LogRhythmRest
This Integration is part of the LogRhythm Pack.#
LogRhythm security intelligence. This integration was integrated and tested with version 7.4.6 of LogRhythmRest
Configure LogRhythmRest in Cortex#
| Parameter | Required |
|---|---|
| Hostname, IP address, or server URL | True |
| API Token | True |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| Search API cluster ID | False |
| Entity ID | False |
| Fetch incidents | False |
| Incidents Fetch Interval | False |
| Incident type | False |
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
lr-execute-query#
Executes a query for logs that match the query parameters.
Base Command#
lr-execute-query
Input#
| Argument Name | Description | Required |
|---|---|---|
| keyword | The value by which to filter log messages. | Required |
| page-size | Number of logs to return. Default is 100. | Optional |
| time-frame | The time range from which to return log messages. If time_frame is "Custom", specify the start and end time for the time range. Possible values: "Today", "Last2Days", "LastWeek", "LastMonth", and "Custom". Possible values are: Today, Last2Days, LastWeek, LastMonth, Custom. Default is Custom. | Optional |
| start-date | Start date for the data query, for example: "2018-04-20". Only use this argument if the time-frame argument is "Custom". | Optional |
| end-date | End date for the data query, for example: "2018-04-20". Only use this argument if the time-frame argument is "Custom". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Log.Channel | string | Channel of the log. |
| Logrhythm.Log.Computer | string | Computer for the log |
| Logrhythm.Log.EventData | string | Event data of the log. |
| Logrhythm.Log.EventID | string | Event ID of the log. |
| Logrhythm.Log.Keywords | string | Keywords of the log. |
| Logrhythm.Log.Level | string | Log level. |
| Logrhythm.Log.Opcode | string | Opcode of the log. |
| Logrhythm.Log.Task | string | Task of the log. |
Command Example#
!lr-execute-query keyword=Failure time-frame=Custom start-date=2019-05-15 end-date=2019-05-16 page-size=2
Context Example#
Human Readable Output#
Hosts for primary#
Level Computer Channel Keywords EventData Information WIN-1234.lab Security Audit Failure An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tGPWARD\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Information WIN-1234.lab Security Audit Failure An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tTMARTIN\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
lr-get-hosts-by-entity#
Retrieves a list of hosts for a given entity, or an empty list if none is found.
Base Command#
lr-get-hosts-by-entity
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity-name | The entity name. | Required |
| count | Number of hosts to return. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | String | The entity ID. |
| Logrhythm.Host.EntityName | String | The entity name. |
| Logrhythm.Host.OS | String | The host operating system. |
| Logrhythm.Host.ThreatLevel | String | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | String | Whether to use the event log credentials. |
| Logrhythm.Host.Name | String | The name of the host. |
| Logrhythm.Host.DateUpdated | String | The last update date of the host. |
| Logrhythm.Host.HostZone | String | The host zone. |
| Logrhythm.Host.RiskLevel | String | The risk level. |
| Logrhythm.Host.Location | String | The host location. |
| Logrhythm.Host.Status | String | The host status. |
| Logrhythm.Host.ID | String | The unique ID of the host object. |
| Logrhythm.Host.OSType | String | The type of the host operating system. |
Command Example#
!lr-get-hosts-by-entity entity-name=primary count=2
Context Example#
Human Readable Output#
Hosts for primary#
ID Name EntityId EntityName OS Status Location RiskLevel ThreatLevel ThreatLevelComments DateUpdated HostZone -1000002 AI Engine Server 1 Primary Site Unknown Active NA None None 2019-04-24T09:58:32.003Z Internal 1 WIN-JSBOL5ERCQA 1 Primary Site Windows Active NA Medium-Medium None 2021-05-18T15:06:54.62Z Internal
lr-add-host#
Add a new host to an entity.
Base Command#
lr-add-host
Input#
| Argument Name | Description | Required |
|---|---|---|
| entity-id | The entity ID. | Required |
| entity-name | The entity name. | Required |
| name | The LogRhythm host name. | Required |
| short-description | A short description of the host. Default is None. | Optional |
| long-description | A long description of the host. Default is None. | Optional |
| risk-level | The host risk level. Possible values: "None", "Low-Low", "Low-Medium", "Low-High", "Medium-Low", "Medium-Medium", "Medium-High", "High-Low", "High-Medium", and "High-High". Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. Default is None. | Required |
| threat-level | The host threat level. Possible values: "None", "Low-Low", "Low-Medium", "Low-High", "Medium-Low", "Medium-Medium", "Medium-High", "High-Low", "High-Medium", and "High-High". Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. Default is None. | Optional |
| threat-level-comments | Comments for the host threat level. Default is None. | Optional |
| host-status | The host status. Possible values: "New", "Retired", and "Active". Possible values are: New, Retired, Active. | Required |
| host-zone | The host zone. Possible values: "Unknown", "Internal", "DMZ", and "External". Possible values are: Unknown, Internal, DMZ, External. | Required |
| os | The host operating system. | Required |
| use-eventlog-credentials | Whether to use the event log credentials. Possible values: "true" and "false". Possible values are: true, false. | Required |
| os-type | The host operating system type. Possible values are: Unknown, Other, WindowsNT4, Windows2000Professional, Windows2000Server, Windows2003Standard, Windows2003Enterprise, Windows95, WindowsXP, WindowsVista, Linux, Solaris, AIX, HPUX, Windows. Default is Unknown. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | string | The entity ID for the host. |
| Logrhythm.Host.EntityName | string | The entity name for the host. |
| Logrhythm.Host.OS | string | The host operating system. |
| Logrhythm.Host.ThreatLevel | string | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | string | Whether to use the event log credentials. |
| Logrhythm.Host.Name | string | The name of the host. |
| Logrhythm.Host.DateUpdated | string | The last update date of the host. |
| Logrhythm.Host.HostZone | string | The host zone. |
| Logrhythm.Host.RiskLevel | string | The risk level of the host. |
| Logrhythm.Host.Location | string | The host location. |
| Logrhythm.Host.Status | string | The host status. |
| Logrhythm.Host.ID | string | The unique ID of the host object. |
| Logrhythm.Host.OSType | string | The type of the host operating system. |
Command Example#
!lr-add-host entity-id=1 entity-name=`Primary Site` host-status=New host-zone=Internal name=host11 os=Windows risk-level="High-Medium" use-eventlog-credentials=false
Context Example#
Human Readable Output#
host11 added successfully to Primary Site
lr-update-host-status#
Updates an host status.
Base Command#
lr-update-host-status
Input#
| Argument Name | Description | Required |
|---|---|---|
| host-id | The unique ID of the host. | Required |
| status | The enumeration status of the host. Possible values: "Retired" and "Active". Possible values are: Retired, Active. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | string | The entity ID of the host. |
| Logrhythm.Host.EntityName | string | The entity name of the host. |
| Logrhythm.Host.OS | string | The host operating system. |
| Logrhythm.Host.ThreatLevel | string | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | string | Whether to use the event log credentials. |
| Logrhythm.Host.Name | string | The name of the host. |
| Logrhythm.Host.DateUpdated | string | The last update date of the host. |
| Logrhythm.Host.HostZone | string | The host zone. |
| Logrhythm.Host.RiskLevel | string | The risk level of the host. |
| Logrhythm.Host.Location | string | The host location. |
| Logrhythm.Host.Status | string | The host status. |
| Logrhythm.Host.ID | string | The unique ID of the host object. |
| Logrhythm.Host.OSType | string | The type of the host operating system. |
Command Example#
!lr-update-host-status host-id=8 status=Retired
Context Example#
Human Readable Output#
Status updated to Retired
lr-get-persons#
Retrieves a list of LogRhythm persons.
Base Command#
lr-get-persons
Input#
| Argument Name | Description | Required |
|---|---|---|
| person-id | The LogRhythm person ID. | Optional |
| count | Number of persons to return. Default is 30. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Person.DateUpdated | String | Date that the person was updated. |
| Logrhythm.Person.FirstName | String | First name of the LogRhythm person. |
| Logrhythm.Person.LastName | String | Last name of the LogRhythm person. |
| Logrhythm.Person.HostStatus | string | Host status of the LogRhythm person. |
| Logrhythm.Person.ID | String | Logrhythm person ID. |
| Logrhythm.Person.IsAPIPerson | Boolean | Whether the API is a person. |
| Logrhythm.Person.UserID | String | User ID of the LogRhythm person. |
| Logrhythm.Person.UserLogin | String | User login of the LogRhythm person. |
Command Example#
!lr-get-persons person-id=7
Context Example#
Human Readable Output#
Persons information#
ID HostStatus IsAPIPerson FirstName LastName UserID UserLogin DateUpdated 7 Retired false logrhythm logrhythm 5 lrapi2 0001-01-01T00:00:00Z
lr-get-networks#
Retrieves a list of networks.
