Use the LogRhythm integration to manage hosts and entities.
Use Cases
- Execute queries on logs data.
- Add new host.
- Get host information.
- Update host status.
Configure LogRhythmRest on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for LogRhythmRest.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Hostname, IP address, or server URL.
- API Token : see the LogRhythm documentation
- Trust any certificate (unsecure)
- Use system proxy settings
-
Search API cluster ID
: In the LogRhythm host, enter
http://localhost:8500/ui/#/dc1/services/lr-legacy-search-api, the cluster ID is under theTAGSheader
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for logs: lr-execute-query
- Get a list of hosts for an entity: lr-get-hosts-by-entity
- Add a host to an entity: lr-add-host
- Update the status of a host: lr-update-host-status
- Get a list of persons: lr-get-persons
- Get a list of networks: lr-get-networks
- Get a list of hosts: lr-get-hosts
- Get information for an alarm: lr-get-alarm-data
- Get a list of events: lr-get-alarm-events
1. Search for logs
Executes a query for logs that match query parameters.
Base Command
lr-execute-query
Input
| Argument Name | Description | Required |
|---|---|---|
| keyword | Filter log messages by this argument. | Required |
| page-size | Number of logs to return. | Optional |
| time-frame | If time_frame is “Custom”, specify the start time for the time range. | Optional |
| start-date | Start date for the data query, for example: “2018-04-20”. Only use this argument if the time-frame argument is “Custom”. | Optional |
| end-date | End date for the data query, for example: “2018-04-20”. Only use this argument if the time-frame argument is “Custom”. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Log.Channel | string | Channel. |
| Logrhythm.Log.Computer | string | Computer. |
| Logrhythm.Log.EventData | string | Event data. |
| Logrhythm.Log.EventID | string | Event ID. |
| Logrhythm.Log.Keywords | string | Keywords. |
| Logrhythm.Log.Level | string | Level. |
| Logrhythm.Log.Opcode | string | Opcode. |
| Logrhythm.Log.Task | string | Task. |
Command Example
lr-execute-query keyword=Failure time-frame=Custom start-date=2019-05-15 end-date=2019-05-16 page-size=2
Context Example
{
"Logrhythm.Log": [
{
"EventID": "4625",
"Task": "Logon",
"Level": "Information",
"Computer": "WIN-1234.demisto.lab",
"Opcode": "Info",
"Keywords": "Audit Failure",
"EventData": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tGPWARD\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"Channel": "Security"
},
{
"EventID": "4625",
"Task": "Logon",
"Level": "Information",
"Computer": "WIN-1234.demisto.lab",
"Opcode": "Info",
"Keywords": "Audit Failure",
"EventData": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tTMARTIN\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"Channel": "Security"
}
]
}
Human Readable Output
Logs results
| Level | Computer | Channel | Keywords | EventData |
|---|---|---|---|---|
| Information | WIN-1234.demisto.lab | Security | Audit Failure |
An account failed to log on.
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: GPWARD Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
| Information | WIN-1234.demisto.lab | Security | Audit Failure |
An account failed to log on.
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: TMARTIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
2. Get a list of hosts for an entity
Retrieves a list of hosts for a given entity, or an empty list if none is found.
Base Command
lr-get-hosts-by-entity
Input
| Argument Name | Description | Required |
|---|---|---|
| entity-name | The entity name. | Required |
| count | Number of hosts to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | string | The entity ID. |
| Logrhythm.Host.EntityName | string | The entity name. |
| Logrhythm.Host.OS | string | The host OS. |
| Logrhythm.Host.ThreatLevel | string | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | string | Use event log credentials |
| Logrhythm.Host.Name | string | The name of the host. |
| Logrhythm.Host.DateUpdated | string | The last update date of the host. |
| Logrhythm.Host.HostZone | string | The host zone. |
| Logrhythm.Host.RiskLevel | string | The risk level. |
| Logrhythm.Host.Location | string | The host location. |
| Logrhythm.Host.Status | string | The host status. |
| Logrhythm.Host.ID | string | The unique ID of the host object. |
| Logrhythm.Host.OSType | string | The type of the host OS. |
Command Example
lr-get-hosts-by-entity entity-name=primary count=2
Context Example
{
"Logrhythm.Host": [
{
"Status": "Active",
"Name": "AI Engine Server",
"RiskLevel": "None",
"OS": "Unknown",
"EntityName": "Primary Site",
"ID": -1000002,
"Location": "NA",
"OSType": "Other",
"ThreatLevel": "None",
"DateUpdated": "2019-04-24T09:58:32.003Z",
"HostZone": "Internal",
"EntityId": 1,
"UseEventlogCredentials": false
},
{
"Status": "Active",
"Name": "WIN-JSBOL5ERCQA",
"RiskLevel": "Medium-Medium",
"OS": "Windows",
"EntityName": "Primary Site",
"ID": 1,
"Location": "NA",
"OSType": "Other",
"ThreatLevel": "None",
"DateUpdated": "2018-10-04T05:02:01.893Z",
"HostZone": "Internal",
"EntityId": 1,
"UseEventlogCredentials": false
}
]
}
Human Readable Output
Hosts for primary
| ID | Name | EntityId | EntityName | OS | Status | Location | RiskLevel | ThreatLevel | ThreatLevelComments | DateUpdated | HostZone |
|---|---|---|---|---|---|---|---|---|---|---|---|
| -1000002 | AI Engine Server | 1 | Primary Site | Unknown | Active | NA | None | None | 2019-04-24T09:58:32.003Z | Internal | |
| 1 | WIN-1234 | 1 | Primary Site | Windows | Active | NA | Medium-Medium | None | 2018-10-04T05:02:01.893Z | Internal |
3. Add a host to an entity
Add a new host to an entity.
