Skip to main content

LogRhythmRest v2

This Integration is part of the LogRhythmRest Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

LogRhythm security intelligence. This integration was integrated and tested with version 7.7 of LogRhythm Rest API

Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see Breaking Changes.

Configure LogRhythmRest v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for LogRhythmRest v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Server URLTrue
    API TokenTrue
    Fetch incidentsFalse
    Incidents Fetch IntervalFalse
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)False
    Incident typeFalse
    Alarms max fetchFalse
    Cases max fetchFalse
    Fetch incidents from typeTrue
    Alarm status filterFalse
    Alarm rule name filterFalse
    Case tags filterFalse
    Case status filterFalse
    Case priority filterFalse
    Fetch case evidencesFalse
    Use system proxy settingsFalse
    Trust any certificate (not secure)False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

lr-alarms-list#


Gets the details of the alarms using the filter criteria.

Base Command#

lr-alarms-list

Input#

Argument NameDescriptionRequired
alarm_statusThe alarm status. Possible values: "New", "Opened", "Working", "Escalated", Closed, "Closed_FalseAlarm", "Closed_Resolved", "Closed_Unresolved", "Closed_Reported", "Closed_Monitor". Possible values are: New, Opened, Working, Escalated, Closed, Closed_FalseAlarm, Closed_Resolved, Closed_Unresolved, Closed_Reported, Closed_Monitor.Optional
offsetThe number of alarms to skip before starting to collect the result set. Default is 0.Optional
countThe numbers of alarms to return. Default is 50.Optional
alarm_rule_nameFilter by alarm rule name.Optional
entity_nameFilter by entity name.Optional
alarm_idFilter by alarm ID.Optional
case_associationFilter by case ID.Optional

Context Output#

PathTypeDescription
LogRhythm.Alarm.alarmIdNumberThe alarm ID.
LogRhythm.Alarm.alarmDataCachedStringA flag indicating whether the alarm data is cached.
LogRhythm.Alarm.alarmRuleNameStringThe alarm rule name.
LogRhythm.Alarm.alarmStatusStringThe alarm status
LogRhythm.Alarm.dateInsertedDateThe alarm date inserted.
LogRhythm.Alarm.entityNameStringThe alarm entity name.
LogRhythm.Alarm.associatedCasesStringThe alarm associated cases.

Command Example#

!lr-alarms-list count=2 alarm_status=Opened

Context Example#

{
"LogRhythm": {
"Alarm": [
{
"alarmDataCached": "N",
"alarmId": 882,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"alarmStatus": "Opened",
"associatedCases": [
"7C2A040E-3014-41D5-ADF0-164A202D3518",
" 5FAA1AFB-5453-4FF7-92F8-28222A586368",
" 0795BCB1-28AA-4C3F-9739-B5431AE4004B"
],
"dateInserted": "2021-10-13T09:13:20.103",
"entityName": "EchoTestEntity"
},
{
"alarmDataCached": "N",
"alarmId": 334,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"alarmStatus": "Opened",
"associatedCases": [
"15E63C0A-91EC-49E6-9694-32A432DD657E",
" CCB51B6F-083D-442F-8E3F-67BD797A6B52",
" 10F65BB5-8B49-42FF-862E-ABDEDF1BA7DE",
" C52E0A86-D894-4424-A7A6-EE152B232146",
" 58437431-2117-4982-A2B1-FDEC2F083A43"
],
"dateInserted": "2021-08-29T11:30:48.083",
"entityName": "EchoTestEntity"
}
]
}
}

Human Readable Output#

Alarms#

Alarm IdAlarm StatusAssociated CasesAlarm Rule NameDate InsertedEntity NameAlarm Data Cached
882Opened7C2A040E-3014-41D5-ADF0-164A202D3518,
5FAA1AFB-5453-4FF7-92F8-28222A586368,
0795BCB1-28AA-4C3F-9739-B5431AE4004B
LogRhythm Agent Heartbeat Missed2021-10-13T09:13:20.103EchoTestEntityN
334Opened15E63C0A-91EC-49E6-9694-32A432DD657E,
CCB51B6F-083D-442F-8E3F-67BD797A6B52,
10F65BB5-8B49-42FF-862E-ABDEDF1BA7DE,
C52E0A86-D894-4424-A7A6-EE152B232146,
58437431-2117-4982-A2B1-FDEC2F083A43
LogRhythm Agent Heartbeat Missed2021-08-29T11:30:48.083EchoTestEntityN

lr-alarm-update#


Updates the alarm status and RBP based on the alarm ID supplied. alarm_status or rbp are required.

Base Command#

lr-alarm-update

Input#

Argument NameDescriptionRequired
alarm_idThe alarm ID.Required
alarm_statusThe alarm status. Possible values: "New", "Opened", "Working", "Escalated", Closed, "Closed_FalseAlarm", "Closed_Resolved", "Closed_Unresolved", "Closed_Reported", "Closed_Monitor". Possible values are: New, Opened, Working, Escalated, Closed, Closed_FalseAlarm, Closed_Resolved, Closed_Unresolved, Closed_Reported, Closed_Monitor.Optional
rbpThe alarm rbp.Optional

Context Output#

There is no context output for this command.

Command Example#

!lr-alarm-update alarm_id=200 alarm_status=Closed rbp=100

Human Readable Output#

Alarm 200 has been updated.

lr-alarm-add-comment#


Updates the Alarm History table with comments in the Comments column based on the alarm ID supplied.

Base Command#

lr-alarm-add-comment

Input#

Argument NameDescriptionRequired
alarm_idThe alarm ID.Required
alarm_commentThe alarm comment.Required

Context Output#

There is no context output for this command.

Command Example#

!lr-alarm-add-comment alarm_id=200 alarm_comment=test

Human Readable Output#

Comment added successfully to the alarm 200.

lr-alarm-history-list#


Gets the alarm history details by ID and filter criteria.

Base Command#

lr-alarm-history-list

Input#

Argument NameDescriptionRequired
alarm_idThe alarm ID.Required
person_idFilter by person ID.Optional
date_updatedFilter by when the alarm was updated. The returned value will be greater than or equal to the given date.Optional
typeFilter by history type. Possible type: "comment", "status", and "rbp". Possible values are: comment, status, rbp.Optional
offsetThe number of items to skip before starting to collect the result set. Default is 0.Optional
countThe numbers of items to return. Default is 50.Optional

Context Output#

PathTypeDescription
LogRhythm.AlarmHistory.alarmIdNumberThe alarm ID.
LogRhythm.AlarmHistory.personIdNumberThe ID of the person who edited the alarm (changed status/ added comment, etc.).
LogRhythm.AlarmHistory.commentsStringThe alarm comments.
LogRhythm.AlarmHistory.dateInsertedDateThe date when the alarm was inserted.
LogRhythm.AlarmHistory.dateUpdatedDateThe date when the alarm was updated.

Command Example#

!lr-alarm-history-list alarm_id=200 type=status

Context Example#

{
"LogRhythm": {
"AlarmHistory": [
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-10-30T20:16:33.673",
"dateUpdated": "2021-10-30T20:16:33.673",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-08-31T15:02:00.127",
"dateUpdated": "2021-08-31T15:02:00.127",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Working",
"dateInserted": "2021-08-26T05:17:38.19",
"dateUpdated": "2021-08-26T05:17:38.19",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Working",
"dateInserted": "2021-08-26T05:15:57.89",
"dateUpdated": "2021-08-26T05:15:57.89",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-08-19T15:31:32.68",
"dateUpdated": "2021-08-19T15:31:32.68",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: Unresolved",
"dateInserted": "2021-08-19T15:02:08.6",
"dateUpdated": "2021-08-19T15:02:08.6",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: Resolved",
"dateInserted": "2021-08-19T15:01:34.403",
"dateUpdated": "2021-08-19T15:01:34.403",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Escalated",
"dateInserted": "2021-08-19T15:01:04.353",
"dateUpdated": "2021-08-19T15:01:04.353",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Working",
"dateInserted": "2021-08-19T15:00:38.097",
"dateUpdated": "2021-08-19T15:00:38.097",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Opened",
"dateInserted": "2021-08-19T15:00:00.247",
"dateUpdated": "2021-08-19T15:00:00.247",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: New",
"dateInserted": "2021-08-19T14:59:27.707",
"dateUpdated": "2021-08-19T14:59:27.707",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: Monitor",
"dateInserted": "2021-08-19T14:58:06.113",
"dateUpdated": "2021-08-19T14:58:06.113",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: False Alarm",
"dateInserted": "2021-08-19T14:57:35.607",
"dateUpdated": "2021-08-19T14:57:35.607",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-08-19T14:56:36.82",
"dateUpdated": "2021-08-19T14:56:36.82",
"personId": 1
}
]
}
}

Human Readable Output#

History for alarm 200#

Alarm IdCommentsDate InsertedDate UpdatedPerson Id
200Changed status to: Closed2021-10-30T20:16:33.6732021-10-30T20:16:33.6731
200Changed status to: Closed2021-08-31T15:02:00.1272021-08-31T15:02:00.1271
200Changed status to: Working2021-08-26T05:17:38.192021-08-26T05:17:38.191
200Changed status to: Working2021-08-26T05:15:57.892021-08-26T05:15:57.891
200Changed status to: Closed2021-08-19T15:31:32.682021-08-19T15:31:32.681
200Changed status to: Closed: Unresolved2021-08-19T15:02:08.62021-08-19T15:02:08.61
200Changed status to: Closed: Resolved2021-08-19T15:01:34.4032021-08-19T15:01:34.4031
200Changed status to: Escalated2021-08-19T15:01:04.3532021-08-19T15:01:04.3531
200Changed status to: Working2021-08-19T15:00:38.0972021-08-19T15:00:38.0971
200Changed status to: Opened2021-08-19T15:00:00.2472021-08-19T15:00:00.2471
200Changed status to: New2021-08-19T14:59:27.7072021-08-19T14:59:27.7071
200Changed status to: Closed: Monitor2021-08-19T14:58:06.1132021-08-19T14:58:06.1131
200Changed status to: Closed: False Alarm2021-08-19T14:57:35.6072021-08-19T14:57:35.6071
200Changed status to: Closed2021-08-19T14:56:36.822021-08-19T14:56:36.821

lr-alarm-events-list#


Gets a list of events for the specified alarm ID.