Base Command#
lr-get-networks
Input#
| Argument Name | Description | Required |
|---|---|---|
| network-id | The LogRhythm network ID. | Optional |
| count | Number of networks to return. Default is 30. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Network.BIP | String | Beginning IP address of the network. |
| Logrhythm.Network.ThreatLevel | String | Threat level of the network. |
| Logrhythm.Network.Name | String | Network name. |
| Logrhythm.Network.EIP | String | End IP address of the network. |
| Logrhythm.Network.DateUpdated | String | Date network was updated. |
| Logrhythm.Network.EntityName | String | Entity name of the network. |
| Logrhythm.Network.HostZone | String | Host zone of the network. |
| Logrhythm.Network.RiskLevel | String | Risk level of the network. |
| Logrhythm.Network.Location | String | Network location. |
| Logrhythm.Network.HostStatus | String | Host status of the network. |
| Logrhythm.Network.ID | String | Network ID. |
| Logrhythm.Network.EntityId | String | Entity ID of the network. |
Command Example#
!lr-get-networks network-id=1
Context Example#
Human Readable Output#
Networks information#
ID BeganIP EndIP HostStatus Name RiskLevel EntityId EntityName Location ThreatLevel DateUpdated HostZone 1 1.1.1.1 2.2.2.2 Active test None -100 Global Entity NA None 2019-02-20T10:57:13.983Z External
lr-get-hosts#
Returns a list of hosts.
Base Command#
lr-get-hosts
Input#
| Argument Name | Description | Required |
|---|---|---|
| host-id | The LogRhythm host ID. | Optional |
| count | Number of hosts to return. Default is 30. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Host.EntityId | String | The entity ID. |
| Logrhythm.Host.EntityName | String | The entity name. |
| Logrhythm.Host.OS | String | The host operating system. |
| Logrhythm.Host.ThreatLevel | String | The host threat level. |
| Logrhythm.Host.UseEventlogCredentials | String | Whether to use the event log credentials. |
| Logrhythm.Host.Name | String | The name of the host. |
| Logrhythm.Host.DateUpdated | String | Date that the host was last updated. |
| Logrhythm.Host.HostZone | String | The host zone. |
| Logrhythm.Host.RiskLevel | String | The risk level of the host. |
| Logrhythm.Host.Location | String | The host location. |
| Logrhythm.Host.Status | String | The host status. |
| Logrhythm.Host.ID | String | The unique ID of the host object. |
| Logrhythm.Host.OSType | String | Host operating system type. |
Command Example#
!lr-get-hosts host-id=1
Context Example#
Human Readable Output#
Hosts information#
ID Name EntityId EntityName OS Status Location RiskLevel ThreatLevel ThreatLevelComments DateUpdated HostZone 1 WIN-JSBOL5ERCQA 1 Primary Site Windows Active NA Medium-Medium None 2021-05-18T15:06:54.62Z Internal
lr-get-alarm-data#
Returns data for an alarm.
Base Command#
lr-get-alarm-data
Input#
| Argument Name | Description | Required |
|---|---|---|
| alarm-id | The alarm ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Alarm.Status | String | The alarm status. |
| Logrhythm.Alarm.EventID | String | The alarm event ID. |
| Logrhythm.Alarm.LastDxTimeStamp | String | The timestamp when the drilldown returned new results from the Data Indexer. |
| Logrhythm.Alarm.DateInserted | String | The alarm date inserted. |
| Logrhythm.Alarm.AIERuleName | String | The alarm AI engine (AIE) rule. |
| Logrhythm.Alarm.Priority | String | The alarm priority. |
| Logrhythm.Alarm.AIERuleID | String | The alarm AI engine (AIE) rule ID. |
| Logrhythm.Alarm.ID | String | The alarm ID. |
| Logrhythm.Alarm.NotificationSent | Boolean | Whether an alarm notification was sent. |
| Logrhythm.Alarm.AlarmGuid | String | The alarm GUID. |
| Logrhythm.Alarm.RetryCount | String | The alarm retry count. |
| Logrhythm.Alarm.NormalMessageDate | String | The alarm message date. |
| Logrhythm.Alarm.WebConsoleIds | String | The alarm web console IDs. |
| Logrhythm.Alarm.Summary.PIFType | String | Alarm Primary Inspection Field (the original name for "Summary Field"). |
| Logrhythm.Alarm.Summary.DrillDownSummaryLogs | String | Drilldown summary logs. |
Command Example#
!lr-get-alarm-data alarm-id=1824
Context Example#
Human Readable Output#
Alarm information for alarm id 1824#
AIERuleID AIERuleName AlarmGuid DateInserted EventID ID LastDxTimeStamp NormalMessageDate NotificationSent Priority RetryCount Status WebConsoleIds 1000000003 Use Of Admin User 5a4d8d77-5ec6-4669-b455-fb0cdbeed7df 2019-06-20T12:13:28.363 337555 1824 0001-01-01T00:00:00 2019-06-20T12:13:20.243 false 85 0 Completed c272b5f5-1db6-461b-9e9c-78d171429494 Alarm summaries#
PIFType DrillDownSummaryLogs User (Origin) administrator
lr-get-alarm-events#
Returns a list of events, by alarm ID.
Base Command#
lr-get-alarm-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| alarm-id | The alarm ID. | Required |
| count | Number of events to return. Default is 10. | Optional |
| fields | A comma-separated list of fields (outputs) to return to the context. If empty, all fields are returned. Possible values are: . | Optional |
| get-log-message | Whether to return the log message from the event. Possible values: "True" and "False". Possible values are: True, False. Default is False. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Alarm.Event | String | Alarm event information. |
| Logrhythm.Alarm.ID | String | The alarm ID. |
Command Example#
!lr-get-alarm-events alarm-id=1835
Context Example#
Human Readable Output#
Events information for alarm 1835#
classificationId classificationName classificationTypeName command commonEventId commonEventName count direction directionName entityId entityName impactedEntityId impactedEntityName impactedHost impactedHostName impactedName impactedZoneName keyField logDate logSourceHost logSourceHostId logSourceHostName logSourceId logSourceName logSourceType logSourceTypeName login messageId messageTypeEnum mpeRuleId mpeRuleName normalDate normalDateMin normalMsgDateMax object objectName originEntityId originEntityName originHostId originZone originZoneName parentProcessId priority protocolId reason rootEntityId rootEntityName ruleBlockNumber sequenceNumber session severity status subject vendorInfo vendorMessageId 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator 1e28712d-4af4-4e82-9403-a2ebfda82f2d 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211157 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator ec975fad-44fd-42cd-be8e-1573742c6d7a 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211156 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator 21318d09-2b01-4b88-8b18-efc48c597e1f 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211155 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator 20384578-60c1-4828-bdea-68cdc202d719 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211154 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625 1040 Authentication Failure Audit 3 19812 User Logon Failure : Bad Password 1 0 Unknown 1 Primary Site 1 Primary Site win-jsbol5ercqa.lab win-jsbol5ercqa.lab Unknown messageId 2019-06-20 05:27:03 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA 1 WIN-JSBOL5ERCQA MS Security Log 1000030 MS Windows Event Logging - Security administrator dd2c2251-ede1-4559-916b-0422ea8c0f9e 1 1060400 EVID 4625 : User Logon Type 3: Wrong Password 2019-06-20 12:27:03 2019-06-20 12:27:03 2019-06-20 12:27:03 NtLmSsp 0xC000006A 1 Primary Site -1 0 Unknown 0x0 3 -1 Unknown user name or bad password 1 Primary Site 1 211153 0x0 Information 0xC000006D Unknown user name or bad password An account failed to log on 4625
lr-get-case-evidence#
Execute evidence query for a specific case ID.
Base Command#
lr-get-case-evidence
Input#
| Argument Name | Description | Required |
|---|---|---|
| case_id | The case ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Search.Evidence.status | String | Evidence status. |
| Logrhythm.Search.Evidence.text | String | Evidence text. |
| Logrhythm.Search.Evidence.number | Number | Evidence ID. |
| Logrhythm.Search.Evidence.dateCreated | Date | Date the evidence was created. |
| Logrhythm.Search.Evidence.pinned | Boolean | Whether evidence is pinned. |
| Logrhythm.Search.Evidence.lastUpdatedBy.name | String | The name of the person who last updated the evidence. |
| Logrhythm.Search.Evidence.createdBy.name | String | The name of the person who created the evidence. |
| Logrhythm.Search.Evidence.dateUpdated | Date | The date the evidence was last updated. |
| Logrhythm.Search.Evidence.type | String | Evidence type. |
Command Example#
!lr-get-case-evidence case_id=12345
Context Example#
Human Readable Output#
Evidences for case FD05A0D9-6749-45F7-BB5D-596FBA68E731#
Alarm Createdby Datecreated Datepinned Dateupdated Lastupdatedby Number Pinned Status Statusmessage Text Type alarmDate: 2019-04-15T00:02:52.847Z
dateInserted: 2019-04-15T00:02:52.86Z
alarmRuleId: 1098
entityName: Primary Site
alarmId: 190
riskBasedPriorityMax: 37
entityId: 1
alarmRuleName: LogRhythm Data Indexer Max Index Exceededdisabled: false
number: -100
name: LogRhythm Administrator2019-04-15T21:41:34.61Z 2019-04-15T21:41:34.61Z disabled: false
number: -100
name: LogRhythm Administrator3 false completed alarm
lr-execute-search-query#
Execute search query to LogRhythm log database.