Base Command
lr-add-host
Input
| Argument Name | Description | Required |
|---|---|---|
| entity-id | The entity ID. | Required |
| entity-name | The entity name. | Required |
| name | The LogRhythm host name. | Required |
| short-description | The short description. | Optional |
| long-description | The long description. | Optional |
| risk-level | The short description. | Required |
| threat-level | The host threat level. | Optional |
| threat-level-comments | Comments for the host threat level. | Optional |
| host-status | The host status. | Required |
| host-zone | The host zone. | Required |
| os | The host OS. | Required |
| use-eventlog-credentials | Use eventlog credentials. | Required |
| os-type | The host OS. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | string | The entity ID. |
| Logrhythm.Host.EntityName | string | The entity name. |
| Logrhythm.Host.OS | string | The host OS. |
| Logrhythm.Host.ThreatLevel | string | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | string | Use event log credentials |
| Logrhythm.Host.Name | string | The name of the host. |
| Logrhythm.Host.DateUpdated | string | The last update date of the host. |
| Logrhythm.Host.HostZone | string | The host zone. |
| Logrhythm.Host.RiskLevel | string | The risk level. |
| Logrhythm.Host.Location | string | The host location. |
| Logrhythm.Host.Status | string | The host status. |
| Logrhythm.Host.ID | string | The unique ID of the host object. |
| Logrhythm.Host.OSType | string | The type of the host OS. |
Command Example
lr-add-host entity-id=1 entity-name=`Primary Site` host-status=New host-zone=Internal name=host-name os=Windows risk-level="High-Medium" use-eventlog-credentials=false
Context Example
{
"Logrhythm.Host": [
{
"Status": "New",
"Name": "host-name",
"RiskLevel": "High-Medium",
"OS": "Windows",
"EntityName": "Primary Site",
"ThreatLevelComments": "None",
"ID": 46,
"Location": "NA",
"OSType": "Unknown",
"ThreatLevel": "None",
"DateUpdated": "2019-05-28T14:26:19.543Z",
"HostZone": "Internal",
"EntityId": 1,
"UseEventlogCredentials": true
}
]
}
Human Readable Output
host-name added successfully to Primary Site
4. Update the status of a host
Updates an host status.
Base Command
lr-update-host-status
Input
| Argument Name | Description | Required |
|---|---|---|
| host-id | The unique ID of the host. | Required |
| status | The enumeration status of the host. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | string | The entity ID. |
| Logrhythm.Host.EntityName | string | The entity name. |
| Logrhythm.Host.OS | string | The host OS. |
| Logrhythm.Host.ThreatLevel | string | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | string | Use event log credentials |
| Logrhythm.Host.Name | string | The name of the host. |
| Logrhythm.Host.DateUpdated | string | The last update date of the host. |
| Logrhythm.Host.HostZone | string | The host zone. |
| Logrhythm.Host.RiskLevel | string | The risk level. |
| Logrhythm.Host.Location | string | The host location. |
| Logrhythm.Host.Status | string | The host status. |
| Logrhythm.Host.ID | string | The unique ID of the host object. |
| Logrhythm.Host.OSType | string | The type of the host OS. |
Command Example
lr-update-host-status host-id=8 status=Retired
Context Example
{
"Logrhythm": {
"Host": {
"Status": "Retired",
"Name": "test-host7",
"RiskLevel": "Low-Medium",
"OS": "Linux",
"EntityName": "Primary Site",
"ID": 8,
"Location": "NA",
"OSType": "Other",
"ThreatLevel": "Low-High",
"DateUpdated": "2019-05-28T14:32:39.43Z",
"HostZone": "Internal",
"EntityId": 1,
"UseEventlogCredentials": false
}
}
}
Human Readable Output
Status updated to Retired
5. Get a list of persons
Retrieves a list of persons.
