
LogRhythmRest

LogRhythm security intelligence. This integration was integrated and tested with version 7.4.6 of LogRhythmRest.

Configure LogRhythmRest on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for LogRhythmRest.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Hostname, IP address, or server URL | True |
    | API Token | True |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
    | Search API cluster ID | False |
    | Entity ID | False |
    | Fetch incidents | False |
    | Incidents Fetch Interval | False |
    | Incident type | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

lr-execute-query#


Executes a query for logs that match the query parameters.

Base Command#

lr-execute-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| keyword | The value by which to filter log messages. | Required |
| page-size | Number of logs to return. Default is 100. | Optional |
| time-frame | The time range from which to return log messages. If time-frame is "Custom", specify the start and end of the range with start-date and end-date. Possible values are: Today, Last2Days, LastWeek, LastMonth, Custom. Default is Custom. | Optional |
| start-date | Start date for the data query, for example: "2018-04-20". Only use this argument if the time-frame argument is "Custom". | Optional |
| end-date | End date for the data query, for example: "2018-04-20". Only use this argument if the time-frame argument is "Custom". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Log.Channel | string | Channel of the log. |
| Logrhythm.Log.Computer | string | Computer for the log. |
| Logrhythm.Log.EventData | string | Event data of the log. |
| Logrhythm.Log.EventID | string | Event ID of the log. |
| Logrhythm.Log.Keywords | string | Keywords of the log. |
| Logrhythm.Log.Level | string | Log level. |
| Logrhythm.Log.Opcode | string | Opcode of the log. |
| Logrhythm.Log.Task | string | Task of the log. |

Command Example#

!lr-execute-query keyword=Failure time-frame=Custom start-date=2019-05-15 end-date=2019-05-16 page-size=2

Context Example#

```json
{
  "Logrhythm.Log": [
    {
      "EventID": "4625",
      "Task": "Logon",
      "Level": "Information",
      "Computer": "WIN-1234.lab",
      "Opcode": "Info",
      "Keywords": "Audit Failure",
      "EventData": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tGPWARD\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
      "Channel": "Security"
    },
    {
      "EventID": "4625",
      "Task": "Logon",
      "Level": "Information",
      "Computer": "WIN-1234.lab",
      "Opcode": "Info",
      "Keywords": "Audit Failure",
      "EventData": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tTMARTIN\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
      "Channel": "Security"
    }
  ]
}
```

Human Readable Output#

Hosts for primary#

| Level | Computer | Channel | Keywords | EventData |
| --- | --- | --- | --- | --- |
| Information | WIN-1234.lab | Security | Audit Failure | An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tGPWARD\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
| Information | WIN-1234.lab | Security | Audit Failure | An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tTMARTIN\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
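The EventData that lr-execute-query returns for event 4625 is one free-text block, so a playbook that wants the failed account, the sub-status code or the source address has to parse it. The following is an added example (not code from the LogRhythmRest integration) that parses that block into sections, accepts both the real newlines of the context and the literal `\n`/`\t` escapes of the human-readable table, and flags repeated failures per account and one source failing against several accounts; SAMPLE_LOGS is constructed to match the Context Example, with the source 10.0.0.5 and the account JDOE made up.

```python
"""Parse Windows 4625 EventData from Logrhythm.Log and flag repeated failures.

Added example, not part of the LogRhythmRest integration. SAMPLE_LOGS is
constructed in the shape of the Context Example above.
"""
from collections import Counter

# Well-known NTSTATUS sub-status codes carried in the 4625 "Sub Status" field.
SUB_STATUS_MEANING = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "wrong password",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}


def parse_event_data(event_data: str) -> dict:
    """Turn 4625 EventData text into {section: {field: value}}."""
    # The context carries real newlines/tabs; the human-readable table shows
    # the literal two-character escapes. Accept both.
    text = event_data.replace("\\n", "\n").replace("\\t", "\t")
    fields = {"": {}}  # "" holds top-level fields such as "Logon Type"
    section = ""
    for raw in text.split("\n"):
        if raw.startswith("This event is generated"):
            break  # the rest is Microsoft's explanatory boilerplate
        line = raw.rstrip()
        if not line:
            continue
        if not raw.startswith("\t") and line.endswith(":"):
            section = line[:-1]  # e.g. "Account For Which Logon Failed"
            fields.setdefault(section, {})
            continue
        if ":" not in line:
            continue  # e.g. "An account failed to log on."
        key, _, value = line.lstrip("\t").partition(":")
        target = section if raw.startswith("\t") else ""
        fields.setdefault(target, {})[key.strip()] = value.strip()
    return fields


def summarize_failure(log: dict) -> dict:
    """Reduce one Logrhythm.Log entry to the fields an analyst pivots on."""
    f = parse_event_data(log["EventData"])
    target = f.get("Account For Which Logon Failed", {})
    failure = f.get("Failure Information", {})
    net = f.get("Network Information", {})
    sub = failure.get("Sub Status", "")
    return {
        "computer": log.get("Computer", ""),
        "account": target.get("Account Name", ""),
        "logon_type": f[""].get("Logon Type", ""),
        "source": net.get("Source Network Address", "-"),
        "sub_status": sub,
        "reason": SUB_STATUS_MEANING.get(sub, failure.get("Failure Reason", "unknown")),
    }


def find_suspicious(logs: list, per_account: int = 3, spray_accounts: int = 3) -> dict:
    """Flag accounts with >= per_account failures and any single source that
    failed against >= spray_accounts distinct accounts (password-spray shape)."""
    rows = [summarize_failure(l) for l in logs if str(l.get("EventID")) == "4625"]
    by_account = Counter(r["account"] for r in rows)
    by_source: dict = {}
    for r in rows:
        if r["source"] not in ("", "-"):  # "-" means Windows recorded no source
            by_source.setdefault(r["source"], set()).add(r["account"])
    return {
        "brute_force": sorted(a for a, n in by_account.items() if n >= per_account),
        "spray_sources": sorted(s for s, a in by_source.items() if len(a) >= spray_accounts),
        "rows": rows,
    }


def _event_data(account: str, sub_status: str, source: str = "-") -> str:
    """Build a 4625 body laid out like the Context Example (constructed data)."""
    return (
        "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
        "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        "Logon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n"
        f"\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\t\n\n"
        "Failure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n"
        f"\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t{sub_status}\n\n"
        f"Network Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t{source}\n"
        "\tSource Port:\t\t-\n\nDetailed Authentication Information:\n"
        "\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\n"
        "This event is generated when a logon request fails."
    )


def _log(event_data: str) -> dict:
    return {"EventID": "4625", "Computer": "WIN-1234.lab", "Channel": "Security",
            "Keywords": "Audit Failure", "EventData": event_data}


SAMPLE_LOGS = [
    _log(_event_data("GPWARD", "0xC0000064")),
    _log(_event_data("TMARTIN", "0xC0000064")),
    # one constructed source trying three different accounts: spray shape
    _log(_event_data("TMARTIN", "0xC000006A", source="10.0.0.5")),
    _log(_event_data("GPWARD", "0xC000006A", source="10.0.0.5")),
    _log(_event_data("JDOE", "0xC000006A", source="10.0.0.5")),
    # same record as the human-readable table shows it, with literal \n and \t
    _log(_event_data("TMARTIN", "0xC0000234").replace("\n", "\\n").replace("\t", "\\t")),
]
```

With the constructed sample, `find_suspicious(SAMPLE_LOGS)` reports TMARTIN for repeated failures and 10.0.0.5 as a source that failed against three accounts.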

lr-get-hosts-by-entity#


Retrieves a list of hosts for a given entity, or an empty list if none is found.

Base Command#

lr-get-hosts-by-entity

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entity-name | The entity name. | Required |
| count | Number of hosts to return. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Host.EntityId | String | The entity ID. |
| Logrhythm.Host.EntityName | String | The entity name. |
| Logrhythm.Host.OS | String | The host operating system. |
| Logrhythm.Host.ThreatLevel | String | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | String | Whether to use the event log credentials. |
| Logrhythm.Host.Name | String | The name of the host. |
| Logrhythm.Host.DateUpdated | String | The last update date of the host. |
| Logrhythm.Host.HostZone | String | The host zone. |
| Logrhythm.Host.RiskLevel | String | The risk level. |
| Logrhythm.Host.Location | String | The host location. |
| Logrhythm.Host.Status | String | The host status. |
| Logrhythm.Host.ID | String | The unique ID of the host object. |
| Logrhythm.Host.OSType | String | The type of the host operating system. |

Command Example#

!lr-get-hosts-by-entity entity-name=primary count=2

Context Example#

```json
{
  "Logrhythm": {
    "Host": [
      {
        "DateUpdated": "2019-04-24T09:58:32.003Z",
        "EntityId": 1,
        "EntityName": "Primary Site",
        "HostZone": "Internal",
        "ID": -1000002,
        "Location": "NA",
        "Name": "AI Engine Server",
        "OS": "Unknown",
        "OSType": "Other",
        "RiskLevel": "None",
        "Status": "Active",
        "ThreatLevel": "None",
        "UseEventlogCredentials": false
      },
      {
        "DateUpdated": "2021-05-18T15:06:54.62Z",
        "EntityId": 1,
        "EntityName": "Primary Site",
        "HostZone": "Internal",
        "ID": 1,
        "Location": "NA",
        "Name": "WIN-JSBOL5ERCQA",
        "OS": "Windows",
        "OSType": "Other",
        "RiskLevel": "Medium-Medium",
        "Status": "Active",
        "ThreatLevel": "None",
        "UseEventlogCredentials": false
      }
    ]
  }
}
```

Human Readable Output#

Hosts for primary#

| ID | Name | EntityId | EntityName | OS | Status | Location | RiskLevel | ThreatLevel | ThreatLevelComments | DateUpdated | HostZone |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| -1000002 | AI Engine Server | 1 | Primary Site | Unknown | Active | NA | None | None |  | 2019-04-24T09:58:32.003Z | Internal |
| 1 | WIN-JSBOL5ERCQA | 1 | Primary Site | Windows | Active | NA | Medium-Medium | None |  | 2021-05-18T15:06:54.62Z | Internal |

lr-add-host#


Adds a new host to an entity.

Base Command#

lr-add-host

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entity-id | The entity ID. | Required |
| entity-name | The entity name. | Required |
| name | The LogRhythm host name. | Required |
| short-description | A short description of the host. Default is None. | Optional |
| long-description | A long description of the host. Default is None. | Optional |
| risk-level | The host risk level. Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. Default is None. | Required |
| threat-level | The host threat level. Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. Default is None. | Optional |
| threat-level-comments | Comments for the host threat level. Default is None. | Optional |
| host-status | The host status. Possible values are: New, Retired, Active. | Required |
| host-zone | The host zone. Possible values are: Unknown, Internal, DMZ, External. | Required |
| os | The host operating system. | Required |
| use-eventlog-credentials | Whether to use the event log credentials. Possible values are: true, false. | Required |
| os-type | The host operating system type. Possible values are: Unknown, Other, WindowsNT4, Windows2000Professional, Windows2000Server, Windows2003Standard, Windows2003Enterprise, Windows95, WindowsXP, WindowsVista, Linux, Solaris, AIX, HPUX, Windows. Default is Unknown. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Host.EntityId | string | The entity ID for the host. |
| Logrhythm.Host.EntityName | string | The entity name for the host. |
| Logrhythm.Host.OS | string | The host operating system. |
| Logrhythm.Host.ThreatLevel | string | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | string | Whether to use the event log credentials. |
| Logrhythm.Host.Name | string | The name of the host. |
| Logrhythm.Host.DateUpdated | string | The last update date of the host. |
| Logrhythm.Host.HostZone | string | The host zone. |
| Logrhythm.Host.RiskLevel | string | The risk level of the host. |
| Logrhythm.Host.Location | string | The host location. |
| Logrhythm.Host.Status | string | The host status. |
| Logrhythm.Host.ID | string | The unique ID of the host object. |
| Logrhythm.Host.OSType | string | The type of the host operating system. |

Command Example#

!lr-add-host entity-id=1 entity-name=`Primary Site` host-status=New host-zone=Internal name=host11 os=Windows risk-level="High-Medium" use-eventlog-credentials=false

Context Example#

```json
{
  "Logrhythm": {
    "Host": {
      "DateUpdated": "2021-06-22T05:22:09.74Z",
      "EntityId": 1,
      "EntityName": "Primary Site",
      "HostZone": "Internal",
      "ID": 51,
      "Location": "NA",
      "Name": "host11",
      "OS": "Windows",
      "OSType": "Unknown",
      "RiskLevel": "High-Medium",
      "Status": "New",
      "ThreatLevel": "None",
      "ThreatLevelComments": "None",
      "UseEventlogCredentials": true
    }
  }
}
```

Human Readable Output#

host11 added successfully to Primary Site

lr-update-host-status#


Updates a host status.

Base Command#

lr-update-host-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| host-id | The unique ID of the host. | Required |
| status | The enumeration status of the host. Possible values are: Retired, Active. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Host.EntityId | string | The entity ID of the host. |
| Logrhythm.Host.EntityName | string | The entity name of the host. |
| Logrhythm.Host.OS | string | The host operating system. |
| Logrhythm.Host.ThreatLevel | string | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | string | Whether to use the event log credentials. |
| Logrhythm.Host.Name | string | The name of the host. |
| Logrhythm.Host.DateUpdated | string | The last update date of the host. |
| Logrhythm.Host.HostZone | string | The host zone. |
| Logrhythm.Host.RiskLevel | string | The risk level of the host. |
| Logrhythm.Host.Location | string | The host location. |
| Logrhythm.Host.Status | string | The host status. |
| Logrhythm.Host.ID | string | The unique ID of the host object. |
| Logrhythm.Host.OSType | string | The type of the host operating system. |

Command Example#

!lr-update-host-status host-id=8 status=Retired

Context Example#

```json
{
  "Logrhythm": {
    "Host": {
      "DateUpdated": "2021-06-22T05:22:11.163Z",
      "EntityId": 1,
      "EntityName": "Primary Site",
      "HostZone": "Internal",
      "ID": 8,
      "Location": "NA",
      "Name": "test-host7",
      "OS": "Linux",
      "OSType": "Other",
      "RiskLevel": "Low-Medium",
      "Status": "Retired",
      "ThreatLevel": "Low-High",
      "UseEventlogCredentials": false
    }
  }
}
```

Human Readable Output#

Status updated to Retired

lr-get-persons#


Retrieves a list of LogRhythm persons.

Base Command#

lr-get-persons

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| person-id | The LogRhythm person ID. | Optional |
| count | Number of persons to return. Default is 30. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Person.DateUpdated | String | Date that the person was updated. |
| Logrhythm.Person.FirstName | String | First name of the LogRhythm person. |
| Logrhythm.Person.LastName | String | Last name of the LogRhythm person. |
| Logrhythm.Person.HostStatus | String | Host status of the LogRhythm person. |
| Logrhythm.Person.ID | String | LogRhythm person ID. |
| Logrhythm.Person.IsAPIPerson | Boolean | Whether the person is an API person. |
| Logrhythm.Person.UserID | String | User ID of the LogRhythm person. |
| Logrhythm.Person.UserLogin | String | User login of the LogRhythm person. |

Command Example#

!lr-get-persons person-id=7

Context Example#

```json
{
  "Logrhythm": {
    "Person": {
      "DateUpdated": "0001-01-01T00:00:00Z",
      "FirstName": "logrhythm",
      "HostStatus": "Retired",
      "ID": 7,
      "IsAPIPerson": false,
      "LastName": "logrhythm",
      "UserID": 5,
      "UserLogin": "lrapi2"
    }
  }
}
```

Human Readable Output#

Persons information#

| ID | HostStatus | IsAPIPerson | FirstName | LastName | UserID | UserLogin | DateUpdated |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 7 | Retired | false | logrhythm | logrhythm | 5 | lrapi2 | 0001-01-01T00:00:00Z |

lr-get-networks#


Retrieves a list of networks.

Base Command#

lr-get-networks

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| network-id | The LogRhythm network ID. | Optional |
| count | Number of networks to return. Default is 30. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Network.BIP | String | Beginning IP address of the network. |
| Logrhythm.Network.ThreatLevel | String | Threat level of the network. |
| Logrhythm.Network.Name | String | Network name. |
| Logrhythm.Network.EIP | String | End IP address of the network. |
| Logrhythm.Network.DateUpdated | String | Date the network was updated. |
| Logrhythm.Network.EntityName | String | Entity name of the network. |
| Logrhythm.Network.HostZone | String | Host zone of the network. |
| Logrhythm.Network.RiskLevel | String | Risk level of the network. |
| Logrhythm.Network.Location | String | Network location. |
| Logrhythm.Network.HostStatus | String | Host status of the network. |
| Logrhythm.Network.ID | String | Network ID. |
| Logrhythm.Network.EntityId | String | Entity ID of the network. |

Command Example#

!lr-get-networks network-id=1

Context Example#

```json
{
  "Logrhythm": {
    "Network": {
      "BeganIP": "1.1.1.1",
      "DateUpdated": "2019-02-20T10:57:13.983Z",
      "EndIP": "2.2.2.2",
      "EntityId": -100,
      "EntityName": "Global Entity",
      "HostStatus": "Active",
      "HostZone": "External",
      "ID": 1,
      "Location": "NA",
      "Name": "test",
      "RiskLevel": "None",
      "ThreatLevel": "None"
    }
  }
}
```

Human Readable Output#

Networks information#

| ID | BeganIP | EndIP | HostStatus | Name | RiskLevel | EntityId | EntityName | Location | ThreatLevel | DateUpdated | HostZone |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 1.1.1.1 | 2.2.2.2 | Active | test | None | -100 | Global Entity | NA | None | 2019-02-20T10:57:13.983Z | External |

lr-get-hosts#


Returns a list of hosts.

Base Command#

lr-get-hosts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| host-id | The LogRhythm host ID. | Optional |
| count | Number of hosts to return. Default is 30. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Host.EntityId | String | The entity ID. |
| Logrhythm.Host.EntityName | String | The entity name. |
| Logrhythm.Host.OS | String | The host operating system. |
| Logrhythm.Host.ThreatLevel | String | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | String | Whether to use the event log credentials. |
| Logrhythm.Host.Name | String | The name of the host. |
| Logrhythm.Host.DateUpdated | String | Date that the host was last updated. |
| Logrhythm.Host.HostZone | String | The host zone. |
| Logrhythm.Host.RiskLevel | String | The risk level of the host. |
| Logrhythm.Host.Location | String | The host location. |
| Logrhythm.Host.Status | String | The host status. |
| Logrhythm.Host.ID | String | The unique ID of the host object. |
| Logrhythm.Host.OSType | String | Host operating system type. |

Command Example#

!lr-get-hosts host-id=1

Context Example#

```json
{
  "Logrhythm": {
    "Host": {
      "DateUpdated": "2021-05-18T15:06:54.62Z",
      "EntityId": 1,
      "EntityName": "Primary Site",
      "HostZone": "Internal",
      "ID": 1,
      "Location": "NA",
      "Name": "WIN-JSBOL5ERCQA",
      "OS": "Windows",
      "OSType": "Other",
      "RiskLevel": "Medium-Medium",
      "Status": "Active",
      "ThreatLevel": "None",
      "UseEventlogCredentials": false
    }
  }
}
```

Human Readable Output#

Hosts information:#

| ID | Name | EntityId | EntityName | OS | Status | Location | RiskLevel | ThreatLevel | ThreatLevelComments | DateUpdated | HostZone |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | WIN-JSBOL5ERCQA | 1 | Primary Site | Windows | Active | NA | Medium-Medium | None |  | 2021-05-18T15:06:54.62Z | Internal |

lr-get-alarm-data#


Returns data for an alarm.

Base Command#

lr-get-alarm-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm-id | The alarm ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Alarm.Status | String | The alarm status. |
| Logrhythm.Alarm.EventID | String | The alarm event ID. |
| Logrhythm.Alarm.LastDxTimeStamp | String | The timestamp when the drilldown last returned new results from the Data Indexer. |
| Logrhythm.Alarm.DateInserted | String | The date the alarm was inserted. |
| Logrhythm.Alarm.AIERuleName | String | The name of the AI Engine (AIE) rule that raised the alarm. |
| Logrhythm.Alarm.Priority | String | The alarm priority. |
| Logrhythm.Alarm.AIERuleID | String | The ID of the AI Engine (AIE) rule that raised the alarm. |
| Logrhythm.Alarm.ID | String | The alarm ID. |
| Logrhythm.Alarm.NotificationSent | Boolean | Whether an alarm notification was sent. |
| Logrhythm.Alarm.AlarmGuid | String | The alarm GUID. |
| Logrhythm.Alarm.RetryCount | String | The alarm retry count. |
| Logrhythm.Alarm.NormalMessageDate | String | The alarm message date. |
| Logrhythm.Alarm.WebConsoleIds | String | The alarm web console IDs. |
| Logrhythm.Alarm.Summary.PIFType | String | Alarm Primary Inspection Field (the original name for "Summary Field"). |
| Logrhythm.Alarm.Summary.DrillDownSummaryLogs | String | Drilldown summary logs. |

Command Example#

!lr-get-alarm-data alarm-id=1824

Context Example#

```json
{
  "Logrhythm": {
    "Alarm": {
      "AIEMsgXml": {
        "_": {
          "AIERuleID": "1000000003",
          "DateEdited": "2019-06-20 11:54:42"
        },
        "_0": {
          "FactCount": "1",
          "Login": "administrator",
          "NormalMsgDate": "2019-06-20 12:13:19",
          "NormalMsgDateLower": "2019-06-20 12:13:19",
          "NormalMsgDateUpper": "2019-06-20 12:13:20",
          "RuleBlockType": "1"
        },
        "v": "1"
      },
      "AIERuleID": 1000000003,
      "AIERuleName": "Use Of Admin User",
      "AlarmGuid": "5a4d8d77-5ec6-4669-b455-fb0cdbeed7df",
      "DateInserted": "2019-06-20T12:13:28.363",
      "EventID": 337555,
      "ID": 1824,
      "LastDxTimeStamp": "0001-01-01T00:00:00",
      "NormalMessageDate": "2019-06-20T12:13:20.243",
      "NotificationSent": false,
      "Priority": 85,
      "RetryCount": 0,
      "Status": "Completed",
      "Summary": [
        {
          "DrillDownSummaryLogs": "administrator",
          "PIFType": "User (Origin)"
        }
      ],
      "WebConsoleIds": [
        "c272b5f5-1db6-461b-9e9c-78d171429494"
      ]
    }
  }
}
```

Human Readable Output#

Alarm information for alarm id 1824#

| AIERuleID | AIERuleName | AlarmGuid | DateInserted | EventID | ID | LastDxTimeStamp | NormalMessageDate | NotificationSent | Priority | RetryCount | Status | WebConsoleIds |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1000000003 | Use Of Admin User | 5a4d8d77-5ec6-4669-b455-fb0cdbeed7df | 2019-06-20T12:13:28.363 | 337555 | 1824 | 0001-01-01T00:00:00 | 2019-06-20T12:13:20.243 | false | 85 | 0 | Completed | c272b5f5-1db6-461b-9e9c-78d171429494 |

Alarm summaries#

| PIFType | DrillDownSummaryLogs |
| --- | --- |
| User (Origin) | administrator |

lr-get-alarm-events#


Returns a list of events, by alarm ID.

Base Command#

lr-get-alarm-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm-id | The alarm ID. | Required |
| count | Number of events to return. Default is 10. | Optional |
| fields | A comma-separated list of fields (outputs) to return to the context. If empty, all fields are returned. Possible values are: . | Optional |
| get-log-message | Whether to return the log message from the event. Possible values are: True, False. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Alarm.Event | String | Alarm event information. |
| Logrhythm.Alarm.ID | String | The alarm ID. |

Command Example#

!lr-get-alarm-events alarm-id=1835

Context Example#

```json
{
  "Logrhythm": {
    "Alarm": {
      "Event": [
        {
          "classificationId": 1040,
          "classificationName": "Authentication Failure",
          "classificationTypeName": "Audit",
          "command": "3",
          "commonEventId": 19812,
          "commonEventName": "User Logon Failure : Bad Password",
          "count": 1,
          "direction": 0,
          "directionName": "Unknown",
          "entityId": 1,
          "entityName": "Primary Site",
          "impactedEntityId": 1,
          "impactedEntityName": "Primary Site",
          "impactedHost": "win-jsbol5ercqa.lab",
          "impactedHostName": "",
          "impactedName": "win-jsbol5ercqa.lab",
          "impactedZoneName": "Unknown",
          "keyField": "messageId",
          "logDate": "2019-06-20 05:27:03",
          "logSourceHost": "WIN-JSBOL5ERCQA",
          "logSourceHostId": 1,
          "logSourceHostName": "WIN-JSBOL5ERCQA",
          "logSourceId": 1,
          "logSourceName": "WIN-JSBOL5ERCQA MS Security Log",
          "logSourceType": 1000030,
          "logSourceTypeName": "MS Windows Event Logging - Security",
          "login": "administrator",
          "messageId": "1e28712d-4af4-4e82-9403-a2ebfda82f2d",
          "messageTypeEnum": 1,
          "mpeRuleId": 1060400,
          "mpeRuleName": "EVID 4625 : User Logon Type 3: Wrong Password",
          "normalDate": "2019-06-20 12:27:03",
          "normalDateMin": "2019-06-20 12:27:03",
          "normalMsgDateMax": "2019-06-20 12:27:03",
          "object": "NtLmSsp",
          "objectName": "0xC000006A",
          "originEntityId": 1,
          "originEntityName": "Primary Site",
          "originHostId": -1,
          "originZone": 0,
          "originZoneName": "Unknown",
          "parentProcessId": "0x0",
          "priority": 3,
          "protocolId": -1,
          "reason": "Unknown user name or bad password",
          "rootEntityId": 1,
          "rootEntityName": "Primary Site",
          "ruleBlockNumber": 1,
          "sequenceNumber": 211157,
          "session": "0x0",
          "severity": "Information",
          "status": "0xC000006D",
          "subject": "Unknown user name or bad password",
          "vendorInfo": "An account failed to log on",
          "vendorMessageId": "4625"
        },
        {
          "classificationId": 1040,
          "classificationName": "Authentication Failure",
          "classificationTypeName": "Audit",
          "command": "3",
          "commonEventId": 19812,
          "commonEventName": "User Logon Failure : Bad Password",
          "count": 1,
          "direction": 0,
          "directionName": "Unknown",
          "entityId": 1,
          "entityName": "Primary Site",
          "impactedEntityId": 1,
          "impactedEntityName": "Primary Site",
          "impactedHost": "win-jsbol5ercqa.lab",
          "impactedHostName": "",
          "impactedName": "win-jsbol5ercqa.lab",
          "impactedZoneName": "Unknown",
          "keyField": "messageId",
          "logDate": "2019-06-20 05:27:03",
          "logSourceHost": "WIN-JSBOL5ERCQA",
          "logSourceHostId": 1,
          "logSourceHostName": "WIN-JSBOL5ERCQA",
          "logSourceId": 1,
          "logSourceName": "WIN-JSBOL5ERCQA MS Security Log",
          "logSourceType": 1000030,
          "logSourceTypeName": "MS Windows Event Logging - Security",
          "login": "administrator",
          "messageId": "ec975fad-44fd-42cd-be8e-1573742c6d7a",
          "messageTypeEnum": 1,
          "mpeRuleId": 1060400,
          "mpeRuleName": "EVID 4625 : User Logon Type 3: Wrong Password",
          "normalDate": "2019-06-20 12:27:03",
          "normalDateMin": "2019-06-20 12:27:03",
          "normalMsgDateMax": "2019-06-20 12:27:03",
          "object": "NtLmSsp",
          "objectName": "0xC000006A",
          "originEntityId": 1,
          "originEntityName": "Primary Site",
          "originHostId": -1,
          "originZone": 0,
          "originZoneName": "Unknown",
          "parentProcessId": "0x0",
          "priority": 3,
          "protocolId": -1,
          "reason": "Unknown user name or bad password",
          "rootEntityId": 1,
          "rootEntityName": "Primary Site",
          "ruleBlockNumber": 1,
          "sequenceNumber": 211156,
          "session": "0x0",
          "severity": "Information",
          "status": "0xC000006D",
          "subject": "Unknown user name or bad password",
          "vendorInfo": "An account failed to log on",
          "vendorMessageId": "4625"
        },
        {
          "classificationId": 1040,
          "classificationName": "Authentication Failure",
          "classificationTypeName": "Audit",
          "command": "3",
          "commonEventId": 19812,
          "commonEventName": "User Logon Failure : Bad Password",
          "count": 1,
          "direction": 0,
          "directionName": "Unknown",
          "entityId": 1,
          "entityName": "Primary Site",
          "impactedEntityId": 1,
          "impactedEntityName": "Primary Site",
          "impactedHost": "win-jsbol5ercqa.lab",
          "impactedHostName": "",
          "impactedName": "win-jsbol5ercqa.lab",
          "impactedZoneName": "Unknown",
          "keyField": "messageId",
          "logDate": "2019-06-20 05:27:03",
          "logSourceHost": "WIN-JSBOL5ERCQA",
          "logSourceHostId": 1,
          "logSourceHostName": "WIN-JSBOL5ERCQA",
          "logSourceId": 1,
          "logSourceName": "WIN-JSBOL5ERCQA MS Security Log",
          "logSourceType": 1000030,
          "logSourceTypeName": "MS Windows Event Logging - Security",
          "login": "administrator",
          "messageId": "21318d09-2b01-4b88-8b18-efc48c597e1f",
          "messageTypeEnum": 1,
          "mpeRuleId": 1060400,
          "mpeRuleName": "EVID 4625 : User Logon Type 3: Wrong Password",
          "normalDate": "2019-06-20 12:27:03",
          "normalDateMin": "2019-06-20 12:27:03",
          "normalMsgDateMax": "2019-06-20 12:27:03",
          "object": "NtLmSsp",
          "objectName": "0xC000006A",
          "originEntityId": 1,
          "originEntityName": "Primary Site",
          "originHostId": -1,
          "originZone": 0,
          "originZoneName": "Unknown",
          "parentProcessId": "0x0",
          "priority": 3,
          "protocolId": -1,
          "reason": "Unknown user name or bad password",
          "rootEntityId": 1,
          "rootEntityName": "Primary Site",
          "ruleBlockNumber": 1,
          "sequenceNumber": 211155,
          "session": "0x0",
          "severity": "Information",
          "status": "0xC000006D",
          "subject": "Unknown user name or bad password",
          "vendorInfo": "An account failed to log on",
          "vendorMessageId": "4625"
        },
        {
          "classificationId": 1040,
          "classificationName": "Authentication Failure",
          "classificationTypeName": "Audit",
          "command": "3",
          "commonEventId": 19812,
          "commonEventName": "User Logon Failure : Bad Password",
          "count": 1,
          "direction": 0,
          "directionName": "Unknown",
          "entityId": 1,
          "entityName": "Primary Site",
          "impactedEntityId": 1,
          "impactedEntityName": "Primary Site",
          "impactedHost": "win-jsbol5ercqa.lab",
          "impactedHostName": "",
          "impactedName": "win-jsbol5ercqa.lab",
          "impactedZoneName": "Unknown",
          "keyField": "messageId",
          "logDate": "2019-06-20 05:27:03",
          "logSourceHost": "WIN-JSBOL5ERCQA",
          "logSourceHostId": 1,
          "logSourceHostName": "WIN-JSBOL5ERCQA",
          "logSourceId": 1,
          "logSourceName": "WIN-JSBOL5ERCQA MS Security Log",
          "logSourceType": 1000030,
          "logSourceTypeName": "MS Windows Event Logging - Security",
          "login": "administrator",
          "messageId": "20384578-60c1-4828-bdea-68cdc202d719",
          "messageTypeEnum": 1,
          "mpeRuleId": 1060400,
          "mpeRuleName": "EVID 4625 : User Logon Type 3: Wrong Password",
          "normalDate": "2019-06-20 12:27:03",
          "normalDateMin": "2019-06-20 12:27:03",
          "normalMsgDateMax": "2019-06-20 12:27:03",
          "object": "NtLmSsp",
          "objectName": "0xC000006A",
          "originEntityId": 1,
          "originEntityName": "Primary Site",
          "originHostId": -1,
          "originZone": 0,
          "originZoneName": "Unknown",
          "parentProcessId": "0x0",
          "priority": 3,
          "protocolId": -1,
          "reason": "Unknown user name or bad password",
          "rootEntityId": 1,
          "rootEntityName": "Primary Site",
          "ruleBlockNumber": 1,
          "sequenceNumber": 211154,
          "session": "0x0",
          "severity": "Information",
          "status": "0xC000006D",
          "subject": "Unknown user name or bad password",
          "vendorInfo": "An account failed to log on",
          "vendorMessageId": "4625"
        },
        {
          "classificationId": 1040,
          "classificationName": "Authentication Failure",
          "classificationTypeName": "Audit",
          "command": "3",
          "commonEventId": 19812,
          "commonEventName": "User Logon Failure : Bad Password",
          "count": 1,
          "direction": 0,
          "directionName": "Unknown",
          "entityId": 1,
          "entityName": "Primary Site",
          "impactedEntityId": 1,
          "impactedEntityName": "Primary Site",
          "impactedHost": "win-jsbol5ercqa.lab",
          "impactedHostName": "",
          "impactedName": "win-jsbol5ercqa.lab",
          "impactedZoneName": "Unknown",
          "keyField": "messageId",
          "logDate": "2019-06-20 05:27:03",
          "logSourceHost": "WIN-JSBOL5ERCQA",
          "logSourceHostId": 1,
          "logSourceHostName": "WIN-JSBOL5ERCQA",
          "logSourceId": 1,
          "logSourceName": "WIN-JSBOL5ERCQA MS Security Log",
          "logSourceType": 1000030,
          "logSourceTypeName": "MS Windows Event Logging - Security",
          "login": "administrator",
          "messageId": "dd2c2251-ede1-4559-916b-0422ea8c0f9e",
          "messageTypeEnum": 1,
          "mpeRuleId": 1060400,
          "mpeRuleName": "EVID 4625 : User Logon Type 3: Wrong Password",
          "normalDate": "2019-06-20 12:27:03",
          "normalDateMin": "2019-06-20 12:27:03",
          "normalMsgDateMax": "2019-06-20 12:27:03",
          "object": "NtLmSsp",
          "objectName": "0xC000006A",
          "originEntityId": 1,
          "originEntityName": "Primary Site",
          "originHostId": -1,
          "originZone": 0,
          "originZoneName": "Unknown",
          "parentProcessId": "0x0",
          "priority": 3,
          "protocolId": -1,
          "reason": "Unknown user name or bad password",
          "rootEntityId": 1,
          "rootEntityName": "Primary Site",
          "ruleBlockNumber": 1,
          "sequenceNumber": 211153,
          "session": "0x0",
          "severity": "Information",
          "status": "0xC000006D",
          "subject": "Unknown user name or bad password",
          "vendorInfo": "An account failed to log on",
          "vendorMessageId": "4625"
        }
      ],
      "ID": 1835
    }
  }
}
```

Human Readable Output#

Events information for alarm 1835#

| classificationId | classificationName | classificationTypeName | command | commonEventId | commonEventName | count | direction | directionName | entityId | entityName | impactedEntityId | impactedEntityName | impactedHost | impactedHostName | impactedName | impactedZoneName | keyField | logDate | logSourceHost | logSourceHostId | logSourceHostName | logSourceId | logSourceName | logSourceType | logSourceTypeName | login | messageId | messageTypeEnum | mpeRuleId | mpeRuleName | normalDate | normalDateMin | normalMsgDateMax | object | objectName | originEntityId | originEntityName | originHostId | originZone | originZoneName | parentProcessId | priority | protocolId | reason | rootEntityId | rootEntityName | ruleBlockNumber | sequenceNumber | session | severity | status | subject | vendorInfo | vendorMessageId |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1040 | Authentication Failure | Audit | 3 | 19812 | User Logon Failure : Bad Password | 1 | 0 | Unknown | 1 | Primary Site | 1 | Primary Site | win-jsbol5ercqa.lab |  | win-jsbol5ercqa.lab | Unknown | messageId | 2019-06-20 05:27:03 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA MS Security Log | 1000030 | MS Windows Event Logging - Security | administrator | 1e28712d-4af4-4e82-9403-a2ebfda82f2d | 1 | 1060400 | EVID 4625 : User Logon Type 3: Wrong Password | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | NtLmSsp | 0xC000006A | 1 | Primary Site | -1 | 0 | Unknown | 0x0 | 3 | -1 | Unknown user name or bad password | 1 | Primary Site | 1 | 211157 | 0x0 | Information | 0xC000006D | Unknown user name or bad password | An account failed to log on | 4625 |
| 1040 | Authentication Failure | Audit | 3 | 19812 | User Logon Failure : Bad Password | 1 | 0 | Unknown | 1 | Primary Site | 1 | Primary Site | win-jsbol5ercqa.lab |  | win-jsbol5ercqa.lab | Unknown | messageId | 2019-06-20 05:27:03 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA MS Security Log | 1000030 | MS Windows Event Logging - Security | administrator | ec975fad-44fd-42cd-be8e-1573742c6d7a | 1 | 1060400 | EVID 4625 : User Logon Type 3: Wrong Password | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | NtLmSsp | 0xC000006A | 1 | Primary Site | -1 | 0 | Unknown | 0x0 | 3 | -1 | Unknown user name or bad password | 1 | Primary Site | 1 | 211156 | 0x0 | Information | 0xC000006D | Unknown user name or bad password | An account failed to log on | 4625 |
| 1040 | Authentication Failure | Audit | 3 | 19812 | User Logon Failure : Bad Password | 1 | 0 | Unknown | 1 | Primary Site | 1 | Primary Site | win-jsbol5ercqa.lab |  | win-jsbol5ercqa.lab | Unknown | messageId | 2019-06-20 05:27:03 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA MS Security Log | 1000030 | MS Windows Event Logging - Security | administrator | 21318d09-2b01-4b88-8b18-efc48c597e1f | 1 | 1060400 | EVID 4625 : User Logon Type 3: Wrong Password | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | NtLmSsp | 0xC000006A | 1 | Primary Site | -1 | 0 | Unknown | 0x0 | 3 | -1 | Unknown user name or bad password | 1 | Primary Site | 1 | 211155 | 0x0 | Information | 0xC000006D | Unknown user name or bad password | An account failed to log on | 4625 |
| 1040 | Authentication Failure | Audit | 3 | 19812 | User Logon Failure : Bad Password | 1 | 0 | Unknown | 1 | Primary Site | 1 | Primary Site | win-jsbol5ercqa.lab |  | win-jsbol5ercqa.lab | Unknown | messageId | 2019-06-20 05:27:03 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA MS Security Log | 1000030 | MS Windows Event Logging - Security | administrator | 20384578-60c1-4828-bdea-68cdc202d719 | 1 | 1060400 | EVID 4625 : User Logon Type 3: Wrong Password | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | NtLmSsp | 0xC000006A | 1 | Primary Site | -1 | 0 | Unknown | 0x0 | 3 | -1 | Unknown user name or bad password | 1 | Primary Site | 1 | 211154 | 0x0 | Information | 0xC000006D | Unknown user name or bad password | An account failed to log on | 4625 |
| 1040 | Authentication Failure | Audit | 3 | 19812 | User Logon Failure : Bad Password | 1 | 0 | Unknown | 1 | Primary Site | 1 | Primary Site | win-jsbol5ercqa.lab |  | win-jsbol5ercqa.lab | Unknown | messageId | 2019-06-20 05:27:03 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA MS Security Log | 1000030 | MS Windows Event Logging - Security | administrator | dd2c2251-ede1-4559-916b-0422ea8c0f9e | 1 | 1060400 | EVID 4625 : User Logon Type 3: Wrong Password | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | NtLmSsp | 0xC000006A | 1 | Primary Site | -1 | 0 | Unknown | 0x0 | 3 | -1 | Unknown user name or bad password | 1 | Primary Site | 1 | 211153 | 0x0 | Information | 0xC000006D | Unknown user name or bad password | An account failed to log on | 4625 |
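The five events above are what a password-guessing attempt looks like in LogRhythm alarm data: EVID 4625 for the same account (administrator) against the same host, all in the same second with consecutive sequence numbers, NTLM (NtLmSsp), logon type 3, sub-status 0xC000006A. The script below is an added example, not code from the LogRhythmRest integration or from LogRhythm, of detection logic an XSOAR automation could run over such alarm events once they are in context: it groups 4625 records by account and target host, looks for bursts inside a sliding window, and decodes the logon type and sub-status for the analyst. Assumptions: the mapping of LogRhythm fields to 4625 fields (command = logon type, object = authentication package, objectName = sub-status) is inferred from the sample records and should be checked against your MPE rules; the sub-status and logon-type tables are Microsoft's documented 4625 values and go beyond the two codes on this page; the sample input is constructed from the five events shown plus one invented failure for a second account.

```python
"""Burst detection over LogRhythm alarm events shaped like the ones on this page.

Added example, not part of the LogRhythmRest integration. Field semantics
(command = logon type, object = auth package, objectName = sub-status) are
inferred from the sample 4625 records and are an assumption to verify.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known Windows 4625 sub-status codes (Microsoft documentation). Only
# 0xC000006A and 0xC000006D appear on this page; the rest are added here.
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "wrong password",
    "0xC000006D": "bad user name or authentication information",
    "0xC000006E": "account restriction",
    "0xC000006F": "logon outside allowed hours",
    "0xC0000070": "workstation restriction",
    "0xC0000071": "password expired",
    "0xC0000072": "account disabled",
    "0xC0000193": "account expired",
    "0xC0000234": "account locked out",
}
# Windows logon types as used in the 4625 "Logon Type" field.
LOGON_TYPE = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
              "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
              "10": "RemoteInteractive", "11": "CachedInteractive"}


def is_failed_logon(ev):
    """Only Security-log EVID 4625 records are considered."""
    return str(ev.get("vendorMessageId")) == "4625"


def parse_normal_date(s):
    # normalDate format as shown on this page: "2019-06-20 12:27:03"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Group 4625 events by (login, impactedHost) and return one finding per
    group whose densest sliding window holds at least `threshold` failures."""
    by_key = defaultdict(list)
    for ev in events:
        if is_failed_logon(ev):
            key = (ev.get("login", "").lower(), ev.get("impactedHost", "").lower())
            by_key[key].append(ev)

    bursts = []
    for (login, host), evs in by_key.items():
        # Sort by time, then by LogRhythm sequence number for same-second events.
        evs.sort(key=lambda e: (parse_normal_date(e["normalDate"]),
                                int(e.get("sequenceNumber", 0))))
        times = [parse_normal_date(e["normalDate"]) for e in evs]
        start, best = 0, None
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best["count"]):
                win = evs[start:end + 1]
                best = {
                    "login": login, "host": host, "count": n,
                    "first": times[start], "last": times[end],
                    "logon_types": sorted({LOGON_TYPE.get(str(e.get("command")), "unknown")
                                           for e in win}),
                    "auth_packages": sorted({e.get("object", "") for e in win}),
                    "sub_status": sorted({SUB_STATUS.get(e.get("objectName", ""),
                                                         e.get("objectName", ""))
                                          for e in win}),
                    "message_ids": [e["messageId"] for e in win],
                }
        if best:
            bursts.append(best)
    return bursts


def sample_events():
    """Constructed input: the five records copy the page's events (values as
    shown above); the sixth is an invented single failure for another account."""
    base = {"vendorMessageId": "4625", "login": "administrator",
            "impactedHost": "win-jsbol5ercqa.lab", "command": "3",
            "object": "NtLmSsp", "objectName": "0xC000006A",
            "status": "0xC000006D", "normalDate": "2019-06-20 12:27:03"}
    ids = ["1e28712d-4af4-4e82-9403-a2ebfda82f2d", "ec975fad-44fd-42cd-be8e-1573742c6d7a",
           "21318d09-2b01-4b88-8b18-efc48c597e1f", "20384578-60c1-4828-bdea-68cdc202d719",
           "dd2c2251-ede1-4559-916b-0422ea8c0f9e"]
    events = [dict(base, messageId=m, sequenceNumber=211157 - i) for i, m in enumerate(ids)]
    events.append(dict(base, login="svc-backup", messageId="constructed-0001",
                       sequenceNumber=211200, normalDate="2019-06-20 12:40:00",
                       objectName="0xC0000072"))  # invented record, not from the page
    return events


if __name__ == "__main__":
    for burst in find_bursts(sample_events()):
        print(burst)
```

With the page's five events the administrator group is reported as a single burst of five wrong-password NTLM network logons in one second, while the single constructed failure for the second account stays below the threshold. Tune `window` and `threshold` to your environment, and note that these records carry no origin host (originHostId is -1), so grouping by source address is not possible from this alarm alone.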

lr-get-case-evidence#


Retrieves the evidence items (alarms, notes, logs, files) attached to a specific case ID.

Base Command#

lr-get-case-evidence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | The case ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Search.Evidence.status | String | Evidence status. |
| Logrhythm.Search.Evidence.text | String | Evidence text. |
| Logrhythm.Search.Evidence.number | Number | Evidence ID. |
| Logrhythm.Search.Evidence.dateCreated | Date | Date the evidence was created. |
| Logrhythm.Search.Evidence.pinned | Boolean | Whether the evidence is pinned. |
| Logrhythm.Search.Evidence.lastUpdatedBy.name | String | The name of the person who last updated the evidence. |
| Logrhythm.Search.Evidence.createdBy.name | String | The name of the person who created the evidence. |
| Logrhythm.Search.Evidence.dateUpdated | Date | The date the evidence was last updated. |
| Logrhythm.Search.Evidence.type | String | Evidence type. |

Note: the Context Example below shows the same fields under Logrhythm.Evidence rather than Logrhythm.Search.Evidence. Before hard-coding either path in a playbook, run the command once and inspect the context to confirm which path your instance populates.

Command Example#

!lr-get-case-evidence case_id=12345

Context Example#

{
"Logrhythm": {
"Evidence": {
"alarm": {
"alarmDate": "2019-04-15T00:02:52.847Z",
"alarmId": 190,
"alarmRuleId": 1098,
"alarmRuleName": "LogRhythm Data Indexer Max Index Exceeded",
"dateInserted": "2019-04-15T00:02:52.86Z",
"entityId": 1,
"entityName": "Primary Site",
"riskBasedPriorityMax": 37
},
"createdBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"dateCreated": "2019-04-15T21:41:34.61Z",
"datePinned": null,
"dateUpdated": "2019-04-15T21:41:34.61Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"number": 3,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
}
}
}

Human Readable Output#

Evidences for case FD05A0D9-6749-45F7-BB5D-596FBA68E731#

| Alarm | Createdby | Datecreated | Datepinned | Dateupdated | Lastupdatedby | Number | Pinned | Status | Statusmessage | Text | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| alarmDate: 2019-04-15T00:02:52.847Z<br>dateInserted: 2019-04-15T00:02:52.86Z<br>alarmRuleId: 1098<br>entityName: Primary Site<br>alarmId: 190<br>riskBasedPriorityMax: 37<br>entityId: 1<br>alarmRuleName: LogRhythm Data Indexer Max Index Exceeded | disabled: false<br>number: -100<br>name: LogRhythm Administrator | 2019-04-15T21:41:34.61Z |  | 2019-04-15T21:41:34.61Z | disabled: false<br>number: -100<br>name: LogRhythm Administrator | 3 | false | completed |  |  | alarm |
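The evidence record above is an alarm-type item with several null fields (datePinned, statusMessage) and a timestamp with a two-digit fraction (2019-04-15T21:41:34.61Z), and the page shows the evidence list under two different context paths. The following is an added example, not code from the LogRhythmRest integration, of how an XSOAR automation could read lr-get-case-evidence results out of context robustly and rank them for an analyst: it accepts either documented path, tolerates the nulls, parses the LogRhythm timestamp format without relying on Python 3.11's datetime.fromisoformat, and orders pinned items first, then alarm evidence by risk-based priority, then the rest newest first. Assumptions: the alarm item in the sample context is copied from the Context Example above; the second, note-type item and its field values are invented for illustration.

```python
"""Read lr-get-case-evidence results from XSOAR context and rank them.

Added example, not part of the LogRhythmRest integration. It accepts the
evidence list under either context path this page shows and tolerates the
null fields visible in the page's Context Example.
"""
from datetime import datetime, timezone

# Both paths appear on this page: the Context Output table documents the first,
# the Context Example shows the second.
EVIDENCE_PATHS = ("Logrhythm.Search.Evidence", "Logrhythm.Evidence")


def get_path(ctx, dotted):
    """Walk a dotted path through nested dicts; None when any hop is missing."""
    cur = ctx
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def load_evidence(ctx):
    """Return the evidence items as a list, whichever documented path holds them."""
    for path in EVIDENCE_PATHS:
        found = get_path(ctx, path)
        if found is not None:
            return found if isinstance(found, list) else [found]
    return []


def parse_lr_time(s):
    """LogRhythm case timestamps look like 2019-04-15T21:41:34.61Z (UTC, fraction of
    variable length). Normalise the fraction to six digits and use strptime so the
    parse does not depend on datetime.fromisoformat's Python 3.11+ behaviour."""
    if not s:
        return None
    body, _, frac = s.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]
    return datetime.strptime(f"{body}.{micro}", "%Y-%m-%dT%H:%M:%S.%f").replace(
        tzinfo=timezone.utc)


def summarize(item):
    """Flatten one evidence record into the fields an analyst triages on."""
    alarm = item.get("alarm") or {}          # None for non-alarm evidence
    return {
        "number": item.get("number"),
        "type": item.get("type"),
        "status": item.get("status"),
        "pinned": bool(item.get("pinned")),
        "created": parse_lr_time(item.get("dateCreated")),
        "updated": parse_lr_time(item.get("dateUpdated")),
        "created_by": (item.get("createdBy") or {}).get("name"),
        "updated_by": (item.get("lastUpdatedBy") or {}).get("name"),
        "text": item.get("text") or "",
        "alarm_id": alarm.get("alarmId"),
        "alarm_rule": alarm.get("alarmRuleName"),
        "rbp": alarm.get("riskBasedPriorityMax"),
    }


def rank_evidence(ctx):
    """Pinned items first, then by descending risk-based priority (alarm evidence
    only carries one), then newest first."""
    rows = [summarize(i) for i in load_evidence(ctx)]
    rows.sort(key=lambda r: (not r["pinned"], -(r["rbp"] or 0),
                             -(r["created"].timestamp() if r["created"] else 0)))
    return rows


def sample_context():
    """Constructed context. The alarm item copies the page's Context Example; the
    note item is invented for illustration."""
    alarm_item = {
        "alarm": {"alarmDate": "2019-04-15T00:02:52.847Z", "alarmId": 190,
                  "alarmRuleId": 1098,
                  "alarmRuleName": "LogRhythm Data Indexer Max Index Exceeded",
                  "dateInserted": "2019-04-15T00:02:52.86Z", "entityId": 1,
                  "entityName": "Primary Site", "riskBasedPriorityMax": 37},
        "createdBy": {"disabled": False, "name": "LogRhythm Administrator", "number": -100},
        "dateCreated": "2019-04-15T21:41:34.61Z", "datePinned": None,
        "dateUpdated": "2019-04-15T21:41:34.61Z",
        "lastUpdatedBy": {"disabled": False, "name": "LogRhythm Administrator", "number": -100},
        "number": 3, "pinned": False, "status": "completed", "statusMessage": None,
        "text": "", "type": "alarm",
    }
    note_item = {  # invented
        "alarm": None, "createdBy": {"name": "analyst"}, "lastUpdatedBy": {"name": "analyst"},
        "dateCreated": "2019-04-16T09:00:00Z", "datePinned": "2019-04-16T09:05:00Z",
        "dateUpdated": "2019-04-16T09:00:00Z", "number": 4, "pinned": True,
        "status": "completed", "statusMessage": None,
        "text": "Indexer volume near capacity; change ticket opened.", "type": "note",
    }
    return {"Logrhythm": {"Evidence": [alarm_item, note_item]}}


if __name__ == "__main__":
    for row in rank_evidence(sample_context()):
        print(row["number"], row["type"], row["pinned"], row["rbp"], row["alarm_rule"])
```

The path lookup is the part worth keeping even if you drop the ranking: a playbook task that reads only Logrhythm.Search.Evidence will silently get nothing if the instance writes Logrhythm.Evidence, and vice versa.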

lr-execute-search-query#


Executes a search query against the LogRhythm log database.

Base Command#

lr-execute-search-query

Input#

Argument NameDescriptionRequired
number_of_daysNumber of days to search.Required
source_typeLog source type. Possible values are: API-_AWS_CloudTrail, API-AWS_CloudWatch_Alarm, API-AWS_Config_Event, API-AWS_S3_Flat_File, API-AWS_S3_Server_Access_Event, API-BeyondTrust_Retina_Vulnerability_Management, API-Box_Event, API-Cisco_IDS/IPS, API-Cradlepoint_ECM, API-IP360_Vulnerability_Scanner, API-Metasploit_Penetration_Scanner, API-Nessus_Vulnerability_Scanner, API-NetApp_CIFS_Security_Audit_Event_Log, API-NeXpose_Vulnerability_Scanner, API-Office_365_Management_Activity, API-Office_365_Message_Tracking, API-Okta_Event, API-Qualys_Vulnerability_Scanner, API-Salesforce_EventLogFile, API-Sourcefire_eStreamer, API-Tenable_SecurityCenter, API-Tenable.io_Scanner, Flat_File-ActivIdentity_CMS, Flat_File-Airwatch_MDM, Flat_File-Alfresco, Flat_File-AllScripts, Flat_File-Apache_Access_Log, Flat_File-Apache_Error_Log, Flat_File-Apache_SSL_Access_Log, Flat_File-Apache_SSL_Error_Log, Flat_File-Apache_Tomcat_Access_Log, Flat_File-Apache_Tomcat_Console_Log, Flat_File-Avaya_Secure_Access_Link_Remote_Access_Log, Flat_File-Avaya_Voice_Mail_Log, Flat_File-Axway_SFTP, Flat_File-Beacon_Endpoint_Profiler, Flat_File-Bind_9, Flat_File-BlackBerry_Enterprise_Server, Flat_File-Blue_Coat_Proxy_BCREPORTERMAIN_Format, Flat_File-Blue_Coat_Proxy_CSV_Format, Flat_File-Blue_Coat_Proxy_SQUID-1_Format, Flat_File-Blue_Coat_Proxy_W3C_Format, Flat_File-Bro_IDS_Critical_Stack_Intel_Log, Flat_File-Broadcom_SiteMinder, Flat_File-CA_ACF2_for_z/OS-ACFRPTDS, Flat_File-CA_ACF2_for_z/OS-ACFRPTEL, Flat_File-CA_ACF2_for_z/OS-ACFRPTJL, Flat_File-CA_ACF2_for_z/OS-ACFRPTLL, Flat_File-CA_ACF2_for_z/OS-ACFRPTNV, Flat_File-CA_ACF2_for_z/OS-ACFRPTOM, Flat_File-CA_ACF2_for_z/OS-ACFRPTPW, Flat_File-CA_ACF2_for_z/OS-ACFRPTRL, Flat_File-CA_ACF2_for_z/OS-ACFRPTRV, Flat_File-CA_ControlMinder, Flat_File-Cerberus_FTP_Server, Flat_File-Cerner, Flat_File-Cisco_AMP_for_Endpoints, Flat_File-Cisco_Email_Security_Appliance, Flat_File-Cisco_LMS(cwcli), FlatFile-Cisco_LMS(Syslog), FlatFile-Cisco_NGFW, 
Flat_File-Cisco_Secure_ACS_CSV_File, Flat_File-Cisco_Security_Agent, Flat_File-Cisco_Umbrella_DNS, Flat_File-Cisco_Web_Security_aclog, Flat_File-Citrix_Access_Gateway_IIS_Format, Flat_File-Citrix_Access_Gateway_NCSA_Common_Format, Flat_File-Citrix_Access_Gateway_W3C_Format, Flat_File-Citrix_Presentation_Server, Flat_File-Citrix_Secure_Gateway, Flat_File-ClamAV_Anti-Virus, Flat_File-ColdFusion_Application_Log, Flat_File-ColdFusion_Exception_Log, Flat_File-ColdFusion_Mail_Log, Flat_File-ColdFusion_Mailsent_Log, Flat_File-ColdFusion_Server_Log, Flat_File-Cornerstone_Managed_File_Transfer, Flat_File-Coyote_Point_Equalizer, Flat_File-DB2_Audit_Log, Flat_File-DB2_via_BMC_Log_Master, Flat_File-Defender_Server, Flat_File-DocWorks, Flat_File-eClinicalWorks_Audit_Log, Flat_File-EMC_Isilon, Flat_File-Epicor_Coalition, Flat_File-FairWarning_Ready-For-Healthcare, Flat_File-FileZilla_System_Log, Flat_File-FireEye_Web_MPS, Flat_File-Forcepoint_Web_Security_CEF_Cloud_Format, Flat_File-Forescout_CounterACT, Flat_File-FoxT_BoKS_Server_Access_Control, Flat_File-FundsXpress, Flat_File-Gene6_FTP, Flat_File-GlobalSCAPE_EFT, Flat_File-Hadoop, Flat_File-HMC, Flat_File-HP-UX_Audit_Log, Flat_File-IBM_4690_POS, Flat_File-IBM_Informix_Application_Log, Flat_File-IBM_Informix_Audit_Log, Flat_File-IBM_Tivoli_Storage_Manager, Flat_File-IBM_WebSphere_App_Server_v7_Audit_Log, Flat_File-IBM_WebSphere_Cast_Iron_Cloud_Integration, Flat_File-IBM_ZOS_Batch_Decryption_Log, Flat_File-IBM_ZOS_CICS_Decryption_Log, Flat_File-IBM_ZOS_RACF_Access_Log, Flat_File-IBM_ZOS_RACF_SMF_Type_80, Flat_File-IPSwitch_WS_FTP, Flat_File-Irix_Audit_Logs, Flat_File-IT-CUBE_AgileSI, Flat_File-JBoss_Log_File, Flat_File-Juniper_Steel_Belted_Radius_Server, Flat_File-Kerio_Mail_Server, Flat_File-KERISYS_Doors_Event_Export_Format, Flat_File-Kippo_Honeypot, Flat_File-Linux_Audit_ASCII, Flat_File-Linux_Audit_Log, Flat_File-Linux_Host_Secure_Log, Flat_File-LOGbinder_EX, Flat_File-LogRhythm_Alarm_Reingest, 
Flat_File-LogRhythm_Data_Indexer_Monitor, Flat_File-LogRhythm_Oracle_Log, Flat_File-LogRhythm_System_Monitor, Flat_File-LogRhythm_System_Monitor_Log_File, Flat_File-LogRhythm_Trebek_Log, Flat_File-LogRhythm_Zeus_Log, Flat_File-Lotus_Domino_Client_Log, Flat_File-McAfee_Cloud_Proxy_do_not_use, Flat_File-McAfee_ePO_HIPS, Flat_File-McAfee_Foundstone, Flat_File-McAfee_Proxy_Cloud, Flat_File-McAfee_SaaS_Web_Protection, Flat_File-McAfee_Web_Gateway_Audit_Log, Flat_File-Merak, Flat_File-Meridian, Flat_File-Microsoft_ActiveSync_2010, Flat_File-Microsoft_CRM, Flat_File-Microsoft_DHCP_Server_Log, Flat_File-Microsoft_Forefront_TMG, Flat_File-Microsoft_Forefront_TMG_Web_Proxy, Flat_File-Microsoft_IIS(IISFormat)_File, Flat_File-Microsoft_IIS_7.x_W3C_Extended_Format, Flat_File-Microsoft_IIS_Error_Log_V6, Flat_File-Microsoft_IIS_FTP_IIS_Log_File_Format, Flat_File-Microsoft_IIS_FTP_W3C_Extended_Format, Flat_File-Microsoft_IIS_NCSA_Common_Format_File, Flat_File-Microsoft_IIS_SMTP_W3C_Format, Flat_File-Microsoft_IIS_URL_Scan_Log, Flat_File-Microsoft_IIS_W3C_File, Flat_File-Microsoft_ISA_Server_2004, Flat_File-Microsoft_ISA_Server_W3C_File, Flat_File-Microsoft_Netlogon, Flat_File-Microsoft_Port_Reporter_PR-PORTS_Log, Flat_File-Microsoft_Semantic_Logging, Flat_File-Microsoft_SQL_Server_2000_Error_Log, Flat_File-Microsoft_SQL_Server_2005_Error_Log, Flat_File-Microsoft_SQL_Server_2008_Error_Log, Flat_File-Microsoft_SQL_Server_2012_Error_Log, Flat_File-Microsoft_SQL_Server_2014_Error_Log, Flat_File-Microsoft_Windows_2003_DNS, Flat_File-Microsoft_Windows_2008_DNS, Flat_File-Microsoft_Windows_2012_DNS, Flat_File-Microsoft_Windows_Firewall, Flat_File-MicroStrategy, Flat_File-Mimecast_Audit, Flat_File-Mimecast_Email, Flat_File-Monetra, Flat_File-MongoDB, Flat_File-MS_Exchange_2003_Message_Tracking_Log, Flat_File-MS_Exchange_2007_Message_Tracking_Log, Flat_File-MS_Exchange_2010_Message_Tracking_Log, Flat_File-MS_Exchange_2013_Message_Tracking_Log, 
Flat_File-MS_Exchange_2016_Message_Tracking_Log, Flat_File-MS_Exchange_RPC_Client_Access, Flat_File-MS_IAS/RAS_Server_NPS_DB_Log_Format, Flat_File-MS_IAS/RAS_Server_Standard_Log_Format, Flat_File-MS_ISA_Server_2006_ISA_All_Fields, Flat_File-MS_ISA_Server_2006_W3C_All_Fields, Flat_File-MS_SQL_Server_Reporting_Services_2008, Flat_File-MySQL, Flat_File-MySQL_error.log, Flat_File-MySQL_mysql.log, Flat_File-MySQL_mysql-slow.log, Flat_File-Nessus_System_Log, Flat_File-NetApp_Cluster, Flat_File-Nginx_Log, Flat_File-Novell_Audit, Flat_File-Novell_GroupWise, Flat_File-Novell_LDAP, Flat_File-ObserveIT_Enterprise, Flat_File-Office_365_Message_Tracking, Flat_File-OpenDJ, Flat_File-OpenVMS, Flat_File-OpenVPN, Flat_File-Oracle_11g_Fine_Grained_Audit_Trail, Flat_File-Oracle_9i, Flat_File-Oracle_BRM_CM_Log, Flat_File-Oracle_BRM_DM_Log, Flat_File-Oracle_Listener_Audit_Trail, Flat_File-Oracle_SunOne_Directory_Server, Flat_File-Oracle_SunOne_Web_Server_Access_Log, Flat_File-Oracle_Virtual_Directory, Flat_File-Oracle_WebLogic_11g_Access_Log, Flat_File-Other, Flat_File-PeopleSoft, Flat_File-PhpMyAdmin_Honeypot, Flat_File-Postfix, Flat_File-PowerBroker_Servers, Flat_File-Princeton_Card_Secure, Flat_File-ProFTPD, Flat_File-PureMessage_For_Exchange_SMTP_Log, Flat_File-PureMessage_For_UNIX_Blocklist_Log, Flat_File-PureMessage_For_UNIX_Message_Log, Flat_File-RACF(SMF), FlatFile-Radmin, Flat_File-Restic_Backup_Log, Flat_File-RL_Patient_Feedback, Flat_File-RSA_Adaptive_Authentication, Flat_File-RSA_Authentication_Manager_6.1, Flat_File-S2_Badge_Reader, Flat_File-Safenet, Flat_File-Sendmail_File, Flat_File-Sharepoint_ULS, Flat_File-ShoreTel_VOIP, Flat_File-Siemens_Radiology_Information_System, Flat_File-Snort_Fast_Alert_File, Flat_File-Solaris-Sulog, Flat_File-Solaris_Audit_Log, Flat_File-SpamAssassin, Flat_File-Squid_Proxy, Flat_File-Subversion, Flat_File-Sudo.Log, Flat_File-Swift_Alliance, Flat_File-Symantec_Antivirus_10.x_Corporate_Edtn, Flat_File-Symantec_Antivirus_12.x_Corporate_Edtn, 
Flat_File-Symitar_Episys_Console_Log, Flat_File-Symitar_Episys_Sysevent_Log, Flat_File-Tandem_EMSOUT_Log_File, Flat_File-Tandem_XYGATE, Flat_File-Tectia_SSH_Server, Flat_File-Trade_Innovations_CSCS, Flat_File-Trend_Micro_IMSS, Flat_File-Trend_Micro_Office_Scan, Flat_File-Tumbleweed_Mailgate_Server, Flat_File-Verint_Audit_Trail_File, Flat_File-VMWare_Virtual_Machine, Flat_File-Voltage_Securemail, Flat_File-Vormetric_Log_File, Flat_File-vsFTP_Daemon_Log, Flat_File-Vyatta_Firewall_Kernel_Log, Flat_File-WordPot_Honeypot, Flat_File-X-NetStat_Log, Flat_File-XPient_POS_CCA_Manager, Flat_File-XPIENT_POS_POSLOG, Flat_File-XPIENT_POS_Shell_Log, IPFIX-IP_Flow_Information_Export, J-Flow-Juniper_J-Flow_Version_5, J-Flow-Juniper_J-Flow_Version_9, LogRhythm_CloudAI, LogRhythm_Data_Loss_Defender, LogRhythm_Demo_File-Application_Server_Log, LogRhythm_Demo_File-Content_Inspection_Log, LogRhythm_Demo_File-Database_Audit_Log, LogRhythm_Demo_File-Ecom_Server_Log, LogRhythm_Demo_File-File_Server_Log, LogRhythm_Demo_File-Firewall_Log, LogRhythm_Demo_File-FTP_Log, LogRhythm_Demo_File-IDS_Alarms_Log, LogRhythm_Demo_File-Mail_Server_Log, LogRhythm_Demo_File-Netflow_Log, LogRhythm_Demo_File-Network_Device_Log, LogRhythm_Demo_File-Network_Server_Log, LogRhythm_Demo_File-VPN_Log, LogRhythm_Demo_File-Web_Access_Log, LogRhythm_File_Monitor(AIX), LogRhythmFile_Monitor(HP-UX), LogRhythmFile_Monitor(Linux), LogRhythmFile_Monitor(Solaris), LogRhythmFile_Monitor(Windows), LogRhythmFilter, LogRhythm_Network_Connection_Monitor(AIX), LogRhythmNetwork_Connection_Monitor(HP-UX), LogRhythmNetwork_Connection_Monitor(Linux), LogRhythmNetwork_Connection_Monitor(Solaris), LogRhythmNetwork_Connection_Monitor(Windows), LogRhythmProcess_Monitor(AIX), LogRhythmProcess_Monitor(HP-UX), LogRhythmProcess_Monitor(Linux), LogRhythmProcess_Monitor(Solaris), LogRhythmProcess_Monitor(Windows), LogRhythmRegistry_Integrity_Monitor, LogRhythm_SQL_Server_2000_C2_Audit_Log, LogRhythm_SQL_Server_2005_C2_Audit_Log, 
LogRhythm_SQL_Server_2008_C2_Audit_Log, LogRhythm_SQL_Server_2012+_C2_Audit_Log, LogRhythm_User_Activity_Monitor(AIX), LogRhythmUser_Activity_Monitor(HP-UX), LogRhythmUser_Activity_Monitor(Linux), LogRhythmUser_Activity_Monitor(Solaris), LogRhythmUser_Activity_Monitor(Windows), MSEvent_Log_for_XP/2000/2003-Application, MS_Event_Log_for_XP/2000/2003-Application-Espaniol, MS_Event_Log_for_XP/2000/2003-BioPassword, MS_Event_Log_for_XP/2000/2003-DFS, MS_Event_Log_for_XP/2000/2003-Directory_Service, MS_Event_Log_for_XP/2000/2003-DNS, MS_Event_Log_for_XP/2000/2003-DotDefender, MS_Event_Log_for_XP/2000/2003-EMC_Celerra_NAS, MS_Event_Log_for_XP/2000/2003-File_Rep_Service, MS_Event_Log_for_XP/2000/2003-HA, MS_Event_Log_for_XP/2000/2003-Kaspersky, MS_Event_Log_for_XP/2000/2003-Micros_POS, MS_Event_Log_for_XP/2000/2003-PatchLink, MS_Event_Log_for_XP/2000/2003-SafeWord_2008, MS_Event_Log_for_XP/2000/2003-SCE, MS_Event_Log_for_XP/2000/2003-Security, MS_Event_Log_for_XP/2000/2003-Security-Espaniol, MS_Event_Log_for_XP/2000/2003-SMS_2003, MS_Event_Log_for_XP/2000/2003-System, MS_Event_Log_for_XP/2000/2003-System-Espaniol, MS_Event_Log_for_XP/2000/2003-Virtual_Server, MS_Windows_Event_Logging-ADFS_Admin, MS_Windows_Event_Logging-Application, MS_Windows_Event_Logging-AppLockerApp, MS_Windows_Event_Logging-Backup, MS_Windows_Event_Logging-Citrix_Delivery_Services, MS_Windows_Event_Logging-Citrix_XenApp, MS_Windows_Event_Logging-DFS, MS_Windows_Event_Logging-DHCP_Admin, MS_Windows_Event_Logging-DHCP_Operational, MS_Windows_Event_Logging-Diagnosis-PLA, MS_Windows_Event_Logging-Digital_Persona, MS_Windows_Event_Logging-Dir_Service, MS_Windows_Event_Logging-DNS, MS_Windows_Event_Logging-Dot_Defender, MS_Windows_Event_Logging-ESD_Data_Flow_Track, MS_Windows_Event_Logging-Exchange_Mailbox_DB_Failures, MS_Windows_Event_Logging-FailoverClustering/Operational, MS_Windows_Event_Logging-Firewall_With_Advanced_Security, MS_Windows_Event_Logging-Forefront_AV, 
MS_Windows_Event_Logging-Group_Policy_Operational, MS_Windows_Event_Logging-Hyper-V_Hvisor, MS_Windows_Event_Logging-Hyper-V_IMS, MS_Windows_Event_Logging-Hyper-V_Network, MS_Windows_Event_Logging-Hyper-V_SynthSt, MS_Windows_Event_Logging-Hyper-V_VMMS, MS_Windows_Event_Logging-Hyper-V_Worker, MS_Windows_Event_Logging-Kaspersky, MS_Windows_Event_Logging-Kernel_PnP_Configuration, MS_Windows_Event_Logging-Lync_Server, MS_Windows_Event_Logging-MSExchange_Management, MS_Windows_Event_Logging-Operations_Manager, MS_Windows_Event_Logging-PowerShell, MS_Windows_Event_Logging-Print_Services, MS_Windows_Event_Logging-Quest_ActiveRoles_EDM_Server, MS_Windows_Event_Logging-Replication, MS_Windows_Event_Logging-SafeWord_2008, MS_Windows_Event_Logging-Security, MS_Windows_Event_Logging-Setup, MS_Windows_Event_Logging-Sysmon, MS_Windows_Event_Logging-System, MS_Windows_Event_Logging-Task_Scheduler, MS_Windows_Event_Logging-TS_Gateway, MS_Windows_Event_Logging-TS_Licensing, MS_Windows_Event_Logging-TS_Local_Session_Manager, MS_Windows_Event_Logging-TS_Remote_Connection_Manager, MS_Windows_Event_Logging-TS_Session_Broker, MS_Windows_Event_Logging-TS_Session_Broker_Client, MS_Windows_Event_Logging-VisualSVN, MS_Windows_Event_Logging:Deutsch-Security, MS_Windows_Event_Logging:Espaniol-Application, MS_Windows_Event_Logging:Espaniol-Security, MS_Windows_Event_Logging:Espaniol-System, MS_Windows_Event_Logging:Francais-System, MS_Windows_Event_Logging:Francais-Security, MS_Windows_Event_Logging_XML-ADFS, MS_Windows_Event_Logging_XML-Application, MS_Windows_Event_Logging_XML-Forwarded_Events, MS_Windows_Event_Logging_XML-Generic, MS_Windows_Event_Logging_XML-Microsoft-Windows-NTLM/Operational, MS_Windows_Event_Logging_XML-Security, MS_Windows_Event_Logging_XML-Sysmon, MS_Windows_Event_Logging_XML-Sysmon_7.01, MS_Windows_Event_Logging_XML-Sysmon_8/9/10, MS_Windows_Event_Logging_XML-System, MS_Windows_Event_Logging_XML-Unisys_Stealth, MS_Windows_Event_Logging_XML-Windows_Defender, 
Netflow-Cisco_Netflow_Version_1, Netflow-Cisco_Netflow_Version_5, Netflow-Cisco_Netflow_Version_9, Netflow-Palo_Alto_Version_9, Netflow-SonicWALL_Version_5, Netflow-SonicWALL_Version_9, OPSEC_LEA-Checkpoint_Firewall, OPSEC_LEA-Checkpoint_Firewall_Audit_Log, OPSEC_LEA-Checkpoint_For_LR_7.4.1+, OPSEC_LEA-Checkpoint_Log_Server, sFlow-Version_5, SNMP_Trap-Audiolog, SNMP_Trap-Autoregistered, SNMP_Trap-Brocade_Switch, SNMP_Trap-Cisco_5508_Wireless_Controller, SNMP_Trap-Cisco_IP_SLA, SNMP_Trap-Cisco_Prime, SNMP_Trap-Cisco_Router-Switch, SNMP_Trap-CyberArk, SNMP_Trap-Dell_OpenManage, SNMP_Trap-HP_Network_Node_Manager, SNMP_Trap-IBM_TS3000_Series_Tape_Drive, SNMP_Trap-Riverbed_SteelCentral_NetShark, SNMP_Trap-RSA_Authentication_Manager, SNMP_Trap-Swift_Alliance, SNMP_Trap-Trend_Micro_Control_Manager, Syslog-3Com_Switch, Syslog-A10_Networks_AX1000_Load_Balancer, Syslog-A10_Networks_Web_Application_Firewall, Syslog-Accellion_Secure_File_Transfer_Application, Syslog-Active_Scout_IPS, Syslog-Adallom, Syslog-Adtran_Switch, Syslog-Aerohive_Access_Point, Syslog-Aerohive_Firewall, Syslog-AIMIA_Tomcat, Syslog-AirDefense_Enterprise, Syslog-Airmagnet_Wireless_IDS, Syslog-AirTight_IDS/IPS, Syslog-AirWatch_MDM, Syslog-Airwave_Management_System_Log, Syslog-AIX_Host, Syslog-Alcatel-Lucent_Switch, Syslog-Alcatel-Lucent_Wireless_Controller, Syslog-AlertLogic, Syslog-AMX_AV_Controller, Syslog-Apache_Access_Log, Syslog-Apache_Error_Log, Syslog-Apache_Tomcat_Request_Parameters, Syslog-Apache_Tomcat_Service_Clients_Log, Syslog-APC_ATS, Syslog-APC_NetBotz_Environmental_Monitoring, Syslog-APC_PDU, Syslog-APC_UPS, Syslog-Apcon_Network_Monitor, Syslog-Apex_One, Syslog-Arbor_Networks_Peakflow, Syslog-Arbor_Networks_Spectrum, Syslog-Arbor_Pravail_APS, Syslog-Arista_Switch, Syslog-Array_TMX_Load_Balancer, Syslog-Arris_CMTS, Syslog-Aruba_Clear_Pass, Syslog-Aruba_Mobility_Controller, Syslog-Aruba_Wireless_Access_Point, Syslog-AS/400_via_Powertech_Interact, Syslog-Asus_WRT_Router, 
Syslog-Avatier_Identity_Management_Suite(AIMS), Syslog-_Avaya_Communications_Manager, Syslog-Avaya_Ethernet_Routing_Switch, Syslog-Avaya_G450_Media_Gateway, Syslog-Avaya_Router, Syslog-Aventail_SSL/VPN, Syslog-Avocent_Cyclades_Terminal_Server, Syslog-Azul_Java_Appliance, Syslog-Barracuda_Load_Balancer, Syslog-Barracuda_Mail_Archiver, Syslog-Barracuda_NG_Firewall, Syslog-Barracuda_NG_Firewall_6.x, Syslog-Barracuda_Spam_Firewall, Syslog-Barracuda_Web_Application_Firewall, Syslog-Barracuda_Webfilter, Syslog-BeyondTrust_BeyondInsight_LEEF, Syslog-Bind_DNS, Syslog-Bit9_Parity_Suite, Syslog-Bit9_Security_Platform_CEF, Syslog-Bit9+Carbon_Black(Deprecated), Syslog-_BitDefender, Syslog-Black_Diamond_Switch, Syslog-Blue_Coat_CAS, Syslog-Blue_Coat_Forward_Proxy, Syslog-Blue_Coat_PacketShaper, Syslog-Blue_Coat_ProxyAV_ISA_W3C_Format, Syslog-Blue_Coat_ProxyAV_MS_Proxy_2.0_Format, Syslog-Blue_Coat_ProxySG, Syslog-Blue_Socket_Wireless_Controller, Syslog-Bluecat_Adonis, Syslog-BlueCedar, Syslog-BluVector, Syslog-Bomgar, Syslog-Bradford_Networks_NAC, Syslog-Bradford_Remediation&Registration_Svr, Syslog-Bro_IDS, Syslog-Brocade_Switch, Syslog-Bromium_vSentry_CEF, Syslog-BSD_Host, Syslog-CA_Privileged_Access_Manager, Syslog-Cb_Defense_CEF, Syslog-Cb_Protection_CEF, Syslog-Cb_Response_LEEF, Syslog-Cell_Relay, Syslog-Certes_Networks_CEP, Syslog-Check_Point_Log_Exporter, Syslog-Checkpoint_Site-to-Site_VPN, Syslog-Cisco_ACS, Syslog-Cisco_Aironet_WAP, Syslog-Cisco_APIC, Syslog-Cisco_Application_Control_Engine, Syslog-Cisco_ASA, Syslog-Cisco_Clean_Access(CCA)Appliance, Syslog-Cisco_CSS_Load_Balancer, Syslog-Cisco_Email_Security_Appliance, Syslog-Cisco_FirePOWER, Syslog-Cisco_Firepower_Threat_Defense, Syslog-Cisco_FireSIGHT, Syslog-Cisco_FWSM, Syslog-Cisco_Global_Site_Selector, Syslog-Cisco_ISE, Syslog-Cisco_Meraki, Syslog-Cisco_Nexus_Switch, Syslog-Cisco_PIX, Syslog-Cisco_Prime_Infrastructure, Syslog-Cisco_Router, Syslog-Cisco_Secure_ACS_5, Syslog-Cisco_Session_Border_Controller, 
Syslog-Cisco_Switch, Syslog-Cisco_Telepresence_Video_Communications_Server, Syslog-Cisco_UCS, Syslog-Cisco_Unified_Comm_Mgr(CallMgr), Syslog-Cisco_VPN_Concentrator, Syslog-Cisco_WAAS, Syslog-Cisco_Web_Security, Syslog-Cisco_Wireless_Access_Point, Syslog-Cisco_Wireless_Control_System, Syslog-CiscoWorks, Syslog-Citrix_Access_Gateway_Server, Syslog-Citrix_Netscaler, Syslog-Citrix_XenServer, Syslog-Claroty_CTD_CEF, Syslog-Clearswift_Secure_Email_Gateway, Syslog-CloudLock, Syslog-CodeGreen_Data_Loss_Prevention, Syslog-Cofense_Triage_CEF, Syslog-Consentry_NAC, Syslog-Corero_IPS, Syslog-Corero_SmartWall_DDoS, Syslog-CoyotePoint_Equalizer, Syslog-Crowdstrike_Falconhost_CEF, Syslog-CyberArk, Syslog-CyberArk_Privileged_Threat_Analytics, Syslog-Cylance_CEF, Syslog-CylancePROTECT, Syslog-DarkTrace_CEF, Syslog-Dell_Force_10, Syslog-Dell_PowerConnect_Switch, Syslog-Dell_Remote_Access_Controller, Syslog-Dell_SecureWorks_iSensor_IPS, Syslog-Dialogic_Media_Gateway, Syslog-Digital_Guardian_CEF, Syslog-D-Link_Switch, Syslog-Don_not_use, Syslog-Dragos_Platform_CEF, Syslog-Ecessa_ShieldLink, Syslog-EfficientIP, Syslog-EMC_Avamar, Syslog-EMC_Centera, Syslog-EMC_Data_Domain, Syslog-EMC_Isilon, Syslog-EMC_Unity_Array, Syslog-EMC_VNX, Syslog-Ensilo_NGAV, Syslog-Enterasys_Dragon_IDS, Syslog-Enterasys_Router, Syslog-Enterasys_Switch, Syslog-Entrust_Entelligence_Messaging_Server, Syslog-Entrust_IdentityGuard, Syslog-Epic_Hyperspace_CEF, Syslog-EqualLogic_SAN, Syslog-eSafe_Email_Security, Syslog-ESET_Remote_Administrator(ERA)LEEF, Syslog-Event_Reporter(Win2000/XP/2003), Syslog-Exabeam, Syslog-Exchange_Message_Tracking, Syslog-ExtraHop, Syslog-Extreme_Wireless_LAN, Syslog-ExtremeWare, Syslog-ExtremeXOS, Syslog-F5_BIG-IP_Access_Policy_Manager, Syslog-F5_BIG-IP_AFM, Syslog-F5_BIG-IP_ASM, Syslog-F5_BIG-IP_ASM_Key-Value_Pairs, Syslog-F5_BIG-IP_ASM_v12, Syslog-F5_Big-IP_GTM&DNS, Syslog-F5_Big-IP_LTM, Syslog-F5_FirePass_Firewall, Syslog-F5_Silverline_DDoS_Protection, 
Syslog-Fargo_HDP_Card_Printer_and_Encoder, Syslog-Fat_Pipe_Load_Balancer, Syslog-Fidelis_XPS, Syslog-FireEye_E-Mail_MPS, Syslog-FireEye_EX, Syslog-FireEye_Web_MPS/CMS/ETP/HX, Syslog-Forcepoint_DLP, Syslog-Forcepoint_Email_Security_Gateway, Syslog-Forcepoint_Stonesoft_NGFW, Syslog-Forcepoint_SureView_Insider_Threat, Syslog-Forcepoint_Web_Security, Syslog-Forcepoint_Web_Security_CEF_Format, Syslog-Forescout_CounterACT_NAC, Syslog-Fortinet_FortiAnalyzer, Syslog-Fortinet_FortiAuthenticator, Syslog-Fortinet_FortiDDoS, Syslog-Fortinet_FortiGate, Syslog-Fortinet_FortiGate_v4.0, Syslog-Fortinet_FortiGate_v5.0, Syslog-Fortinet_FortiGate_v5.2, Syslog-Fortinet_FortiGate_v5.4/v5.6, Syslog-Fortinet_FortiGate_v5.6_CEF, Syslog-Fortinet_Fortigate_v6.0, Syslog-Fortinet_FortiMail, Syslog-Fortinet_FortiWeb, Syslog-Foundry_Switch, Syslog-Gene6_FTP, Syslog-Generic_CEF, Syslog-Generic_ISC_DHCP, Syslog-Generic_LEEF, Syslog-Guardium_Database_Activity_Monitor, Syslog-H3C_Router, Syslog-Hitachi_Universal_Storage_Platform, Syslog-HP_BladeSystem, Syslog-HP_iLO, Syslog-HP_Procurve_Switch, Syslog-HP_Router, Syslog-HP_Switch, Syslog-HP_Unix_Tru64, Syslog-HP_Virtual_Connect_Switch, Syslog-HP-UX_Host, Syslog-Huawei_Access_Router, Syslog-IBM_Blade_Center, Syslog-IBM_Security_Network_Protection, Syslog-IBM_Virtual_Tape_Library_Server, Syslog-IBM_WebSphere_DataPower_Integration, Syslog-IBM_zSecure_Alert_for_ACF2_2.1.0, Syslog-IceWarp_Server, Syslog-Imperva_Incapsula_CEF, Syslog-Imperva_SecureSphere, Syslog-Imprivata_OneSign_SSO, Syslog-InfoBlox, Syslog-Invincea(LEEF), Syslog-_iPrism_Proxy_Log, Syslog-IPSWITCH_MOVEit_Server, Syslog-IPTables, Syslog-IRIX_Host, Syslog-iSeries_via_Powertech_Interact, Syslog-Ivanti_FileDirector, Syslog-JetNexus_Load_Balancer, Syslog-Juniper_DX_Application_Accelerator, Syslog-Juniper_Firewall, Syslog-Juniper_Firewall_3400, Syslog-Juniper_Host_Checker, Syslog-Juniper_IDP, Syslog-Juniper_NSM, Syslog-Juniper_Router, Syslog-Juniper_SSL_VPN, Syslog-Juniper_SSL_VPN_WELF_Format, 
Syslog-Juniper_Switch, Syslog-Juniper_Trapeze, Syslog-Juniper_vGW_Virtual_Gateway, Syslog-Kaspersky_Security_Center, Syslog-Kea_DHCP_Server, Syslog-Kemp_Load_Balancer, Syslog-KFSensor_Honeypot, Syslog-KFSensor_Honeypot_CEF, Syslog-Lancope_StealthWatch, Syslog-Lancope_StealthWatch_CEF, Syslog-Layer_7_SecureSpan_SOA_Gateway, Syslog-Legacy_Checkpoint_Firewall(NotLog_Exporter), Syslog-Legacy_Checkpoint_IPS(NotLog_Exporter), Syslog-Lieberman_Enterprise_Random_Password_Manager, Syslog-Linux_Audit, Syslog-Linux_Host, Syslog-Linux_TACACS_Plus, Syslog-LOGbinder_EX, Syslog-LOGbinder_SP, Syslog-LOGbinder_SQL, Syslog-LogRhythm_Data_Indexer_Monitor, Syslog-LogRhythm_Inter_Deployment_Data_Sharing, Syslog-LogRhythm_Log_Distribution_Services, Syslog-LogRhythm_Network_Monitor, Syslog-LogRhythm_Syslog_Generator, Syslog-Lumension, Syslog-MacOS_X, Syslog-Malwarebytes_Endpoint_Security_CEF, Syslog-Mandiant_MIR, Syslog-McAfee_Advanced_Threat_Defense, Syslog-McAfee_Email_And_Web_Security, Syslog-McAfee_ePO, Syslog-McAfee_Firewall_Enterprise, Syslog-McAfee_Network_Security_Manager, Syslog-McAfee_Secure_Internet_Gateway, Syslog-McAfee_SecureMail, Syslog-McAfee_Skyhigh_for_Shadow_IT_LEEF, Syslog-McAfee_Web_Gateway, Syslog-mGuard_Firewall, Syslog-Microsoft_Advanced_Threat_Analytics(ATA)CEF, Syslog-Microsoft_Azure_Log_Integration, Syslog-Microsoft_Azure_MFA, Syslog-Microsoft_Forefront_UAG, Syslog-Mirapoint, Syslog-MobileIron, Syslog-Motorola_Access_Point, Syslog-MS_IIS_Web_Log_W3C_Format(Snare), Syslog-_MS_Windows_Event_Logging_XML-Application, Syslog-MS_Windows_Event_Logging_XML-Security, Syslog-MS_Windows_Event_Logging_XML-System, Syslog-Nagios, Syslog-nCircle_Configuration_Compliance_Manager, Syslog-NetApp_Filer, Syslog-NETASQ_Firewall, Syslog-NetGate_Router, Syslog-NetMotion_VPN, Syslog-Netscout_nGenius_InfiniStream, Syslog-NetScreen_Firewall, Syslog-Netskope, Syslog-Netskope_CEF, Syslog-Network_Chemistry_RFprotect, Syslog-Nginx_Web_Log, Syslog-Nimble_Storage, Syslog-Nortel_8600_Switch, 
Syslog-Nortel_BayStack_Switch, Syslog-Nortel_Contivity, Syslog-Nortel_Firewall, Syslog-Nortel_IP_1220, Syslog-Nortel_Passport_Switch, Syslog-Nozomi_Networks_Guardian_CEF, Syslog-NuSecure_Gateway, Syslog-Nutanix, Syslog-Open_Collector, Syslog-Open_Collector-AWS_CloudTrail, Syslog-Open_Collector-AWS_CloudWatch, Syslog-Open_Collector-AWS_Config_Events, Syslog-Open_Collector-AWS_Guard_Duty, Syslog-Open_Collector-AWS_S3, Syslog-Open_Collector-Azure_Event_Hub, Syslog-Open_Collector-Carbon_Black_Cloud, Syslog-Open_Collector-CarbonBlackBeat_Heartbeat, Syslog-Open_Collector-Cisco_AMP, Syslog-Open_Collector-Cisco_Umbrella, Syslog-Open_Collector-CiscoAMPBeat_Heartbeat, Syslog-Open_Collector-Duo_Authentication_Security, Syslog-Open_Collector-DuoBeat_Heartbeat, Syslog-Open_Collector-EventHubBeat_Heartbeat, Syslog-Open_Collector-GCP_Audit, Syslog-Open_Collector-GCP_Cloud_Key_Management_Service, Syslog-Open_Collector-GCP_Http_Load_Balancer, Syslog-Open_Collector-GCP_Pub_Sub, Syslog-Open_Collector-GCP_Security_Command_Center, Syslog-Open_Collector-GCP_Virtual_Private_Cloud, Syslog-Open_Collector-Gmail_Message_Tracking, Syslog-Open_Collector-GMTBeat_Heartbeat, Syslog-Open_Collector-GSuite, Syslog-Open_Collector-GSuiteBeat_Heartbeat, Syslog-Open_Collector-Metricbeat, Syslog-Open_Collector-Okta_System_Log, Syslog-Open_Collector-OktaSystemLogBeat_Heartbeat, Syslog-Open_Collector-PubSubBeat_Heartbeat, Syslog-Open_Collector-S3Beat_Heartbeat, Syslog-Open_Collector-Sophos_Central, Syslog-Open_Collector-SophosCentralBeat_Heartbeat, Syslog-Open_Collector-Webhook, Syslog-Open_Collector-Webhook_OneLogin, Syslog-Open_Collector-Webhook_Zoom, Syslog-Open_Collector-WebhookBeat_Heartbeat, Syslog-Opengear_Console, Syslog-OpenLDAP, Syslog-Oracle_10g_Audit_Trail, Syslog-Oracle_11g_Audit_Trail, Syslog-OSSEC_Alerts, Syslog-Other, Syslog-Outpost24, Syslog-Palo_Alto_Cortex_XDR, Syslog-Palo_Alto_Custom_Pipe, Syslog-Palo_Alto_Firewall, Syslog-Palo_Alto_Traps_CEF, Syslog-Palo_Alto_Traps_Management_Service, 
Syslog-Password_Manager_Pro, Syslog-pfSense_Firewall, Syslog-PingFederate_7.2, Syslog-PingFederate_CEF, Syslog-Polycom, Syslog-Postfix, Syslog-Procera_PacketLogic, Syslog-Proofpoint_Spam_Firewall, Syslog-Protegrity_Defiance_DPS, Syslog-QLogic_Infiniband_Switch, Syslog-Quest_Defender, Syslog-Radiator_Radius, Syslog-RADiFlow_3180_Switch, Syslog-Radware_Alteon_Load_Balancer, Syslog-Radware_DefensePro, Syslog-Radware_Web_Server_Director_Audit_Log, Syslog-Raritan_KVM, Syslog-Raz-Lee, Syslog-RedSeal, Syslog-Riverbed, Syslog-RSA_ACE, Syslog-RSA_Authentication_Manager_v7.1, Syslog-RSA_Authentication_Manager_v8.x, Syslog-RSA_Web_Threat_Detection, Syslog-RSA_Web_Threat_Detection_5.1, Syslog-RuggedRouter, Syslog-Safenet, Syslog-Sailpoint, Syslog-Sauce_Labs, Syslog-SecureAuth_IdP, Syslog-SecureAuth_IdP_v9, Syslog-SecureLink, Syslog-SecureTrack, Syslog-SEL_3610_Port_Switch, Syslog-SEL_3620_Ethernet_Security_Gateway, Syslog-Sentinel_IPS, Syslog-SentinelOne_CEF, Syslog-Sguil, Syslog-Siemens_Scalance_X400, Syslog-Smoothwall_Firewall, Syslog-SnapGear_Firewall, Syslog-Snare_Windows_2003_Event_Log, Syslog-Snare_Windows_2008_Event_Log, Syslog-Snort_IDS, Syslog-Solaris(Snare), Syslog-_Solaris_Host, Syslog-SonicWALL, Syslog-SonicWALL_SSL-VPN, Syslog-Sophos_Email_Encryption_Appliance, Syslog-Sophos_UTM, Syslog-Sophos_Web_Proxy, Syslog-Sophos_XG_Firewall, Syslog-Sourcefire_IDS_3D, Syslog-Sourcefire_RNA, Syslog-Spectracom_Network_Time_Server, Syslog-Splunk_API-Checkpoint_Firewall, Syslog-Splunk_API-Cisco_Netflow_V9, Syslog-Splunk_API-Nessus_Vulnerability_Scanner, Syslog-Squid_Proxy, Syslog-StealthBits_Activity_Monitor, Syslog-STEALTHbits_StealthINTERCEPT, Syslog-StoneGate_Firewall, Syslog-Stonesoft_IPS, Syslog-Stormshield_Network_Security_Firewall, Syslog-Sycamore_Networks_DNX-88, Syslog-Sygate_Firewall, Syslog-Symantec_Advanced_Threat_Protection(ATP)CEF, Syslog-Symantec_DLP_CEF, Syslog-Symantec_Endpoint_Server, Syslog-Symantec_Messaging_Gateway, Syslog-Symantec_PGP_Gateway, 
Syslog-Symbol_Wireless_Access_Point, Syslog-Tanium, Syslog-Temporary_LST-2, Syslog-Tenable_SecurityCenter, Syslog-Thycotic_Secret_Server, Syslog-Tipping_Point_IPS, Syslog-Tipping_Point_SSL_Reverse_Proxy, Syslog-Top_Layer_IPS, Syslog-Townsend_Alliance_LogAgent, Syslog-Trend_Micro_Control_Manager_CEF, Syslog-Trend_Micro_Deep_Discovery_Inspector, Syslog-Trend_Micro_Deep_Security_CEF, Syslog-Trend_Micro_Deep_Security_LEEF, Syslog-Trend_Micro_IWSVA, Syslog-Trend_Micro_Vulnerability_Protection_Manager, Syslog-Tripwire, Syslog-Trustwave_NAC, Syslog-Trustwave_Secure_Web_Gateway, Syslog-Trustwave_Web_Application_Firewall, Syslog-Tufin, Syslog-Tumbleweed_Mailgate_Server, Syslog-Ubiquiti_UniFi_Security_Gateway, Syslog-Ubiquiti_UniFi_Switch, Syslog-Ubiquiti_UniFi_WAP, Syslog-Untangle, Syslog-Vamsoft_ORF, Syslog-Vanguard_Active_Alerts, Syslog-Varonis_DatAlert, Syslog-Vasco_Digipass_Identikey_Server, Syslog-Vectra_Networks, Syslog-Versa_Networks_SD-WAN, Syslog-VMWare_ESX/ESXi_Server, Syslog-VMware_Horizon_View, Syslog-VMWare_NSX/NSX-T, Syslog-VMWare_Unified_Access_Gateway, Syslog-VMWare_vCenter_Server, Syslog-VMWare_vShield, Syslog-Voltage_Securemail, Syslog-Vormetric_CoreGuard, Syslog-Vormetric_Data_Security_Manager, Syslog-WALLIX_Bastion, Syslog-Watchguard_FireBox, Syslog-WS2000_Wireless_Access_Point, Syslog-Wurldtech_SmartFirewall, Syslog-Xirrus_Wireless_Array, Syslog-Zimbra_System_Log, Syslog-Zix_E-mail_Encryption, Syslog-Zscaler_Nano_Streaming_Service, Syslog-ZXT_Load_Balancer, Syslog-ZyWALL_VPN_Firewall, Syslog_Avaya_G450_Media_Gateway, Syslog_File-AIX_Host, Syslog_File-BSD_Format, Syslog_File-HP-UX_Host, Syslog_File-IRIX_Host, Syslog_File-Linux_Host, Syslog_File-LogRhythm_Syslog_Generator, Syslog_File-MS_2003_Event_Log(Snare), SyslogFile-Oracle_10g_Audit_Trail, Syslog_File-Oracle_11g_Audit_Trail, Syslog_File-Solaris_Host, UDLA-CA_Single_Sign-On, UDLA-Deepnet_DualShield, UDLA-Drupal, UDLA-Finacle_Core, UDLA-Finacle_Treasury_Logs, UDLA-Forcepoint, 
UDLA-Gallagher_Command_Centre, UDLA-iManage_Worksite, UDLA-ISS_Proventia_SiteProtector-IPS, UDLA-LogRhythm_Enterprise_Monitoring_Solution, UDLA-LREnhancedAudit, UDLA-McAfee_ePolicy_Orchestrator-Universal_ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_3.6-Events, UDLA-McAfee_ePolicy_Orchestrator_4.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_4.5-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.1-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.3-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.9-ePOEvents, UDLA-McAfee_Network_Access_Control, UDLA-McAfee_Network_Security_Manager, UDLA-Microsoft_System_Center_2012_Endpoint_Protection, UDLA-ObserveIT, UDLA-Oracle_10g_Audit_Trail, UDLA-Oracle_11g_Audit_Trail, UDLA-Oracle_12C_Unified_Auditing, UDLA-Oracle_9i_Audit_Trail, UDLA-Other, UDLA-SEL_3530_RTAC, UDLA-SharePoint_2007_AuditData, UDLA-SharePoint_2010_EventData, UDLA-SharePoint_2013_EventData, UDLA-Siemens_Invision, UDLA-Sophos_Anti-Virus, UDLA-Sophos_Endpoint_Security_and_Control, UDLA-Symantec_CSP, UDLA-Symantec_SEP, UDLA-Symmetry_Access_Control, UDLA-VMWare_vCenter_Server, UDLA-VMWare_vCloud, VLS-Syslog-Infoblox-DNS_RPZ, VLS-Syslog-Infoblox-_Threat_Protection.Optional
host_nameImpacted host name.Optional
usernameUsername.Optional
subjectEmail subject.Optional
senderEmail sender.Optional
recipientEmail recipient.Optional
hashHash.Optional
urlURL.Optional
process_nameProcess name.Optional
objectLog object.Optional
ip_addressIP address.Optional
max_massageMaximum number of log messages to query. Default is 10.Optional
query_timeoutThe query timeout in seconds. Default is 60.Optional

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Search.Task.TaskID | String | Task ID |

Command Example#

```json
{
    "Logrhythm": {
        "Search": {
            "Task": {
                "TaskID": "e1c3f960-e1c3f960-e1c3f960"
            }
        }
    }
}
```

Human Readable Output#

New search query created, Task ID=e1c3f960-e1c3f960-e1c3f960

lr-get-query-result#


Gets the search query result for the task ID returned by the lr-execute-search-query command.

Base Command#

lr-get-query-result

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | Task ID from the lr-execute-search-query command output. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Logrhythm.Search.Results.TaskStatus | String | Task status |
| Logrhythm.Search.Results.TaskID | String | Task ID |
| Logrhythm.Search.Results.Items.originEntityId | Number | Entity ID |
| Logrhythm.Search.Results.Items.impactedIp | String | Impacted IP |
| Logrhythm.Search.Results.Items.classificationTypeName | String | Classification name |
| Logrhythm.Search.Results.Items.logSourceName | String | Log source name |
| Logrhythm.Search.Results.Items.entityName | String | Entity name |
| Logrhythm.Search.Results.Items.normalDate | Date | Date |
| Logrhythm.Search.Results.Items.vendorMessageId | String | Vendor log message |
| Logrhythm.Search.Results.Items.priority | Number | Log priority |
| Logrhythm.Search.Results.Items.sequenceNumber | String | Sequence number |
| Logrhythm.Search.Results.Items.originHostId | Number | Origin host ID |
| Logrhythm.Search.Results.Items.mpeRuleId | Number | LogRhythm rule ID |
| Logrhythm.Search.Results.Items.originIp | String | Origin IP |
| Logrhythm.Search.Results.Items.mpeRuleName | String | LogRhythm rule name |
| Logrhythm.Search.Results.Items.logSourceHostId | Number | Log source host ID |
| Logrhythm.Search.Results.Items.originHost | String | Origin host |
| Logrhythm.Search.Results.Items.logDate | Date | Log date |
| Logrhythm.Search.Results.Items.classificationName | String | Log classification name |

Command Example#

```json
{
    "Logrhythm": {
        "Search": {
            "Results": {
                "TaskStatus": "Completed",
                "TaskID": "e1c3f960-e1c3f960-e1c3f960",
                "Items": [
                    {
                        "originEntityId": 1,
                        "impactedIp": "10.0.0.1",
                        "logSourceName": "Linux Syslog",
                        "originHost": "1.2.3.4",
                        "entityName": "Nothing"
                    }
                ]
            }
        }
    }
}
```

Human Readable Output#

Search results for task e1c3f960-e1c3f960-e1c3f960#

| OriginEntityId | ImpactedIp | LogSourceName | OriginHost | EntityName |
| --- | --- | --- | --- | --- |
| 1 | 10.0.0.1 | Linux Syslog | 1.2.3.4 | Nothing |
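The two commands above form one asynchronous flow: lr-execute-search-query returns a Task ID, and lr-get-query-result is polled with that ID until TaskStatus is Completed. The following is an added example, not code from the LogRhythmRest integration; it drives that flow against a constructed stand-in for the two commands (the stand-in's "Running" status is an assumption, only "Completed" appears on this page) and enforces the query_timeout default of 60 seconds so a caller never mistakes an unfinished task for an empty result.

```python
import time
from typing import Any, Callable, Dict, List, Tuple

class FakeLogRhythm:
    """Constructed stand-in for the two commands, not the real integration. Only the
    sample Items and the "Completed" status come from the page; "Running" is assumed."""

    def __init__(self, polls_until_done: int = 2) -> None:
        self.calls = 0
        self.polls_until_done = polls_until_done

    def execute(self) -> Dict[str, Any]:
        # Context shape of lr-execute-search-query: Logrhythm.Search.Task.TaskID
        return {"Logrhythm": {"Search": {"Task": {"TaskID": "e1c3f960-e1c3f960-e1c3f960"}}}}

    def get_result(self, task_id: str) -> Dict[str, Any]:
        # Context shape of lr-get-query-result: Logrhythm.Search.Results.*
        self.calls += 1
        done = self.calls >= self.polls_until_done
        items = [{"originEntityId": 1, "impactedIp": "10.0.0.1", "logSourceName": "Linux Syslog",
                  "originHost": "1.2.3.4", "entityName": "Nothing"}] if done else []
        return {"Logrhythm": {"Search": {"Results": {
            "TaskStatus": "Completed" if done else "Running", "TaskID": task_id, "Items": items}}}}

def parse_task_id(ctx: Dict[str, Any]) -> str:
    """Read Logrhythm.Search.Task.TaskID from lr-execute-search-query output."""
    return ctx["Logrhythm"]["Search"]["Task"]["TaskID"]

def parse_results(ctx: Dict[str, Any]) -> Tuple[str, List[Dict[str, Any]]]:
    """Read TaskStatus and Items from lr-get-query-result output."""
    results = ctx["Logrhythm"]["Search"]["Results"]
    return results["TaskStatus"], results.get("Items", [])

def wait_for_search(execute: Callable[[], Dict[str, Any]],
                    get_result: Callable[[str], Dict[str, Any]],
                    query_timeout: float = 60.0, poll_interval: float = 2.0,
                    clock: Callable[[], float] = time.monotonic,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[str, List[Dict[str, Any]]]:
    """Create the search, then poll by Task ID until TaskStatus is Completed; a task
    still unfinished after query_timeout raises TimeoutError instead of returning partial data."""
    task_id = parse_task_id(execute())
    deadline = clock() + query_timeout
    while True:
        status, items = parse_results(get_result(task_id))
        if status == "Completed":
            return task_id, items
        if clock() >= deadline:
            raise TimeoutError(f"search task {task_id} still {status!r} after {query_timeout}s")
        sleep(poll_interval)
```

In a playbook the same pattern is a loop over lr-get-query-result gated on Logrhythm.Search.Results.TaskStatus, with a timeout branch so the incident is not closed on an empty Items list.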