Base Command#
lr-execute-search-query
Input#
| Argument Name | Description | Required |
|---|---|---|
| number_of_days | Number of days to search. | Required |
| source_type | Log source type. Possible values are: API-_AWS_CloudTrail, API-AWS_CloudWatch_Alarm, API-AWS_Config_Event, API-AWS_S3_Flat_File, API-AWS_S3_Server_Access_Event, API-BeyondTrust_Retina_Vulnerability_Management, API-Box_Event, API-Cisco_IDS/IPS, API-Cradlepoint_ECM, API-IP360_Vulnerability_Scanner, API-Metasploit_Penetration_Scanner, API-Nessus_Vulnerability_Scanner, API-NetApp_CIFS_Security_Audit_Event_Log, API-NeXpose_Vulnerability_Scanner, API-Office_365_Management_Activity, API-Office_365_Message_Tracking, API-Okta_Event, API-Qualys_Vulnerability_Scanner, API-Salesforce_EventLogFile, API-Sourcefire_eStreamer, API-Tenable_SecurityCenter, API-Tenable.io_Scanner, Flat_File-ActivIdentity_CMS, Flat_File-Airwatch_MDM, Flat_File-Alfresco, Flat_File-AllScripts, Flat_File-Apache_Access_Log, Flat_File-Apache_Error_Log, Flat_File-Apache_SSL_Access_Log, Flat_File-Apache_SSL_Error_Log, Flat_File-Apache_Tomcat_Access_Log, Flat_File-Apache_Tomcat_Console_Log, Flat_File-Avaya_Secure_Access_Link_Remote_Access_Log, Flat_File-Avaya_Voice_Mail_Log, Flat_File-Axway_SFTP, Flat_File-Beacon_Endpoint_Profiler, Flat_File-Bind_9, Flat_File-BlackBerry_Enterprise_Server, Flat_File-Blue_Coat_Proxy_BCREPORTERMAIN_Format, Flat_File-Blue_Coat_Proxy_CSV_Format, Flat_File-Blue_Coat_Proxy_SQUID-1_Format, Flat_File-Blue_Coat_Proxy_W3C_Format, Flat_File-Bro_IDS_Critical_Stack_Intel_Log, Flat_File-Broadcom_SiteMinder, Flat_File-CA_ACF2_for_z/OS-ACFRPTDS, Flat_File-CA_ACF2_for_z/OS-ACFRPTEL, Flat_File-CA_ACF2_for_z/OS-ACFRPTJL, Flat_File-CA_ACF2_for_z/OS-ACFRPTLL, Flat_File-CA_ACF2_for_z/OS-ACFRPTNV, Flat_File-CA_ACF2_for_z/OS-ACFRPTOM, Flat_File-CA_ACF2_for_z/OS-ACFRPTPW, Flat_File-CA_ACF2_for_z/OS-ACFRPTRL, Flat_File-CA_ACF2_for_z/OS-ACFRPTRV, Flat_File-CA_ControlMinder, Flat_File-Cerberus_FTP_Server, Flat_File-Cerner, Flat_File-Cisco_AMP_for_Endpoints, Flat_File-Cisco_Email_Security_Appliance, Flat_File-Cisco_LMS(cwcli), FlatFile-Cisco_LMS(Syslog), FlatFile-Cisco_NGFW, Flat_File-Cisco_Secure_ACS_CSV_File, Flat_File-Cisco_Security_Agent, Flat_File-Cisco_Umbrella_DNS, Flat_File-Cisco_Web_Security_aclog, Flat_File-Citrix_Access_Gateway_IIS_Format, Flat_File-Citrix_Access_Gateway_NCSA_Common_Format, Flat_File-Citrix_Access_Gateway_W3C_Format, Flat_File-Citrix_Presentation_Server, Flat_File-Citrix_Secure_Gateway, Flat_File-ClamAV_Anti-Virus, Flat_File-ColdFusion_Application_Log, Flat_File-ColdFusion_Exception_Log, Flat_File-ColdFusion_Mail_Log, Flat_File-ColdFusion_Mailsent_Log, Flat_File-ColdFusion_Server_Log, Flat_File-Cornerstone_Managed_File_Transfer, Flat_File-Coyote_Point_Equalizer, Flat_File-DB2_Audit_Log, Flat_File-DB2_via_BMC_Log_Master, Flat_File-Defender_Server, Flat_File-DocWorks, Flat_File-eClinicalWorks_Audit_Log, Flat_File-EMC_Isilon, Flat_File-Epicor_Coalition, Flat_File-FairWarning_Ready-For-Healthcare, Flat_File-FileZilla_System_Log, Flat_File-FireEye_Web_MPS, Flat_File-Forcepoint_Web_Security_CEF_Cloud_Format, Flat_File-Forescout_CounterACT, Flat_File-FoxT_BoKS_Server_Access_Control, Flat_File-FundsXpress, Flat_File-Gene6_FTP, Flat_File-GlobalSCAPE_EFT, Flat_File-Hadoop, Flat_File-HMC, Flat_File-HP-UX_Audit_Log, Flat_File-IBM_4690_POS, Flat_File-IBM_Informix_Application_Log, Flat_File-IBM_Informix_Audit_Log, Flat_File-IBM_Tivoli_Storage_Manager, Flat_File-IBM_WebSphere_App_Server_v7_Audit_Log, Flat_File-IBM_WebSphere_Cast_Iron_Cloud_Integration, Flat_File-IBM_ZOS_Batch_Decryption_Log, Flat_File-IBM_ZOS_CICS_Decryption_Log, Flat_File-IBM_ZOS_RACF_Access_Log, Flat_File-IBM_ZOS_RACF_SMF_Type_80, Flat_File-IPSwitch_WS_FTP, Flat_File-Irix_Audit_Logs, Flat_File-IT-CUBE_AgileSI, Flat_File-JBoss_Log_File, Flat_File-Juniper_Steel_Belted_Radius_Server, Flat_File-Kerio_Mail_Server, Flat_File-KERISYS_Doors_Event_Export_Format, Flat_File-Kippo_Honeypot, Flat_File-Linux_Audit_ASCII, Flat_File-Linux_Audit_Log, Flat_File-Linux_Host_Secure_Log, Flat_File-LOGbinder_EX, Flat_File-LogRhythm_Alarm_Reingest, Flat_File-LogRhythm_Data_Indexer_Monitor, Flat_File-LogRhythm_Oracle_Log, Flat_File-LogRhythm_System_Monitor, Flat_File-LogRhythm_System_Monitor_Log_File, Flat_File-LogRhythm_Trebek_Log, Flat_File-LogRhythm_Zeus_Log, Flat_File-Lotus_Domino_Client_Log, Flat_File-McAfee_Cloud_Proxy_do_not_use, Flat_File-McAfee_ePO_HIPS, Flat_File-McAfee_Foundstone, Flat_File-McAfee_Proxy_Cloud, Flat_File-McAfee_SaaS_Web_Protection, Flat_File-McAfee_Web_Gateway_Audit_Log, Flat_File-Merak, Flat_File-Meridian, Flat_File-Microsoft_ActiveSync_2010, Flat_File-Microsoft_CRM, Flat_File-Microsoft_DHCP_Server_Log, Flat_File-Microsoft_Forefront_TMG, Flat_File-Microsoft_Forefront_TMG_Web_Proxy, Flat_File-Microsoft_IIS(IISFormat)_File, Flat_File-Microsoft_IIS_7.x_W3C_Extended_Format, Flat_File-Microsoft_IIS_Error_Log_V6, Flat_File-Microsoft_IIS_FTP_IIS_Log_File_Format, Flat_File-Microsoft_IIS_FTP_W3C_Extended_Format, Flat_File-Microsoft_IIS_NCSA_Common_Format_File, Flat_File-Microsoft_IIS_SMTP_W3C_Format, Flat_File-Microsoft_IIS_URL_Scan_Log, Flat_File-Microsoft_IIS_W3C_File, Flat_File-Microsoft_ISA_Server_2004, Flat_File-Microsoft_ISA_Server_W3C_File, Flat_File-Microsoft_Netlogon, Flat_File-Microsoft_Port_Reporter_PR-PORTS_Log, Flat_File-Microsoft_Semantic_Logging, Flat_File-Microsoft_SQL_Server_2000_Error_Log, Flat_File-Microsoft_SQL_Server_2005_Error_Log, Flat_File-Microsoft_SQL_Server_2008_Error_Log, Flat_File-Microsoft_SQL_Server_2012_Error_Log, Flat_File-Microsoft_SQL_Server_2014_Error_Log, Flat_File-Microsoft_Windows_2003_DNS, Flat_File-Microsoft_Windows_2008_DNS, Flat_File-Microsoft_Windows_2012_DNS, Flat_File-Microsoft_Windows_Firewall, Flat_File-MicroStrategy, Flat_File-Mimecast_Audit, Flat_File-Mimecast_Email, Flat_File-Monetra, Flat_File-MongoDB, Flat_File-MS_Exchange_2003_Message_Tracking_Log, Flat_File-MS_Exchange_2007_Message_Tracking_Log, Flat_File-MS_Exchange_2010_Message_Tracking_Log, Flat_File-MS_Exchange_2013_Message_Tracking_Log, Flat_File-MS_Exchange_2016_Message_Tracking_Log, Flat_File-MS_Exchange_RPC_Client_Access, Flat_File-MS_IAS/RAS_Server_NPS_DB_Log_Format, Flat_File-MS_IAS/RAS_Server_Standard_Log_Format, Flat_File-MS_ISA_Server_2006_ISA_All_Fields, Flat_File-MS_ISA_Server_2006_W3C_All_Fields, Flat_File-MS_SQL_Server_Reporting_Services_2008, Flat_File-MySQL, Flat_File-MySQL_error.log, Flat_File-MySQL_mysql.log, Flat_File-MySQL_mysql-slow.log, Flat_File-Nessus_System_Log, Flat_File-NetApp_Cluster, Flat_File-Nginx_Log, Flat_File-Novell_Audit, Flat_File-Novell_GroupWise, Flat_File-Novell_LDAP, Flat_File-ObserveIT_Enterprise, Flat_File-Office_365_Message_Tracking, Flat_File-OpenDJ, Flat_File-OpenVMS, Flat_File-OpenVPN, Flat_File-Oracle_11g_Fine_Grained_Audit_Trail, Flat_File-Oracle_9i, Flat_File-Oracle_BRM_CM_Log, Flat_File-Oracle_BRM_DM_Log, Flat_File-Oracle_Listener_Audit_Trail, Flat_File-Oracle_SunOne_Directory_Server, Flat_File