Base Command#

lr-alarm-events-list

Input#

Argument NameDescriptionRequired
alarm_idThe alarm ID.Required

Context Output#

PathTypeDescription
LogRhythm.AlarmEvents.alarmIdNumberThe alarm ID.
LogRhythm.AlarmEvents.accountStringThe alarm event account.
LogRhythm.AlarmEvents.actionStringThe alarm event action.
LogRhythm.AlarmEvents.amountUnknownThe number of events related to the alarm.
LogRhythm.AlarmEvents.bytesInNumberThe number of bytes received or input from a device, system, or process.
LogRhythm.AlarmEvents.bytesOutUnknownThe number of bytes sent from a device, system, or process.
LogRhythm.AlarmEvents.classificationIdNumberThe alarm event classification ID.
LogRhythm.AlarmEvents.classificationNameStringThe alarm event classification name.
LogRhythm.AlarmEvents.classificationTypeNameStringThe alarm event classification type.
LogRhythm.AlarmEvents.commandStringThe specific command executed that was recorded in the log message.
LogRhythm.AlarmEvents.commonEventIdNumberThe common event name.
LogRhythm.AlarmEvents.cveStringThe alarm event CVE.
LogRhythm.AlarmEvents.commonEventNameStringThe alarm event name.
LogRhythm.AlarmEvents.countNumberThe number of alarm events.
LogRhythm.AlarmEvents.directionIdNumberThe direction by ID of the activity between a log’s origin and impacted zones.
LogRhythm.AlarmEvents.directionNameStringThe direction by name of the activity between a log’s origin and impacted zones. Values can be Internal, External, Outbound, Local, or Unknown.
LogRhythm.AlarmEvents.domainStringThe alarm event domain.
LogRhythm.AlarmEvents.durationNumberThe alarm event duration.
LogRhythm.AlarmEvents.entityIdNumberThe alarm event entity ID.
LogRhythm.AlarmEvents.entityNameStringThe alarm event entity name.
LogRhythm.AlarmEvents.groupStringThe alarm event group.
LogRhythm.AlarmEvents.impactedEntityIdNumberThe ID of the entity that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedEntityNameStringThe name of the entity that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedHostIdNumberThe ID of the host that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedHostNameStringThe name of the host that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedInterfaceStringThe interface that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedIPUnknownThe IP address that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.countryCodeStringThe country code of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.nameStringThe country name of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.latitudeNumberThe latitude of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.locationIdNumberThe ID of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.locationKeyStringThe key of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.longitudeNumberThe longitude of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.parentLocationIdNumberThe parent location ID of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.recordStatusStringThe record status of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.regionCodeStringThe region code of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.typeStringThe type of the location that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedLocation.dateUpdatedDateThe date the impacted location was last updated.
LogRhythm.AlarmEvents.impactedMACStringThe MAC that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNameStringThe name of the event that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNATIPStringThe NAT IP address that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNATPortUnknownThe NAT port that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.beginIPRange.valueStringThe beginning of the IP range for the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.dateUpdatedDateThe date the impacted network was last updated.
LogRhythm.AlarmEvents.impactedNetwork.riskThresholdStringThe risk threshold of the network impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.endIPRange.valueStringThe end of the IP range for the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.entityIdNumberThe ID of the entity for the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.hostZoneStringThe host zone for the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.locationIdNumberThe location ID of the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.longDescStringThe long description of the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.nameStringThe name of the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.networkIdNumberThe ID of the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.recordStatusStringThe status of the record of the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedNetwork.shortDescStringThe short description of the network that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedPortNumberThe port that was impacted by the alarm.
LogRhythm.AlarmEvents.impactedZoneStringThe zone that was impacted by the alarm.
LogRhythm.AlarmEvents.itemsPacketsInNumberItems such as packets received or input from a device, system, or process.
LogRhythm.AlarmEvents.itemsPacketsOutNumberItems such as packets sent from a device, system, or process.
LogRhythm.AlarmEvents.logDateDateThe event log date.
LogRhythm.AlarmEvents.loginStringThe user associated with the log activity.
LogRhythm.AlarmEvents.logMessageStringThe event log message.
LogRhythm.AlarmEvents.logSourceHostIdUnknownThe host ID of the log source of the event.
LogRhythm.AlarmEvents.logSourceHostNameStringThe log source host name.
LogRhythm.AlarmEvents.logSourceNameStringThe log source name.
LogRhythm.AlarmEvents.logSourceTypeNameStringThe log source type.
LogRhythm.AlarmEvents.messageIdNumberThe event message ID.
LogRhythm.AlarmEvents.mpeRuleIdNumberThe event MPE rule ID,
LogRhythm.AlarmEvents.mpeRuleNameStringThe event MPE rule name.
LogRhythm.AlarmEvents.normalDateMaxDateIf the message is aggregated, the maximum creation date contained in the group of logs. It can be in UTC or user-selected time zone.
LogRhythm.AlarmEvents.objectNameStringThe object name of the event.
LogRhythm.AlarmEvents.objectTypeStringThe object type of the event.
LogRhythm.AlarmEvents.originEntityIdNumberThe origin entity ID of the event.
LogRhythm.AlarmEvents.originEntityNameStringThe origin entity name of the event.
LogRhythm.AlarmEvents.originHostIdNumberThe host ID of where the event originated.
LogRhythm.AlarmEvents.originHostNameStringThe host name of where the event originated.
LogRhythm.AlarmEvents.originInterfaceStringThe interface of where the event originated.
LogRhythm.AlarmEvents.originIPUnknownThe IP address of where the event originated.
LogRhythm.AlarmEvents.originLocation.countryCodeStringThe country code of the location of where the event originated.
LogRhythm.AlarmEvents.originLocation.nameStringThe name of the location of where the event originated.
LogRhythm.AlarmEvents.originLocation.latitudeNumberThe latitude of the location of where the event originated.
LogRhythm.AlarmEvents.originLocation.locationIdNumberThe location ID of the location of where the event originated.
LogRhythm.AlarmEvents.originLocation.locationKeyStringThe location key of where the event originated.
LogRhythm.AlarmEvents.originLocation.longitudeNumberThe longitude of the location of where the event originated.
LogRhythm.AlarmEvents.originLocation.parentLocationIdNumberThe parent location ID of where the event originated.
LogRhythm.AlarmEvents.originLocation.recordStatusStringThe record status of the location of where the event originated.
LogRhythm.AlarmEvents.originLocation.regionCodeStringThe region code of the location of where the event originated.
LogRhythm.AlarmEvents.originLocation.typeStringThe type of location of where the event originated.
LogRhythm.AlarmEvents.originLocation.dateUpdatedDateThe date the location of where the event originated was last updated.
LogRhythm.AlarmEvents.originMACStringThe MAC address of where the event originated.
LogRhythm.AlarmEvents.originNameStringThe name of where the event originated.
LogRhythm.AlarmEvents.originNATIPStringThe NAT IP address of where the event originated.
LogRhythm.AlarmEvents.originNATPortUnknownThe NAT port of where the event originated.
LogRhythm.AlarmEvents.originNetwork.beginIPRange.valueStringThe beginning address of the IP range of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.dateUpdatedDateThe date of the network when the event originate was last updated.
LogRhythm.AlarmEvents.originNetwork.riskThresholdStringThe risk threshold of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.endIPRange.valueStringThe end of the IP range for the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.entityIdNumberThe entity ID of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.hostZoneStringThe host zone of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.locationIdNumberThe ID of the location of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.longDescStringThe long description of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.nameStringThe name of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.networkIdNumberThe ID of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.recordStatusStringThe record status of the network where the event originated.
LogRhythm.AlarmEvents.originNetwork.shortDescStringThe short description of the network where the event originated.
LogRhythm.AlarmEvents.originPortNumberThe port where the event originated.
LogRhythm.AlarmEvents.originZoneStringThe zone where the event originated.
LogRhythm.AlarmEvents.parentProcessIdStringThe parent process ID of the event.
LogRhythm.AlarmEvents.parentProcessNameStringThe parent process name of the event.
LogRhythm.AlarmEvents.parentProcessPathStringThe parent process path of the event.
LogRhythm.AlarmEvents.policyStringThe event policy.
LogRhythm.AlarmEvents.priorityNumberThe event priority.
LogRhythm.AlarmEvents.processStringThe event process.
LogRhythm.AlarmEvents.processIdNumberThe event process ID.
LogRhythm.AlarmEvents.protocolIdNumberThe event protocol ID.
LogRhythm.AlarmEvents.protocolNameStringThe event protocol name.
LogRhythm.AlarmEvents.quantityNumberThe event quantity.
LogRhythm.AlarmEvents.rateNumberThe event rate.
LogRhythm.AlarmEvents.reasonStringThe event reason.
LogRhythm.AlarmEvents.recipientStringThe event recipient.
LogRhythm.AlarmEvents.resultStringThe event result.
LogRhythm.AlarmEvents.responseCodeStringThe event response code.
LogRhythm.AlarmEvents.senderStringThe event sender.
LogRhythm.AlarmEvents.sessionStringThe event session.
LogRhythm.AlarmEvents.sessionTypeStringThe event session type.
LogRhythm.AlarmEvents.serialNumberStringThe event serial number.
LogRhythm.AlarmEvents.serviceIdNumberThe event service ID.
LogRhythm.AlarmEvents.serviceNameStringThe event service name.
LogRhythm.AlarmEvents.severityStringThe event severity.
LogRhythm.AlarmEvents.statusStringThe event status.
LogRhythm.AlarmEvents.sizeNumberThe event size.
LogRhythm.AlarmEvents.subjectStringThe event subject.
LogRhythm.AlarmEvents.threatIdStringThe event threat ID.
LogRhythm.AlarmEvents.threatNameStringThe event threat name.
LogRhythm.AlarmEvents.urlStringThe event URL.
LogRhythm.AlarmEvents.userAgentStringThe event user agent.
LogRhythm.AlarmEvents.vendorInfoStringThe event vendor info.
LogRhythm.AlarmEvents.vendorMsgIdStringThe event vendor message ID.
LogRhythm.AlarmEvents.versionStringThe alarm event version
LogRhythm.AlarmEvents.originUserIdentityNameStringThe event origin user identity.
LogRhythm.AlarmEvents.impactedUserIdentityNameStringThe event impacted user identity.
LogRhythm.AlarmEvents.originUserIdentityIdUnknownThe event origin user identity ID.
LogRhythm.AlarmEvents.impactedUserIdentityIdUnknownThe event impacted user identity ID.
LogRhythm.AlarmEvents.senderIdentityIdUnknownThe event sender identity ID.
LogRhythm.AlarmEvents.senderIdentityNameStringThe event sender identity name.
LogRhythm.AlarmEvents.recipientIdentityIdUnknownThe event recipient identity ID.
LogRhythm.AlarmEvents.recipientIdentityNameStringThe event recipient identity.

Command Example#

!lr-alarm-events-list alarm_id=200

Context Example#

{
"LogRhythm": {
"AlarmEvents": {
"account": "",
"action": "",
"alarmId": 200,
"amount": null,
"bytesIn": null,
"bytesOut": null,
"classificationId": 3200,
"classificationName": "Error",
"classificationTypeName": "Operations",
"command": "",
"commonEventId": -1100003,
"commonEventName": "LogRhythm Agent Heartbeat Missed",
"count": 1,
"cve": "",
"directionId": 1,
"directionName": "Local",
"domain": "",
"duration": 0,
"entityId": 2,
"entityName": "EchoTestEntity",
"group": "",
"impactedEntityId": 2,
"impactedEntityName": "EchoTestEntity",
"impactedHostId": 3,
"impactedHostName": "",
"impactedIP": null,
"impactedInterface": "",
"impactedLocation": {
"countryCode": "",
"dateUpdated": "0001-01-01T00:00:00",
"latitude": 0,
"locationId": 0,
"locationKey": "",
"longitude": 0,
"name": "",
"parentLocationId": 0,
"recordStatus": "Deleted",
"regionCode": "",
"type": "NULL"
},
"impactedMAC": "",
"impactedNATIP": "",
"impactedNATPort": null,
"impactedName": "",
"impactedNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "0001-01-01T00:00:00",
"endIPRange": {
"value": ""
},
"entityId": 0,
"hostZone": "Unknown",
"locationId": 0,
"longDesc": "",
"name": "",
"networkId": 0,
"recordStatus": "Deleted",
"riskThreshold": "",
"shortDesc": ""
},
"impactedPort": -1,
"impactedUserIdentityId": null,
"impactedUserIdentityName": "",
"impactedZone": "Internal",
"itemsPacketsIn": 0,
"itemsPacketsOut": 0,
"logDate": "2021-08-18T13:05:59.477",
"logMessage": "A heartbeat message from the LogRhythm System Monitor Agent service was not received in the allotted time.",
"logSourceHostId": null,
"logSourceHostName": "",
"logSourceName": "",
"logSourceTypeName": "",
"login": "",
"messageId": 32077,
"mpeRuleId": -1,
"mpeRuleName": "",
"normalDateMax": "0001-01-01T00:00:00",
"objectName": "",
"objectType": "",
"originEntityId": 2,
"originEntityName": "EchoTestEntity",
"originHostId": 3,
"originHostName": "",
"originIP": null,
"originInterface": "",
"originLocation": {
"countryCode": "",
"dateUpdated": "0001-01-01T00:00:00",
"latitude": 0,
"locationId": 0,
"locationKey": "",
"longitude": 0,
"name": "",
"parentLocationId": 0,
"recordStatus": "Deleted",
"regionCode": "",
"type": "NULL"
},
"originMAC": "",
"originNATIP": "",
"originNATPort": null,
"originName": "",
"originNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "0001-01-01T00:00:00",
"endIPRange": {
"value": ""
},
"entityId": 0,
"hostZone": "Unknown",
"locationId": 0,
"longDesc": "",
"name": "",
"networkId": 0,
"recordStatus": "Deleted",
"riskThreshold": "",
"shortDesc": ""
},
"originPort": -1,
"originUserIdentityId": null,
"originUserIdentityName": "",
"originZone": "Internal",
"parentProcessId": "",
"parentProcessName": "",
"parentProcessPath": "",
"policy": "",
"priority": 100,
"process": "",
"processId": -1,
"protocolId": -1,
"protocolName": "",
"quantity": 0,
"rate": 0,
"reason": "",
"recipient": "",
"recipientIdentityId": null,
"recipientIdentityName": "",
"responseCode": "",
"result": "",
"sender": "",
"senderIdentityId": null,
"senderIdentityName": "",
"serialNumber": "",
"serviceId": -1000004,
"serviceName": "LogRhythm Agent",
"session": "",
"sessionType": "",
"severity": "",
"size": 0,
"status": "",
"subject": "",
"threatId": "",
"threatName": "",
"url": "",
"userAgent": "",
"vendorInfo": "",
"vendorMsgId": "",
"version": ""
}
}
}

Human Readable Output#

Events for alarm 200#

Common Event NameLog MessagePriorityLog DateImpacted Host IdImpacted ZoneService NameEntity NameClassification NameClassification Type Name
LogRhythm Agent Heartbeat MissedA heartbeat message from the LogRhythm System Monitor Agent service was not received in the allotted time.1002021-08-18T13:05:59.4773InternalLogRhythm AgentEchoTestEntityErrorOperations

lr-alarm-summary#


Get the alarm summary by the specified alarm ID.

Base Command#

lr-alarm-summary

Input#

Argument NameDescriptionRequired
alarm_idNumeric ID of the alarm to get.Required

Context Output#

PathTypeDescription
LogRhythm.AlarmSummary.dateInsertedDateThe date the alarm was inserted.
LogRhythm.AlarmSummary.rbpMaxNumberThe alarm rbp max.
LogRhythm.AlarmSummary.rbpAvgNumberThe alarm rbp average.
LogRhythm.AlarmSummary.alarmRuleIdNumberThe alarm rule ID.
LogRhythm.AlarmSummary.alarmRuleGroupStringThe alarm rule group.
LogRhythm.AlarmSummary.briefDescriptionStringThe alarm brief description.
LogRhythm.AlarmSummary.additionalDetailsStringThe alarm additional details.
LogRhythm.AlarmSummary.alarmIdNumberThe alarm ID.
LogRhythm.AlarmSummary.alarmEventSummary.msgClassIdNumberThe alarm summary message class ID.
LogRhythm.AlarmSummary.alarmEventSummary.msgClassNameStringThe alarm summary message class name.
LogRhythm.AlarmSummary.alarmEventSummary.commonEventIdNumberThe alarm summary common event ID.
LogRhythm.AlarmSummary.alarmEventSummary.commonEventNameStringThe alarm summary common event name.
LogRhythm.AlarmSummary.alarmEventSummary.originHostIdNumberThe alarm summary origin host ID.
LogRhythm.AlarmSummary.alarmEventSummary.impactedHostIdNumberThe alarm summary impacted host ID
LogRhythm.AlarmSummary.alarmEventSummary.originUserStringThe alarm summary origin user.
LogRhythm.AlarmSummary.alarmEventSummary.impactedUserStringThe alarm summary impacted user.
LogRhythm.AlarmSummary.alarmEventSummary.originUserIdentityIdUnknownThe alarm summary origin user identity ID.
LogRhythm.AlarmSummary.alarmEventSummary.impactedUserIdentityIdUnknownThe alarm summary impacted user identity ID.
LogRhythm.AlarmSummary.alarmEventSummary.originUserIdentityNameStringThe alarm summary origin user identity name.
LogRhythm.AlarmSummary.alarmEventSummary.impactedUserIdentityNameStringThe alarm summary impacted user identity name.
LogRhythm.AlarmSummary.alarmEventSummary.originEntityNameStringThe alarm summary origin entity name.
LogRhythm.AlarmSummary.alarmEventSummary.impactedEntityNameStringThe alarm summary impacted entity name.

