat_File-Blue_Coat_Proxy_SQUID-1_Format, Flat_File-Blue_Coat_Proxy_W3C_Format, Flat_File-Bro_IDS_Critical_Stack_Intel_Log, Flat_File-Broadcom_SiteMinder, Flat_File-CA_ACF2_for_z/OS-ACFRPTDS, Flat_File-CA_ACF2_for_z/OS-ACFRPTEL, Flat_File-CA_ACF2_for_z/OS-ACFRPTJL, Flat_File-CA_ACF2_for_z/OS-ACFRPTLL, Flat_File-CA_ACF2_for_z/OS-ACFRPTNV, Flat_File-CA_ACF2_for_z/OS-ACFRPTOM, Flat_File-CA_ACF2_for_z/OS-ACFRPTPW, Flat_File-CA_ACF2_for_z/OS-ACFRPTRL, Flat_File-CA_ACF2_for_z/OS-ACFRPTRV, Flat_File-CA_ControlMinder, Flat_File-Cerberus_FTP_Server, Flat_File-Cerner, Flat_File-Cisco_AMP_for_Endpoints, Flat_File-Cisco_Email_Security_Appliance, Flat_File-Cisco_LMS(cwcli), FlatFile-Cisco_LMS(Syslog), FlatFile-Cisco_NGFW, Flat_File-Cisco_Secure_ACS_CSV_File, Flat_File-Cisco_Security_Agent, Flat_File-Cisco_Umbrella_DNS, Flat_File-Cisco_Web_Security_aclog, Flat_File-Citrix_Access_Gateway_IIS_Format, Flat_File-Citrix_Access_Gateway_NCSA_Common_Format, Flat_File-Citrix_Access_Gateway_W3C_Format, Flat_File-Citrix_Presentation_Server, Flat_File-Citrix_Secure_Gateway, Flat_File-ClamAV_Anti-Virus, Flat_File-ColdFusion_Application_Log, Flat_File-ColdFusion_Exception_Log, Flat_File-ColdFusion_Mail_Log, Flat_File-ColdFusion_Mailsent_Log, Flat_File-ColdFusion_Server_Log, Flat_File-Cornerstone_Managed_File_Transfer, Flat_File-Coyote_Point_Equalizer, Flat_File-DB2_Audit_Log, Flat_File-DB2_via_BMC_Log_Master, Flat_File-Defender_Server, Flat_File-DocWorks, Flat_File-eClinicalWorks_Audit_Log, Flat_File-EMC_Isilon, Flat_File-Epicor_Coalition, Flat_File-FairWarning_Ready-For-Healthcare, Flat_File-FileZilla_System_Log, Flat_File-FireEye_Web_MPS, Flat_File-Forcepoint_Web_Security_CEF_Cloud_Format, Flat_File-Forescout_CounterACT, Flat_File-FoxT_BoKS_Server_Access_Control, Flat_File-FundsXpress, Flat_File-Gene6_FTP, Flat_File-GlobalSCAPE_EFT, Flat_File-Hadoop, Flat_File-HMC, Flat_File-HP-UX_Audit_Log, Flat_File-IBM_4690_POS, Flat_File-IBM_Informix_Application_Log, Flat_File-IBM_Informix_Audit_Log, Flat_File-IBM_Tivoli_Storage_Manager, Flat_File-IBM_WebSphere_App_Server_v7_Audit_Log, Flat_File-IBM_WebSphere_Cast_Iron_Cloud_Integration, Flat_File-IBM_ZOS_Batch_Decryption_Log, Flat_File-IBM_ZOS_CICS_Decryption_Log, Flat_File-IBM_ZOS_RACF_Access_Log, Flat_File-IBM_ZOS_RACF_SMF_Type_80, Flat_File-IPSwitch_WS_FTP, Flat_File-Irix_Audit_Logs, Flat_File-IT-CUBE_AgileSI, Flat_File-JBoss_Log_File, Flat_File-Juniper_Steel_Belted_Radius_Server, Flat_File-Kerio_Mail_Server, Flat_File-KERISYS_Doors_Event_Export_Format, Flat_File-Kippo_Honeypot, Flat_File-Linux_Audit_ASCII, Flat_File-Linux_Audit_Log, Flat_File-Linux_Host_Secure_Log, Flat_File-LOGbinder_EX, Flat_File-LogRhythm_Alarm_Reingest, Flat_File-LogRhythm_Data_Indexer_Monitor, Flat_File-LogRhythm_Oracle_Log, Flat_File-LogRhythm_System_Monitor, Flat_File-LogRhythm_System_Monitor_Log_File, Flat_File-LogRhythm_Trebek_Log, Flat_File-LogRhythm_Zeus_Log, Flat_File-Lotus_Domino_Client_Log, Flat_File-McAfee_Cloud_Proxy_do_not_use, Flat_File-McAfee_ePO_HIPS, Flat_File-McAfee_Foundstone, Flat_File-McAfee_Proxy_Cloud, Flat_File-McAfee_SaaS_Web_Protection, Flat_File-McAfee_Web_Gateway_Audit_Log, Flat_File-Merak, Flat_File-Meridian, Flat_File-Microsoft_ActiveSync_2010, Flat_File-Microsoft_CRM, Flat_File-Microsoft_DHCP_Server_Log, Flat_File-Microsoft_Forefront_TMG, Flat_File-Microsoft_Forefront_TMG_Web_Proxy, Flat_File-Microsoft_IIS(IISFormat)_File, Flat_File-Microsoft_IIS_7.x_W3C_Extended_Format, Flat_File-Microsoft_IIS_Error_Log_V6, Flat_File-Microsoft_IIS_FTP_IIS_Log_File_Format, Flat_File-Microsoft_IIS_FTP_W3C_Extended_Format, Flat_File-Microsoft_IIS_NCSA_Common_Format_File, Flat_File-Microsoft_IIS_SMTP_W3C_Format, Flat_File-Microsoft_IIS_URL_Scan_Log, Flat_File-Microsoft_IIS_W3C_File, Flat_File-Microsoft_ISA_Server_2004, Flat_File-Microsoft_ISA_Server_W3C_File, Flat_File-Microsoft_Netlogon, Flat_File-Microsoft_Port_Reporter_PR-PORTS_Log, Flat_File-Microsoft_Semantic_Logging, Flat_File-Microsoft_SQL_Server_2000_Error_Log, Flat_File-Microsoft_SQL_Server_2005_Error_Log, Flat_File-Microsoft_SQL_Server_2008_Error_Log, Flat_File-Microsoft_SQL_Server_2012_Error_Log, Flat_File-Microsoft_SQL_Server_2014_Error_Log, Flat_File-Microsoft_Windows_2003_DNS, Flat_File-Microsoft_Windows_2008_DNS, Flat_File-Microsoft_Windows_2012_DNS, Flat_File-Microsoft_Windows_Firewall, Flat_File-MicroStrategy, Flat_File-Mimecast_Audit, Flat_File-Mimecast_Email, Flat_File-Monetra, Flat_File-MongoDB, Flat_File-MS_Exchange_2003_Message_Tracking_Log, Flat_File-MS_Exchange_2007_Message_Tracking_Log, Flat_File-MS_Exchange_2010_Message_Tracking_Log, Flat_File-MS_Exchange_2013_Message_Tracking_Log, Flat_File-MS_Exchange_2016_Message_Tracking_Log, Flat_File-MS_Exchange_RPC_Client_Access, Flat_File-MS_IAS/RAS_Server_NPS_DB_Log_Format, Flat_File-MS_IAS/RAS_Server_Standard_Log_Format, Flat_File-MS_ISA_Server_2006_ISA_All_Fields, Flat_File-MS_ISA_Server_2006_W3C_All_Fields, Flat_File-MS_SQL_Server_Reporting_Services_2008, Flat_File-MySQL, Flat_File-MySQL_error.log, Flat_File-MySQL_mysql.log, Flat_File-MySQL_mysql-slow.log, Flat_File-Nessus_System_Log, Flat_File-NetApp_Cluster, Flat_File-Nginx_Log, Flat_File-Novell_Audit, Flat_File-Novell_GroupWise, Flat_File-Novell_LDAP, Flat_File-ObserveIT_Enterprise, Flat_File-Office_365_Message_Tracking, Flat_File-OpenDJ, Flat_File-OpenVMS, Flat_File-OpenVPN, Flat_File-Oracle_11g_Fine_Grained_Audit_Trail, Flat_File-Oracle_9i, Flat_File-Oracle_BRM_CM_Log, Flat_File-Oracle_BRM_DM_Log, Flat_File-Oracle_Listener_Audit_Trail, Flat_File-Oracle_SunOne_Directory_Server, Flat_File-Oracle_SunOne_Web_Server_Access_Log, Flat_File-Oracle_Virtual_Directory, Flat_File-Oracle_WebLogic_11g_Access_Log, Flat_File-Other, Flat_File-PeopleSoft, Flat_File-PhpMyAdmin_Honeypot, Flat_File-Postfix, Flat_File-PowerBroker_Servers, Flat_File-Princeton_Card_Secure, Flat_File-ProFTPD, Flat_File-PureMessage_For_Exchange_SMTP_Log, Flat_File-PureMessage_For_UNIX_Blocklist_Log, Flat_File-PureMessage_For_UNIX_Message_Log, Flat_File-RACF(SMF), FlatFile-Radmin, Flat_File-Restic_Backup_Log, Flat_File-RL_Patient_Feedback, Flat_File-RSA_Adaptive_Authentication, Flat_File-RSA_Authentication_Manager_6.1, Flat_File-S2_Badge_Reader, Flat_File-Safenet, Flat_File-Sendmail_File, Flat_File-Sharepoint_ULS, Flat_File-ShoreTel_VOIP, Flat_File-Siemens_Radiology_Information_System, Flat_File-Snort_Fast_Alert_File, Flat_File-Solaris-Sulog, Flat_File-Solaris_Audit_Log, Flat_File-SpamAssassin, Flat_File-Squid_Proxy, Flat_File-Subversion, Flat_File-Sudo.Log, Flat_File-Swift_Alliance, Flat_File-Symantec_Antivirus_10.x_Corporate_Edtn, Flat_File-Symantec_Antivirus_12.x_Corporate_Edtn, Flat_File-Symitar_Episys_Console_Log, Flat_File-Symitar_Episys_Sysevent_Log, Flat_File-Tandem_EMSOUT_Log_File, Flat_File-Tandem_XYGATE, Flat_File-Tectia_SSH_Server, Flat_File-Trade_Innovations_CSCS, Flat_File-Trend_Micro_IMSS, Flat_File-Trend_Micro_Office_Scan, Flat_File-Tumbleweed_Mailgate_Server, Flat_File-Verint_Audit_Trail_File, Flat_File-VMWare_Virtual_Machine, Flat_File-Voltage_Securemail, Flat_File-Vormetric_Log_File, Flat_File-vsFTP_Daemon_Log, Flat_File-Vyatta_Firewall_Kernel_Log, Flat_File-WordPot_Honeypot, Flat_File-X-NetStat_Log, Flat_File-XPient_POS_CCA_Manager, Flat_File-XPIENT_POS_POSLOG, Flat_File-XPIENT_POS_Shell_Log, IPFIX-IP_Flow_Information_Export, J-Flow-Juniper_J-Flow_Version_5, J-Flow-Juniper_J-Flow_Version_9, LogRhythm_CloudAI, LogRhythm_Data_Loss_Defender, LogRhythm_Demo_File-Application_Server_Log, LogRhythm_Demo_File-Content_Inspection_Log, LogRhythm_Demo_File-Database_Audit_Log, LogRhythm_Demo_File-Ecom_Server_Log, LogRhythm_Demo_File-File_Server_Log, LogRhythm_Demo_File-Firewall_Log, LogRhythm_Demo_File-FTP_Log, LogRhythm_Demo_File-IDS_Alarms_Log, LogRhythm_Demo_File-Mail_Server_Log, LogRhythm_Demo_File-Netflow_Log, LogRhythm_Demo_File-Network_Device_Log, LogRhythm_Demo_File-Network_Server_Log, LogRhythm_Demo_File-VPN_Log, LogRhythm_Demo_File-Web_Access_Log, LogRhythm_File_Monitor(AIX), LogRhythmFile_Monitor(HP-UX), LogRhythmFile_Monitor(Linux), LogRhythmFile_Monitor(Solaris), LogRhythmFile_Monitor(Windows), LogRhythmFilter, LogRhythm_Network_Connection_Monitor(AIX), LogRhythmNetwork_Connection_Monitor(HP-UX), LogRhythmNetwork_Connection_Monitor(Linux), LogRhythmNetwork_Connection_Monitor(Solaris), LogRhythmNetwork_Connection_Monitor(Windows), LogRhythmProcess_Monitor(AIX), LogRhythmProcess_Monitor(HP-UX), LogRhythmProcess_Monitor(Linux), LogRhythmProcess_Monitor(Solaris), LogRhythmProcess_Monitor(Windows), LogRhythmRegistry_Integrity_Monitor, LogRhythm_SQL_Server_2000_C2_Audit_Log, LogRhythm_SQL_Server_2005_C2_Audit_Log, LogRhythm_SQL_Server_2008_C2_Audit_Log, LogRhythm_SQL_Server_2012+_C2_Audit_Log, LogRhythm_User_Activity_Monitor(AIX), LogRhythmUser_Activity_Monitor(HP-UX), LogRhythmUser_Activity_Monitor(Linux), LogRhythmUser_Activity_Monitor(Solaris), LogRhythmUser_Activity_Monitor(Windows), MSEvent_Log_for_XP/2000/2003-Application, MS_Event_Log_for_XP/2000/2003-Application-Espaniol, MS_Event_Log_for_XP/2000/2003-BioPassword, MS_Event_Log_for_XP/2000/2003-DFS, MS_Event_Log_for_XP/2000/2003-Directory_Service, MS_Event_Log_for_XP/2000/2003-DNS, MS_Event_Log_for_XP/2000/2003-DotDefender, MS_Event_Log_for_XP/2000/2003-EMC_Celerra_NAS, MS_Event_Log_for_XP/2000/2003-File_Rep_Service, MS_Event_Log_for_XP/2000/2003-HA, MS_Event_Log_for_XP/2000/2003-Kaspersky, MS_Event_Log_for_XP/2000/2003-Micros_POS, MS_Event_Log_for_XP/2000/2003-PatchLink, MS_Event_Log_for_XP/2000/2003-SafeWord_2008, MS_Event_Log_for_XP/2000/2003-SCE, MS_Event_Log_for_XP/2000/2003-Security, MS_Event_Log_for_XP/2000/2003-Security-Espaniol, MS_Event_Log_for_XP/2000/2003-SMS_2003, MS_Event_Log_for_XP/2000/2003-System, MS_Event_Log_for_XP/2000/2003-System-Espaniol, MS_Event_Log_for_XP/2000/2003-Virtual_Server, MS_Windows_Event_Logging-ADFS_Admin, MS_Windows_Event_Logging-Application, MS_Windows_Event