-Oracle_SunOne_Web_Server_Access_Log, Flat_File-Oracle_Virtual_Directory, Flat_File-Oracle_WebLogic_11g_Access_Log, Flat_File-Other, Flat_File-PeopleSoft, Flat_File-PhpMyAdmin_Honeypot, Flat_File-Postfix, Flat_File-PowerBroker_Servers, Flat_File-Princeton_Card_Secure, Flat_File-ProFTPD, Flat_File-PureMessage_For_Exchange_SMTP_Log, Flat_File-PureMessage_For_UNIX_Blocklist_Log, Flat_File-PureMessage_For_UNIX_Message_Log, Flat_File-RACF(SMF), FlatFile-Radmin, Flat_File-Restic_Backup_Log, Flat_File-RL_Patient_Feedback, Flat_File-RSA_Adaptive_Authentication, Flat_File-RSA_Authentication_Manager_6.1, Flat_File-S2_Badge_Reader, Flat_File-Safenet, Flat_File-Sendmail_File, Flat_File-Sharepoint_ULS, Flat_File-ShoreTel_VOIP, Flat_File-Siemens_Radiology_Information_System, Flat_File-Snort_Fast_Alert_File, Flat_File-Solaris-Sulog, Flat_File-Solaris_Audit_Log, Flat_File-SpamAssassin, Flat_File-Squid_Proxy, Flat_File-Subversion, Flat_File-Sudo.Log, Flat_File-Swift_Alliance, Flat_File-Symantec_Antivirus_10.x_Corporate_Edtn, Flat_File-Symantec_Antivirus_12.x_Corporate_Edtn, Flat_File-Symitar_Episys_Console_Log, Flat_File-Symitar_Episys_Sysevent_Log, Flat_File-Tandem_EMSOUT_Log_File, Flat_File-Tandem_XYGATE, Flat_File-Tectia_SSH_Server, Flat_File-Trade_Innovations_CSCS, Flat_File-Trend_Micro_IMSS, Flat_File-Trend_Micro_Office_Scan, Flat_File-Tumbleweed_Mailgate_Server, Flat_File-Verint_Audit_Trail_File, Flat_File-VMWare_Virtual_Machine, Flat_File-Voltage_Securemail, Flat_File-Vormetric_Log_File, Flat_File-vsFTP_Daemon_Log, Flat_File-Vyatta_Firewall_Kernel_Log, Flat_File-WordPot_Honeypot, Flat_File-X-NetStat_Log, Flat_File-XPient_POS_CCA_Manager, Flat_File-XPIENT_POS_POSLOG, Flat_File-XPIENT_POS_Shell_Log, IPFIX-IP_Flow_Information_Export, J-Flow-Juniper_J-Flow_Version_5, J-Flow-Juniper_J-Flow_Version_9, LogRhythm_CloudAI, LogRhythm_Data_Loss_Defender, LogRhythm_Demo_File-Application_Server_Log, LogRhythm_Demo_File-Content_Inspection_Log, LogRhythm_Demo_File-Database_Audit_Log, LogRhythm_Demo_File-Ecom_Server_Log, LogRhythm_Demo_File-File_Server_Log, LogRhythm_Demo_File-Firewall_Log, LogRhythm_Demo_File-FTP_Log, LogRhythm_Demo_File-IDS_Alarms_Log, LogRhythm_Demo_File-Mail_Server_Log, LogRhythm_Demo_File-Netflow_Log, LogRhythm_Demo_File-Network_Device_Log, LogRhythm_Demo_File-Network_Server_Log, LogRhythm_Demo_File-VPN_Log, LogRhythm_Demo_File-Web_Access_Log, LogRhythm_File_Monitor(AIX), LogRhythmFile_Monitor(HP-UX), LogRhythmFile_Monitor(Linux), LogRhythmFile_Monitor(Solaris), LogRhythmFile_Monitor(Windows), LogRhythmFilter, LogRhythm_Network_Connection_Monitor(AIX), LogRhythmNetwork_Connection_Monitor(HP-UX), LogRhythmNetwork_Connection_Monitor(Linux), LogRhythmNetwork_Connection_Monitor(Solaris), LogRhythmNetwork_Connection_Monitor(Windows), LogRhythmProcess_Monitor(AIX), LogRhythmProcess_Monitor(HP-UX), LogRhythmProcess_Monitor(Linux), LogRhythmProcess_Monitor(Solaris), LogRhythmProcess_Monitor(Windows), LogRhythmRegistry_Integrity_Monitor, LogRhythm_SQL_Server_2000_C2_Audit_Log, LogRhythm_SQL_Server_2005_C2_Audit_Log, LogRhythm_SQL_Server_2008_C2_Audit_Log, LogRhythm_SQL_Server_2012+_C2_Audit_Log, LogRhythm_User_Activity_Monitor(AIX), LogRhythmUser_Activity_Monitor(HP-UX), LogRhythmUser_Activity_Monitor(Linux), LogRhythmUser_Activity_Monitor(Solaris), LogRhythmUser_Activity_Monitor(Windows), MSEvent_Log_for_XP/2000/2003-Application, MS_Event_Log_for_XP/2000/2003-Application-Espaniol, MS_Event_Log_for_XP/2000/2003-BioPassword, MS_Event_Log_for_XP/2000/2003-DFS, MS_Event_Log_for_XP/2000/2003-Directory_Service, MS_Event_Log_for_XP/2000/2003-DNS, MS_Event_Log_for_XP/2000/2003-DotDefender, MS_Event_Log_for_XP/2000/2003-EMC_Celerra_NAS, MS_Event_Log_for_XP/2000/2003-File_Rep_Service, MS_Event_Log_for_XP/2000/2003-HA, MS_Event_Log_for_XP/2000/2003-Kaspersky, MS_Event_Log_for_XP/2000/2003-Micros_POS, MS_Event_Log_for_XP/2000/2003-PatchLink, MS_Event_Log_for_XP/2000/2003-SafeWord_2008, MS_Event_Log_for_XP/2000/2003-SCE, MS_Event_Log_for_XP/2000/2003-Security, MS_Event_Log_for_XP/2000/2003-Security-Espaniol, MS_Event_Log_for_XP/2000/2003-SMS_2003, MS_Event_Log_for_XP/2000/2003-System, MS_Event_Log_for_XP/2000/2003-System-Espaniol, MS_Event_Log_for_XP/2000/2003-Virtual_Server, MS_Windows_Event_Logging-ADFS_Admin, MS_Windows_Event_Logging-Application, MS_Windows_Event_Logging-AppLockerApp, MS_Windows_Event_Logging-Backup, MS_Windows_Event_Logging-Citrix_Delivery_Services, MS_Windows_Event_Logging-Citrix_XenApp, MS_Windows_Event_Logging-DFS, MS_Windows_Event_Logging-DHCP_Admin, MS_Windows_Event_Logging-DHCP_Operational, MS_Windows_Event_Logging-Diagnosis-PLA, MS_Windows_Event_Logging-Digital_Persona, MS_Windows_Event_Logging-Dir_Service, MS_Windows_Event_Logging-DNS, MS_Windows_Event_Logging-Dot_Defender, MS_Windows_Event_Logging-ESD_Data_Flow_Track, MS_Windows_Event_Logging-Exchange_Mailbox_DB_Failures, MS_Windows_Event_Logging-FailoverClustering/Operational, MS_Windows_Event_Logging-Firewall_With_Advanced_Security, MS_Windows_Event_Logging-Forefront_AV, MS_Windows_Event_Logging-Group_Policy_Operational, MS_Windows_Event_Logging-Hyper-V_Hvisor, MS_Windows_Event_Logging-Hyper-V_IMS, MS_Windows_Event_Logging-Hyper-V_Network, MS_Windows_Event_Logging-Hyper-V_SynthSt, MS_Windows_Event_Logging-Hyper-V_VMMS, MS_Windows_Event_Logging-Hyper-V_Worker, MS_Windows_Event_Logging-Kaspersky, MS_Windows_Event_Logging-Kernel_PnP_Configuration, MS_Windows_Event_Logging-Lync_Server, MS_Windows_Event_Logging-MSExchange_Management, MS_Windows_Event_Logging-Operations_Manager, MS_Windows_Event_Logging-PowerShell, MS_Windows_Event_Logging-Print_Services, MS_Windows_Event_Logging-Quest_ActiveRoles_EDM_Server, MS_Windows_Event_Logging-Replication, MS_Windows_Event_Logging-SafeWord_2008, MS_Windows_Event_Logging-Security, MS_Windows_Event_Logging-Setup, MS_Windows_Event_Logging-Sysmon, MS_Windows_Event_Logging-System, MS_Windows_Event_Logging-Task_Scheduler, MS_Windows_Event_Logging-TS_Gateway, MS_Windows_Event_Logging-TS_Licensing, MS_Windows_Event_Logging-TS_Local_Session_Manager, MS_Windows_Event_Logging-TS_Remote_Connection_Manager, MS_Windows_Event_Logging-TS_Session_Broker, MS_Windows_Event_Logging-TS_Session_Broker_Client, MS_Windows_Event_Logging-VisualSVN, MS_Windows_Event_Logging:Deutsch-Security, MS_Windows_Event_Logging:Espaniol-Application, MS_Windows_Event_Logging:Espaniol-Security, MS_Windows_Event_Logging:Espaniol-System, MS_Windows_Event_Logging:Francais-System, MS_Windows_Event_Logging:Francais-Security, MS_Windows_Event_Logging_XML-ADFS, MS_Windows_Event_Logging_XML-Application, MS_Windows_Event_Logging_XML-Forwarded_Events, MS_Windows_Event_Logging_XML-Generic, MS_Windows_Event_Logging_XML-Microsoft-Windows-NTLM/Operational, MS_Windows_Event_Logging_XML-Security, MS_Windows_Event_Logging_XML-Sysmon, MS_Windows_Event_Logging_XML-Sysmon_7.01, MS_Windows_Event_Logging_XML-Sysmon_8/9/10, MS_Windows_Event_Logging_XML-System, MS_Windows_Event_Logging_XML-Unisys_Stealth, MS_Windows_Event_Logging_XML-Windows_Defender, Netflow-Cisco_Netflow_Version_1, Netflow-Cisco_Netflow_Version_5, Netflow-Cisco_Netflow_Version_9, Netflow-Palo_Alto_Version_9, Netflow-SonicWALL_Version_5, Netflow-SonicWALL_Version_9, OPSEC_LEA-Checkpoint_Firewall, OPSEC_LEA-Checkpoint_Firewall_Audit_Log, OPSEC_LEA-Checkpoint_For_LR_7.4.1+, OPSEC_LEA-Checkpoint_Log_Server, sFlow-Version_5, SNMP_Trap-Audiolog, SNMP_Trap-Autoregistered, SNMP_Trap-Brocade_Switch, SNMP_Trap-Cisco_5508_Wireless_Controller, SNMP_Trap-Cisco_IP_SLA, SNMP_Trap-Cisco_Prime, SNMP_Trap-Cisco_Router-Switch, SNMP_Trap-CyberArk, SNMP_Trap-Dell_OpenManage, SNMP_Trap-HP_Network_Node_Manager, SNMP_Trap-IBM_TS3000_Series_Tape_Drive, SNMP_Trap-Riverbed_SteelCentral_NetShark, SNMP_Trap-RSA_Authentication_Manager, SNMP_Trap-Swift_Alliance, SNMP_Trap-Trend_Micro_Control_Manager, Syslog-3Com_Switch, Syslog-A10_Networks_AX1000_Load_Balancer, Syslog-A10_Networks_Web_Application_Firewall, Syslog-Accellion_Secure_File_Transfer_Application, Syslog-Active_Scout_IPS, Syslog-Adallom, Syslog-Adtran_Switch, Syslog-Aerohive_Access_Point, Syslog-Aerohive_Firewall, Syslog-AIMIA_Tomcat, Syslog-AirDefense_Enterprise, Syslog-Airmagnet_Wireless_IDS, Syslog-AirTight_IDS/IPS, Syslog-AirWatch_MDM, Syslog-Airwave_Management_System_Log, Syslog-AIX_Host, Syslog-Alcatel-Lucent_Switch, Syslog-Alcatel-Lucent_Wireless_Controller, Syslog-AlertLogic, Syslog-AMX_AV_Controller, Syslog-Apache_Access_Log, Syslog-Apache_Error_Log, Syslog-Apache_Tomcat_Request_Parameters, Syslog-Apache_Tomcat_Service_Clients_Log, Syslog-APC_ATS, Syslog-APC_NetBotz_Environmental_Monitoring, Syslog-APC_PDU, Syslog-APC_UPS, Syslog-Apcon_Network_Monitor, Syslog-Apex_One, Syslog-Arbor_Networks_Peakflow, Syslog-Arbor_Networks_Spectrum, Syslog-Arbor_Pravail_APS, Syslog-Arista_Switch, Syslog-Array_TMX_Load_Balancer, Syslog-Arris_CMTS, Syslog-Aruba_Clear_Pass, Syslog-Aruba_Mobility_Controller, Syslog-Aruba_Wireless_Access_Point, Syslog-AS/400_via_Powertech_Interact, Syslog-Asus_WRT_Router, Syslog-Avatier_Identity_Management_Suite(AIMS), Syslog-_Avaya_Communications_Manager, Syslog-Avaya_Ethernet_Routing_Switch, Syslog-Avaya_G450_Media_Gateway, Syslog-Avaya_Router, Syslog-Aventail_SSL/VPN, Syslog-Avocent_Cyclades_Terminal_Server, Syslog-Azul_Java_Appliance, Syslog-Barracuda_Load_Balancer, Syslog-Barracuda_Mail_Archiver, Syslog-Barracuda_NG_Firewall, Syslog-Barracuda_NG_Firewall_6.x, Syslog-Barracuda_Spam_Firewall, Syslog-Barracuda_Web_Application_Firewall, Syslog-Barracuda_Webfilter, Syslog-BeyondTrust_BeyondInsight_LEEF, Syslog-Bind_DNS, Syslog-Bit9_Parity_Suite, Syslog-Bit9_Security_Platform_CEF, Syslog-Bit9+Carbon_Black(Deprecated), Syslog-_BitDefender, Syslog-Black_Diamond_Switch, Syslog-Blue_Coat_CAS, Syslog-Blue_Coat_Forward_Proxy, Syslog-Blue_Coat_PacketShaper, Syslog-Blue_Coat_ProxyAV_ISA_W3C_Format, Syslog-Blue_Coat_ProxyAV_MS_Proxy_2.0_Format, Syslog-Blue_Coat_ProxySG, Syslog-Blue_Socket_Wireless_Controller, Syslog-Bluecat_Adonis, Syslog-BlueCedar, Syslog-BluVector, Syslog-Bomgar, Syslog-Bradford_Networks_NAC, Syslog-Bradford_Remediation&Registration_Svr, Syslog-Bro_IDS, Syslog-Brocade_Switch, Syslog-Bromium_vSentry_CEF, Syslog-BSD_Host, Syslog-CA_Privileged_Access_Manager, Syslog-Cb_Defense_CEF, Syslog-Cb_Protection_CEF, Syslog-Cb_Response_LEEF, Syslog-Cell_Relay, Syslog-Certes_Networks_CEP, Syslog-Check_Point_Log_Exporter, Syslog-Checkpoint_Site-to-Site_VPN, Syslog-Cisco_ACS, Syslog-Cisco_Aironet_WAP, Syslog-Cisco_APIC, Syslog-Cisco_Application_Control_Engine, Syslog-Cisco_ASA, Syslog-Cisco_Clean_Access(CCA)Appliance, Syslog-Cisco_CSS_Load_Balancer, Syslog-Cisco_Email_Security_Appliance, Syslog-Cisco_FirePOWER, Syslog-Cisco_Firepower_Threat_Defense, Syslog-Cisco_FireSIGHT, Syslog-Cisco_FWSM, Syslog-Cisco_Global_Site_Selector, Syslog-Cisco_ISE, Syslog-Cisco_Meraki, Syslog-Cisco_Nexus_Switch, Syslog-Cisco_PIX, Syslog-Cisco_Prime_Infrastructure, Syslog-Cisco_Router, Syslog-Cisco_Secure_ACS_5, Syslog-Cisco_Session_Border_Controller, Syslog-Cisco_Switch, Syslog-Cisco_Telepresence_Video_Communications_Server, Syslog-Cisco_UCS, Syslog-Cisco_Unified_Comm_Mgr(CallMgr), Syslog-Cisco_VPN_Concentrator, Syslog-Cisco_WAAS, Syslog-Cisco_Web_Security, Syslog-Cisco_Wireless_Access_Point, Syslog-Cisco_Wireless_Control_System, Syslog-CiscoWorks, Syslog-Citrix_Access_Gateway_Server, Syslog-Citrix_Netscaler, Syslog-Citrix_XenServer, Syslog-Claroty_CTD_CEF, Syslog-Clearswift_Secure_Email_Gateway, Syslog-CloudLock, Syslog-CodeGreen_Data_Loss_Prevention, Syslog-Cofense_Triage_CEF, Syslog-Consentry_NAC, Syslog-Corero_IPS, Syslog-Corero_SmartWall_DDoS, Syslog-CoyotePoint_Equalizer, Syslog-Crowdstrike_Falconhost_CEF, Syslog-CyberArk, Syslog-CyberArk_Privileged_Threat_Analytics, Syslog-Cylance_CEF, Syslog-CylancePROTECT, Syslog-DarkTrace_CEF, Syslog-Dell_Force_10, Syslog-Dell_PowerConnect_Switch, Syslog-Dell_Remote_Access_Controller, Syslog-Dell_SecureWorks_iSensor_IPS, Syslog-Dialogic_Media_Gateway, Syslog-Digital_Guardian_CEF, Syslog-D-Link_Switch, Syslog-Don_not_use, Syslog-Dragos_Platform_CEF, Syslog-Ecessa_ShieldLink, Syslog-EfficientIP, Syslog-EMC_Avamar, Syslog-EMC_Centera, Syslog-EMC_Data_Domain, Syslog-EMC_Isilon, Syslog-EMC_Unity_Array, Syslog-EMC_VNX, Syslog-Ensilo_NGAV, Syslog-Enterasys_Dragon_IDS, Syslog-Enterasys_Router, Syslog-Enterasys_Switch, Syslog-Entrust_Entelligence_Messaging_Server, Syslog-Entrust_IdentityGuard, Syslog-Epic_Hyperspace_CEF, Syslog-EqualLogic_SAN, Syslog-eSafe_Email_Security, Syslog-ESET_Remote_Administrator(ERA)LEEF, Syslog-Event_Reporter(Win2000/XP/2003), Syslog-Exabeam, Syslog-Exchange_Message_Tracking, Syslog-ExtraHop, Syslog-Extreme_Wireless_LAN, Syslog-ExtremeWare, Syslog-ExtremeXOS, Syslog-F5_BIG-IP_Access_Policy_Manager, Syslog-F5_BIG-IP_AFM, Syslog-F5_BIG-IP_ASM, Syslog-F5_BIG-IP_ASM_Key-Value_Pairs, Syslog-F5_BIG-IP_ASM_v12, Syslog-F5_Big-IP_GTM&DNS, Syslog-F5_Big-IP_LTM, Syslog-F5_FirePass_Firewall, Syslog-F5_Silverline_DDoS_Protection, Syslog-Fargo_HDP_Card_Printer_and_Encoder, Syslog-Fat_Pipe_Load_Balancer, Syslog-Fidelis_XPS, Syslog-FireEye_E-Mail_MPS, Syslog-FireEye_EX, Syslog-FireEye_Web_MPS/CMS/ETP/HX, Syslog-Forcepoint_DLP, Syslog-Forcepoint_Email_Security_Gateway, Syslog-Forcepoint_Stonesoft_NGFW, Syslog-Forcepoint_SureView_Insider_Threat, Syslog-Forcepoint_Web_Security, Syslog-Forcepoint_Web_Security_CEF_Format, Syslog-Forescout_CounterACT_NAC, Syslog-Fortinet_FortiAnalyzer, Syslog-Fortinet_FortiAuthenticator, Syslog-Fortinet_FortiDDoS, Syslog-Fortinet_FortiGate, Syslog-Fortinet_FortiGate_v4.0, Syslog-Fortinet_FortiGate_v5.0, Syslog-Fortinet_FortiGate_v5.2, Syslog-Fortinet_FortiGate_v5.4/v5.6, Syslog-Fortinet_FortiGate_v5.6_CEF, Syslog-Fortinet_Fortigate_v6.0, Syslog-Fortinet_FortiMail, Syslog-Fortinet_FortiWeb, Syslog-Foundry_Switch, Syslog-Gene6_FTP, Syslog-Generic_CEF, Syslog-Generic_ISC_DHCP, Syslog-Generic_LEEF, Syslog-Guardium_Database_Activity_Monitor, Syslog-H3C_Router, Syslog-Hitachi_Universal_Storage_Platform, Syslog-HP_BladeSystem, Syslog-HP_iLO, Syslog-HP_Procurve_Switch, Syslog-HP_Router, Syslog-HP_Switch, Syslog-HP_Unix_Tru64, Syslog-HP_Virtual_Connect_Switch, Syslog-HP-UX_Host, Syslog-Huawei_Access_Router, Syslog-IBM_Blade_Center, Syslog-IBM_Security_Network_Protection, Syslog-IBM_Virtual_Tape_Library_Server, Syslog-IBM_WebSphere_DataPower_Integration, Syslog-IBM_zSecure_Alert_for_ACF2_2.1.0, Syslog-IceWarp_Server, Syslog-Imperva_Incapsula_CEF, Syslog-Imperva_SecureSphere, Syslog-Imprivata_OneSign_SSO, Syslog-InfoBlox, Syslog-Invincea(LEEF), Syslog-_iPrism_Proxy_Log, Syslog-IPSWITCH_MOVEit_Server, Syslog-IPTables, Syslog-IRIX_Host, Syslog-iSeries_via_Powertech_Interact, Syslog-Ivanti_FileDirector, Syslog-JetNexus_Load_Balancer, Syslog-Juniper_DX_Application_Accelerator, Syslog-Juniper_Firewall, Syslog-Juniper_Firewall_3400, Syslog-Juniper_Host_Checker, Syslog-Juniper_IDP, Syslog-Juniper_NSM, Syslog-Juniper_Router, Syslog-Juniper_SSL_VPN, Syslog-Juniper_SSL_VPN_WELF_Format, Syslog-Juniper_Switch, Syslog-Juniper_Trapeze, Syslog-Juniper_vGW_Virtual_Gateway, Syslog-Kaspersky_Security_Center, Syslog-Kea_DHCP_Server, Syslog-Kemp_Load_Balancer, Syslog-KFSensor_Honeypot, Syslog-KFSensor_Honeypot_CEF, Syslog-Lancope_StealthWatch, Syslog-Lancope_StealthWatch_CEF, Syslog-Layer_7_SecureSpan_SOA_Gateway, Syslog-Legacy_Checkpoint_Firewall(NotLog_Exporter), Syslog-Legacy_Checkpoint_IPS(NotLog_Exporter), Syslog-Lieberman_Enterprise_Random_Password_Manager, Syslog-Linux_Audit, Syslog-Linux_Host, Syslog-Linux_TACACS_Plus, Syslog-LOGbinder_EX, Syslog-LOGbinder_SP, Syslog-LOGbinder_SQL, Syslog-LogRhythm_Data_Indexer_Monitor, Syslog-LogRhythm_Inter_Deployment_Data_Sharing, Syslog-LogRhythm_Log_Distribution_Services, Syslog-LogRhythm_Network_Monitor, Syslog-LogRhythm_Syslog_Generator, Syslog-Lumension, Syslog-MacOS_X, Syslog-Malwarebytes_Endpoint_Security_CEF, Syslog-Mandiant_MIR, Syslog-McAfee_Advanced_Threat_Defense, Syslog-McAfee_Email_And_Web_Security, Syslog-McAfee_ePO, Syslog-McAfee_Firewall_Enterprise, Syslog-McAfee_Network_Security_Manager, Syslog-McAfee_Secure_Internet_Gateway, Syslog-McAfee_SecureMail, Syslog-McAfee_Skyhigh_for_Shadow_IT_LEEF, Syslog-McAfee_Web_Gateway, Syslog-mGuard_Firewall, Syslog-Microsoft_Advanced_Threat_Analytics(ATA)CEF, Syslog-Microsoft_Azure_Log_Integration, Syslog-Microsoft_Azure_MFA, Syslog-Microsoft_Forefront_UAG, Syslog-Mirapoint, Syslog-MobileIron, Syslog-Motorola_Access_Point, Syslog-MS_IIS_Web_Log_W3C_Format(Snare), Syslog-_MS_Windows_Event_Logging_XML-Application, Syslog-MS_Windows_Event_Logging_XML-Security, Syslog-MS_Windows_Event_Logging_XML-System, Syslog-Nagios, Syslog-nCircle_Configuration_Compliance_Manager, Syslog-NetApp_Filer, Syslog-NETASQ_Firewall, Syslog-NetGate_Router, Syslog-NetMotion_VPN, Syslog-Netscout_nGenius_InfiniStream, Syslog-NetScreen_Firewall, Syslog-Netskope, Syslog-Netskope_CEF, Syslog-Network_Chemistry_RFprotect, Syslog-Nginx_Web_Log, Syslog-Nimble_Storage, Syslog-Nortel_8600_Switch, Syslog-Nortel_BayStack_Switch, Syslog-Nortel_Contivity, Syslog-Nortel_Firewall, Syslog-Nortel_IP_1220, Syslog-Nortel_Passport_Switch, Syslog-Nozomi_Networks_Guardian_CEF, Syslog-NuSecure_Gateway, Syslog-Nutanix, Syslog-Open_Collector, Syslog-Open_Collector-AWS_CloudTrail, Syslog-Open_Collector-AWS_CloudWatch, Syslog-Open_Collector-AWS_Config_Events, Syslog-Open_Collector-AWS_Guard_Duty, Syslog-Open_Collector-AWS_S3, Syslog-Open_Collector-Azure_Event_Hub, Syslog-Open_Collector-Carbon_Black_Cloud, Syslog-Open_Collector-CarbonBlackBeat_Heartbeat, Syslog-Open_Collector-Cisco_AMP, Syslog-Open_Collector-Cisco_Umbrella, Syslog-Open_Collector-CiscoAMPBeat_Heartbeat, Syslog-Open_Collector-Duo_Authentication_Security, Syslog-Open_Collector-DuoBeat_Heartbeat, Syslog-Open_Collector-EventHubBeat_Heartbeat, Syslog-Open_Collector-GCP_Audit, Syslog-Open_Collector-GCP_Cloud_Key_Management_Service, Syslog-Open_Collector-GCP_Http_Load_Balancer, Syslog-Open_Collector-GCP_Pub_Sub, Syslog-Open_Collector-GCP_Security_Command_Center, Syslog-Open_Collector-GCP_Virtual_Private_Cloud, Syslog-Open_Collector-Gmail_Message_Tracking, Syslog-Open_Collector-GMTBeat_Heartbeat, Syslog-Open_Collector-GSuite, Syslog-Open_Collector-GSuiteBeat_Heartbeat, Syslog-Open_Collector-Metricbeat, Syslog-Open_Collector-Okta_System_Log, Syslog-Open_Collector-OktaSystemLogBeat_Heartbeat, Syslog-Open_Collector-PubSubBeat_Heartbeat, Syslog-Open_Collector-S3Beat_Heartbeat, Syslog-Open_Collector-Sophos_Central, Syslog-Open_Collector-SophosCentralBeat_Heartbeat, Syslog-Open_Collector-Webhook, Syslog-Open_Collector-Webhook_OneLogin, Syslog-Open_Collector-Webhook_Zoom, Syslog-Open_Collector-WebhookBeat_Heartbeat, Syslog-Opengear_Console, Syslog-OpenLDAP, Syslog-Oracle_10g_Audit_Trail, Syslog-Oracle_11g_Audit_Trail, Syslog-OSSEC_Alerts, Syslog-Other, Syslog-Outpost24, Syslog-Palo_Alto_Cortex_XDR, Syslog-Palo_Alto_Custom_Pipe, Syslog-Palo_Alto_Firewall, Syslog-Palo_Alto_Traps_CEF, Syslog-Palo_Alto_Traps_Management_Service, Syslog-Password_Manager_Pro, Syslog-pfSense_Firewall, Syslog-PingFederate_7.2, Syslog-PingFederate_CEF, Syslog-Polycom, Syslog-Postfix, Syslog-Procera_PacketLogic, Syslog-Proofpoint_Spam_Firewall, Syslog-Protegrity_Defiance_DPS, Syslog-QLogic_Infiniband_Switch, Syslog-Quest_Defender, Syslog-Radiator_Radius, Syslog-RADiFlow_3180_Switch, Syslog-Radware_Alteon_Load_Balancer, Syslog-Radware_DefensePro, Syslog-Radware_Web_Server_Director_Audit_Log, Syslog-Raritan_KVM, Syslog-Raz-Lee, Syslog-RedSeal, Syslog-Riverbed, Syslog-RSA_ACE, Syslog-RSA_Authentication_Manager_v7.1, Syslog-RSA_Authentication_Manager_v8.x, Syslog-RSA_Web_Threat_Detection, Syslog-RSA_Web_Threat_Detection_5.1, Syslog-RuggedRouter, Syslog-Safenet, Syslog-Sailpoint, Syslog-Sauce_Labs, Syslog-SecureAuth_IdP, Syslog-SecureAuth_IdP_v9, Syslog-SecureLink, Syslog-SecureTrack, Syslog-SEL_3610_Port_Switch, Syslog-SEL_3620_Ethernet_Security_Gateway, Syslog-Sentinel_IPS, Syslog-SentinelOne_CEF, Syslog-Sguil, Syslog-Siemens_Scalance_X400, Syslog-Smoothwall_Firewall, Syslog-SnapGear_Firewall, Syslog-Snare_Windows_2003_Event_Log, Syslog-Snare_Windows_2008_Event_Log, Syslog-Snort_IDS, Syslog-Solaris(Snare), Syslog-_Solaris_Host, Syslog-SonicWALL, Syslog-SonicWALL_SSL-VPN, Syslog-Sophos_Email_Encryption_Appliance, Syslog-Sophos_UTM, Syslog-Sophos_Web_Proxy, Syslog-Sophos_XG_Firewall, Syslog-Sourcefire_IDS_3D, Syslog-Sourcefire_RNA, Syslog-Spectracom_Network_Time_Server, Syslog-Splunk_API-Checkpoint_Firewall, Syslog-Splunk_API-Cisco_Netflow_V9, Syslog-Splunk_API-Nessus_Vulnerability_Scanner, Syslog-Squid_Proxy, Syslog-StealthBits_Activity_Monitor, Syslog-STEALTHbits_StealthINTERCEPT, Syslog-StoneGate_Firewall, Syslog-Stonesoft_IPS, Syslog-Stormshield_Network_Security_Firewall, Syslog-Sycamore_Networks_DNX-88, Syslog-Sygate_Firewall, Syslog-Symantec_Advanced_Threat_Protection(ATP)CEF, Syslog-Symantec_DLP_CEF, Syslog-Symantec_Endpoint_Server, Syslog-Symantec_Messaging_Gateway, Syslog-Symantec_PGP_Gateway, Syslog-Symbol_Wireless_Access_Point