Command Example#

!lr-alarm-summary alarm_id=200

Context Example#

{
"LogRhythm": {
"AlarmSummary": {
"additionalDetails": "Action:\r\n1. Use LogRhythm to analyze and collect all information regarding the alarm, related events/logs, and surrounding logs from affected sources. \r\n2. Check System Monitor service health (try restarting). \r\n3. Check network connectivity between Agent and Mediator. \r\n4. Check scsm.log for errors. \r\n5. If the steps above do not provide a solution or if you require assistance, please contact LogRhythm Support.",
"alarmEventSummary": [
{
"commonEventId": -1100003,
"commonEventName": "LogRhythm Agent Heartbeat Missed",
"impactedEntityName": "EchoTestEntity",
"impactedHostId": 3,
"impactedUser": "",
"impactedUserIdentityId": null,
"impactedUserIdentityName": "",
"msgClassId": 3200,
"msgClassName": "Error",
"originEntityName": "EchoTestEntity",
"originHostId": 3,
"originUser": "",
"originUserIdentityId": null,
"originUserIdentityName": ""
}
],
"alarmId": 200,
"alarmRuleGroup": "LogRhythm Diagnostics",
"alarmRuleId": 98,
"briefDescription": "Alarms on the occurrence of a LogRhythm Agent Heartbeat Missed event which could indicate a LogRhythm Agent going down.",
"dateInserted": "2021-08-18T13:05:59.683",
"rbpAvg": 100,
"rbpMax": 100
}
}
}

Human Readable Output#

Alarm summary#

Additional DetailsAlarm IdAlarm Rule GroupAlarm Rule IdBrief DescriptionDate InsertedRbp AvgRbp Max
Action:
1. Use LogRhythm to analyze and collect all information regarding the alarm, related events/logs, and surrounding logs from affected sources.
2. Check System Monitor service health (try restarting).
3. Check network connectivity between Agent and Mediator.
4. Check scsm.log for errors.
5. If the steps above do not provide a solution or if you require assistance, please contact LogRhythm Support.
200LogRhythm Diagnostics98Alarms on the occurrence of a LogRhythm Agent Heartbeat Missed event which could indicate a LogRhythm Agent going down.2021-08-18T13:05:59.683100100

Alarm event summary#

Common Event IdCommon Event NameImpacted Entity NameImpacted Host IdImpacted UserImpacted User Identity IdImpacted User Identity NameMsg Class IdMsg Class NameOrigin Entity NameOrigin Host IdOrigin UserOrigin User Identity IdOrigin User Identity Name
-1100003LogRhythm Agent Heartbeat MissedEchoTestEntity33200ErrorEchoTestEntity3

lr-cases-list#


Get cases details using filter criteria.

Base Command#

lr-cases-list

Input#

Argument NameDescriptionRequired
case_idThe case ID by which to filter the results.Optional
timestamp_filter_typeThe type by which to filter case results combined with the argument timestamp. Possible values: "updatedAfter", "updatedBefore", "createdAfter", and "createdBefore". Possible values are: updatedAfter, updatedBefore, createdAfter, createdBefore.Optional
timestampThe timestamp by which to filter case results combined with the argument timestamp_filter_type.Optional
priorityThe priority by which to filter the results. Possible values: "1", "2", "3", "4", and "5", where 1 is the highest priority. Possible values are: 1, 2, 3, 4, 5.Optional
statusThe status by which to filter the results. Possible values are "1", (created), "2" (completed), "3" (incident), "4" (mitigated), and "5" (resolved). Possible values are: 1, 2, 3, 4, 5.Optional
ownersA comma-separated list of owner numbers.Optional
tagsA comma-separated list of tag numbers.Optional
textFilter results that have a case number or name that contains the specified value.Optional
evidence_typeFilter results that have evidence of the specified type. Possible values: "alarm", "userEvents", "log", no"te, and "file". Possible values are: alarm, userEvents, log, note, file.Optional
reference_idFilter results that have evidence with the given reference identifier. For example, an alarm ID.Optional
external_idFilter results that have the specified, unique, external identifier.Optional
offsetThe number of cases to skip before starting to collect the result set. Default is 0.Optional
countThe number of cases to return. Default is 50.Optional

Context Output#

PathTypeDescription
LogRhythm.Case.idStringThe case ID.
LogRhythm.Case.numberNumberThe case number.
LogRhythm.Case.externalIdStringThe case external ID.
LogRhythm.Case.dateCreatedDateThe date the case was created.
LogRhythm.Case.dateUpdatedDateThe date the case was updated.
LogRhythm.Case.dateClosedUnknownThe date the case was closed.
LogRhythm.Case.owner.numberNumberThe ID of the case owner.
LogRhythm.Case.owner.nameStringThe name of the case owner.
LogRhythm.Case.owner.disabledBooleanWhether the case owner is disabled.
LogRhythm.Case.lastUpdatedBy.numberNumberThe ID of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.nameStringThe name of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.disabledBooleanWhether the user who last updated the case is disabled.
LogRhythm.Case.nameStringThe case name.
LogRhythm.Case.status.nameStringThe case status.
LogRhythm.Case.status.numberNumberThe case status number.
LogRhythm.Case.priorityNumberThe case priority.
LogRhythm.Case.dueDateDateThe datetime the case is due.
LogRhythm.Case.resolutionUnknownThe case resolution.
LogRhythm.Case.resolutionDateUpdatedUnknownThe date the case resolution was last updated.
LogRhythm.Case.resolutionLastUpdatedByUnknownThe user who last updated the case resolution.
LogRhythm.Case.summaryStringThe case summary.
LogRhythm.Case.entity.numberNumberThe case entity number.
LogRhythm.Case.entity.nameStringThe case entity name.
LogRhythm.Case.entity.fullNameStringThe case entity full name.
LogRhythm.Case.collaborators.numberNumberThe case collaborator number.
LogRhythm.Case.collaborators.nameStringThe case collaborator name.
LogRhythm.Case.collaborators.disabledBooleanWhether the case collaborator is disabled.
LogRhythm.Case.tags.textStringThe case tag name.
LogRhythm.Case.tags.numberNumberThe case tag number.

Command Example#

!lr-cases-list priority=5

Context Example#

{
"LogRhythm": {
"Case": [
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-11T14:10:08.617291Z",
"dateUpdated": "2021-08-31T15:18:26.8118901Z",
"dueDate": "2021-08-12T14:10:08.617291Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "B055F3D5-6F49-4D94-AEF1-FAEDC4A25251",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test case",
"number": 4,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Incident",
"number": 3
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-11T14:19:48.7669718Z",
"dateUpdated": "2021-08-11T14:19:48.7669718Z",
"dueDate": "2021-08-12T14:19:48.7669718Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "75081347-EB56-4AEA-A6F9-A6EB6662F48E",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test case from API",
"number": 5,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-05T10:53:07.0405063Z",
"dateUpdated": "2021-10-05T10:53:07.0405063Z",
"dueDate": "2021-10-06T10:53:07.0405063Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "BB8EB00A-F4A7-4710-BB1C-E89DA7BF866B",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 35,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-06T06:13:06.6792318Z",
"dateUpdated": "2021-10-06T06:13:06.6792318Z",
"dueDate": "2021-10-07T06:13:06.6792318Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "5091AD33-E29E-41A4-A975-E792EFCFF8E1",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 38,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-06T07:57:30.7682964Z",
"dateUpdated": "2021-10-06T07:57:30.7682964Z",
"dueDate": "2021-10-07T07:57:30.7682964Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "B9F8031A-7420-4080-96A7-4FF9AB6B6ECF",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 39,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-06T09:30:58.6568951Z",
"dateUpdated": "2021-10-06T09:30:58.6568951Z",
"dueDate": "2021-10-07T09:30:58.6568951Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "9D7AEA2E-F9D4-4787-9A9B-F8F0E9CE817E",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test1111",
"number": 40,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-06T09:37:39.7847983Z",
"dateUpdated": "2021-10-06T09:37:39.7847983Z",
"dueDate": "2021-10-07T09:37:39.7847983Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "805BCD50-D301-4F20-9757-A96AC3B1E52C",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test1111",
"number": 41,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-06T09:44:06.4646762Z",
"dateUpdated": "2021-10-06T09:44:06.4646762Z",
"dueDate": "2021-10-07T09:44:06.4646762Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "FE8A7A3F-2D33-449F-83A5-09D3351E67DC",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test1111",
"number": 42,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-18T11:45:02.190818Z",
"dateUpdated": "2021-10-18T11:45:02.190818Z",
"dueDate": "2021-10-19T11:45:02.190818Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "01825095-3D3E-4082-9F3D-29BC68EBCE9F",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test123123",
"number": 58,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-19T05:44:36.6091003Z",
"dateUpdated": "2021-10-19T05:44:36.6091003Z",
"dueDate": "2021-10-20T05:44:36.6091003Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "97F336B2-D18E-438A-8FB1-7F49DCB0A867",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test777777",
"number": 59,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
},
{
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-19T05:51:51.6372007Z",
"dateUpdated": "2021-10-19T05:51:51.6372007Z",
"dueDate": "2021-10-20T05:51:51.6372007Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "",
"id": "064C632E-E7E8-4913-A123-EB6153FE4BE4",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test777777",
"number": 60,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 5,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "",
"tags": []
}
]
}
}

Human Readable Output#

Cases#

CollaboratorsDate ClosedDate CreatedDate UpdatedDue DateEntityExternal IdIdLast Updated ByNameNumberOwnerPriorityResolutionResolution Date UpdatedResolution Last Updated ByStatusSummaryTags
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-08-11T14:10:08.617291Z2021-08-31T15:18:26.8118901Z2021-08-12T14:10:08.617291Znumber: -100
name: Global Entity
fullName: Global Entity
B055F3D5-6F49-4D94-AEF1-FAEDC4A25251number: 1
name: LR Soap API
disabled: false
test case4number: 1
name: LR Soap API
disabled: false
5name: Incident
number: 3
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-08-11T14:19:48.7669718Z2021-08-11T14:19:48.7669718Z2021-08-12T14:19:48.7669718Znumber: -100
name: Global Entity
fullName: Global Entity
75081347-EB56-4AEA-A6F9-A6EB6662F48Enumber: 1
name: LR Soap API
disabled: false
test case from API5number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-05T10:53:07.0405063Z2021-10-05T10:53:07.0405063Z2021-10-06T10:53:07.0405063Znumber: -100
name: Global Entity
fullName: Global Entity
BB8EB00A-F4A7-4710-BB1C-E89DA7BF866Bnumber: 1
name: LR Soap API
disabled: false
test35number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-06T06:13:06.6792318Z2021-10-06T06:13:06.6792318Z2021-10-07T06:13:06.6792318Znumber: -100
name: Global Entity
fullName: Global Entity
5091AD33-E29E-41A4-A975-E792EFCFF8E1number: 1
name: LR Soap API
disabled: false
test38number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-06T07:57:30.7682964Z2021-10-06T07:57:30.7682964Z2021-10-07T07:57:30.7682964Znumber: -100
name: Global Entity
fullName: Global Entity
B9F8031A-7420-4080-96A7-4FF9AB6B6ECFnumber: 1
name: LR Soap API
disabled: false
test39number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-06T09:30:58.6568951Z2021-10-06T09:30:58.6568951Z2021-10-07T09:30:58.6568951Znumber: -100
name: Global Entity
fullName: Global Entity
9D7AEA2E-F9D4-4787-9A9B-F8F0E9CE817Enumber: 1
name: LR Soap API
disabled: false
test111140number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-06T09:37:39.7847983Z2021-10-06T09:37:39.7847983Z2021-10-07T09:37:39.7847983Znumber: -100
name: Global Entity
fullName: Global Entity
805BCD50-D301-4F20-9757-A96AC3B1E52Cnumber: 1
name: LR Soap API
disabled: false
test111141number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-06T09:44:06.4646762Z2021-10-06T09:44:06.4646762Z2021-10-07T09:44:06.4646762Znumber: -100
name: Global Entity
fullName: Global Entity
FE8A7A3F-2D33-449F-83A5-09D3351E67DCnumber: 1
name: LR Soap API
disabled: false
test111142number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-18T11:45:02.190818Z2021-10-18T11:45:02.190818Z2021-10-19T11:45:02.190818Znumber: -100
name: Global Entity
fullName: Global Entity
01825095-3D3E-4082-9F3D-29BC68EBCE9Fnumber: 1
name: LR Soap API
disabled: false
test12312358number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-19T05:44:36.6091003Z2021-10-19T05:44:36.6091003Z2021-10-20T05:44:36.6091003Znumber: -100
name: Global Entity
fullName: Global Entity
97F336B2-D18E-438A-8FB1-7F49DCB0A867number: 1
name: LR Soap API
disabled: false
test77777759number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-19T05:51:51.6372007Z2021-10-19T05:51:51.6372007Z2021-10-20T05:51:51.6372007Znumber: -100
name: Global Entity
fullName: Global Entity
064C632E-E7E8-4913-A123-EB6153FE4BE4number: 1
name: LR Soap API
disabled: false
test77777760number: 1
name: LR Soap API
disabled: false
5name: Created
number: 1

lr-case-create#


Create a new case.

Base Command#

lr-case-create

Input#

Argument NameDescriptionRequired
nameName of the case.Required
priorityThe priority by which to filter the results. Possible values: "1", "2", "3", "4", and "5", where 1 is the highest priority. Possible values are: 1, 2, 3, 4, 5.Required
external_idExternally defined identifier for the case.Optional
due_dateThe timedate of when the case is due, as an RFC 3339 formatted string. E.g., 2020-04-20T14:15:22Z.Optional
summaryNote summarizing the case.Optional

Context Output#

PathTypeDescription
LogRhythm.Case.idStringThe case ID.
LogRhythm.Case.numberNumberThe case number.
LogRhythm.Case.externalIdStringThe case external ID.
LogRhythm.Case.dateCreatedDateThe date the case was created.
LogRhythm.Case.dateUpdatedDateThe date the case was updated.
LogRhythm.Case.dateClosedUnknownThe date the case was closed.
LogRhythm.Case.owner.numberNumberThe ID of the case owner.
LogRhythm.Case.owner.nameStringThe name of the case owner.
LogRhythm.Case.owner.disabledBooleanWhether the owner is disabled.
LogRhythm.Case.lastUpdatedBy.numberNumberThe ID of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.nameStringThe name of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.disabledBooleanWhether the last user who updated the case is disabled.
LogRhythm.Case.nameStringThe case name.
LogRhythm.Case.status.nameStringThe case status.
LogRhythm.Case.status.numberNumberThe case status number.
LogRhythm.Case.priorityNumberThe case priority.
LogRhythm.Case.dueDateDateThe datetime the case is due.
LogRhythm.Case.resolutionUnknownThe case resolution.
LogRhythm.Case.resolutionDateUpdatedUnknownThe date the case resolution was last updated.
LogRhythm.Case.resolutionLastUpdatedByUnknownThe user who last updated the case resolution.
LogRhythm.Case.summaryStringThe case summary.
LogRhythm.Case.entity.numberNumberThe case entity number.
LogRhythm.Case.entity.nameStringThe case entity name.
LogRhythm.Case.entity.fullNameStringThe case entity full name.
LogRhythm.Case.collaborators.numberNumberThe case collaborator number.
LogRhythm.Case.collaborators.nameStringThe case collaborator name.
LogRhythm.Case.collaborators.disabledBooleanWhether the case collaborator is disabled.
LogRhythm.Case.tags.textStringThe case tag name.
LogRhythm.Case.tags.numberNumberThe case tag number.

Command Example#

``!lr-case-create name=test priority=1 external_id=8200 summary=test case````

Context Example#

{
"LogRhythm": {
"Case": {
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-10-30T20:33:44.6636405Z",
"dateUpdated": "2021-10-30T20:33:44.6636405Z",
"dueDate": "2021-10-31T20:33:44.6636405Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "8200",
"id": "83E66AB6-5F9A-441E-BF96-52CA53E20BEA",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 98,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 1,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Created",
"number": 1
},
"summary": "test case",
"tags": []
}
}
}

Human Readable Output#

Case created successfully#

CollaboratorsDate ClosedDate CreatedDate UpdatedDue DateEntityExternal IdIdLast Updated ByNameNumberOwnerPriorityResolutionResolution Date UpdatedResolution Last Updated ByStatusSummaryTags
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-10-30T20:33:44.6636405Z2021-10-30T20:33:44.6636405Z2021-10-31T20:33:44.6636405Znumber: -100
name: Global Entity
fullName: Global Entity
820083E66AB6-5F9A-441E-BF96-52CA53E20BEAnumber: 1
name: LR Soap API
disabled: false
test98number: 1
name: LR Soap API
disabled: false
1name: Created
number: 1
test case

lr-case-update#


Update case information. For example, the case name, priority, and due date.

Base Command#

lr-case-update

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
nameName of the case.Optional
priorityThe priority of the case. Possible values: "1", "2", "3", "4", and "5", where 1 is the highest priority. Possible values are: 1, 2, 3, 4, 5.Optional
external_idExternally defined identifier for the case.Optional
due_dateThe timedate of when the case is due, as an RFC 3339 formatted string. E.g., 2020-04-20T14:15:22Z.Optional
summaryNote summarizing the case.Optional
entity_idEntity to assign to the case.Optional
resolutionDescription of how the case was resolved.Optional

Context Output#

PathTypeDescription
LogRhythm.Case.idStringThe case ID.
LogRhythm.Case.numberNumberThe case number.
LogRhythm.Case.externalIdStringThe case external ID.
LogRhythm.Case.dateCreatedDateThe date the case was created.
LogRhythm.Case.dateUpdatedDateThe date the case was updated.
LogRhythm.Case.dateClosedUnknownThe date the case was closed.
LogRhythm.Case.owner.numberNumberThe ID of the case owner.
LogRhythm.Case.owner.nameStringThe name of the case owner.
LogRhythm.Case.owner.disabledBooleanWhether the owner is disabled.
LogRhythm.Case.lastUpdatedBy.numberNumberThe ID of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.nameStringThe name of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.disabledBooleanWhether the last user who updated the case is disabled.
LogRhythm.Case.nameStringThe case name.
LogRhythm.Case.status.nameStringThe case status.
LogRhythm.Case.status.numberNumberThe case status number.
LogRhythm.Case.priorityNumberThe case priority.
LogRhythm.Case.dueDateDateThe datetime the case is due.
LogRhythm.Case.resolutionUnknownThe case resolution.
LogRhythm.Case.resolutionDateUpdatedUnknownThe date the case resolution was last updated.
LogRhythm.Case.resolutionLastUpdatedByUnknownThe user who last updated the case resolution.
LogRhythm.Case.summaryStringThe case summary.
LogRhythm.Case.entity.numberNumberThe case entity number.
LogRhythm.Case.entity.nameStringThe case entity name.
LogRhythm.Case.entity.fullNameStringThe case entity full name.
LogRhythm.Case.collaborators.numberNumberThe case collaborator number.
LogRhythm.Case.collaborators.nameStringThe case collaborator name.
LogRhythm.Case.collaborators.disabledBooleanWhether the case collaborator is disabled.
LogRhythm.Case.tags.textStringThe case tag name.
LogRhythm.Case.tags.numberNumberThe case tag number.

Command Example#

!lr-case-update case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE priority=3

Context Example#

{
"LogRhythm": {
"Case": {
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-19T15:38:07.8995494Z",
"dateUpdated": "2021-08-31T15:31:24.9870972Z",
"dueDate": "2021-08-20T15:38:07.8995494Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "9930",
"id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 17,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 3,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Incident",
"number": 3
},
"summary": "test case",
"tags": []
}
}
}

Human Readable Output#

Case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE updated successfully#

CollaboratorsDate ClosedDate CreatedDate UpdatedDue DateEntityExternal IdIdLast Updated ByNameNumberOwnerPriorityResolutionResolution Date UpdatedResolution Last Updated ByStatusSummaryTags
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-08-19T15:38:07.8995494Z2021-08-31T15:31:24.9870972Z2021-08-20T15:38:07.8995494Znumber: -100
name: Global Entity
fullName: Global Entity
99302E7FA20D-191E-4733-B7DC-A18BBFE762CEnumber: 1
name: LR Soap API
disabled: false
test17number: 1
name: LR Soap API
disabled: false
3name: Incident
number: 3
test case

lr-case-status-change#


Update the status of a case.

Base Command#

lr-case-status-change

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
statusThe case status. Possible values: "Created", "Completed", "Incident", "Mitigated", and "Resolved". Possible values are: Created, Completed, Incident, Mitigated, Resolved.Required

Context Output#

PathTypeDescription
LogRhythm.Case.idStringThe case ID.
LogRhythm.Case.numberNumberThe case number.
LogRhythm.Case.externalIdStringThe case external ID.
LogRhythm.Case.dateCreatedDateThe date the case was created.
LogRhythm.Case.dateUpdatedDateThe date the case was updated.
LogRhythm.Case.dateClosedUnknownThe date the case was closed.
LogRhythm.Case.owner.numberNumberThe ID of the case owner.
LogRhythm.Case.owner.nameStringThe name of the case owner.
LogRhythm.Case.owner.disabledBooleanWhether the owner is disabled.
LogRhythm.Case.lastUpdatedBy.numberNumberThe ID of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.nameStringThe name of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.disabledBooleanWhether the last user who updated the case is disabled.
LogRhythm.Case.nameStringThe case name.
LogRhythm.Case.status.nameStringThe case status.
LogRhythm.Case.status.numberNumberThe case status number.
LogRhythm.Case.priorityNumberThe case priority.
LogRhythm.Case.dueDateDateThe datetime the case is due.
LogRhythm.Case.resolutionUnknownThe case resolution.
LogRhythm.Case.resolutionDateUpdatedUnknownThe date the case resolution was last updated.
LogRhythm.Case.resolutionLastUpdatedByUnknownThe user who last updated the case resolution.
LogRhythm.Case.summaryStringThe case summary.
LogRhythm.Case.entity.numberNumberThe case entity number.
LogRhythm.Case.entity.nameStringThe case entity name.
LogRhythm.Case.entity.fullNameStringThe case entity full name.
LogRhythm.Case.collaborators.numberNumberThe case collaborator number.
LogRhythm.Case.collaborators.nameStringThe case collaborator name.
LogRhythm.Case.collaborators.disabledBooleanWhether the case collaborator is disabled.
LogRhythm.Case.tags.textStringThe case tag name.
LogRhythm.Case.tags.numberNumberThe case tag number.

Command Example#

!lr-case-status-change case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE status=Incident

Context Example#

{
"LogRhythm": {
"Case": {
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-19T15:38:07.8995494Z",
"dateUpdated": "2021-08-31T15:31:24.9870972Z",
"dueDate": "2021-08-20T15:38:07.8995494Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "9930",
"id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 17,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 3,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Incident",
"number": 3
},
"summary": "test case",
"tags": []
}
}
}

Human Readable Output#

Case status updated successfully#

CollaboratorsDate ClosedDate CreatedDate UpdatedDue DateEntityExternal IdIdLast Updated ByNameNumberOwnerPriorityResolutionResolution Date UpdatedResolution Last Updated ByStatusSummaryTags
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-08-19T15:38:07.8995494Z2021-08-31T15:31:24.9870972Z2021-08-20T15:38:07.8995494Znumber: -100
name: Global Entity
fullName: Global Entity
99302E7FA20D-191E-4733-B7DC-A18BBFE762CEnumber: 1
name: LR Soap API
disabled: false
test17number: 1
name: LR Soap API
disabled: false
3name: Incident
number: 3
test case

lr-case-evidence-list#


Return a list of evidence summaries for a case.

Base Command#

lr-case-evidence-list

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
evidence_typeFilter results that have evidence of the specified type. Possible values are: "alarm", "userEvents", "log", "note", and "file". Possible values are: alarm, userEvents, log, note, file.Optional
statusFilter results that have a specific evidence status. Possible values: "pending", "completed", and "failed". Possible values are: pending, completed, failed.Optional
evidence_numberFilter results by evidence number.Optional

Context Output#

PathTypeDescription
LogRhythm.CaseEvidence.CaseIDStringThe case ID.
LogRhythm.CaseEvidence.Evidences.numberNumberThe evidence number.
LogRhythm.CaseEvidence.Evidences.dateCreatedDateThe date the evidence was created.
LogRhythm.CaseEvidence.Evidences.dateUpdatedDateThe date the evidence was updated.
LogRhythm.CaseEvidence.Evidences.createdBy.numberNumberThe ID of the user who created the evidence.
LogRhythm.CaseEvidence.Evidences.createdBy.nameStringThe name of the user who created the evidence.
LogRhythm.CaseEvidence.Evidences.createdBy.disabledBooleanWhether the user is disabled.
LogRhythm.CaseEvidence.Evidences.lastUpdatedBy.numberNumberThe ID of the user who last updated the case evidence.
LogRhythm.CaseEvidence.Evidences.lastUpdatedBy.nameStringThe name of the user who last updated the case evidence.
LogRhythm.CaseEvidence.Evidences.lastUpdatedBy.disabledBooleanWhether the last user who updated the case evidence is disabled.
LogRhythm.CaseEvidence.Evidences.typeStringThe evidence type.
LogRhythm.CaseEvidence.Evidences.statusStringThe evidence status
LogRhythm.CaseEvidence.Evidences.statusMessageUnknownThe evidence status message.
LogRhythm.CaseEvidence.Evidences.textStringThe evidence text.
LogRhythm.CaseEvidence.Evidences.pinnedBooleanWhether the evidence is pinned.
LogRhythm.CaseEvidence.Evidences.datePinnedUnknownThe date the evidence was pinned.

Command Example#

!lr-case-evidence-list case_id=583A7DAA-872A-4ECE-80B8-0DECB6FC3061

Context Example#

{
"LogRhythm": {
"CaseEvidence": {
"CaseID": "583A7DAA-872A-4ECE-80B8-0DECB6FC3061",
"Evidences": [
{
"alarm": {
"alarmDate": "2021-08-19T13:08:08.713Z",
"alarmId": 212,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-19T13:08:08.727Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 39
},
"createdBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"dateCreated": "2021-08-19T14:21:01.7066667Z",
"datePinned": null,
"dateUpdated": "2021-08-19T14:21:01.7066667Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"number": 58,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
},
{
"alarm": {
"alarmDate": "2021-08-19T11:07:56.86Z",
"alarmId": 211,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-19T11:07:56.877Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 39
},
"createdBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"dateCreated": "2021-08-19T14:21:11.7766667Z",
"datePinned": null,
"dateUpdated": "2021-08-19T14:21:11.7766667Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"number": 59,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
},
{
"createdBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"dateCreated": "2021-08-19T14:25:33.5976206Z",
"datePinned": null,
"dateUpdated": "2021-08-19T14:25:33.5976206Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"number": 61,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "test note",
"type": "note"
}
]
}
}
}

Human Readable Output#

Evidences for case 583A7DAA-872A-4ECE-80B8-0DECB6FC3061#

NumberTypeStatusDate CreatedCreated ByTextAlarmFile
58alarmcompleted2021-08-19T14:21:01.7066667Znumber: -100
name: LogRhythm Administrator
disabled: false
alarmId: 212
alarmDate: 2021-08-19T13:08:08.713Z
alarmRuleId: 98
alarmRuleName: LogRhythm Agent Heartbeat Missed
dateInserted: 2021-08-19T13:08:08.727Z
entityId: 2
entityName: EchoTestEntity
riskBasedPriorityMax: 39
59alarmcompleted2021-08-19T14:21:11.7766667Znumber: -100
name: LogRhythm Administrator
disabled: false
alarmId: 211
alarmDate: 2021-08-19T11:07:56.86Z
alarmRuleId: 98
alarmRuleName: LogRhythm Agent Heartbeat Missed
dateInserted: 2021-08-19T11:07:56.877Z
entityId: 2
entityName: EchoTestEntity
riskBasedPriorityMax: 39
61notecompleted2021-08-19T14:25:33.5976206Znumber: -100
name: LogRhythm Administrator
disabled: false
test note

lr-case-alarm-evidence-add#


Add multiple alarms as evidence on a case.