_Logging-AppLockerApp, MS_Windows_Event_Logging-Backup, MS_Windows_Event_Logging-Citrix_Delivery_Services, MS_Windows_Event_Logging-Citrix_XenApp, MS_Windows_Event_Logging-DFS, MS_Windows_Event_Logging-DHCP_Admin, MS_Windows_Event_Logging-DHCP_Operational, MS_Windows_Event_Logging-Diagnosis-PLA, MS_Windows_Event_Logging-Digital_Persona, MS_Windows_Event_Logging-Dir_Service, MS_Windows_Event_Logging-DNS, MS_Windows_Event_Logging-Dot_Defender, MS_Windows_Event_Logging-ESD_Data_Flow_Track, MS_Windows_Event_Logging-Exchange_Mailbox_DB_Failures, MS_Windows_Event_Logging-FailoverClustering/Operational, MS_Windows_Event_Logging-Firewall_With_Advanced_Security, MS_Windows_Event_Logging-Forefront_AV, MS_Windows_Event_Logging-Group_Policy_Operational, MS_Windows_Event_Logging-Hyper-V_Hvisor, MS_Windows_Event_Logging-Hyper-V_IMS, MS_Windows_Event_Logging-Hyper-V_Network, MS_Windows_Event_Logging-Hyper-V_SynthSt, MS_Windows_Event_Logging-Hyper-V_VMMS, MS_Windows_Event_Logging-Hyper-V_Worker, MS_Windows_Event_Logging-Kaspersky, MS_Windows_Event_Logging-Kernel_PnP_Configuration, MS_Windows_Event_Logging-Lync_Server, MS_Windows_Event_Logging-MSExchange_Management, MS_Windows_Event_Logging-Operations_Manager, MS_Windows_Event_Logging-PowerShell, MS_Windows_Event_Logging-Print_Services, MS_Windows_Event_Logging-Quest_ActiveRoles_EDM_Server, MS_Windows_Event_Logging-Replication, MS_Windows_Event_Logging-SafeWord_2008, MS_Windows_Event_Logging-Security, MS_Windows_Event_Logging-Setup, MS_Windows_Event_Logging-Sysmon, MS_Windows_Event_Logging-System, MS_Windows_Event_Logging-Task_Scheduler, MS_Windows_Event_Logging-TS_Gateway, MS_Windows_Event_Logging-TS_Licensing, MS_Windows_Event_Logging-TS_Local_Session_Manager, MS_Windows_Event_Logging-TS_Remote_Connection_Manager, MS_Windows_Event_Logging-TS_Session_Broker, MS_Windows_Event_Logging-TS_Session_Broker_Client, MS_Windows_Event_Logging-VisualSVN, MS_Windows_Event_Logging:Deutsch-Security, MS_Windows_Event_Logging:Espaniol-Application, MS_Windows_Event_Logging:Espaniol-Security, MS_Windows_Event_Logging:Espaniol-System, MS_Windows_Event_Logging:Francais-System, MS_Windows_Event_Logging:Francais-Security, MS_Windows_Event_Logging_XML-ADFS, MS_Windows_Event_Logging_XML-Application, MS_Windows_Event_Logging_XML-Forwarded_Events, MS_Windows_Event_Logging_XML-Generic, MS_Windows_Event_Logging_XML-Microsoft-Windows-NTLM/Operational, MS_Windows_Event_Logging_XML-Security, MS_Windows_Event_Logging_XML-Sysmon, MS_Windows_Event_Logging_XML-Sysmon_7.01, MS_Windows_Event_Logging_XML-Sysmon_8/9/10, MS_Windows_Event_Logging_XML-System, MS_Windows_Event_Logging_XML-Unisys_Stealth, MS_Windows_Event_Logging_XML-Windows_Defender, Netflow-Cisco_Netflow_Version_1, Netflow-Cisco_Netflow_Version_5, Netflow-Cisco_Netflow_Version_9, Netflow-Palo_Alto_Version_9, Netflow-SonicWALL_Version_5, Netflow-SonicWALL_Version_9, OPSEC_LEA-Checkpoint_Firewall, OPSEC_LEA-Checkpoint_Firewall_Audit_Log, OPSEC_LEA-Checkpoint_For_LR_7.4.1+, OPSEC_LEA-Checkpoint_Log_Server, sFlow-Version_5, SNMP_Trap-Audiolog, SNMP_Trap-Autoregistered, SNMP_Trap-Brocade_Switch, SNMP_Trap-Cisco_5508_Wireless_Controller, SNMP_Trap-Cisco_IP_SLA, SNMP_Trap-Cisco_Prime, SNMP_Trap-Cisco_Router-Switch, SNMP_Trap-CyberArk, SNMP_Trap-Dell_OpenManage, SNMP_Trap-HP_Network_Node_Manager, SNMP_Trap-IBM_TS3000_Series_Tape_Drive, SNMP_Trap-Riverbed_SteelCentral_NetShark, SNMP_Trap-RSA_Authentication_Manager, SNMP_Trap-Swift_Alliance, SNMP_Trap-Trend_Micro_Control_Manager, Syslog-3Com_Switch, Syslog-A10_Networks_AX1000_Load_Balancer, Syslog-A10_Networks_Web_Application_Firewall, Syslog-Accellion_Secure_File_Transfer_Application, Syslog-Active_Scout_IPS, Syslog-Adallom, Syslog-Adtran_Switch, Syslog-Aerohive_Access_Point, Syslog-Aerohive_Firewall, Syslog-AIMIA_Tomcat, Syslog-AirDefense_Enterprise, Syslog-Airmagnet_Wireless_IDS, Syslog-AirTight_IDS/IPS, Syslog-AirWatch_MDM, Syslog-Airwave_Management_System_Log, Syslog-AIX_Host, Syslog-Alcatel-Lucent_Switch, Syslog-Alcatel-Lucent_Wireless_Controller, Syslog-AlertLogic, Syslog-AMX_AV_Controller, Syslog-Apache_Access_Log, Syslog-Apache_Error_Log, Syslog-Apache_Tomcat_Request_Parameters, Syslog-Apache_Tomcat_Service_Clients_Log, Syslog-APC_ATS, Syslog-APC_NetBotz_Environmental_Monitoring, Syslog-APC_PDU, Syslog-APC_UPS, Syslog-Apcon_Network_Monitor, Syslog-Apex_One, Syslog-Arbor_Networks_Peakflow, Syslog-Arbor_Networks_Spectrum, Syslog-Arbor_Pravail_APS, Syslog-Arista_Switch, Syslog-Array_TMX_Load_Balancer, Syslog-Arris_CMTS, Syslog-Aruba_Clear_Pass, Syslog-Aruba_Mobility_Controller, Syslog-Aruba_Wireless_Access_Point, Syslog-AS/400_via_Powertech_Interact, Syslog-Asus_WRT_Router, Syslog-Avatier_Identity_Management_Suite(AIMS), Syslog-_Avaya_Communications_Manager, Syslog-Avaya_Ethernet_Routing_Switch, Syslog-Avaya_G450_Media_Gateway, Syslog-Avaya_Router, Syslog-Aventail_SSL/VPN, Syslog-Avocent_Cyclades_Terminal_Server, Syslog-Azul_Java_Appliance, Syslog-Barracuda_Load_Balancer, Syslog-Barracuda_Mail_Archiver, Syslog-Barracuda_NG_Firewall, Syslog-Barracuda_NG_Firewall_6.x, Syslog-Barracuda_Spam_Firewall, Syslog-Barracuda_Web_Application_Firewall, Syslog-Barracuda_Webfilter, Syslog-BeyondTrust_BeyondInsight_LEEF, Syslog-Bind_DNS, Syslog-Bit9_Parity_Suite, Syslog-Bit9_Security_Platform_CEF, Syslog-Bit9+Carbon_Black(Deprecated), Syslog-_BitDefender, Syslog-Black_Diamond_Switch, Syslog-Blue_Coat_CAS, Syslog-Blue_Coat_Forward_Proxy, Syslog-Blue_Coat_PacketShaper, Syslog-Blue_Coat_ProxyAV_ISA_W3C_Format, Syslog-Blue_Coat_ProxyAV_MS_Proxy_2.0_Format, Syslog-Blue_Coat_ProxySG, Syslog-Blue_Socket_Wireless_Controller, Syslog-Bluecat_Adonis, Syslog-BlueCedar, Syslog-BluVector, Syslog-Bomgar, Syslog-Bradford_Networks_NAC, Syslog-Bradford_Remediation&Registration_Svr, Syslog-Bro_IDS, Syslog-Brocade_Switch, Syslog-Bromium_vSentry_CEF, Syslog-BSD_Host, Syslog-CA_Privileged_Access_Manager, Syslog-Cb_Defense_CEF, Syslog-Cb_Protection_CEF, Syslog-Cb_Response_LEEF, Syslog-Cell_Relay, Syslog-Certes_Networks_CEP, Syslog-Check_Point_Log_Exporter, Syslog-Checkpoint_Site-to-Site_VPN, Syslog-Cisco_ACS, Syslog-Cisco_Aironet_WAP, Syslog-Cisco_APIC, Syslog-Cisco_Application_Control_Engine, Syslog-Cisco_ASA, Syslog-Cisco_Clean_Access(CCA)Appliance, Syslog-Cisco_CSS_Load_Balancer, Syslog-Cisco_Email_Security_Appliance, Syslog-Cisco_FirePOWER, Syslog-Cisco_Firepower_Threat_Defense, Syslog-Cisco_FireSIGHT, Syslog-Cisco_FWSM, Syslog-Cisco_Global_Site_Selector, Syslog-Cisco_ISE, Syslog-Cisco_Meraki, Syslog-Cisco_Nexus_Switch, Syslog-Cisco_PIX, Syslog-Cisco_Prime_Infrastructure, Syslog-Cisco_Router, Syslog-Cisco_Secure_ACS_5, Syslog-Cisco_Session_Border_Controller, Syslog-Cisco_Switch, Syslog-Cisco_Telepresence_Video_Communications_Server, Syslog-Cisco_UCS, Syslog-Cisco_Unified_Comm_Mgr(CallMgr), Syslog-Cisco_VPN_Concentrator, Syslog-Cisco_WAAS, Syslog-Cisco_Web_Security, Syslog-Cisco_Wireless_Access_Point, Syslog-Cisco_Wireless_Control_System, Syslog-CiscoWorks, Syslog-Citrix_Access_Gateway_Server, Syslog-Citrix_Netscaler, Syslog-Citrix_XenServer, Syslog-Claroty_CTD_CEF, Syslog-Clearswift_Secure_Email_Gateway, Syslog-CloudLock, Syslog-CodeGreen_Data_Loss_Prevention, Syslog-Cofense_Triage_CEF, Syslog-Consentry_NAC, Syslog-Corero_IPS, Syslog-Corero_SmartWall_DDoS, Syslog-CoyotePoint_Equalizer, Syslog-Crowdstrike_Falconhost_CEF, Syslog-CyberArk, Syslog-CyberArk_Privileged_Threat_Analytics, Syslog-Cylance_CEF, Syslog-CylancePROTECT, Syslog-DarkTrace_CEF, Syslog-Dell_Force_10, Syslog-Dell_PowerConnect_Switch, Syslog-Dell_Remote_Access_Controller, Syslog-Dell_SecureWorks_iSensor_IPS, Syslog-Dialogic_Media_Gateway, Syslog-Digital_Guardian_CEF, Syslog-D-Link_Switch, Syslog-Don_not_use, Syslog-Dragos_Platform_CEF, Syslog-Ecessa_ShieldLink, Syslog-EfficientIP, Syslog-EMC_Avamar, Syslog-EMC_Centera, Syslog-EMC_Data_Domain, Syslog-EMC_Isilon, Syslog-EMC_Unity_Array, Syslog-EMC_VNX, Syslog-Ensilo_NGAV, Syslog-Enterasys_Dragon_IDS, Syslog-Enterasys_Router, Syslog-Enterasys_Switch, Syslog-Entrust_Entelligence_Messaging_Server, Syslog-Entrust_IdentityGuard, Syslog-Epic_Hyperspace_CEF, Syslog-EqualLogic_SAN, Syslog-eSafe_Email_Security, Syslog-ESET_Remote_Administrator(ERA)LEEF, Syslog-Event_Reporter(Win2000/XP/2003), Syslog-Exabeam, Syslog-Exchange_Message_Tracking, Syslog-ExtraHop, Syslog-Extreme_Wireless_LAN, Syslog-ExtremeWare, Syslog-ExtremeXOS, Syslog-F5_BIG-IP_Access_Policy_Manager, Syslog-F5_BIG-IP_AFM, Syslog-F5_BIG-IP_ASM, Syslog-F5_BIG-IP_ASM_Key-Value_Pairs, Syslog-F5_BIG-IP_ASM_v12, Syslog-F5_Big-IP_GTM&DNS, Syslog-F5_Big-IP_LTM, Syslog-F5_FirePass_Firewall, Syslog-F5_Silverline_DDoS_Protection, Syslog-Fargo_HDP_Card_Printer_and_Encoder, Syslog-Fat_Pipe_Load_Balancer, Syslog-Fidelis_XPS, Syslog-FireEye_E-Mail_MPS, Syslog-FireEye_EX, Syslog-FireEye_Web_MPS/CMS/ETP/HX, Syslog-Forcepoint_DLP, Syslog-Forcepoint_Email_Security_Gateway, Syslog-Forcepoint_Stonesoft_NGFW, Syslog-Forcepoint_SureView_Insider_Threat, Syslog-Forcepoint_Web_Security, Syslog-Forcepoint_Web_Security_CEF_Format, Syslog-Forescout_CounterACT_NAC, Syslog-Fortinet_FortiAnalyzer, Syslog-Fortinet_FortiAuthenticator, Syslog-Fortinet_FortiDDoS, Syslog-Fortinet_FortiGate, Syslog-Fortinet_FortiGate_v4.0, Syslog-Fortinet_FortiGate_v5.0, Syslog-Fortinet_FortiGate_v5.2, Syslog-Fortinet_FortiGate_v5.4/v5.6, Syslog-Fortinet_FortiGate_v5.6_CEF, Syslog-Fortinet_Fortigate_v6.0, Syslog-Fortinet_FortiMail, Syslog-Fortinet_FortiWeb, Syslog-Foundry_Switch, Syslog-Gene6_FTP, Syslog-Generic_CEF, Syslog-Generic_ISC_DHCP, Syslog-Generic_LEEF, Syslog-Guardium_Database_Activity_Monitor, Syslog-H3C_Router, Syslog-Hitachi_Universal_Storage_Platform, Syslog-HP_BladeSystem, Syslog-HP_iLO, Syslog-HP_Procurve_Switch, Syslog-HP_Router, Syslog-HP_Switch, Syslog-HP_Unix_Tru64, Syslog-HP_Virtual_Connect_Switch, Syslog-HP-UX_Host, Syslog-Huawei_Access_Router, Syslog-IBM_Blade_Center, Syslog-IBM_Security_