, Syslog-Tanium, Syslog-Temporary_LST-2, Syslog-Tenable_SecurityCenter, Syslog-Thycotic_Secret_Server, Syslog-Tipping_Point_IPS, Syslog-Tipping_Point_SSL_Reverse_Proxy, Syslog-Top_Layer_IPS, Syslog-Townsend_Alliance_LogAgent, Syslog-Trend_Micro_Control_Manager_CEF, Syslog-Trend_Micro_Deep_Discovery_Inspector, Syslog-Trend_Micro_Deep_Security_CEF, Syslog-Trend_Micro_Deep_Security_LEEF, Syslog-Trend_Micro_IWSVA, Syslog-Trend_Micro_Vulnerability_Protection_Manager, Syslog-Tripwire, Syslog-Trustwave_NAC, Syslog-Trustwave_Secure_Web_Gateway, Syslog-Trustwave_Web_Application_Firewall, Syslog-Tufin, Syslog-Tumbleweed_Mailgate_Server, Syslog-Ubiquiti_UniFi_Security_Gateway, Syslog-Ubiquiti_UniFi_Switch, Syslog-Ubiquiti_UniFi_WAP, Syslog-Untangle, Syslog-Vamsoft_ORF, Syslog-Vanguard_Active_Alerts, Syslog-Varonis_DatAlert, Syslog-Vasco_Digipass_Identikey_Server, Syslog-Vectra_Networks, Syslog-Versa_Networks_SD-WAN, Syslog-VMWare_ESX/ESXi_Server, Syslog-VMware_Horizon_View, Syslog-VMWare_NSX/NSX-T, Syslog-VMWare_Unified_Access_Gateway, Syslog-VMWare_vCenter_Server, Syslog-VMWare_vShield, Syslog-Voltage_Securemail, Syslog-Vormetric_CoreGuard, Syslog-Vormetric_Data_Security_Manager, Syslog-WALLIX_Bastion, Syslog-Watchguard_FireBox, Syslog-WS2000_Wireless_Access_Point, Syslog-Wurldtech_SmartFirewall, Syslog-Xirrus_Wireless_Array, Syslog-Zimbra_System_Log, Syslog-Zix_E-mail_Encryption, Syslog-Zscaler_Nano_Streaming_Service, Syslog-ZXT_Load_Balancer, Syslog-ZyWALL_VPN_Firewall, Syslog_Avaya_G450_Media_Gateway, Syslog_File-AIX_Host, Syslog_File-BSD_Format, Syslog_File-HP-UX_Host, Syslog_File-IRIX_Host, Syslog_File-Linux_Host, Syslog_File-LogRhythm_Syslog_Generator, Syslog_File-MS_2003_Event_Log(Snare), SyslogFile-Oracle_10g_Audit_Trail, Syslog_File-Oracle_11g_Audit_Trail, Syslog_File-Solaris_Host, UDLA-CA_Single_Sign-On, UDLA-Deepnet_DualShield, UDLA-Drupal, UDLA-Finacle_Core, UDLA-Finacle_Treasury_Logs, UDLA-Forcepoint, UDLA-Gallagher_Command_Centre, UDLA-iManage_Worksite, UDLA-ISS_Proventia_SiteProtector-IPS, UDLA-LogRhythm_Enterprise_Monitoring_Solution, UDLA-LREnhancedAudit, UDLA-McAfee_ePolicy_Orchestrator-Universal_ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_3.6-Events, UDLA-McAfee_ePolicy_Orchestrator_4.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_4.5-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.1-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.3-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.9-ePOEvents, UDLA-McAfee_Network_Access_Control, UDLA-McAfee_Network_Security_Manager, UDLA-Microsoft_System_Center_2012_Endpoint_Protection, UDLA-ObserveIT, UDLA-Oracle_10g_Audit_Trail, UDLA-Oracle_11g_Audit_Trail, UDLA-Oracle_12C_Unified_Auditing, UDLA-Oracle_9i_Audit_Trail, UDLA-Other, UDLA-SEL_3530_RTAC, UDLA-SharePoint_2007_AuditData, UDLA-SharePoint_2010_EventData, UDLA-SharePoint_2013_EventData, UDLA-Siemens_Invision, UDLA-Sophos_Anti-Virus, UDLA-Sophos_Endpoint_Security_and_Control, UDLA-Symantec_CSP, UDLA-Symantec_SEP, UDLA-Symmetry_Access_Control, UDLA-VMWare_vCenter_Server, UDLA-VMWare_vCloud, VLS-Syslog-Infoblox-DNS_RPZ, VLS-Syslog-Infoblox-_Threat_Protection. | Optional |
| host_name | Impacted host name. | Optional |
| username | Username. | Optional |
| subject | Email subject. | Optional |
| sender | Email sender. | Optional |
| recipient | Email recipient. | Optional |
| hash | Hash. | Optional |
| url | URL. | Optional |
| process_name | Process name. | Optional |
| object | Log object. | Optional |
| ip_address | IP address. | Optional |
| max_massage | Maximum number of log message to query. Default is 10. | Optional |
| query_timeout | The query timeout in seconds. Default is 60. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Search.Task.TaskID | String | Task ID |
Command Example#
Human Readable Output#
New search query created, Task ID=e1c3f960-e1c3f960-e1c3f960
lr-get-query-result#
Get search query result with task ID output from lr-execute-search-query command
Base Command#
lr-get-query-result
Input#
| Argument Name | Description | Required |
|---|---|---|
| task_id | Task ID from lr-execute-search-query command output. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Search.Results.TaskStatus | String | Task Status |
| Logrhythm.Search.Results.TaskID | String | Task ID |
| Logrhythm.Search.Results.Items.originEntityId | Number | Entity ID |
| Logrhythm.Search.Results.Items.impactedIp | String | Impacted IP |
| Logrhythm.Search.Results.Items.classificationTypeName | String | Classification Name |
| Logrhythm.Search.Results.Items.logSourceName | String | Log Source Name |
| Logrhythm.Search.Results.Items.entityName | String | Entity Name |
| Logrhythm.Search.Results.Items.normalDate | Date | Date |
| Logrhythm.Search.Results.Items.vendorMessageId | String | Vendor Log message |
| Logrhythm.Search.Results.Items.priority | Number | Log priority |
| Logrhythm.Search.Results.Items.sequenceNumber | String | Seq number |
| Logrhythm.Search.Results.Items.originHostId | Number | Origin Host ID |
| Logrhythm.Search.Results.Items.mpeRuleId | Number | Log Rhythm rule ID |
| Logrhythm.Search.Results.Items.originIp | String | Origin IP |
| Logrhythm.Search.Results.Items.mpeRuleName | String | Log Rhythm rule name |
| Logrhythm.Search.Results.Items.logSourceHostId | Number | Log Source host ID |
| Logrhythm.Search.Results.Items.originHost | String | Origin Host |
| Logrhythm.Search.Results.Items.logDate | Date | Log Date |
| Logrhythm.Search.Results.Items.classificationName | String | Log classification name |
Command Example#
Human Readable Output#
Search results for task e1c3f960-e1c3f960-e1c3f960#
OriginEntityId ImpactedIp LogSourceName OriginHost EntityName 1 10.0.0.1 Linux Syslog 1.2.3.4 Nothing
lr-get-users#
Returns a list of users
Base Command#
lr-get-users
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | The LogRhythm user ID. | Optional |
| count | Number of users to return. Default is 30. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.User.ID | string | LogRhythm user ID |
| Logrhythm.User.DateUpdated | string | Date that the user was updated. |
| Logrhythm.User.HostStatus | string | Host status of the LogRhythm user. |
| Logrhythm.User.LastName | string | Last name of the LogRhythm user. |
| Logrhythm.User.FirstName | string | First name of the LogRhythm user. |
| Logrhythm.User.UserType | string | LogRhythm user type |
| Logrhythm.User.Entity | string | LogRhythm entity information |
| Logrhythm.User.Owner | string | LogRhythm owner information |
| Logrhythm.User.ReadAccess | string | Read Access of the LogRhythm user. |
| Logrhythm.User.WriteAccess | string | Write Access of the LogRhythm user. |
Command Example#
!lr-get-users user_id=5
Context Example#
Human Readable Output#
Users information#
ID DateUpdated HostStatus LastName FirstName UserType Entity Owner ReadAccess WriteAccess 5 2021-10-11T15:04:50.757Z Retired testuser testuser Individual id: 1
name: Primary Siteid: 1
name: myadminPrivate Private