Base Command#

lr-case-alarm-evidence-add

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
alarm_numbersA comma-separated list of alarm IDs.Required

Context Output#

PathTypeDescription
LogRhythm.AlarmEvidence.CaseIDStringThe case ID.
LogRhythm.AlarmEvidence.Evidences.numberNumberThe evidence number.
LogRhythm.AlarmEvidence.Evidences.dateCreatedDateThe date the evidence was created.
LogRhythm.AlarmEvidence.Evidences.dateUpdatedDateThe date the evidence was updated.
LogRhythm.AlarmEvidence.Evidences.createdBy.numberNumberThe ID of the user who created the evidence.
LogRhythm.AlarmEvidence.Evidences.createdBy.nameStringThe name of the user who created the evidence.
LogRhythm.AlarmEvidence.Evidences.createdBy.disabledBooleanWhether the user is disabled.
LogRhythm.AlarmEvidence.Evidences.lastUpdatedBy.numberNumberThe ID of the user who last updated the alarm evidence.
LogRhythm.AlarmEvidence.Evidences.lastUpdatedBy.nameStringThe name of the user who last updated the alarm evidence.
LogRhythm.AlarmEvidence.Evidences.lastUpdatedBy.disabledBooleanWhether the last user who updated the alarm evidence is disabled.
LogRhythm.AlarmEvidence.Evidences.typeStringThe evidence type.
LogRhythm.AlarmEvidence.Evidences.statusStringThe evidence status
LogRhythm.AlarmEvidence.Evidences.statusMessageUnknownThe evidence status message.
LogRhythm.AlarmEvidence.Evidences.textStringThe evidence text.
LogRhythm.AlarmEvidence.Evidences.pinnedBooleanWhether the evidence is pinned.
LogRhythm.AlarmEvidence.Evidences.datePinnedUnknownThe date the evidence was pinned.
LogRhythm.AlarmEvidence.Evidences.alarm.alarmIdNumberThe alarm ID.
LogRhythm.AlarmEvidence.Evidences.alarm.alarmDateDateThe alarm date.
LogRhythm.AlarmEvidence.Evidences.alarm.alarmRuleIdNumberThe alarm rule ID.
LogRhythm.AlarmEvidence.Evidences.alarm.alarmRuleNameStringThe alarm rule name.
LogRhythm.AlarmEvidence.Evidences.alarm.dateInsertedDateThe date the alarm was inserted.
LogRhythm.AlarmEvidence.Evidences.alarm.entityIdNumberThe alarm entity ID.
LogRhythm.AlarmEvidence.Evidences.alarm.entityNameStringThe alarm entity name.
LogRhythm.AlarmEvidence.Evidences.alarm.riskBasedPriorityMaxNumberThe maximum Risk Based Priority (RBP) threshold of events to monitor.

Command Example#

!lr-case-alarm-evidence-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE alarm_numbers=200,201

Context Example#

{
"LogRhythm": {
"AlarmEvidence": {
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"Evidences": [
{
"alarm": {
"alarmDate": "2021-08-18T13:05:59.663Z",
"alarmId": 200,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-18T13:05:59.683Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 100
},
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-19T15:41:35.54Z",
"datePinned": null,
"dateUpdated": "2021-08-19T15:41:35.54Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 62,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
},
{
"alarm": {
"alarmDate": "2021-08-18T15:06:10.623Z",
"alarmId": 201,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-18T15:06:10.637Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 39
},
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-19T15:41:35.54Z",
"datePinned": null,
"dateUpdated": "2021-08-19T15:41:35.54Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 63,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
}
]
}
}
}

Human Readable Output#

Alarms added as evidence to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE successfully#

NumberTypeStatusDate CreatedCreated ByTextAlarmFile
62alarmcompleted2021-08-19T15:41:35.54Znumber: 1
name: LR Soap API
disabled: false
alarmId: 200
alarmDate: 2021-08-18T13:05:59.663Z
alarmRuleId: 98
alarmRuleName: LogRhythm Agent Heartbeat Missed
dateInserted: 2021-08-18T13:05:59.683Z
entityId: 2
entityName: EchoTestEntity
riskBasedPriorityMax: 100
63alarmcompleted2021-08-19T15:41:35.54Znumber: 1
name: LR Soap API
disabled: false
alarmId: 201
alarmDate: 2021-08-18T15:06:10.623Z
alarmRuleId: 98
alarmRuleName: LogRhythm Agent Heartbeat Missed
dateInserted: 2021-08-18T15:06:10.637Z
entityId: 2
entityName: EchoTestEntity
riskBasedPriorityMax: 39

lr-case-note-evidence-add#


Add a note as evidence on a case.

Base Command#

lr-case-note-evidence-add

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
noteNote text.Required

Context Output#

PathTypeDescription
LogRhythm.NoteEvidence.CaseIDStringThe case ID.
LogRhythm.NoteEvidence.Evidences.numberNumberThe evidence number.
LogRhythm.NoteEvidence.Evidences.dateCreatedDateThe date the evidence was created.
LogRhythm.NoteEvidence.Evidences.dateUpdatedDateThe date the evidence was updated.
LogRhythm.NoteEvidence.Evidences.createdBy.numberNumberThe ID of the user who created the evidence.
LogRhythm.NoteEvidence.Evidences.createdBy.nameStringThe name of the user who created the evidence.
LogRhythm.NoteEvidence.Evidences.createdBy.disabledBooleanWhether the user is disabled.
LogRhythm.NoteEvidence.Evidences.lastUpdatedBy.numberNumberThe ID of the user who last updated the evidence.
LogRhythm.NoteEvidence.Evidences.lastUpdatedBy.nameStringThe name of the user who last updated the evidence.
LogRhythm.NoteEvidence.Evidences.lastUpdatedBy.disabledBooleanWhether the last user who updated the evidence is disabled.
LogRhythm.NoteEvidence.Evidences.typeStringThe evidence type.
LogRhythm.NoteEvidence.Evidences.statusStringThe evidence status,
LogRhythm.NoteEvidence.Evidences.statusMessageUnknownThe evidence status message.
LogRhythm.NoteEvidence.Evidences.textStringThe evidence text.
LogRhythm.NoteEvidence.Evidences.pinnedBooleanWhether the evidence is pinned.
LogRhythm.NoteEvidence.Evidences.datePinnedUnknownThe date the evidence was pinned.

Command Example#

!lr-case-note-evidence-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE note=test

Context Example#

{
"LogRhythm": {
"NoteEvidence": [
{
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"Evidences": {
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-10-30T20:17:09.2251906Z",
"datePinned": null,
"dateUpdated": "2021-10-30T20:17:09.2251906Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 243,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "test",
"type": "note"
}
}
]
}
}

Human Readable Output#

Note added as evidence to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE successfully#

NumberTypeStatusDate CreatedCreated ByTextAlarmFile
243notecompleted2021-10-30T20:17:09.2251906Znumber: 1
name: LR Soap API
disabled: false
test

lr-case-file-evidence-add#


Upload a file as evidence on a case.

Base Command#

lr-case-file-evidence-add

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case,.Required
entryIdThe entry ID of the file to attach.Required

Context Output#

PathTypeDescription
LogRhythm.FileEvidence.CaseIDStringThe case ID.
LogRhythm.FileEvidence.Evidences.numberNumberThe evidence number.
LogRhythm.FileEvidence.Evidences.dateCreatedDateThe date the evidence was created.
LogRhythm.FileEvidence.Evidences.dateUpdatedDateThe date the evidence was updated.
LogRhythm.FileEvidence.Evidences.createdBy.numberNumberThe ID of the user who created the evidence.
LogRhythm.FileEvidence.Evidences.createdBy.nameStringThe name of the user who created the evidence.
LogRhythm.FileEvidence.Evidences.createdBy.disabledBooleanWhether the user is disabled.
LogRhythm.FileEvidence.Evidences.lastUpdatedBy.numberNumberThe ID of the user who last updated the evidence.
LogRhythm.FileEvidence.Evidences.lastUpdatedBy.nameStringThe name of the user who last updated the evidence.
LogRhythm.FileEvidence.Evidences.lastUpdatedBy.disabledBooleanWhether the last user who updated the evidence is disabled.
LogRhythm.FileEvidence.Evidences.typeStringThe evidence type.
LogRhythm.FileEvidence.Evidences.statusStringThe evidence status
LogRhythm.FileEvidence.Evidences.statusMessageUnknownThe evidence status message.
LogRhythm.FileEvidence.Evidences.textStringThe evidence text.
LogRhythm.FileEvidence.Evidences.pinnedBooleanWhether the evidence is pinned.
LogRhythm.FileEvidence.Evidences.datePinnedUnknownThe date the evidence was pinned.

Command Example#

!lr-case-file-evidence-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE entryId=8502@383ed6ae-1fd7-431a-858d-a11f2620c73b

Context Example#

{
"LogRhythm": {
"FileEvidence": [
{
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"Evidences": {
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-10-30T20:33:46.8Z",
"datePinned": null,
"dateUpdated": "2021-10-30T20:33:46.8Z",
"file": {
"name": "File.jpeg",
"size": 170781
},
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 244,
"pinned": false,
"status": "pending",
"statusMessage": null,
"text": "",
"type": "file"
}
}
]
}
}

Human Readable Output#

File added as evidence to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE successfully#

NumberTypeStatusDate CreatedCreated ByTextAlarmFile
244filepending2021-10-30T20:33:46.8Znumber: 1
name: LR Soap API
disabled: false
name: File.jpeg
size: 170781

lr-case-evidence-delete#


Remove evidence from a case.

Base Command#

lr-case-evidence-delete

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
evidence_numberUnique, numeric identifier for the evidence to remove.Required

Context Output#

There is no context output for this command.

Command Example#

!lr-case-evidence-delete case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE evidence_number=65

Human Readable Output#

Evidence deleted successfully from case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE.

lr-case-file-evidence-download#


Download an item of file evidence from a case.

Base Command#

lr-case-file-evidence-download

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
evidence_numberUnique, numeric identifier for the evidence.Required

Context Output#

There is no context output for this command.

Command Example#

!lr-case-file-evidence-download case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE evidence_number=66

Context Example#

{
"File": {
"EntryID": "8420@383ed6ae-1fd7-431a-858d-a11f2620c73b",
"Extension": "jpg",
"Info": "image/jpeg",
"MD5": "0f9e8a7d9e49fee24f6a34424ad45662",
"Name": "IMG_20210723_165057.jpg",
"SHA1": "SHA1",
"SHA256": "SHA256",
"SHA512": "SHA512",
"SSDeep": "SSDeep",
"Size": 3021461,
"Type": "JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=2112, manufacturer=OnePlus, model=ONEPLUS A6013, orientation=upper-left, xresolution=180, yresolution=188, resolutionunit=2, datetime=2021:07:23 16:50:59, GPS-Data, width=4608], baseline, precision 8, 4608x2112, frames 3"
}
}

Human Readable Output#

lr-case-tags-add#


Add tags to a case.

Base Command#

lr-case-tags-add

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
tag_numbersA comma-separated list of tag numbers to add.Required

Context Output#

PathTypeDescription
LogRhythm.Case.idStringThe case ID.
LogRhythm.Case.numberNumberThe case number.
LogRhythm.Case.externalIdStringThe case external ID.
LogRhythm.Case.dateCreatedDateThe date the case was created.
LogRhythm.Case.dateUpdatedDateThe date the case was updated.
LogRhythm.Case.dateClosedUnknownThe date the case was closed.
LogRhythm.Case.owner.numberNumberThe ID of the case owner.
LogRhythm.Case.owner.nameStringThe name of the case owner.
LogRhythm.Case.owner.disabledBooleanWhether the owner is disabled or not
LogRhythm.Case.lastUpdatedBy.numberNumberThe ID of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.nameStringThe name of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.disabledBooleanWhether the last user who updated the case is disabled.
LogRhythm.Case.nameStringThe case name.
LogRhythm.Case.status.nameStringThe case status.
LogRhythm.Case.status.numberNumberThe case status number.
LogRhythm.Case.priorityNumberThe case priority.
LogRhythm.Case.dueDateDateThe datetime the case is due.
LogRhythm.Case.resolutionUnknownThe case resolution.
LogRhythm.Case.resolutionDateUpdatedUnknownThe date the case resolution was last updated.
LogRhythm.Case.resolutionLastUpdatedByUnknownThe user who last updated the case resolution.
LogRhythm.Case.summaryStringThe case summary.
LogRhythm.Case.entity.numberNumberThe case entity number.
LogRhythm.Case.entity.nameStringThe case entity name.
LogRhythm.Case.entity.fullNameStringThe case entity full name.
LogRhythm.Case.collaborators.numberNumberThe case collaborator number.
LogRhythm.Case.collaborators.nameStringThe case collaborator name.
LogRhythm.Case.collaborators.disabledBooleanWhether the case collaborator is disabled.
LogRhythm.Case.tags.textStringThe case tag name.
LogRhythm.Case.tags.numberNumberThe case tag number.