Network_Protection, Syslog-IBM_Virtual_Tape_Library_Server, Syslog-IBM_WebSphere_DataPower_Integration, Syslog-IBM_zSecure_Alert_for_ACF2_2.1.0, Syslog-IceWarp_Server, Syslog-Imperva_Incapsula_CEF, Syslog-Imperva_SecureSphere, Syslog-Imprivata_OneSign_SSO, Syslog-InfoBlox, Syslog-Invincea(LEEF), Syslog-_iPrism_Proxy_Log, Syslog-IPSWITCH_MOVEit_Server, Syslog-IPTables, Syslog-IRIX_Host, Syslog-iSeries_via_Powertech_Interact, Syslog-Ivanti_FileDirector, Syslog-JetNexus_Load_Balancer, Syslog-Juniper_DX_Application_Accelerator, Syslog-Juniper_Firewall, Syslog-Juniper_Firewall_3400, Syslog-Juniper_Host_Checker, Syslog-Juniper_IDP, Syslog-Juniper_NSM, Syslog-Juniper_Router, Syslog-Juniper_SSL_VPN, Syslog-Juniper_SSL_VPN_WELF_Format, Syslog-Juniper_Switch, Syslog-Juniper_Trapeze, Syslog-Juniper_vGW_Virtual_Gateway, Syslog-Kaspersky_Security_Center, Syslog-Kea_DHCP_Server, Syslog-Kemp_Load_Balancer, Syslog-KFSensor_Honeypot, Syslog-KFSensor_Honeypot_CEF, Syslog-Lancope_StealthWatch, Syslog-Lancope_StealthWatch_CEF, Syslog-Layer_7_SecureSpan_SOA_Gateway, Syslog-Legacy_Checkpoint_Firewall(NotLog_Exporter), Syslog-Legacy_Checkpoint_IPS(NotLog_Exporter), Syslog-Lieberman_Enterprise_Random_Password_Manager, Syslog-Linux_Audit, Syslog-Linux_Host, Syslog-Linux_TACACS_Plus, Syslog-LOGbinder_EX, Syslog-LOGbinder_SP, Syslog-LOGbinder_SQL, Syslog-LogRhythm_Data_Indexer_Monitor, Syslog-LogRhythm_Inter_Deployment_Data_Sharing, Syslog-LogRhythm_Log_Distribution_Services, Syslog-LogRhythm_Network_Monitor, Syslog-LogRhythm_Syslog_Generator, Syslog-Lumension, Syslog-MacOS_X, Syslog-Malwarebytes_Endpoint_Security_CEF, Syslog-Mandiant_MIR, Syslog-McAfee_Advanced_Threat_Defense, Syslog-McAfee_Email_And_Web_Security, Syslog-McAfee_ePO, Syslog-McAfee_Firewall_Enterprise, Syslog-McAfee_Network_Security_Manager, Syslog-McAfee_Secure_Internet_Gateway, Syslog-McAfee_SecureMail, Syslog-McAfee_Skyhigh_for_Shadow_IT_LEEF, Syslog-McAfee_Web_Gateway, Syslog-mGuard_Firewall, Syslog-Microsoft_Advanced_Threat_Analytics(ATA)CEF, Syslog-Microsoft_Azure_Log_Integration, Syslog-Microsoft_Azure_MFA, Syslog-Microsoft_Forefront_UAG, Syslog-Mirapoint, Syslog-MobileIron, Syslog-Motorola_Access_Point, Syslog-MS_IIS_Web_Log_W3C_Format(Snare), Syslog-_MS_Windows_Event_Logging_XML-Application, Syslog-MS_Windows_Event_Logging_XML-Security, Syslog-MS_Windows_Event_Logging_XML-System, Syslog-Nagios, Syslog-nCircle_Configuration_Compliance_Manager, Syslog-NetApp_Filer, Syslog-NETASQ_Firewall, Syslog-NetGate_Router, Syslog-NetMotion_VPN, Syslog-Netscout_nGenius_InfiniStream, Syslog-NetScreen_Firewall, Syslog-Netskope, Syslog-Netskope_CEF, Syslog-Network_Chemistry_RFprotect, Syslog-Nginx_Web_Log, Syslog-Nimble_Storage, Syslog-Nortel_8600_Switch, Syslog-Nortel_BayStack_Switch, Syslog-Nortel_Contivity, Syslog-Nortel_Firewall, Syslog-Nortel_IP_1220, Syslog-Nortel_Passport_Switch, Syslog-Nozomi_Networks_Guardian_CEF, Syslog-NuSecure_Gateway, Syslog-Nutanix, Syslog-Open_Collector, Syslog-Open_Collector-AWS_CloudTrail, Syslog-Open_Collector-AWS_CloudWatch, Syslog-Open_Collector-AWS_Config_Events, Syslog-Open_Collector-AWS_Guard_Duty, Syslog-Open_Collector-AWS_S3, Syslog-Open_Collector-Azure_Event_Hub, Syslog-Open_Collector-Carbon_Black_Cloud, Syslog-Open_Collector-CarbonBlackBeat_Heartbeat, Syslog-Open_Collector-Cisco_AMP, Syslog-Open_Collector-Cisco_Umbrella, Syslog-Open_Collector-CiscoAMPBeat_Heartbeat, Syslog-Open_Collector-Duo_Authentication_Security, Syslog-Open_Collector-DuoBeat_Heartbeat, Syslog-Open_Collector-EventHubBeat_Heartbeat, Syslog-Open_Collector-GCP_Audit, Syslog-Open_Collector-GCP_Cloud_Key_Management_Service, Syslog-Open_Collector-GCP_Http_Load_Balancer, Syslog-Open_Collector-GCP_Pub_Sub, Syslog-Open_Collector-GCP_Security_Command_Center, Syslog-Open_Collector-GCP_Virtual_Private_Cloud, Syslog-Open_Collector-Gmail_Message_Tracking, Syslog-Open_Collector-GMTBeat_Heartbeat, Syslog-Open_Collector-GSuite, Syslog-Open_Collector-GSuiteBeat_Heartbeat, Syslog-Open_Collector-Metricbeat, Syslog-Open_Collector-Okta_System_Log, Syslog-Open_Collector-OktaSystemLogBeat_Heartbeat, Syslog-Open_Collector-PubSubBeat_Heartbeat, Syslog-Open_Collector-S3Beat_Heartbeat, Syslog-Open_Collector-Sophos_Central, Syslog-Open_Collector-SophosCentralBeat_Heartbeat, Syslog-Open_Collector-Webhook, Syslog-Open_Collector-Webhook_OneLogin, Syslog-Open_Collector-Webhook_Zoom, Syslog-Open_Collector-WebhookBeat_Heartbeat, Syslog-Opengear_Console, Syslog-OpenLDAP, Syslog-Oracle_10g_Audit_Trail, Syslog-Oracle_11g_Audit_Trail, Syslog-OSSEC_Alerts, Syslog-Other, Syslog-Outpost24, Syslog-Palo_Alto_Cortex_XDR, Syslog-Palo_Alto_Custom_Pipe, Syslog-Palo_Alto_Firewall, Syslog-Palo_Alto_Traps_CEF, Syslog-Palo_Alto_Traps_Management_Service, Syslog-Password_Manager_Pro, Syslog-pfSense_Firewall, Syslog-PingFederate_7.2, Syslog-PingFederate_CEF, Syslog-Polycom, Syslog-Postfix, Syslog-Procera_PacketLogic, Syslog-Proofpoint_Spam_Firewall, Syslog-Protegrity_Defiance_DPS, Syslog-QLogic_Infiniband_Switch, Syslog-Quest_Defender, Syslog-Radiator_Radius, Syslog-RADiFlow_3180_Switch, Syslog-Radware_Alteon_Load_Balancer, Syslog-Radware_DefensePro, Syslog-Radware_Web_Server_Director_Audit_Log, Syslog-Raritan_KVM, Syslog-Raz-Lee, Syslog-RedSeal, Syslog-Riverbed, Syslog-RSA_ACE, Syslog-RSA_Authentication_Manager_v7.1, Syslog-RSA_Authentication_Manager_v8.x, Syslog-RSA_Web_Threat_Detection, Syslog-RSA_Web_Threat_Detection_5.1, Syslog-RuggedRouter, Syslog-Safenet, Syslog-Sailpoint, Syslog-Sauce_Labs, Syslog-SecureAuth_IdP, Syslog-SecureAuth_IdP_v9, Syslog-SecureLink, Syslog-SecureTrack, Syslog-SEL_3610_Port_Switch, Syslog-SEL_3620_Ethernet_Security_Gateway, Syslog-Sentinel_IPS, Syslog-SentinelOne_CEF, Syslog-Sguil, Syslog-Siemens_Scalance_X400, Syslog-Smoothwall_Firewall, Syslog-SnapGear_Firewall, Syslog-Snare_Windows_2003_Event_Log, Syslog-Snare_Windows_2008_Event_Log, Syslog-Snort_IDS, Syslog-Solaris(Snare), Syslog-_Solaris_Host, Syslog-SonicWALL, Syslog-SonicWALL_SSL-VPN, Syslog-Sophos_Email_Encryption_Appliance, Syslog-Sophos_UTM, Syslog-Sophos_Web_Proxy, Syslog-Sophos_XG_Firewall, Syslog-Sourcefire_IDS_3D, Syslog-Sourcefire_RNA, Syslog-Spectracom_Network_Time_Server, Syslog-Splunk_API-Checkpoint_Firewall, Syslog-Splunk_API-Cisco_Netflow_V9, Syslog-Splunk_API-Nessus_Vulnerability_Scanner, Syslog-Squid_Proxy, Syslog-StealthBits_Activity_Monitor, Syslog-STEALTHbits_StealthINTERCEPT, Syslog-StoneGate_Firewall, Syslog-Stonesoft_IPS, Syslog-Stormshield_Network_Security_Firewall, Syslog-Sycamore_Networks_DNX-88, Syslog-Sygate_Firewall, Syslog-Symantec_Advanced_Threat_Protection(ATP)CEF, Syslog-Symantec_DLP_CEF, Syslog-Symantec_Endpoint_Server, Syslog-Symantec_Messaging_Gateway, Syslog-Symantec_PGP_Gateway, Syslog-Symbol_Wireless_Access_Point, Syslog-Tanium, Syslog-Temporary_LST-2, Syslog-Tenable_SecurityCenter, Syslog-Thycotic_Secret_Server, Syslog-Tipping_Point_IPS, Syslog-Tipping_Point_SSL_Reverse_Proxy, Syslog-Top_Layer_IPS, Syslog-Townsend_Alliance_LogAgent, Syslog-Trend_Micro_Control_Manager_CEF, Syslog-Trend_Micro_Deep_Discovery_Inspector, Syslog-Trend_Micro_Deep_Security_CEF, Syslog-Trend_Micro_Deep_Security_LEEF, Syslog-Trend_Micro_IWSVA, Syslog-Trend_Micro_Vulnerability_Protection_Manager, Syslog-Tripwire, Syslog-Trustwave_NAC, Syslog-Trustwave_Secure_Web_Gateway, Syslog-Trustwave_Web_Application_Firewall, Syslog-Tufin, Syslog-Tumbleweed_Mailgate_Server, Syslog-Ubiquiti_UniFi_Security_Gateway, Syslog-Ubiquiti_UniFi_Switch, Syslog-Ubiquiti_UniFi_WAP, Syslog-Untangle, Syslog-Vamsoft_ORF, Syslog-Vanguard_Active_Alerts, Syslog-Varonis_DatAlert, Syslog-Vasco_Digipass_Identikey_Server, Syslog-Vectra_Networks, Syslog-Versa_Networks_SD-WAN, Syslog-VMWare_ESX/ESXi_Server, Syslog-VMware_Horizon_View, Syslog-VMWare_NSX/NSX-T, Syslog-VMWare_Unified_Access_Gateway, Syslog-VMWare_vCenter_Server, Syslog-VMWare_vShield, Syslog-Voltage_Securemail, Syslog-Vormetric_CoreGuard, Syslog-Vormetric_Data_Security_Manager, Syslog-WALLIX_Bastion, Syslog-Watchguard_FireBox, Syslog-WS2000_Wireless_Access_Point, Syslog-Wurldtech_SmartFirewall, Syslog-Xirrus_Wireless_Array, Syslog-Zimbra_System_Log, Syslog-Zix_E-mail_Encryption, Syslog-Zscaler_Nano_Streaming_Service, Syslog-ZXT_Load_Balancer, Syslog-ZyWALL_VPN_Firewall, Syslog_Avaya_G450_Media_Gateway, Syslog_File-AIX_Host, Syslog_File-BSD_Format, Syslog_File-HP-UX_Host, Syslog_File-IRIX_Host, Syslog_File-Linux_Host, Syslog_File-LogRhythm_Syslog_Generator, Syslog_File-MS_2003_Event_Log(Snare), SyslogFile-Oracle_10g_Audit_Trail, Syslog_File-Oracle_11g_Audit_Trail, Syslog_File-Solaris_Host, UDLA-CA_Single_Sign-On, UDLA-Deepnet_DualShield, UDLA-Drupal, UDLA-Finacle_Core, UDLA-Finacle_Treasury_Logs, UDLA-Forcepoint, UDLA-Gallagher_Command_Centre, UDLA-iManage_Worksite, UDLA-ISS_Proventia_SiteProtector-IPS, UDLA-LogRhythm_Enterprise_Monitoring_Solution, UDLA-LREnhancedAudit, UDLA-McAfee_ePolicy_Orchestrator-Universal_ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_3.6-Events, UDLA-McAfee_ePolicy_Orchestrator_4.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_4.5-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.1-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.3-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.9-ePOEvents, UDLA-McAfee_Network_Access_Control, UDLA-McAfee_Network_Security_Manager, UDLA-Microsoft_System_Center_2012_Endpoint_Protection, UDLA-ObserveIT, UDLA-Oracle_10g_Audit_Trail, UDLA-Oracle_11g_Audit_Trail, UDLA-Oracle_12C_Unified_Auditing, UDLA-Oracle_9i_Audit_Trail, UDLA-Other, UDLA-SEL_3530_RTAC, UDLA-SharePoint_2007_AuditData, UDLA-SharePoint_2010_EventData, UDLA-SharePoint_2013_EventData, UDLA-Siemens_Invision, UDLA-Sophos_Anti-Virus, UDLA-Sophos_Endpoint_Security_and_Control, UDLA-Symantec_CSP, UDLA-Symantec_SEP, UDLA-Symmetry_Access_Control, UDLA-VMWare_vCenter_Server, UDLA-VMWare_vCloud, VLS-Syslog-Infoblox-DNS_RPZ, VLS-Syslog-Infoblox-_Threat_Protection. | Optional |