lr-get-logins#
Returns a list of logins
Base Command#
lr-get-logins
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | The LogRhythm user ID. | Optional |
| count | Number of logins to return. Default is 30. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Login.Login | string | The login username |
| Logrhythm.Login.UserProfileId | string | The profile ID for the LogRhythm user |
| Logrhythm.Login.UserId | string | LogRhythm user ID |
| Logrhythm.Login.DefaultEntityId | string | The default entity ID of the login |
| Logrhythm.Login.HostStatus | string | Host status of the LogRhythm login. |
| Logrhythm.Login.DateUpdated | string | Date that the login was updated. |
| Logrhythm.Login.DateCreated | string | Date that the login was created. |
| Logrhythm.Login.Entities | string | LogRhythm entities information |
Command Example#
!lr-get-logins user_id=5
Context Example#
Human Readable Output#
Logins information#
Login UserProfileId UserId DefaultEntityId HostStatus DateUpdated DateCreated testusername -100 5 1 Retired 2021-10-11T15:04:50.753Z 2021-09-21T13:27:59.72Z
lr-get-privileges#
Returns the privileges of a given user.
Base Command#
lr-get-privileges
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | The LogRhythm user ID. | Required |
| offset | The position to start at . Default is 0. | Optional |
| count | Number of privileges to return. Default is 30. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Privileges.ID | string | The LogRhythm user ID |
| Logrhythm.Privileges.Privileges | string | A list of the LogRhythm user's privileges. |
Command Example#
!lr-get-privileges user_id=5 count=15
Context Example#
Human Readable Output#
Privileges information#
Privileges GlobalAIEEventsAccess,
SecondLookMgmt,
LogRhythmAPIAccess,
CaseMgmtAccess,
CloudAIAccess,
ShowDeploymentManager,
ShowEntityMgr,
EntityMgmt,
ShowAgentAgentMgr,
AgentMgmt,
ShowLSMgr,
LSMgmt,
DPMgmt,
PMMgmt,
NMMgmt
lr-get-profiles#
Returns a list of user profiles
Base Command#
lr-get-profiles
Input#
| Argument Name | Description | Required |
|---|---|---|
| profile_id | The LogRhythm profile ID. | Optional |
| count | Number of profiles to return. Default is 30. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Profile.ID | string | ID of the LogRhythm user profile |
| LogRhythm.Profile.Name | string | Name of the Logrhythm user profile |
| LogRhythm.Profile.ShortDescription | string | Short description of the profile |
| LogRhythm.Profile.LongDescription | string | Long description of the profile |
| LogRhythm.Profile.DataProcessorAccessMode | string | Data processor access mode |
| LogRhythm.Profile.SecurityRole | string | The user profile's security role |
| LogRhythm.Profile.ProfileType | string | The user profile's type |
| LogRhythm.Profile.DateUpdated | string | Date that the profile was updated. |
| LogRhythm.Profile.TotalAssociatedUsers | string | Total number of users with this profile |
| LogRhythm.Profile.NotificationGroupsPermissions | string | Permissions on notification groups |
| LogRhythm.Profile.ADGroupsPermissions | string | Active Directory group permissions |
| LogRhythm.Profile.EntityPermissions | string | Entity permissions for the profile |
| LogRhythm.Profile.DataProcessorsPermissions | string | Profile's data processor permissions |
| LogRhythm.Profile.LogsourceListPermissions | string | Profile's logsource list permissions |
| LogRhythm.Profile.LogSourcePermissions | string | Profile's permissions for log sources |
| LogRhythm.Profile.Privileges | string | Profile's privileges |
| LogRhythm.Profile.SmartResponsePluginsPermissions | string | Profile's smart response plugin permissions |
Command Example#
!lr-get-profiles profile_id=-100
Context Example#
Human Readable Output#
Users information#
ID Name ShortDescription LongDescription DataProcessorAccessMode SecurityRole ProfileType DateUpdated TotalAssociatedUsers -100 LogRhythm Global Administrator LogRhythm Global Administrators have full access to the system. The LogRhythm Global Administrator profile is a system record which cannot be modified or deleted. All GlobalAdmin Allow 2021-07-09T16:03:19.62Z 11
lr-add-user#
Add a new user to the LogRhythm SIEM
Base Command#
lr-add-user
Input#
| Argument Name | Description | Required |
|---|---|---|
| first_name | First name of the LogRhythm user. | Required |
| last_name | Last name of the LogRhythm user. | Required |
| abbreviation | Abbreviation of the user name. Defaults to first letter of first name and then last name, all lowercase. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.User.ID | string | LogRhythm user ID |
| Logrhythm.User.DateUpdated | string | Date that the user was updated. |
| Logrhythm.User.HostStatus | string | Host status of the LogRhythm user. |
| Logrhythm.User.LastName | string | Last name of the LogRhythm user. |
| Logrhythm.User.FirstName | string | First name of the LogRhythm user. |
| Logrhythm.User.UserType | string | LogRhythm user type |
| Logrhythm.User.Entity | string | LogRhythm entity information |
| Logrhythm.User.Owner | string | LogRhythm owner information |
| Logrhythm.User.ReadAccess | string | Read Access of the LogRhythm user. |
| Logrhythm.User.WriteAccess | string | Write Access of the LogRhythm user. |
Command Example#
!lr-add-user first_name=Alice last_name=Richards
Context Example#
Human Readable Output#
User added#
ID DateUpdated HostStatus LastName FirstName UserType Entity Owner ReadAccess WriteAccess 13 2021-10-20T15:02:14.733Z Active Richards Alice Individual id: 1
name: Primary Siteid: 1
name: myadminPrivate Private
lr-add-login#
Add a new login to the LogRhythm user
Base Command#
lr-add-login
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | ID of the user to attach the login to. | Required |
| login | Login name for the user. | Required |
| profile_id | ID of the user profile to associate with the login. | Required |
| password | Password for the user. . | Required |
| entity_id | ID of the entity to associate with the login. Defaults to 1. Default is 1. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Logrhythm.Login.Login | string | The login username |
| Logrhythm.Login.UserProfileId | string | The profile ID for the LogRhythm user |
| Logrhythm.Login.UserId | string | LogRhythm user ID |
| Logrhythm.Login.DefaultEntityId | string | The default entity ID of the login |
| Logrhythm.Login.HostStatus | string | Host status of the LogRhythm login. |
| Logrhythm.Login.DateUpdated | string | Date that the login was updated. |
| Logrhythm.Login.DateCreated | string | Date that the login was created. |
| Logrhythm.Login.Entities | string | LogRhythm entities information |
Command Example#
!lr-add-login login=arichards password=Example0Password123!! profile_id=-100 user_id=13
Context Example#
Human Readable Output#
Login added#
Login UserProfileId UserId DefaultEntityId HostStatus DateUpdated DateCreated arichards -100 13 1 Active 2021-10-20T15:02:17.783Z 2021-10-20T15:02:17.78Z