Command Example#

!lr-case-tags-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE tag_numbers=2,3

Context Example#

{
"LogRhythm": {
"Case": {
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-19T15:38:07.8995494Z",
"dateUpdated": "2021-10-30T20:17:15.9861818Z",
"dueDate": "2021-08-20T15:38:07.8995494Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "9930",
"id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 17,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 3,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Incident",
"number": 3
},
"summary": "test case",
"tags": [
{
"number": 2,
"text": "tag #2"
},
{
"number": 3,
"text": "tag #3"
}
]
}
}
}

Human Readable Output#

Tags added successfully to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE#

CollaboratorsDate ClosedDate CreatedDate UpdatedDue DateEntityExternal IdIdLast Updated ByNameNumberOwnerPriorityResolutionResolution Date UpdatedResolution Last Updated ByStatusSummaryTags
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-08-19T15:38:07.8995494Z2021-10-30T20:17:15.9861818Z2021-08-20T15:38:07.8995494Znumber: -100
name: Global Entity
fullName: Global Entity
99302E7FA20D-191E-4733-B7DC-A18BBFE762CEnumber: 1
name: LR Soap API
disabled: false
test17number: 1
name: LR Soap API
disabled: false
3name: Incident
number: 3
test case{'number': 2, 'text': 'tag #2'},
{'number': 3, 'text': 'tag #3'}

lr-case-tags-remove#


Remove tags from a case.

Base Command#

lr-case-tags-remove

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
tag_numbersA comma-separated list of tag numbers to remove.Required

Context Output#

PathTypeDescription
LogRhythm.Case.idStringThe case ID.
LogRhythm.Case.numberNumberThe case number.
LogRhythm.Case.externalIdStringThe case external ID.
LogRhythm.Case.dateCreatedDateThe date the case was created.
LogRhythm.Case.dateUpdatedDateThe date the case was updated.
LogRhythm.Case.dateClosedUnknownThe date the case was closed.
LogRhythm.Case.owner.numberNumberThe ID of the case owner.
LogRhythm.Case.owner.nameStringThe name of the case owner.
LogRhythm.Case.owner.disabledBooleanWhether the owner is disabled or not
LogRhythm.Case.lastUpdatedBy.numberNumberThe ID of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.nameStringThe name of the user who last updated the case.
LogRhythm.Case.lastUpdatedBy.disabledBooleanWhether the last user who updated the case is disabled.
LogRhythm.Case.nameStringThe case name.
LogRhythm.Case.status.nameStringThe case status.
LogRhythm.Case.status.numberNumberThe case status number.
LogRhythm.Case.priorityNumberThe case priority.
LogRhythm.Case.dueDateDateThe datetime the case is due.
LogRhythm.Case.resolutionUnknownThe case resolution.
LogRhythm.Case.resolutionDateUpdatedUnknownThe date the case resolution was last updated.
LogRhythm.Case.resolutionLastUpdatedByUnknownThe user who last updated the case resolution.
LogRhythm.Case.summaryStringThe case summary.
LogRhythm.Case.entity.numberNumberThe case entity number.
LogRhythm.Case.entity.nameStringThe case entity name.
LogRhythm.Case.entity.fullNameStringThe case entity full name.
LogRhythm.Case.collaborators.numberNumberThe case collaborator number.
LogRhythm.Case.collaborators.nameStringThe case collaborator name.
LogRhythm.Case.collaborators.disabledBooleanWhether the case collaborator is disabled.
LogRhythm.Case.tags.textStringThe case tag name.
LogRhythm.Case.tags.numberNumberThe case tag number.

Command Example#

!lr-case-tags-remove case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE tag_numbers=1,2

Context Example#

{
"LogRhythm": {
"Case": {
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-19T15:38:07.8995494Z",
"dateUpdated": "2021-10-30T20:17:17.3901952Z",
"dueDate": "2021-08-20T15:38:07.8995494Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "9930",
"id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 17,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 3,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Incident",
"number": 3
},
"summary": "test case",
"tags": [
{
"number": 3,
"text": "tag #3"
}
]
}
}
}

Human Readable Output#

Tags removed successfully from case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE#

CollaboratorsDate ClosedDate CreatedDate UpdatedDue DateEntityExternal IdIdLast Updated ByNameNumberOwnerPriorityResolutionResolution Date UpdatedResolution Last Updated ByStatusSummaryTags
{'number': 1, 'name': 'LR Soap API', 'disabled': False}2021-08-19T15:38:07.8995494Z2021-10-30T20:17:17.3901952Z2021-08-20T15:38:07.8995494Znumber: -100
name: Global Entity
fullName: Global Entity
99302E7FA20D-191E-4733-B7DC-A18BBFE762CEnumber: 1
name: LR Soap API
disabled: false
test17number: 1
name: LR Soap API
disabled: false
3name: Incident
number: 3
test case{'number': 3, 'text': 'tag #3'}

lr-tags-list#


Return a list of tags using filter criteria.

Base Command#

lr-tags-list

Input#

Argument NameDescriptionRequired
tag_nameFilter results that have a tag name that contains the specified value.Optional
offsetThe number of tags to skip before starting to collect the result set. Default is 0.Optional
countThe numbers of tags to return. Default is 50.Optional

Context Output#

PathTypeDescription
LogRhythm.Tag.numberNumberThe tag number.
LogRhythm.Tag.textStringThe tag text.
LogRhythm.Tag.dateCreatedDateThe date the tag was created.
LogRhythm.Tag.createdBy.numberNumberThe ID of the user who created the tag.
LogRhythm.Tag.createdBy.nameStringThe name of the user who created the tag.
LogRhythm.Tag.createdBy.disabledBooleanWhether the user is disabled.

Command Example#

!lr-tags-list count=2

Context Example#

{
"LogRhythm": {
"Tag": [
{
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-11T13:44:00.4433333Z",
"number": 2,
"text": "tag #2"
},
{
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-11T13:44:05.7433333Z",
"number": 3,
"text": "tag #3"
}
]
}
}

Human Readable Output#

Tags#

NumberTextDate CreatedCreated By
2tag #22021-08-11T13:44:00.4433333Znumber: 1
name: LR Soap API
disabled: false
3tag #32021-08-11T13:44:05.7433333Znumber: 1
name: LR Soap API
disabled: false

lr-case-collaborators-list#


Returns the owner and a list of collaborators associated with a specific case.

Base Command#

lr-case-collaborators-list

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required

Context Output#

PathTypeDescription
LogRhythm.CaseCollaborator.CaseIDStringThe case ID.
LogRhythm.CaseCollaborator.owner.numberNumberThe ID of the case owner.
LogRhythm.CaseCollaborator.owner.nameStringThe name of the case owner.
LogRhythm.CaseCollaborator.owner.disabledBooleanWhether the owner is disabled.
LogRhythm.CaseCollaborator.collaborators.numberNumberThe case collaborator number.
LogRhythm.CaseCollaborator.collaborators.nameStringThe case collaborator name.
LogRhythm.CaseCollaborator.collaborators.disabledBooleanWhether the case collaborator is disabled.

Command Example#

!lr-case-collaborators-list case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE

Context Example#

{
"LogRhythm": {
"CaseCollaborator": {
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
}
}
}
}

Human Readable Output#

Case owner#

DisabledNameNumber
falseLR Soap API1

Case collaborators#

DisabledNameNumber
falseLR Soap API1

lr-case-collaborators-update#


Updates the owner and collaborators associated with a specific case.

Base Command#

lr-case-collaborators-update

Input#

Argument NameDescriptionRequired
case_idUnique identifier for the case.Required
ownerUnique, numeric identifier for the person.Required
collaboratorsA comma-separated list of user IDs.Required

Context Output#

PathTypeDescription
LogRhythm.CaseCollaborator.CaseIDStringThe case ID.
LogRhythm.CaseCollaborator.owner.numberNumberThe ID of the case owner.
LogRhythm.CaseCollaborator.owner.nameStringThe name of the case owner.
LogRhythm.CaseCollaborator.owner.disabledBooleanWhether the owner is disabled.
LogRhythm.CaseCollaborator.collaborators.numberNumberThe case collaborator ID.
LogRhythm.CaseCollaborator.collaborators.nameStringThe case collaborator name.
LogRhythm.CaseCollaborator.collaborators.disabledBooleanWhether the case collaborator is disabled.

Command Example#

!lr-case-collaborators-update case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE collaborators=1 owner=1

Context Example#

{
"LogRhythm": {
"CaseCollaborator": {
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
}
}
}
}

Human Readable Output#

Case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE updated successfully#

Case owner#

DisabledNameNumber
falseLR Soap API1

Case collaborators#

DisabledNameNumber
falseLR Soap API1

lr-entities-list#


Returns all Entities that match the specified criteria.

Base Command#

lr-entities-list

Input#

Argument NameDescriptionRequired
parent_entity_idFilter by the object parent entity ID.Optional
entity_idFilter by the entity ID.Optional
offsetThe number of entities to skip before starting to collect the result set. Default is 0.Optional
countThe number of entities to return. Default is 50.Optional

Context Output#

PathTypeDescription
LogRhythm.Entity.idNumberThe entity ID.
LogRhythm.Entity.nameStringThe entity name.
LogRhythm.Entity.fullNameStringThe entity full name.
LogRhythm.Entity.recordStatusNameStringThe entity record status.
LogRhythm.Entity.shortDescStringThe entity short description.
LogRhythm.Entity.dateUpdatedDateThe date the entity was updated.

Command Example#

!lr-entities-list count=2

Context Example#

{
"LogRhythm": {
"Entity": [
{
"dateUpdated": "2021-10-12T14:01:21.54Z",
"fullName": "EchoTestEntity",
"id": 2,
"name": "EchoTestEntity",
"recordStatusName": "Active",
"shortDesc": "LogRhythm ECHO"
},
{
"dateUpdated": "2021-10-27T16:27:14.363Z",
"fullName": "Global Entity",
"id": -100,
"name": "Global Entity",
"recordStatusName": "Active",
"shortDesc": "Global entity containing shared network and host records"
}
]
}
}

Human Readable Output#

Entities#

IdNameFull NameRecord Status NameShort DescDate Updated
2EchoTestEntityEchoTestEntityActiveLogRhythm ECHO2021-10-12T14:01:21.54Z
-100Global EntityGlobal EntityActiveGlobal entity containing shared network and host records2021-10-27T16:27:14.363Z

lr-hosts-list#


Returns all hosts that match the specified criteria.

Base Command#

lr-hosts-list

Input#

Argument NameDescriptionRequired
host_idFilter by host ID.Optional
host_nameFilter by host name.Optional
entity_nameFilter by entity name.Optional
record_statusFilter by record status. Possible values: "all", "active", "retired". Possible values are: all, active, retired.Optional
offsetThe number of hosts to skip before starting to collect the result set. Default is 0.Optional
countThe number of hosts to return. Default is 50.Optional

Context Output#

PathTypeDescription
LogRhythm.Host.idNumberThe host ID.
LogRhythm.Host.entity.idNumberThe host entity ID.
LogRhythm.Host.entity.nameStringThe host entity name.
LogRhythm.Host.nameStringThe host name.
LogRhythm.Host.riskLevelStringThe host risk level.
LogRhythm.Host.threatLevelStringThe host threat level.
LogRhythm.Host.threatLevelCommentsStringThe threat level comments
LogRhythm.Host.recordStatusNameStringThe host record status name.
LogRhythm.Host.hostZoneStringThe host zone.
LogRhythm.Host.location.idNumberThe host location ID.
LogRhythm.Host.osStringThe operating system type supported by LogRhythm.
LogRhythm.Host.useEventlogCredentialsBooleanWhether to use the event log credentials.
LogRhythm.Host.osTypeStringThe agent server type on which the operating system is installed.
LogRhythm.Host.dateUpdatedDateThe date the host was updated.
LogRhythm.Host.shortDescStringThe host short description.
LogRhythm.Host.osVersionStringThe host operation system version.
LogRhythm.Host.hostIdentifiers.typeStringThe host identifier type.
LogRhythm.Host.hostIdentifiers.valueStringThe host identifier value.
LogRhythm.Host.hostIdentifiers.dateAssignedDateThe date the host identifier was assigned.
LogRhythm.Host.eventlogPasswordStringThe event log password.

Command Example#

!lr-hosts-list count=2

Context Example#

{
"LogRhythm": {
"Host": [
{
"dateUpdated": "2021-07-27T15:56:14.34Z",
"entity": {
"id": -100,
"name": "Global Entity"
},
"hostIdentifiers": [],
"hostRoles": [],
"hostZone": "Internal",
"id": -1000001,
"location": {
"id": -1
},
"name": "AI Engine Server",
"os": "Unknown",
"osType": "Server",
"recordStatusName": "Active",
"riskLevel": "None",
"threatLevel": "None",
"threatLevelComments": "",
"useEventlogCredentials": false
},
{
"dateUpdated": "2021-07-27T15:56:14.343Z",
"entity": {
"id": 1,
"name": "Primary Site"
},
"hostIdentifiers": [],
"hostRoles": [],
"hostZone": "Internal",
"id": -1000002,
"location": {
"id": -1
},
"name": "AI Engine Server",
"os": "Unknown",
"osType": "Server",
"recordStatusName": "Active",
"riskLevel": "None",
"threatLevel": "None",
"threatLevelComments": "",
"useEventlogCredentials": false
}
]
}
}

Human Readable Output#

Hosts#

Date UpdatedEntityHost IdentifiersHost RolesHost ZoneIdLocationNameOsOs TypeRecord Status NameRisk LevelThreat LevelThreat Level CommentsUse Eventlog Credentials
2021-07-27T15:56:14.34Zid: -100
name: Global Entity
Internal-1000001id: -1AI Engine ServerUnknownServerActiveNoneNonefalse
2021-07-27T15:56:14.343Zid: 1
name: Primary Site
Internal-1000002id: -1AI Engine ServerUnknownServerActiveNoneNonefalse

lr-users-list#


Returns user records based on the permissions of the currently logged in user and the specified criteria.