Base Command
lr-get-persons
Input
| Argument Name | Description | Required |
|---|---|---|
| person-id | The LogRhythm person id. | Optional |
| count | Number of persons to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Person.DateUpdated | String | Date updated |
| Logrhythm.Person.FirstName | String | First name |
| Logrhythm.Person.LastName | String | Last name |
| Logrhythm.Person.HostStatus | string | Host status |
| Logrhythm.Person.ID | String | Person ID |
| Logrhythm.Person.IsAPIPerson | Boolean | Is API person |
| Logrhythm.Person.UserID | String | User ID |
| Logrhythm.Person.UserLogin | String | User login |
Command Example
!lr-get-persons person-id=7
Context Example
{
"Logrhythm.Person": [
{
"IsAPIPerson": false,
"FirstName": "demisto",
"LastName": "demisto",
"UserID": 5,
"UserLogin": "DEMISTO\\lrapi",
"DateUpdated": "0001-01-01T00:00:00Z",
"ID": 7,
"HostStatus": "Retired"
}
]
}
Human Readable Output
Persons information
| ID | HostStatus | IsAPIPerson | FirstName | LastName | UserID | UserLogin | DateUpdated |
|---|---|---|---|---|---|---|---|
| 7 | Retired | false | demisto | demisto | 5 | DEMISTO\lrapi | 0001-01-01T00:00:00Z |
6. Get a list of networks
Retrieves a list of networks.
Base Command
lr-get-networks
Input
| Argument Name | Description | Required |
|---|---|---|
| network-id | The LogRhythm network ID. | Optional |
| count | Number of networks to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Network.BIP | String | Began ip address |
| Logrhythm.Network.ThreatLevel | String | Threat level |
| Logrhythm.Network.Name | String | Network name |
| Logrhythm.Network.EIP | String | End ip address |
| Logrhythm.Network.DateUpdated | String | Date updated |
| Logrhythm.Network.EntityName | String | Entity name |
| Logrhythm.Network.HostZone | String | Host zone |
| Logrhythm.Network.RiskLevel | String | Risk level |
| Logrhythm.Network.Location | String | Network location |
| Logrhythm.Network.HostStatus | String | Host status |
| Logrhythm.Network.ID | String | Network ID |
| Logrhythm.Network.EntityId | String | Entity ID |
Command Example
!lr-get-networks network-id=1
Context Example
{
"Logrhythm.Network": [
{
"EndIP": "2.2.2.2",
"Name": "test",
"RiskLevel": "None",
"EntityName": "Global Entity",
"ID": 1,
"Location": {
"id": -1
},
"ThreatLevel": "None",
"DateUpdated": "2019-02-20T10:57:13.983Z",
"BeganIP": "1.1.1.1",
"HostZone": "External",
"EntityId": -100,
"HostStatus": "Active"
}
]
}
Human Readable Output
Networks information
| ID | BeganIP | EndIP | HostStatus | Name | RiskLevel | EntityId | EntityName | Location | ThreatLevel | DateUpdated | HostZone |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1.1.1.1 | 2.2.2.2 | Active | test | None | -100 | Global Entity | id: -1 | None | 2019-02-20T10:57:13.983Z | External |
7. Get a list of hosts
Retrieves a list of hosts.
Base Command
lr-get-hosts
Input
| Argument Name | Description | Required |
|---|---|---|
| host-id | The LogRhythm host ID. | Optional |
| count | Number of hosts to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | String | The entity ID. |
| Logrhythm.Host.EntityName | String | The entity name. |
| Logrhythm.Host.OS | String | The host OS. |
| Logrhythm.Host.ThreatLevel | String | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | String | Use event log credentials |
| Logrhythm.Host.Name | String | The name of the host. |
| Logrhythm.Host.DateUpdated | String | The last update date of the host. |
| Logrhythm.Host.HostZone | String | The host zone. |
| Logrhythm.Host.RiskLevel | String | The risk level. |
| Logrhythm.Host.Location | String | The host location. |
| Logrhythm.Host.Status | String | The host status. |
| Logrhythm.Host.ID | String | The unique ID of the host object. |
| Logrhythm.Host.OSType | String | The type of the host OS. |
Command Example
!lr-get-hosts host-id=1
Context Example
{
"Logrhythm.Host": [
{
"Status": "Active",
"Name": "WIN-JSBOL5ERCQA",
"RiskLevel": "Medium-Medium",
"OS": "Windows",
"EntityName": "Primary Site",
"ID": 1,
"Location": {
"id": -1
},
"OSType": "Other",
"ThreatLevel": "None",
"DateUpdated": "2019-07-03T07:20:24.44Z",
"HostZone": "Internal",
"EntityId": 1,
"UseEventlogCredentials": false
}
]
}
Human Readable Output
Hosts information:
| ID | Name | EntityId | EntityName | OS | Status | Location | RiskLevel | ThreatLevel | ThreatLevelComments | DateUpdated | HostZone |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | WIN-JSBOL5ERCQA | 1 | Primary Site | Windows | Active | id: -1 | Medium-Medium | None | 2019-07-03T07:20:24.44Z | Internal |
8. Get information for an alarm
Retrieves alarm data.