host_name | Impacted host name. | Optional |
username | Username. | Optional |
subject | Email subject. | Optional |
sender | Email sender. | Optional |
recipient | Email recipient. | Optional |
hash | Hash. | Optional |
url | URL. | Optional |
process_name | Process name. | Optional |
object | Log object. | Optional |
ip_address | IP address. | Optional |
max_massage | Maximum number of log message to query. Default is 10. | Optional |
query_timeout | The query timeout in seconds. Default is 60. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Search.Task.TaskID | String | Task ID |
#
Command Example#
Human Readable OutputNew search query created, Task ID=e1c3f960-e1c3f960-e1c3f960
#
lr-get-query-resultGet search query result with task ID output from lr-execute-search-query command
#
Base Commandlr-get-query-result
#
InputArgument Name | Description | Required |
---|---|---|
task_id | Task ID from lr-execute-search-query command output. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Search.Results.TaskStatus | String | Task Status |
Logrhythm.Search.Results.TaskID | String | Task ID |
Logrhythm.Search.Results.Items.originEntityId | Number | Entity ID |
Logrhythm.Search.Results.Items.impactedIp | String | Impacted IP |
Logrhythm.Search.Results.Items.classificationTypeName | String | Classification Name |
Logrhythm.Search.Results.Items.logSourceName | String | Log Source Name |
Logrhythm.Search.Results.Items.entityName | String | Entity Name |
Logrhythm.Search.Results.Items.normalDate | Date | Date |
Logrhythm.Search.Results.Items.vendorMessageId | String | Vendor Log message |
Logrhythm.Search.Results.Items.priority | Number | Log priority |
Logrhythm.Search.Results.Items.sequenceNumber | String | Seq number |
Logrhythm.Search.Results.Items.originHostId | Number | Origin Host ID |
Logrhythm.Search.Results.Items.mpeRuleId | Number | Log Rhythm rule ID |
Logrhythm.Search.Results.Items.originIp | String | Origin IP |
Logrhythm.Search.Results.Items.mpeRuleName | String | Log Rhythm rule name |
Logrhythm.Search.Results.Items.logSourceHostId | Number | Log Source host ID |
Logrhythm.Search.Results.Items.originHost | String | Origin Host |
Logrhythm.Search.Results.Items.logDate | Date | Log Date |
Logrhythm.Search.Results.Items.classificationName | String | Log classification name |
#
Command Example#
Human Readable Output#
Search results for task e1c3f960-e1c3f960-e1c3f960
OriginEntityId ImpactedIp LogSourceName OriginHost EntityName 1 10.0.0.1 Linux Syslog 1.2.3.4 Nothing
#
lr-get-usersReturns a list of users
#
Base Commandlr-get-users
#
InputArgument Name | Description | Required |
---|---|---|
user_id | The LogRhythm user ID. | Optional |
count | Number of users to return. Default is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.User.ID | string | LogRhythm user ID |
Logrhythm.User.DateUpdated | string | Date that the user was updated. |
Logrhythm.User.HostStatus | string | Host status of the LogRhythm user. |
Logrhythm.User.LastName | string | Last name of the LogRhythm user. |
Logrhythm.User.FirstName | string | First name of the LogRhythm user. |
Logrhythm.User.UserType | string | LogRhythm user type |
Logrhythm.User.Entity | string | LogRhythm entity information |
Logrhythm.User.Owner | string | LogRhythm owner information |
Logrhythm.User.ReadAccess | string | Read Access of the LogRhythm user. |
Logrhythm.User.WriteAccess | string | Write Access of the LogRhythm user. |
#
Command Example!lr-get-users user_id=5
#
Context Example#
Human Readable Output#
Users information
ID DateUpdated HostStatus LastName FirstName UserType Entity Owner ReadAccess WriteAccess 5 2021-10-11T15:04:50.757Z Retired testuser testuser Individual id: 1
name: Primary Siteid: 1
name: myadminPrivate Private
#
lr-get-loginsReturns a list of logins
#
Base Commandlr-get-logins
#
InputArgument Name | Description | Required |
---|---|---|
user_id | The LogRhythm user ID. | Optional |
count | Number of logins to return. Default is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Login.Login | string | The login username |
Logrhythm.Login.UserProfileId | string | The profile ID for the LogRhythm user |
Logrhythm.Login.UserId | string | LogRhythm user ID |
Logrhythm.Login.DefaultEntityId | string | The default entity ID of the login |
Logrhythm.Login.HostStatus | string | Host status of the LogRhythm login. |
Logrhythm.Login.DateUpdated | string | Date that the login was updated. |
Logrhythm.Login.DateCreated | string | Date that the login was created. |
Logrhythm.Login.Entities | string | LogRhythm entities information |
#
Command Example!lr-get-logins user_id=5
#
Context Example#
Human Readable Output#
Logins information
Login UserProfileId UserId DefaultEntityId HostStatus DateUpdated DateCreated testusername -100 5 1 Retired 2021-10-11T15:04:50.753Z 2021-09-21T13:27:59.72Z
#
lr-get-privilegesReturns the privileges of a given user.