Base Command#

lr-users-list

Input#

Argument NameDescriptionRequired
user_idsA comma-separated list of user IDs.Optional
entity_idsA comma-separated list of entity IDs.Optional
user_statusFilter by user status. Possible values: "Active" and "Retired". Possible values are: Active, Retired.Optional
offsetThe ID of users to skip before starting to collect the result set. Default is 0.Optional
countThe IDs of the users to return. Default is 50.Optional

Context Output#

PathTypeDescription
LogRhythm.User.firstNameStringThe user first name.
LogRhythm.User.lastNameStringThe user last name.
LogRhythm.User.userTypeStringThe user type
LogRhythm.User.fullNameStringThe user full name.
LogRhythm.User.objectPermissions.readAccessStringThe user read access permissions.
LogRhythm.User.objectPermissions.writeAccessStringThe user write access permissions.
LogRhythm.User.objectPermissions.entity.idNumberThe user permissions entity ID.
LogRhythm.User.objectPermissions.entity.nameStringThe user permissions entity name.
LogRhythm.User.objectPermissions.owner.idNumberThe user permissions owner ID.
LogRhythm.User.objectPermissions.owner.nameStringThe user permissions owner.
LogRhythm.User.idNumberThe user ID.
LogRhythm.User.recordStatusNameStringThe user record status.
LogRhythm.User.dateUpdatedDateThe date the user was updated.

Command Example#

!lr-users-list count=2

Context Example#

{
"LogRhythm": {
"User": [
{
"dateUpdated": "2021-07-27T20:38:31.443Z",
"firstName": "",
"fullName": "LR Soap API",
"id": 1,
"lastName": "",
"objectPermissions": {
"entity": {
"id": 1,
"name": "Primary Site"
},
"owner": {
"id": -100,
"name": "LogRhythmAdmin"
},
"readAccess": "PublicGlobalAdmin",
"writeAccess": "PublicGlobalAdmin"
},
"recordStatusName": "Active",
"userType": "Role"
},
{
"dateUpdated": "2021-07-27T15:07:47.05Z",
"firstName": "LogRhythm",
"fullName": "LogRhythm Analyst",
"id": -101,
"lastName": "Analyst",
"objectPermissions": {
"entity": {
"id": -100,
"name": "Global Entity"
},
"owner": {
"id": -100,
"name": "LogRhythmAdmin"
},
"readAccess": "PublicAll",
"writeAccess": "PublicGlobalAdmin"
},
"recordStatusName": "Active",
"userType": "Role"
}
]
}
}

Human Readable Output#

Users#

IdFull NameUser TypeFirst NameLast NameRecord Status NameDate UpdatedObject Permissions
1LR Soap APIRoleActive2021-07-27T20:38:31.443ZreadAccess: PublicGlobalAdmin
writeAccess: PublicGlobalAdmin
entity: {"id": 1, "name": "Primary Site"}
owner: {"id": -100, "name": "LogRhythmAdmin"}
-101LogRhythm AnalystRoleLogRhythmAnalystActive2021-07-27T15:07:47.05ZreadAccess: PublicAll
writeAccess: PublicGlobalAdmin
entity: {"id": -100, "name": "Global Entity"}
owner: {"id": -100, "name": "LogRhythmAdmin"}

lr-lists-get#


Returns list details using the filter criteria.

Base Command#

lr-lists-get

Input#

Argument NameDescriptionRequired
list_typeThe list type. Possible values: "None", "Application", "Classification", "CommonEvent", "Host", "Location", "MsgSource", "MsgSourceType", "MPERule", "Network", "User", "GeneralValue", "Entity", "RootEntity", "IP", "IPRange", and "Identity". Possible values are: None, Application, Classification, CommonEvent, Host, Location, MsgSource, MsgSourceType, MPERule, Network, User, GeneralValue, Entity, RootEntity, IP, IPRange, Identity.Optional
list_nameThe name of the object or regex match.Optional
can_editSpecifies if Write Only (true) or Read Only (false) lists are required for a user. Possible values: "true" and "false". Possible values are: true, false.Optional

Context Output#

PathTypeDescription
LogRhythm.List.listTypeStringThe list type.
LogRhythm.List.statusStringThe list status.
LogRhythm.List.nameStringThe list name.
LogRhythm.List.shortDescriptionStringThe list short description.
LogRhythm.List.useContextStringThe use context type.
LogRhythm.List.autoImportOption.enabledBooleanWhether the list auto import is enabled.
LogRhythm.List.autoImportOption.usePatternsBooleanWhether the auto import use patterns is enabled.
LogRhythm.List.autoImportOption.replaceExistingBooleanWhether the auto import replace existing is enabled.
LogRhythm.List.idNumberThe list ID.
LogRhythm.List.guidStringThe list GUID.
LogRhythm.List.dateCreatedDateThe date the list was created.
LogRhythm.List.dateUpdatedDateThe date the list was updated.
LogRhythm.List.readAccessStringThe read permission level.
LogRhythm.List.writeAccessStringThe write permission level.
LogRhythm.List.restrictedReadBooleanWhether the list is read restricted.
LogRhythm.List.entityNameStringThe list entity name.
LogRhythm.List.entryCountNumberThe list entry count.
LogRhythm.List.needToNotifyBooleanWhether the list will notify the user when updated.
LogRhythm.List.doesExpireBooleanWhether the list expires.
LogRhythm.List.ownerNumberThe ID of the list owner.
LogRhythm.List.longDescriptionStringThe list long description.
LogRhythm.List.timeToLiveSecondsNumberThe list time for the list to live in seconds.
LogRhythm.List.revisitDateDateThe list revisit date.