Base Command
lr-get-alarm-data
Input
| Argument Name | Description | Required |
|---|---|---|
| alarm-id | The alarm ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Alarm.Status | String | The alarm status. |
| Logrhythm.Alarm.EventID | String | The alarm event ID. |
| Logrhythm.Alarm.LastDxTimeStamp | String | The timestamp of the last time the drilldown returned new results from the Data Indexer. |
| Logrhythm.Alarm.DateInserted | String | The alarm date inserted. |
| Logrhythm.Alarm.AIERuleName | String | The alarm AI engine (AIE) rule. |
| Logrhythm.Alarm.Priority | String | The alarm priority. |
| Logrhythm.Alarm.AIERuleID | String | The alarm AI engine (AIE) rule ID. |
| Logrhythm.Alarm.ID | String | The alarm ID. |
| Logrhythm.Alarm.NotificationSent | Boolean | Whether the alarm notification was sent. |
| Logrhythm.Alarm.AlarmGuid | String | The alarm GUID. |
| Logrhythm.Alarm.RetryCount | String | The alarm retry count. |
| Logrhythm.Alarm.NormalMessageDate | String | The alarm message date. |
| Logrhythm.Alarm.WebConsoleIds | String |
The alarm web console IDs |
| Logrhythm.Alarm.Summary.PIFType | String | Alarm Primary Inspection Field (the original name for “Summary Field”). |
| Logrhythm.Alarm.Summary.DrillDownSummaryLogs | String | Drill down summary logs. |
Command Example
!lr-get-alarm-data alarm-id=1824
Context Example
{
"Logrhythm.Alarm": {
"EventID": 337555,
"Priority": 85,
"LastDxTimeStamp": "0001-01-01T00:00:00",
"DateInserted": "2019-06-20T12:13:28.363",
"AIERuleName": "Use Of Admin User",
"AIERuleID": 1000000003,
"Status": "Completed",
"AIEMsgXml": {
"v": "1",
"_": {
"DateEdited": "2019-06-20 11:54:42",
"AIERuleID": "1000000003"
},
"_0": {
"FactCount": "1",
"RuleBlockType": "1",
"NormalMsgDate": "2019-06-20 12:13:19",
"NormalMsgDateLower": "2019-06-20 12:13:19",
"NormalMsgDateUpper": "2019-06-20 12:13:20",
"Login": "administrator"
}
},
"Summary": [
{
"DrillDownSummaryLogs": "administrator",
"PIFType": "User (Origin)"
}
],
"NotificationSent": false,
"AlarmGuid": "5a4d8d77-5ec6-4669-b455-fb0cdbeed7df",
"RetryCount": 0,
"NormalMessageDate": "2019-06-20T12:13:20.243",
"WebConsoleIds": [
"c272b5f5-1db6-461b-9e9c-78d171429494"
],
"ID": 1824
}
}
Human Readable Output
Alarm information for alarm id 1824
| AIERuleID | AIERuleName | Status | RetryCount | LastDxTimeStamp | DateInserted | AlarmGuid | NotificationSent | EventID | NormalMessageDate | WebConsoleIds | Priority | ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1000000003 | Use Of Admin User | Completed | 0 | 0001-01-01T00:00:00 | 2019-06-20T12:13:28.363 | 5a4d8d77-5ec6-4669-b455-fb0cdbeed7df | false | 337555 | 2019-06-20T12:13:20.243 | c272b5f5-1db6-461b-9e9c-78d171429494 | 85 | 1824 |
Alarm summaries
| PIFType | DrillDownSummaryLogs |
|---|---|
| User (Origin) | administrator |
9. Get a list of events
Retrieves a list of events by alarm ID.