#
Base Commandlr-get-privileges
#
InputArgument Name | Description | Required |
---|---|---|
user_id | The LogRhythm user ID. | Required |
offset | The position to start at . Default is 0. | Optional |
count | Number of privileges to return. Default is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Privileges.ID | string | The LogRhythm user ID |
Logrhythm.Privileges.Privileges | string | A list of the LogRhythm user's privileges. |
#
Command Example!lr-get-privileges user_id=5 count=15
#
Context Example#
Human Readable Output#
Privileges information
Privileges GlobalAIEEventsAccess,
SecondLookMgmt,
LogRhythmAPIAccess,
CaseMgmtAccess,
CloudAIAccess,
ShowDeploymentManager,
ShowEntityMgr,
EntityMgmt,
ShowAgentAgentMgr,
AgentMgmt,
ShowLSMgr,
LSMgmt,
DPMgmt,
PMMgmt,
NMMgmt
#
lr-get-profilesReturns a list of user profiles
#
Base Commandlr-get-profiles
#
InputArgument Name | Description | Required |
---|---|---|
profile_id | The LogRhythm profile ID. | Optional |
count | Number of profiles to return. Default is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Profile.ID | string | ID of the LogRhythm user profile |
LogRhythm.Profile.Name | string | Name of the Logrhythm user profile |
LogRhythm.Profile.ShortDescription | string | Short description of the profile |
LogRhythm.Profile.LongDescription | string | Long description of the profile |
LogRhythm.Profile.DataProcessorAccessMode | string | Data processor access mode |
LogRhythm.Profile.SecurityRole | string | The user profile's security role |
LogRhythm.Profile.ProfileType | string | The user profile's type |
LogRhythm.Profile.DateUpdated | string | Date that the profile was updated. |
LogRhythm.Profile.TotalAssociatedUsers | string | Total number of users with this profile |
LogRhythm.Profile.NotificationGroupsPermissions | string | Permissions on notification groups |
LogRhythm.Profile.ADGroupsPermissions | string | Active Directory group permissions |
LogRhythm.Profile.EntityPermissions | string | Entity permissions for the profile |
LogRhythm.Profile.DataProcessorsPermissions | string | Profile's data processor permissions |
LogRhythm.Profile.LogsourceListPermissions | string | Profile's logsource list permissions |
LogRhythm.Profile.LogSourcePermissions | string | Profile's permissions for log sources |
LogRhythm.Profile.Privileges | string | Profile's privileges |
LogRhythm.Profile.SmartResponsePluginsPermissions | string | Profile's smart response plugin permissions |
#
Command Example!lr-get-profiles profile_id=-100
#
Context Example#
Human Readable Output#
Users information
ID Name ShortDescription LongDescription DataProcessorAccessMode SecurityRole ProfileType DateUpdated TotalAssociatedUsers -100 LogRhythm Global Administrator LogRhythm Global Administrators have full access to the system. The LogRhythm Global Administrator profile is a system record which cannot be modified or deleted. All GlobalAdmin Allow 2021-07-09T16:03:19.62Z 11
#
lr-add-userAdd a new user to the LogRhythm SIEM
#
Base Commandlr-add-user
#
InputArgument Name | Description | Required |
---|---|---|
first_name | First name of the LogRhythm user. | Required |
last_name | Last name of the LogRhythm user. | Required |
abbreviation | Abbreviation of the user name. Defaults to first letter of first name and then last name, all lowercase. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.User.ID | string | LogRhythm user ID |
Logrhythm.User.DateUpdated | string | Date that the user was updated. |
Logrhythm.User.HostStatus | string | Host status of the LogRhythm user. |
Logrhythm.User.LastName | string | Last name of the LogRhythm user. |
Logrhythm.User.FirstName | string | First name of the LogRhythm user. |
Logrhythm.User.UserType | string | LogRhythm user type |
Logrhythm.User.Entity | string | LogRhythm entity information |
Logrhythm.User.Owner | string | LogRhythm owner information |
Logrhythm.User.ReadAccess | string | Read Access of the LogRhythm user. |
Logrhythm.User.WriteAccess | string | Write Access of the LogRhythm user. |
#
Command Example!lr-add-user first_name=Alice last_name=Richards
#
Context Example#
Human Readable Output#
User added
ID DateUpdated HostStatus LastName FirstName UserType Entity Owner ReadAccess WriteAccess 13 2021-10-20T15:02:14.733Z Active Richards Alice Individual id: 1
name: Primary Siteid: 1
name: myadminPrivate Private
#
lr-add-loginAdd a new login to the LogRhythm user
#
Base Commandlr-add-login
#
InputArgument Name | Description | Required |
---|---|---|
user_id | ID of the user to attach the login to. | Required |
login | Login name for the user. | Required |
profile_id | ID of the user profile to associate with the login. | Required |
password | Password for the user. . | Required |
entity_id | ID of the entity to associate with the login. Defaults to 1. Default is 1. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Logrhythm.Login.Login | string | The login username |
Logrhythm.Login.UserProfileId | string | The profile ID for the LogRhythm user |
Logrhythm.Login.UserId | string | LogRhythm user ID |
Logrhythm.Login.DefaultEntityId | string | The default entity ID of the login |
Logrhythm.Login.HostStatus | string | Host status of the LogRhythm login. |
Logrhythm.Login.DateUpdated | string | Date that the login was updated. |
Logrhythm.Login.DateCreated | string | Date that the login was created. |
Logrhythm.Login.Entities | string | LogRhythm entities information |
#
Command Example!lr-add-login login=arichards password=Example0Password123!! profile_id=-100 user_id=13
#
Context Example#
Human Readable Output#
Login added
Login UserProfileId UserId DefaultEntityId HostStatus DateUpdated DateCreated arichards -100 13 1 Active 2021-10-20T15:02:17.783Z 2021-10-20T15:02:17.78Z