Command Example#

!lr-lists-get

Context Example#

{
"LogRhythm": {
"List": [
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2019-11-05T04:11:38.303Z",
"dateUpdated": "2021-07-27T16:03:30.617Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "B1E34445-2693-411E-8BE2-9B97AFFF20A9",
"id": -1000130,
"listType": "GeneralValue",
"name": "Windows System32 Hashes",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Hashes of executables in the %systemroot%\\system32 directory. Use Case: Masquerading technique in MITRE ATT&CK",
"status": "Active",
"useContext": [
"Hash"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-07-27T15:07:50.893Z",
"dateUpdated": "2021-07-27T15:07:50.893Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F205DE21-9F73-462E-8F83-DE64CAD2A401",
"id": -1000001,
"listType": "Identity",
"longDescription": "Anomaly scores from CloudAI will not be displayed for the identities in this list. Identities added to this list will automatically expire 24 hours after they are added.",
"name": "CloudAI: Ignore for 24 Hours",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Anomaly scores from CloudAI will not be displayed for the identities in this list. Identities added to this list will automatically expire 24 hours after they are added.",
"status": "Active",
"timeToLiveSeconds": 86400,
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-07-27T15:07:50.893Z",
"dateUpdated": "2021-07-27T15:07:50.893Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "5A2E34FB-3AD1-44CB-8E5F-643CAEDD1EC2",
"id": -1000000,
"listType": "Identity",
"longDescription": "Identities monitored by CloudAI",
"name": "CloudAI: Monitored Identities",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Identities monitored by CloudAI",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2015-06-06T00:15:20.033Z",
"dateUpdated": "2021-07-27T16:03:30.627Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "6B9A54EF-70C9-49E0-B051-75C363178603",
"id": -2389,
"listType": "MsgSource",
"longDescription": "This list will need to capture all related systems according to their classification as high, medium, or low impacts within the environment. \r\n\r\nThis list is used in the following:\r\n(Reports)\r\nNERC-CIP: Access Failure Summary\r\nNERC-CIP: Default Act Auth/Accs Success Summary\r\nNERC-CIP: Default Act Management Summary\r\nNERC-CIP: Host Authentication Success Summary\r\nNERC-CIP: Non-encrypted protocol\r\nNERC-CIP: Priv Act Auth/Accs Success Summary\r\nNERC-CIP: Priv Act Management Summary\r\nNERC-CIP: Shared Act Auth/Accs Success Summary\r\nNERC-CIP: Shared Act Management Summary\r\nNERC-CIP: Suspicious Activity Summary\r\nNERC-CIP: Term Act Auth/Accs Success Summary\r\nNERC-CIP: Term Act Management Summary\r\nNERC-CIP: Vendor Act Auth/Accs Success Summary\r\nNERC-CIP: Vendor Act Management Summary\r\nNERC-CIP: VPN Node Registration Failure (Auth)\r\nNERC-CIP: VPN Node Registration Failure (un-Auth)\r\n(Investigation)\r\nNERC-CIP: Access Failure Detail\r\nNERC-CIP: Host Authentication Success Detail\r\nNERC-CIP: Priv Group Access Granted Detail\r\nNERC-CIP: Rogue WAP Detected Detail\r\nNERC-CIP: Suspicious Activity Detail\r\nNERC-CIP: VPN Node Registration Failure Detail (Auth)\r\nNERC-CIP: VPN Node Registration Failure Detail (un- Auth)\r\nNERC-CIP: Windows Firewall Change Detail\r\n(AIE Rules)\r\nNERC-CIP: Account Locked or Disabled Rule\r\nNERC-CIP: Attack Detected Rule\r\nNERC-CIP: Compromise Detected Rule\r\nNERC-CIP: Concur VPN From Multiple Country\r\nNERC-CIP: Concur VPN Same User\r\nNERC-CIP: Concurrent VPN From Multiple Cities\r\nNERC-CIP: Concurrent VPN From Multiple Region\r\nNERC-CIP: Config/Policy Change\r\nNERC-CIP: Data Destruction Rule\r\nNERC-CIP: Data Exfiltration Rule\r\nNERC-CIP: Data Loss Prevention Rule\r\nNERC-CIP: ESP Network Allow Egress Rule\r\nNERC-CIP: ESP Network Allow Ingress Rule\r\nNERC-CIP: ESP Network Denied Egress Rule\r\nNERC-CIP: ESP Network Denied Ingress Rule\r\nNERC-CIP: Malware Detected Rule\r\nNERC-CIP: Port Misuse: FTP\r\nNERC-CIP: Port Misuse: HTTP \r\nNERC-CIP: Port Misuse: SSH In\r\nNERC-CIP: Port Misuse: S",
"name": "NERC-CIP: Electronic Security Perimeter",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This log source list represents various network related systems such as security perimeter enforcing devices (i.e. IPS, firewalls), security perimeter monitoring devices (i.e. IDS), VPNs, wireless access points, remote access devices, anti-malware, etc. ",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2015-06-05T21:31:30.7Z",
"dateUpdated": "2021-07-27T16:03:30.64Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F7A6369A-33C3-4249-91EF-6710E13F48F6",
"id": -2379,
"listType": "MsgSource",
"longDescription": "This list will need to capture all related systems according to their classification as high, medium, or low impacts within the environment. \r\n\r\nThis list is used in the following:\r\n(Reports)\r\nNERC-CIP: Access Failure Summary\r\nNERC-CIP: Authentication Failure Summary\r\nNERC-CIP: Change in Software Config (Linux)\r\nNERC-CIP: Change in Software Config (Windows)\r\nNERC-CIP: Default Act Auth/Accs Success Summary\r\nNERC-CIP: Default Act Management Summary\r\nNERC-CIP: Failed File Access (Linux)\r\nNERC-CIP: Failed File Access (Windows)\r\nNERC-CIP: Host Authentication Success Summary\r\nNERC-CIP: Object Creation/Disposal Summary\r\nNERC-CIP: Priv Act Auth/Accs Success Summary\r\nNERC-CIP: Priv Act Management Summary\r\nNERC-CIP: Shared Act Auth/Accs Success Summary\r\nNERC-CIP: Shared Act Management Summary\r\nNERC-CIP: Suspicious Activity Summary\r\nNERC-CIP: Term Act Auth/Accs Success Summary\r\nNERC-CIP: Term Act Management Summary\r\nNERC-CIP: Vendor Act Auth/Accs Success Summary\r\nNERC-CIP: Vendor Act Management Summary\r\n (Investigation)\r\nNERC-CIP: Access Failure Detail\r\nNERC-CIP: Host Authentication Success Detail\r\nNERC-CIP: Priv Group Access Granted Detail\r\nNERC-CIP: Suspicious Activity Detail\r\n (AIE Rules)\r\nNERC-CIP: Account Locked or Disabled Rule\r\nNERC-CIP: Attack Detected Rule\r\nNERC-CIP: Compromise Detected Rule\r\nNERC-CIP: Concur VPN From Multiple Country\r\nNERC-CIP: Concur VPN Same User\r\nNERC-CIP: Concurrent VPN From Multiple Cities\r\nNERC-CIP: Concurrent VPN From Multiple Region\r\nNERC-CIP: Config/Policy Change\r\nNERC-CIP: Data Destruction Rule\r\nNERC-CIP: Data Exfiltration Rule\r\nNERC-CIP: Data Loss Prevention Rule\r\nNERC-CIP: ESP Network Allow Egress Rule\r\nNERC-CIP: ESP Network Allow Ingress Rule\r\nNERC-CIP: ESP Network Denied Egress Rule\r\nNERC-CIP: ESP Network Denied Ingress Rule\r\nNERC-CIP: Malware Detected Rule\r\nNERC-CIP: Port Misuse: FTP\r\nNERC-CIP: Port Misuse: HTTP \r\nNERC-CIP: Port Misuse: SSH In\r\nNERC-CIP: Port Misuse: SSH Out\r\nNERC-CIP: Rogue WAP Detected Rule\r\nNERC-CIP: Software Instal",
"name": "NERC-CIP: BES Cyber Systems",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This log source list represents various BES Cyber Assets related to IT operations that reflect groupings of the BES Cyber System(s)",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T03:39:14.56Z",
"dateUpdated": "2021-07-27T16:03:30.663Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "4E629B5B-7D5D-447B-B672-BBCAF8E32E37",
"id": -2085,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Invalid DMZ => Internal Comm AIE Rule\n\r\nPCI-DSS: Invalid DMZ => Internal Comm Details\r\n\nPCI-DSS: Invalid DMZ => Internal Comm Summary\r\n\nPCI-DSS: Invalid DMZ => Internal Comm Detail\n\r\n",
"name": "PCI-DSS: Allowed DMZ => Internal App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the demilitarized zone environment to the internal network.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:43:14.257Z",
"dateUpdated": "2021-07-27T16:03:30.683Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "AFD1ACEB-A5CB-4EE7-BB46-331CE023F750",
"id": -2078,
"listType": "Network",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Internal Communication\r\nPCI-DSS: Denied Intrn => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Intrn => Intrn Comm Detail\n\r\nPCI-DSS: Denied Intrn => Intrn Comm Details\r\nPCI-DSS: Denied Intrn => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Intrn => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Intrn => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Intrn => Intrn Comm Details\n\r\nPCI-DSS: Invalid Intrn => Intrn Comm Summary\r\n\nPCI-DSS: Denied Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Inet => Intrn Comm Detail\n\r\nPCI-DSS: Denied Inet => Intrn Comm Details\r\nPCI-DSS: Denied Inet => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Inet => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Details\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Summary\r\nPCI-DSS: Denied Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Inet => Intrn Comm Detail\n\r\nPCI-DSS: Denied Inet => Intrn Comm Details\r\nPCI-DSS: Denied Inet => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Inet => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Details\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Summary\r\n\nPCI-DSS: Denied Test => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Test => Intrn Comm Detail\n\r\nPCI-DSS: Denied Test => Intrn Comm Details\r\nPCI-DSS: Denied Test => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Test => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Test => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Test => Intrn Comm Details\n\r\nPCI-DSS: Invalid Test => Intrn Comm Summary\n",
"name": "PCI-DSS: Internal Environment List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with internal IP addresses of your entire internal network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:29:50.9Z",
"dateUpdated": "2021-07-27T16:03:30.7Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "2A5E5FCE-1FEF-4A7A-A827-93B7676028EA",
"id": -2077,
"listType": "Network",
"longDescription": "This list is used in the following package elements: \r\nPCI-DSS: DMZ Communication\r\nPCI-DSS: DMZ Communication Detail\r\nPCI-DSS: Denied DMZ => Internal Comm AIE Rule\r\nPCI-DSS: Denied DMZ => Internal Comm Details\r\nPCI-DSS: Denied DMZ => Internal Comm Summary\r\nPCI-DSS: Denied DMZ => Internal Comm Detail\r\nPCI-DSS: Denied Internet => DMZ Comm AIE Rule\r\nPCI-DSS: Denied Internet => DMZ Comm Details\r\nPCI-DSS: Denied Internet => DMZ Comm Summary\r\nPCI-DSS: Denied Internet => DMZ Comm Detail\r\nPCI-DSS: Invalid DMZ => Internal Comm AIE Rule\r\nPCI-DSS: Invalid DMZ => Internal Comm Details\r\nPCI-DSS: Invalid DMZ => Internal Comm Summary\r\nPCI-DSS: Invalid DMZ => Internal Comm Detail\r\nPCI-DSS: Invalid Internet => DMZ Comm AIE Rule\r\nPCI-DSS: Invalid Internet => DMZ Comm Details\r\nPCI-DSS: Invalid Internet => DMZ Comm Summary\r\nPCI-DSS: Invalid Internet => DMZ Comm Detail\r\n",
"name": "PCI-DSS: DMZ Environment List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with internal IP addresses of your demilitarized zone network.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:22:50.693Z",
"dateUpdated": "2021-07-27T16:03:30.713Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "4CAB138D-9BD4-4ED4-AB4E-FF5F48D4BC3E",
"id": -2076,
"listType": "Network",
"longDescription": "This list is used in the following package elements: \n\r\nPCI-DSS: CDE Communication \r\n\nPCI-DSS: Denied CDE => Internet Comm AIE Rule\n\r\nPCI-DSS: Denied CDE => Internet Comm Detail\n\r\nPCI-DSS: Denied CDE => Internet Comm Details\r\n\nPCI-DSS: Denied CDE => Internet Comm Summary\r\n\nPCI-DSS: Denied Internet => CDE Comm AIE Rule\n\r\nPCI-DSS: Denied Internet => CDE Comm Detail\n\r\nPCI-DSS: Denied Internet => CDE Comm Details\r\n\nPCI-DSS: Denied Internet => CDE Comm Summary\r\n\nPCI-DSS: Denied Wireless => CDE Comm AIE Rule\n\r\nPCI-DSS: Denied Wireless => CDE Comm Detail\n\r\nPCI-DSS: Denied Wireless => CDE Comm Details\r\n\nPCI-DSS: Denied Wireless => CDE Comm Summary\r\n\nPCI-DSS: Invalid CDE => Internet Comm AIE Rule\n\r\nPCI-DSS: Invalid CDE => Internet Comm Detail\n\r\nPCI-DSS: Invalid CDE => Internet Comm Details\n\r\nPCI-DSS: Invalid CDE => Internet Comm Summary\n\r\nPCI-DSS: Invalid Internet => CDE Comm AIE Rule\n\r\nPCI-DSS: Invalid Internet => CDE Comm Detail\n\r\nPCI-DSS: Invalid Internet => CDE Comm Details\r\n\nPCI-DSS: Invalid Internet => CDE Comm Summary\r\n\nPCI-DSS: Invalid Wireless => CDE Comm AIE Rule\r\n\nPCI-DSS: Invalid Wireless => CDE Comm Detail\r\n\nPCI-DSS: Invalid Wireless => CDE Comm Details\r\n\nPCI-DSS: Invalid Wireless => CDE Comm Summary\n\r\n",
"name": "PCI-DSS: Cardholder Data Environment List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with internal IP addresses of your cardholder data.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:10:32.13Z",
"dateUpdated": "2021-07-27T16:03:30.723Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "76B503F9-7F63-4EBC-B06F-0AB083ECDCF1",
"id": -2073,
"listType": "MsgSource",
"longDescription": "This list is used in many of the package elements covering network security system including: \r\nfirewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning.",
"name": "PCI-DSS: Network Security Systems",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with network security systems (firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, vulnerability scanning) on the network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:31:39.017Z",
"dateUpdated": "2021-07-27T16:03:30.733Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "EAAC1F68-44F7-477E-BBB5-CFAEF5AEDBF6",
"id": -2063,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \n\r\nPCI-DSS: Invalid Inet => Intrn Comm AIE Rule\r\n\nPCI-DSS: Invalid Inet => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Details\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Summary\n\r\n\r\n",
"name": "PCI-DSS: Allowed Internet => Internal App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet environment to the internal environment network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:29:15.183Z",
"dateUpdated": "2021-07-27T16:03:30.74Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "3D987185-2C72-4AE0-B453-FB27E8412510",
"id": -2062,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Invalid Internet => DMZ Comm AIE Rule\n\r\nPCI-DSS: Invalid Internet => DMZ Comm Details\n\r\nPCI-DSS: Invalid Internet => DMZ Comm Summary\n\r\nPCI-DSS: Invalid Internet => DMZ Comm Detail\n\r\n",
"name": "PCI-DSS: Allowed Internet => DMZ App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet to the demilitarized zone environment network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:27:14.477Z",
"dateUpdated": "2021-07-27T16:03:30.757Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "8A030E0F-870C-4F59-A5DD-28F8572723DD",
"id": -2061,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \n\r\nPCI-DSS: Invalid Internet => CDE Comm AIE Rule\n\r\nPCI-DSS: Invalid Internet => CDE Comm Details\n\r\nPCI-DSS: Invalid Internet => CDE Comm Summary\r\n\nPCI-DSS: Invalid Internet => CDE Comm Detail\n\r\n\r\n",
"name": "PCI-DSS: Allowed Internet => CDE App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet to the internal cardholder data environment network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:18:04.5Z",
"dateUpdated": "2021-08-09T05:25:25.377Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 1,
"guid": "DBA00254-D606-43D0-B291-EF38DA092DB3",
"id": -2058,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Invalid CDE => Internet Comm AIE Rule\r\n\nPCI-DSS: Invalid CDE => Internet Comm Detail\n\r\nPCI-DSS: Invalid CDE => Internet Comm Details\n\r\nPCI-DSS: Invalid CDE => Internet Comm Summary\r\n",
"name": "PCI-DSS: Allowed CDE => Internet App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the cardholder data environment network to the external internet.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T06:13:01.05Z",
"dateUpdated": "2021-07-27T16:03:30.78Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "642A7B7B-274E-4A66-9FBD-E4EC1CFC2404",
"id": -2031,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from workstations that store or process data applicable to compliance regulations. Examples include personal computers, notebooks, netbooks, tablet PCs, and publicly accessible systems such as kiosks. Virtualized application servers may also qualify as a workstation log source.",
"name": "NRC: Workstations",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T06:09:16.99Z",
"dateUpdated": "2021-07-27T16:03:30.79Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "229E1613-221C-4961-90F6-0B19B282B80F",
"id": -2027,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from production servers that store or process data applicable to compliance regulations. Examples include servers that store/process financial data, customer data, and employee data.",
"name": "NRC: Production Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T00:43:04.903Z",
"dateUpdated": "2021-07-27T16:03:30.8Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F0F6C2E0-5EBD-41D8-B64E-3D67E649B2F1",
"id": -2023,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from workstations that store or process data applicable to compliance regulations. Examples include personal computers, notebooks, netbooks, tablet PCs, and publicly accessible systems such as kiosks. Virtualized application servers may also qualify as a workstation log source.",
"name": "NEI: Workstations",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T00:39:35.59Z",
"dateUpdated": "2021-07-27T16:03:30.81Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "35EB656F-CEB0-498D-B684-9E97B325B14B",
"id": -2019,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from production servers that store or process data applicable to compliance regulations. Examples include servers that store/process financial data, customer data, and employee data.",
"name": "NEI: Production Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:21:23.91Z",
"dateUpdated": "2021-07-27T16:03:30.817Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "48555D7B-0BEB-43F0-B758-29D7838B0907",
"id": -1049,
"listType": "MsgSource",
"longDescription": "Populate with all production data loss prevention devices, including LogRhythm Data Loss Defender.",
"name": "QsEMP: Data Loss Prevention",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production data loss prevention devices, including LogRhythm Data Loss Defender.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:20:56.847Z",
"dateUpdated": "2021-07-27T16:03:30.827Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "280E2A9C-EB0C-4CCC-9776-FE1C164B8C5D",
"id": -1048,
"listType": "MsgSource",
"longDescription": "Populate with the system and audit logs of all production UNIX and Linux servers, as well as LogRhythm User Activity Monitor and Network Connection Monitor for production agents.",
"name": "QsEMP: Production *NIX Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System and audit logs of production UNIX and Linux servers. LogRhythm User Activity Monitor and Network Connection Monitor for production agents.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:20:34.41Z",
"dateUpdated": "2021-07-27T16:03:30.84Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "60390FB9-0419-4A01-A517-611098B9171E",
"id": -1047,
"listType": "MsgSource",
"longDescription": "Populate with the System, Application, and Security Event Logs of all production Windows Servers, as well as LogRhythm User Activity Monitor, Process Monitor and Network Connection Monitor for production agents.",
"name": "QsEMP: Production Windows Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System, Application, and Security Event Logs of production Windows Servers. LogRhythm User Activity Monitor, Process Monitor and Network Connection Monitor for production agents.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:20:10.877Z",
"dateUpdated": "2021-07-27T16:03:30.85Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "A55CE990-D057-4760-9845-2E9CD173FE5B",
"id": -1046,
"listType": "MsgSource",
"longDescription": "Populate with the system logs of all production routers and switches.",
"name": "QsEMP: Production Routers and Switches",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System logs of all production routers and switches.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:19:46.61Z",
"dateUpdated": "2021-07-27T16:03:30.86Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "AE1EDD58-9DE0-4E72-BC87-A4939D9CA0B7",
"id": -1045,
"listType": "MsgSource",
"longDescription": "Populate with the system logs of all production firewalls.",
"name": "QsEMP: Production Firewalls",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System logs of all production firewalls.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:19:25.033Z",
"dateUpdated": "2021-07-27T16:03:30.867Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "6658537A-358C-435F-8451-B02440B6C50B",
"id": -1044,
"listType": "MsgSource",
"longDescription": "Populate with the system or application logs of all devices providing malware detection capabilities. This includes anti-virus, spyware, and general malware detection software and central servers.",
"name": "QsEMP: Production Malware Detection Devices",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System or application logs of devices providing malware detection capabilities. Examples: anti-virus, spyware, general malware detection software and central servers.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:18:57.753Z",
"dateUpdated": "2021-07-27T16:03:30.877Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "DE466E5C-19D6-46B5-936C-7A7E5ADFB03E",
"id": -1043,
"listType": "MsgSource",
"longDescription": "Populate with the system logs of all devices with intrusion detection or prevention capabilities. This typically includes IDS/IPS devices, but may also include firewalls and UTM devices that include these capabilities.",
"name": "QsEMP: Production IDS/IPS Devices",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System logs of devices with intrusion detection or prevention capabilities. Examples: firewalls and UTM devices that include these capabilities.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-02-25T00:42:26.083Z",
"dateUpdated": "2021-07-27T16:03:30.887Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "41BCC625-7E73-4603-8B39-AE1E6DEEDC18",
"id": -1038,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from workstations that store or process data applicable to compliance regulations. Examples include personal computers, notebooks, netbooks, tablet PCs, and publicly accessible systems such as kiosks. Virtualized application servers may also qualify as a workstation log source.",
"name": "FISMA: Workstations",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-02-25T00:41:57.283Z",
"dateUpdated": "2021-07-27T16:03:30.9Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "BF568BD1-E69E-4377-BB7F-2BD5FEE593A0",
"id": -1037,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from production servers that store or process data applicable to compliance regulations. Examples include servers that store/process financial data, customer data, and employee data.",
"name": "FISMA: Production Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-08-09T05:04:50.927Z",
"dateUpdated": "2021-08-09T05:35:48.757Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 0,
"guid": "2D0073F7-DB6A-4751-91E7-38272D12C737",
"id": 2001,
"listType": "Network"