Base Command
lr-get-alarm-events
Input
| Argument Name | Description | Required |
|---|---|---|
| alarm-id | The alarm ID. | Required |
| count | Number of events to return. | Optional |
| fields | CSV list of fields (outputs) to return in the context. If empty, will return all fields. | Optional |
| get-log-message | Retrieves the log message from the event. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Logrhythm.Alarm.Event | String | Alarm event information. |
| Logrhythm.Alarm.ID | String | The alarm ID. |
Command Example
!lr-get-alarm-events alarm-id=1835
Context Example
{
"Logrhythm.Alarm": {
"Event": [
{
"originEntityId": 1,
"rootEntityId": 1,
"classificationTypeName": "Audit",
"logSourceName": "WIN-JSBOL5ERCQA MS Security Log",
"entityName": "Primary Site",
"originZone": 0,
"session": "0x0",
"normalDateMin": "2019-06-20 12:27:03",
"normalDate": "2019-06-20 12:27:03",
"vendorMessageId": "4625",
"entityId": 1,
"subject": "Unknown user name or bad password",
"priority": 3,
"sequenceNumber": 211157,
"impactedZoneName": "Unknown",
"originHostId": -1,
"mpeRuleId": 1060400,
"logSourceHostName": "WIN-JSBOL5ERCQA",
"logSourceHost": "WIN-JSBOL5ERCQA",
"originZoneName": "Unknown",
"logSourceType": 1000030,
"mpeRuleName": "EVID 4625 : User Logon Type 3: Wrong Password",
"impactedName": "win-jsbol5ercqa.demisto.lab",
"normalMsgDateMax": "2019-06-20 12:27:03",
"status": "0xC000006D",
"direction": 0,
"logSourceHostId": 1,
"ruleBlockNumber": 1,
"objectName": "0xC000006A",
"classificationId": 1040,
"impactedEntityId": 1,
"messageTypeEnum": 1,
"impactedEntityName": "Primary Site",
"reason": "Unknown user name or bad password",
"directionName": "Unknown",
"logDate": "2019-06-20 05:27:03",
"commonEventName": "User Logon Failure : Bad Password",
"impactedHostName": "",
"messageId": "1e28712d-4af4-4e82-9403-a2ebfda82f2d",
"originEntityName": "Primary Site",
"severity": "Information",
"count": 1,
"keyField": "messageId",
"rootEntityName": "Primary Site",
"parentProcessId": "0x0",
"protocolId": -1,
"logSourceTypeName": "MS Windows Event Logging - Security",
"object": "NtLmSsp",
"vendorInfo": "An account failed to log on",
"impactedHost": "win-jsbol5ercqa.demisto.lab",
"command": "3",
"commonEventId": 19812,
"login": "administrator",
"classificationName": "Authentication Failure",
"logSourceId": 1
},
],
"ID": 1835
}
}
Human Readable Output
Events information for alarm 1835
| classificationId | classificationName | classificationTypeName | command | commonEventName | commonEventId | direction | directionName | impactedEntityId | impactedEntityName | impactedHost | impactedHostName | impactedName | impactedZoneName | logDate | mpeRuleId | mpeRuleName | object | objectName | originEntityName | originEntityId | originHostId | login | originZone | originZoneName | priority | protocolId | ruleBlockNumber | session | severity | subject | vendorMessageId | sequenceNumber | vendorInfo | parentProcessId | reason | status | keyField | count | entityId | rootEntityId | rootEntityName | entityName | logSourceHostId | logSourceHost | logSourceHostName | logSourceId | logSourceName | logSourceType | logSourceTypeName | messageId | messageTypeEnum | normalDate | normalMsgDateMax | normalDateMin |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1040 | Authentication Failure | Audit | 3 | User Logon Failure : Bad Password | 19812 | 0 | Unknown | 1 | Primary Site | win-jsbol5ercqa.demisto.lab | win-jsbol5ercqa.demisto.lab | Unknown | 2019-06-20 05:27:03 | 1060400 | EVID 4625 : User Logon Type 3: Wrong Password | NtLmSsp | 0xC000006A | Primary Site | 1 | -1 | administrator | 0 | Unknown | 3 | -1 | 1 | 0x0 | Information | Unknown user name or bad password | 4625 | 211157 | An account failed to log on | 0x0 | Unknown user name or bad password | 0xC000006D | messageId | 1 | 1 | 1 | Primary Site | Primary Site | 1 | WIN-JSBOL5ERCQA | WIN-JSBOL5ERCQA | 1 | WIN-JSBOL5ERCQA MS Security Log | 1000030 | MS Windows Event Logging - Security | 1e28712d-4af4-4e82-9403-a2ebfda82f2d | 1 | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 | 2019-06-20 12:27:03 |