
LogRhythmRest v2

This integration is part of the LogRhythm Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

LogRhythm security intelligence. This integration was integrated and tested with version 7.7 of the LogRhythm REST API. Previous versions that the vendor has declared EOL are not supported.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure LogRhythmRest v2 in Cortex

| Parameter | Required |
| --- | --- |
| Server URL | True |
| API Token | True |
| Fetch incidents | False |
| Incidents Fetch Interval | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
| Incident type | False |
| Alarms max fetch | False |
| Cases max fetch | False |
| Fetch incidents from type | True |
| Alarm status filter | False |
| Alarm rule name filter | False |
| Case tags filter | False |
| Case status filter | False |
| Case priority filter | False |
| Fetch case evidences | False |
| Use system proxy settings | False |
| Trust any certificate (not secure) | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

lr-alarms-list

Gets the details of the alarms matching the filter criteria.

Base Command

lr-alarms-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm_status | The alarm status. Possible values are: New, Opened, Working, Escalated, Closed, Closed_FalseAlarm, Closed_Resolved, Closed_Unresolved, Closed_Reported, Closed_Monitor. | Optional |
| offset | The number of alarms to skip before starting to collect the result set. Default is 0. | Optional |
| count | The number of alarms to return. Default is 50. | Optional |
| alarm_rule_name | Filter by alarm rule name. | Optional |
| entity_name | Filter by entity name. | Optional |
| alarm_id | Filter by alarm ID. | Optional |
| case_association | Filter by case ID. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Alarm.alarmId | Number | The alarm ID. |
| LogRhythm.Alarm.alarmDataCached | String | A flag indicating whether the alarm data is cached. |
| LogRhythm.Alarm.alarmRuleName | String | The alarm rule name. |
| LogRhythm.Alarm.alarmStatus | String | The alarm status. |
| LogRhythm.Alarm.dateInserted | Date | The date the alarm was inserted. |
| LogRhythm.Alarm.entityName | String | The alarm entity name. |
| LogRhythm.Alarm.associatedCases | String | The cases associated with the alarm. |

Command Example

!lr-alarms-list count=2 alarm_status=Opened

Context Example

{
"LogRhythm": {
"Alarm": [
{
"alarmDataCached": "N",
"alarmId": 882,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"alarmStatus": "Opened",
"associatedCases": [
"7C2A040E-3014-41D5-ADF0-164A202D3518",
" 5FAA1AFB-5453-4FF7-92F8-28222A586368",
" 0795BCB1-28AA-4C3F-9739-B5431AE4004B"
],
"dateInserted": "2021-10-13T09:13:20.103",
"entityName": "EchoTestEntity"
},
{
"alarmDataCached": "N",
"alarmId": 334,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"alarmStatus": "Opened",
"associatedCases": [
"15E63C0A-91EC-49E6-9694-32A432DD657E",
" CCB51B6F-083D-442F-8E3F-67BD797A6B52",
" 10F65BB5-8B49-42FF-862E-ABDEDF1BA7DE",
" C52E0A86-D894-4424-A7A6-EE152B232146",
" 58437431-2117-4982-A2B1-FDEC2F083A43"
],
"dateInserted": "2021-08-29T11:30:48.083",
"entityName": "EchoTestEntity"
}
]
}
}

Human Readable Output

Alarms

| Alarm Id | Alarm Status | Associated Cases | Alarm Rule Name | Date Inserted | Entity Name | Alarm Data Cached |
| --- | --- | --- | --- | --- | --- | --- |
| 882 | Opened | 7C2A040E-3014-41D5-ADF0-164A202D3518, 5FAA1AFB-5453-4FF7-92F8-28222A586368, 0795BCB1-28AA-4C3F-9739-B5431AE4004B | LogRhythm Agent Heartbeat Missed | 2021-10-13T09:13:20.103 | EchoTestEntity | N |
| 334 | Opened | 15E63C0A-91EC-49E6-9694-32A432DD657E, CCB51B6F-083D-442F-8E3F-67BD797A6B52, 10F65BB5-8B49-42FF-862E-ABDEDF1BA7DE, C52E0A86-D894-4424-A7A6-EE152B232146, 58437431-2117-4982-A2B1-FDEC2F083A43 | LogRhythm Agent Heartbeat Missed | 2021-08-29T11:30:48.083 | EchoTestEntity | N |

lr-alarm-update

Updates the alarm status and RBP (risk-based priority) for the supplied alarm ID. At least one of alarm_status or rbp is required.

Base Command

lr-alarm-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm_id | The alarm ID. | Required |
| alarm_status | The alarm status. Possible values are: New, Opened, Working, Escalated, Closed, Closed_FalseAlarm, Closed_Resolved, Closed_Unresolved, Closed_Reported, Closed_Monitor. | Optional |
| rbp | The alarm RBP (risk-based priority). | Optional |

Context Output

There is no context output for this command.

Command Example

!lr-alarm-update alarm_id=200 alarm_status=Closed rbp=100

Human Readable Output

Alarm 200 has been updated.

lr-alarm-add-comment

Updates the Alarm History table with comments in the Comments column based on the alarm ID supplied.

Base Command

lr-alarm-add-comment

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm_id | The alarm ID. | Required |
| alarm_comment | The alarm comment. | Required |

Context Output

There is no context output for this command.

Command Example

!lr-alarm-add-comment alarm_id=200 alarm_comment=test

Human Readable Output

Comment added successfully to the alarm 200.
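The three commands above (lr-alarms-list, lr-alarm-add-comment and lr-alarm-update) are usually chained in a triage automation: list the open alarms for a rule, annotate the ones nobody has picked up, and move them to Working. The following is an added example and is not code from the integration or from this page. It assumes an executor callable that, inside an XSOAR automation, would wrap demisto.executeCommand(name, args) and return the LogRhythm.Alarm objects from the entry context (that adapter is assumed, not provided by the integration); a fake executor with constructed alarms stands in so the flow runs offline (alarm 882 mirrors the context example above, alarm 901 is invented). It also trims the leading spaces visible in associatedCases before deciding whether an alarm is already tracked in a case, because those raw strings are not safe to hand to a case command as-is.

```python
import uuid
from typing import Callable, Dict, List

# Executor adapter (assumed): inside XSOAR it would call demisto.executeCommand(name, args)
# and return the LogRhythm.Alarm objects from the entry context. Any callable with this
# signature works, which is what lets the flow be exercised offline.
Executor = Callable[[str, Dict[str, str]], List[dict]]


def clean_case_ids(raw_ids):
    """Trim the leading spaces seen in associatedCases and keep only well-formed GUIDs."""
    cleaned = []
    for value in raw_ids or []:
        candidate = str(value).strip()
        try:
            uuid.UUID(candidate)
        except ValueError:
            continue  # not a case GUID: drop it rather than pass garbage to a case command
        cleaned.append(candidate.upper())
    return cleaned


def triage_unassigned(executor: Executor, rule_name: str, note: str,
                      new_status: str = "Working", count: int = 50) -> List[int]:
    """Comment on, and move to `new_status`, every Opened alarm for `rule_name`
    that is not yet associated with a case. Returns the alarm IDs that were updated."""
    alarms = executor("lr-alarms-list", {
        "alarm_status": "Opened", "alarm_rule_name": rule_name, "count": str(count)})
    touched = []
    for alarm in alarms:
        if clean_case_ids(alarm.get("associatedCases")):
            continue  # already tracked in a case; leave it to the case owner
        alarm_id = str(alarm["alarmId"])
        # lr-alarm-add-comment writes to the alarm history; lr-alarm-update needs
        # alarm_status or rbp, and here only the status changes.
        executor("lr-alarm-add-comment", {"alarm_id": alarm_id, "alarm_comment": note})
        executor("lr-alarm-update", {"alarm_id": alarm_id, "alarm_status": new_status})
        touched.append(alarm["alarmId"])
    return touched


class FakeExecutor:
    """Records every command call and answers lr-alarms-list with constructed alarms
    shaped like the context example above (882 mirrors the page, 901 is invented)."""

    def __init__(self):
        self.calls = []
        self.alarms = [
            {"alarmId": 882, "alarmStatus": "Opened", "entityName": "EchoTestEntity",
             "alarmRuleName": "LogRhythm Agent Heartbeat Missed",
             "associatedCases": ["7C2A040E-3014-41D5-ADF0-164A202D3518",
                                 " 5FAA1AFB-5453-4FF7-92F8-28222A586368"]},
            {"alarmId": 901, "alarmStatus": "Opened", "entityName": "EchoTestEntity",
             "alarmRuleName": "LogRhythm Agent Heartbeat Missed", "associatedCases": []},
        ]

    def __call__(self, name, args):
        self.calls.append((name, dict(args)))
        if name == "lr-alarms-list":
            return [a for a in self.alarms
                    if a["alarmStatus"] == args.get("alarm_status", a["alarmStatus"])
                    and a["alarmRuleName"] == args.get("alarm_rule_name", a["alarmRuleName"])]
        return []  # update and add-comment produce no context output


def demo():
    fake = FakeExecutor()
    updated = triage_unassigned(fake, "LogRhythm Agent Heartbeat Missed",
                                "Picked up by SOC automation; checking agent host")
    return updated, fake.calls


if __name__ == "__main__":
    ids, calls = demo()
    print("updated alarms:", ids)
    for name, args in calls:
        print(name, args)
```

The comment is written before the status change so the history shows why the alarm moved; a real automation should also pass the XSOAR incident or case ID in the note so the LogRhythm side can be traced back.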

lr-alarm-history-list

Gets the alarm history details by alarm ID and filter criteria.

Base Command

lr-alarm-history-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm_id | The alarm ID. | Required |
| person_id | Filter by person ID. | Optional |
| date_updated | Filter by when the alarm was updated. The returned entries will have a date greater than or equal to the given date. | Optional |
| type | Filter by history type. Possible values are: comment, status, rbp. | Optional |
| offset | The number of items to skip before starting to collect the result set. Default is 0. | Optional |
| count | The number of items to return. Default is 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.AlarmHistory.alarmId | Number | The alarm ID. |
| LogRhythm.AlarmHistory.personId | Number | The ID of the person who edited the alarm (changed the status, added a comment, etc.). |
| LogRhythm.AlarmHistory.comments | String | The alarm comments. |
| LogRhythm.AlarmHistory.dateInserted | Date | The date when the history entry was inserted. |
| LogRhythm.AlarmHistory.dateUpdated | Date | The date when the alarm was updated. |

Command Example

!lr-alarm-history-list alarm_id=200 type=status

Context Example

{
"LogRhythm": {
"AlarmHistory": [
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-10-30T20:16:33.673",
"dateUpdated": "2021-10-30T20:16:33.673",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-08-31T15:02:00.127",
"dateUpdated": "2021-08-31T15:02:00.127",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Working",
"dateInserted": "2021-08-26T05:17:38.19",
"dateUpdated": "2021-08-26T05:17:38.19",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Working",
"dateInserted": "2021-08-26T05:15:57.89",
"dateUpdated": "2021-08-26T05:15:57.89",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-08-19T15:31:32.68",
"dateUpdated": "2021-08-19T15:31:32.68",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: Unresolved",
"dateInserted": "2021-08-19T15:02:08.6",
"dateUpdated": "2021-08-19T15:02:08.6",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: Resolved",
"dateInserted": "2021-08-19T15:01:34.403",
"dateUpdated": "2021-08-19T15:01:34.403",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Escalated",
"dateInserted": "2021-08-19T15:01:04.353",
"dateUpdated": "2021-08-19T15:01:04.353",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Working",
"dateInserted": "2021-08-19T15:00:38.097",
"dateUpdated": "2021-08-19T15:00:38.097",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Opened",
"dateInserted": "2021-08-19T15:00:00.247",
"dateUpdated": "2021-08-19T15:00:00.247",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: New",
"dateInserted": "2021-08-19T14:59:27.707",
"dateUpdated": "2021-08-19T14:59:27.707",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: Monitor",
"dateInserted": "2021-08-19T14:58:06.113",
"dateUpdated": "2021-08-19T14:58:06.113",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed: False Alarm",
"dateInserted": "2021-08-19T14:57:35.607",
"dateUpdated": "2021-08-19T14:57:35.607",
"personId": 1
},
{
"alarmId": 200,
"comments": "Changed status to: Closed",
"dateInserted": "2021-08-19T14:56:36.82",
"dateUpdated": "2021-08-19T14:56:36.82",
"personId": 1
}
]
}
}

Human Readable Output

History for alarm 200

| Alarm Id | Comments | Date Inserted | Date Updated | Person Id |
| --- | --- | --- | --- | --- |
| 200 | Changed status to: Closed | 2021-10-30T20:16:33.673 | 2021-10-30T20:16:33.673 | 1 |
| 200 | Changed status to: Closed | 2021-08-31T15:02:00.127 | 2021-08-31T15:02:00.127 | 1 |
| 200 | Changed status to: Working | 2021-08-26T05:17:38.19 | 2021-08-26T05:17:38.19 | 1 |
| 200 | Changed status to: Working | 2021-08-26T05:15:57.89 | 2021-08-26T05:15:57.89 | 1 |
| 200 | Changed status to: Closed | 2021-08-19T15:31:32.68 | 2021-08-19T15:31:32.68 | 1 |
| 200 | Changed status to: Closed: Unresolved | 2021-08-19T15:02:08.6 | 2021-08-19T15:02:08.6 | 1 |
| 200 | Changed status to: Closed: Resolved | 2021-08-19T15:01:34.403 | 2021-08-19T15:01:34.403 | 1 |
| 200 | Changed status to: Escalated | 2021-08-19T15:01:04.353 | 2021-08-19T15:01:04.353 | 1 |
| 200 | Changed status to: Working | 2021-08-19T15:00:38.097 | 2021-08-19T15:00:38.097 | 1 |
| 200 | Changed status to: Opened | 2021-08-19T15:00:00.247 | 2021-08-19T15:00:00.247 | 1 |
| 200 | Changed status to: New | 2021-08-19T14:59:27.707 | 2021-08-19T14:59:27.707 | 1 |
| 200 | Changed status to: Closed: Monitor | 2021-08-19T14:58:06.113 | 2021-08-19T14:58:06.113 | 1 |
| 200 | Changed status to: Closed: False Alarm | 2021-08-19T14:57:35.607 | 2021-08-19T14:57:35.607 | 1 |
| 200 | Changed status to: Closed | 2021-08-19T14:56:36.82 | 2021-08-19T14:56:36.82 | 1 |
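Two details of the history output matter when a playbook reasons about it: the entries come back newest first, and the status wording in the comments ("Closed: False Alarm") differs from the alarm_status argument values ("Closed_FalseAlarm") accepted by lr-alarms-list and lr-alarm-update. The following added example (not code from the page or the integration) rebuilds an oldest-first status timeline from history entries, maps the history wording back to the argument form, and counts how often an alarm was reopened after being closed, which is a useful signal for a noisy rule. The history entries are constructed from the context example above; the free-text note entry is invented to show that non-status comments are skipped.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed history entries shaped like LogRhythm.AlarmHistory above (newest first,
# as the command returns them). Timestamps and status wording are taken from the page's
# example; the free-text note entry is invented.
SAMPLE_HISTORY = [
    {"alarmId": 200, "comments": "Changed status to: Closed",
     "dateInserted": "2021-10-30T20:16:33.673", "personId": 1},
    {"alarmId": 200, "comments": "Changed status to: Working",
     "dateInserted": "2021-08-26T05:15:57.89", "personId": 1},
    {"alarmId": 200, "comments": "analyst note, not a status change",
     "dateInserted": "2021-08-20T09:00:00.0", "personId": 1},
    {"alarmId": 200, "comments": "Changed status to: Closed",
     "dateInserted": "2021-08-19T15:31:32.68", "personId": 1},
    {"alarmId": 200, "comments": "Changed status to: New",
     "dateInserted": "2021-08-19T14:59:27.707", "personId": 1},
    {"alarmId": 200, "comments": "Changed status to: Closed: Monitor",
     "dateInserted": "2021-08-19T14:58:06.113", "personId": 1},
    {"alarmId": 200, "comments": "Changed status to: Closed: False Alarm",
     "dateInserted": "2021-08-19T14:57:35.607", "personId": 1},
]

STATUS_RE = re.compile(r"^Changed status to: (.+)$")


def history_status_to_arg(text: str) -> str:
    """Map history wording ("Closed: False Alarm") to the alarm_status argument form
    ("Closed_FalseAlarm"); plain statuses such as "Working" pass through unchanged."""
    head, sep, tail = text.partition(": ")
    if not sep:
        return head.strip()
    return f"{head.strip()}_{tail.replace(' ', '')}"


def parse_date(value: str) -> datetime:
    """The API's fractional seconds vary in length (".19", ".673"); %f accepts 1-6 digits."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def status_timeline(history) -> List[Tuple[datetime, str]]:
    """Oldest-first (timestamp, alarm_status) pairs; comments that are not status
    changes are skipped."""
    changes = []
    for entry in history:
        match = STATUS_RE.match(entry.get("comments", ""))
        if match:
            changes.append((parse_date(entry["dateInserted"]),
                            history_status_to_arg(match.group(1))))
    changes.sort(key=lambda change: change[0])
    return changes


def reopen_count(history) -> int:
    """How many times the alarm left a Closed* status for a non-closed one."""
    statuses = [status for _, status in status_timeline(history)]
    return sum(1 for prev, cur in zip(statuses, statuses[1:])
               if prev.startswith("Closed") and not cur.startswith("Closed"))


def current_status(history) -> Optional[str]:
    """Latest status in argument form, or None if no status change is recorded."""
    timeline = status_timeline(history)
    return timeline[-1][1] if timeline else None


if __name__ == "__main__":
    for when, status in status_timeline(SAMPLE_HISTORY):
        print(when.isoformat(), status)
    print("reopened:", reopen_count(SAMPLE_HISTORY), "current:", current_status(SAMPLE_HISTORY))
```

Sorting by parsed dateInserted rather than trusting the returned order is deliberate: when offset and count are used to page through a long history, entries from several pages have to be merged before the timeline is meaningful.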

lr-alarm-events-list

Gets a list of events for the specified alarm ID. Note: Currently, this command does not work as expected on LogRhythm's side. It always returns a list of one item, even if the given alarm ID is associated with more than one event.

Base Command

lr-alarm-events-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm_id | The alarm ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.AlarmEvents.alarmId | Number | The alarm ID. |
| LogRhythm.AlarmEvents.account | String | The alarm event account. |
| LogRhythm.AlarmEvents.action | String | The alarm event action. |
| LogRhythm.AlarmEvents.amount | Unknown | The number of events related to the alarm. |
| LogRhythm.AlarmEvents.bytesIn | Number | The number of bytes received or input from a device, system, or process. |
| LogRhythm.AlarmEvents.bytesOut | Unknown | The number of bytes sent from a device, system, or process. |
| LogRhythm.AlarmEvents.classificationId | Number | The alarm event classification ID. |
| LogRhythm.AlarmEvents.classificationName | String | The alarm event classification name. |
| LogRhythm.AlarmEvents.classificationTypeName | String | The alarm event classification type. |
| LogRhythm.AlarmEvents.command | String | The specific command executed that was recorded in the log message. |
| LogRhythm.AlarmEvents.commonEventId | Number | The common event ID. |
| LogRhythm.AlarmEvents.cve | String | The alarm event CVE. |
| LogRhythm.AlarmEvents.commonEventName | String | The alarm event name. |
| LogRhythm.AlarmEvents.count | Number | The number of alarm events. |
| LogRhythm.AlarmEvents.directionId | Number | The direction, by ID, of the activity between a log's origin and impacted zones. |
| LogRhythm.AlarmEvents.directionName | String | The direction, by name, of the activity between a log's origin and impacted zones. Values can be Internal, External, Outbound, Local, or Unknown. |
| LogRhythm.AlarmEvents.domain | String | The alarm event domain. |
| LogRhythm.AlarmEvents.duration | Number | The alarm event duration. |
| LogRhythm.AlarmEvents.entityId | Number | The alarm event entity ID. |
| LogRhythm.AlarmEvents.entityName | String | The alarm event entity name. |
| LogRhythm.AlarmEvents.group | String | The alarm event group. |
| LogRhythm.AlarmEvents.impactedEntityId | Number | The ID of the entity that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedEntityName | String | The name of the entity that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedHostId | Number | The ID of the host that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedHostName | String | The name of the host that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedInterface | String | The interface that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedIP | Unknown | The IP address that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.countryCode | String | The country code of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.name | String | The country name of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.latitude | Number | The latitude of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.locationId | Number | The ID of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.locationKey | String | The key of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.longitude | Number | The longitude of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.parentLocationId | Number | The parent location ID of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.recordStatus | String | The record status of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.regionCode | String | The region code of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.type | String | The type of the location that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedLocation.dateUpdated | Date | The date the impacted location was last updated. |
| LogRhythm.AlarmEvents.impactedMAC | String | The MAC address that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedName | String | The name of the event that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNATIP | String | The NAT IP address that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNATPort | Unknown | The NAT port that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.beginIPRange.value | String | The beginning of the IP range for the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.dateUpdated | Date | The date the impacted network was last updated. |
| LogRhythm.AlarmEvents.impactedNetwork.riskThreshold | String | The risk threshold of the network impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.endIPRange.value | String | The end of the IP range for the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.entityId | Number | The ID of the entity for the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.hostZone | String | The host zone for the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.locationId | Number | The location ID of the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.longDesc | String | The long description of the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.name | String | The name of the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.networkId | Number | The ID of the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.recordStatus | String | The record status of the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedNetwork.shortDesc | String | The short description of the network that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedPort | Number | The port that was impacted by the alarm. |
| LogRhythm.AlarmEvents.impactedZone | String | The zone that was impacted by the alarm. |
| LogRhythm.AlarmEvents.itemsPacketsIn | Number | Items such as packets received or input from a device, system, or process. |
| LogRhythm.AlarmEvents.itemsPacketsOut | Number | Items such as packets sent from a device, system, or process. |
| LogRhythm.AlarmEvents.logDate | Date | The event log date. |
| LogRhythm.AlarmEvents.login | String | The user associated with the log activity. |
| LogRhythm.AlarmEvents.logMessage | String | The event log message. |
| LogRhythm.AlarmEvents.logSourceHostId | Unknown | The host ID of the log source of the event. |
| LogRhythm.AlarmEvents.logSourceHostName | String | The log source host name. |
| LogRhythm.AlarmEvents.logSourceName | String | The log source name. |
| LogRhythm.AlarmEvents.logSourceTypeName | String | The log source type. |
| LogRhythm.AlarmEvents.messageId | Number | The event message ID. |
| LogRhythm.AlarmEvents.mpeRuleId | Number | The event MPE rule ID. |
| LogRhythm.AlarmEvents.mpeRuleName | String | The event MPE rule name. |
| LogRhythm.AlarmEvents.normalDateMax | Date | If the message is aggregated, the maximum creation date contained in the group of logs. It can be in UTC or the user-selected time zone. |
| LogRhythm.AlarmEvents.objectName | String | The object name of the event. |
| LogRhythm.AlarmEvents.objectType | String | The object type of the event. |
| LogRhythm.AlarmEvents.originEntityId | Number | The origin entity ID of the event. |
| LogRhythm.AlarmEvents.originEntityName | String | The origin entity name of the event. |
| LogRhythm.AlarmEvents.originHostId | Number | The host ID of where the event originated. |
| LogRhythm.AlarmEvents.originHostName | String | The host name of where the event originated. |
| LogRhythm.AlarmEvents.originInterface | String | The interface where the event originated. |
| LogRhythm.AlarmEvents.originIP | Unknown | The IP address where the event originated. |
| LogRhythm.AlarmEvents.originLocation.countryCode | String | The country code of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.name | String | The name of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.latitude | Number | The latitude of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.locationId | Number | The location ID of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.locationKey | String | The location key of where the event originated. |
| LogRhythm.AlarmEvents.originLocation.longitude | Number | The longitude of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.parentLocationId | Number | The parent location ID of where the event originated. |
| LogRhythm.AlarmEvents.originLocation.recordStatus | String | The record status of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.regionCode | String | The region code of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.type | String | The type of the location where the event originated. |
| LogRhythm.AlarmEvents.originLocation.dateUpdated | Date | The date the location where the event originated was last updated. |
| LogRhythm.AlarmEvents.originMAC | String | The MAC address where the event originated. |
| LogRhythm.AlarmEvents.originName | String | The name of where the event originated. |
| LogRhythm.AlarmEvents.originNATIP | String | The NAT IP address where the event originated. |
| LogRhythm.AlarmEvents.originNATPort | Unknown | The NAT port where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.beginIPRange.value | String | The beginning address of the IP range of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.dateUpdated | Date | The date the network where the event originated was last updated. |
| LogRhythm.AlarmEvents.originNetwork.riskThreshold | String | The risk threshold of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.endIPRange.value | String | The end of the IP range for the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.entityId | Number | The entity ID of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.hostZone | String | The host zone of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.locationId | Number | The ID of the location of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.longDesc | String | The long description of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.name | String | The name of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.networkId | Number | The ID of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.recordStatus | String | The record status of the network where the event originated. |
| LogRhythm.AlarmEvents.originNetwork.shortDesc | String | The short description of the network where the event originated. |
| LogRhythm.AlarmEvents.originPort | Number | The port where the event originated. |
| LogRhythm.AlarmEvents.originZone | String | The zone where the event originated. |
| LogRhythm.AlarmEvents.parentProcessId | String | The parent process ID of the event. |
| LogRhythm.AlarmEvents.parentProcessName | String | The parent process name of the event. |
| LogRhythm.AlarmEvents.parentProcessPath | String | The parent process path of the event. |
| LogRhythm.AlarmEvents.policy | String | The event policy. |
| LogRhythm.AlarmEvents.priority | Number | The event priority. |
| LogRhythm.AlarmEvents.process | String | The event process. |
| LogRhythm.AlarmEvents.processId | Number | The event process ID. |
| LogRhythm.AlarmEvents.protocolId | Number | The event protocol ID. |
| LogRhythm.AlarmEvents.protocolName | String | The event protocol name. |
| LogRhythm.AlarmEvents.quantity | Number | The event quantity. |
| LogRhythm.AlarmEvents.rate | Number | The event rate. |
| LogRhythm.AlarmEvents.reason | String | The event reason. |
| LogRhythm.AlarmEvents.recipient | String | The event recipient. |
| LogRhythm.AlarmEvents.result | String | The event result. |
| LogRhythm.AlarmEvents.responseCode | String | The event response code. |
| LogRhythm.AlarmEvents.sender | String | The event sender. |
| LogRhythm.AlarmEvents.session | String | The event session. |
| LogRhythm.AlarmEvents.sessionType | String | The event session type. |
| LogRhythm.AlarmEvents.serialNumber | String | The event serial number. |
| LogRhythm.AlarmEvents.serviceId | Number | The event service ID. |
| LogRhythm.AlarmEvents.serviceName | String | The event service name. |
| LogRhythm.AlarmEvents.severity | String | The event severity. |
| LogRhythm.AlarmEvents.status | String | The event status. |
| LogRhythm.AlarmEvents.size | Number | The event size. |
| LogRhythm.AlarmEvents.subject | String | The event subject. |
| LogRhythm.AlarmEvents.threatId | String | The event threat ID. |
| LogRhythm.AlarmEvents.threatName | String | The event threat name. |
| LogRhythm.AlarmEvents.url | String | The event URL. |
| LogRhythm.AlarmEvents.userAgent | String | The event user agent. |
| LogRhythm.AlarmEvents.vendorInfo | String | The event vendor info. |
| LogRhythm.AlarmEvents.vendorMsgId | String | The event vendor message ID. |
| LogRhythm.AlarmEvents.version | String | The alarm event version. |
| LogRhythm.AlarmEvents.originUserIdentityName | String | The event origin user identity name. |
| LogRhythm.AlarmEvents.impactedUserIdentityName | String | The event impacted user identity name. |
| LogRhythm.AlarmEvents.originUserIdentityId | Unknown | The event origin user identity ID. |
| LogRhythm.AlarmEvents.impactedUserIdentityId | Unknown | The event impacted user identity ID. |
| LogRhythm.AlarmEvents.senderIdentityId | Unknown | The event sender identity ID. |
| LogRhythm.AlarmEvents.senderIdentityName | String | The event sender identity name. |
| LogRhythm.AlarmEvents.recipientIdentityId | Unknown | The event recipient identity ID. |
| LogRhythm.AlarmEvents.recipientIdentityName | String | The event recipient identity name. |

Command Example

!lr-alarm-events-list alarm_id=200

Context Example

{
"LogRhythm": {
"AlarmEvents": {
"account": "",
"action": "",
"alarmId": 200,
"amount": null,
"bytesIn": null,
"bytesOut": null,
"classificationId": 3200,
"classificationName": "Error",
"classificationTypeName": "Operations",
"command": "",
"commonEventId": -1100003,
"commonEventName": "LogRhythm Agent Heartbeat Missed",
"count": 1,
"cve": "",
"directionId": 1,
"directionName": "Local",
"domain": "",
"duration": 0,
"entityId": 2,
"entityName": "EchoTestEntity",
"group": "",
"impactedEntityId": 2,
"impactedEntityName": "EchoTestEntity",
"impactedHostId": 3,
"impactedHostName": "",
"impactedIP": null,
"impactedInterface": "",
"impactedLocation": {
"countryCode": "",
"dateUpdated": "0001-01-01T00:00:00",
"latitude": 0,
"locationId": 0,
"locationKey": "",
"longitude": 0,
"name": "",
"parentLocationId": 0,
"recordStatus": "Deleted",
"regionCode": "",
"type": "NULL"
},
"impactedMAC": "",
"impactedNATIP": "",
"impactedNATPort": null,
"impactedName": "",
"impactedNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "0001-01-01T00:00:00",
"endIPRange": {
"value": ""
},
"entityId": 0,
"hostZone": "Unknown",
"locationId": 0,
"longDesc": "",
"name": "",
"networkId": 0,
"recordStatus": "Deleted",
"riskThreshold": "",
"shortDesc": ""
},
"impactedPort": -1,
"impactedUserIdentityId": null,
"impactedUserIdentityName": "",
"impactedZone": "Internal",
"itemsPacketsIn": 0,
"itemsPacketsOut": 0,
"logDate": "2021-08-18T13:05:59.477",
"logMessage": "A heartbeat message from the LogRhythm System Monitor Agent service was not received in the allotted time.",
"logSourceHostId": null,
"logSourceHostName": "",
"logSourceName": "",
"logSourceTypeName": "",
"login": "",
"messageId": 32077,
"mpeRuleId": -1,
"mpeRuleName": "",
"normalDateMax": "0001-01-01T00:00:00",
"objectName": "",
"objectType": "",
"originEntityId": 2,
"originEntityName": "EchoTestEntity",
"originHostId": 3,
"originHostName": "",
"originIP": null,
"originInterface": "",
"originLocation": {
"countryCode": "",
"dateUpdated": "0001-01-01T00:00:00",
"latitude": 0,
"locationId": 0,
"locationKey": "",
"longitude": 0,
"name": "",
"parentLocationId": 0,
"recordStatus": "Deleted",
"regionCode": "",
"type": "NULL"
},
"originMAC": "",
"originNATIP": "",
"originNATPort": null,
"originName": "",
"originNetwork": {
"beginIPRange": {
"value": ""
},
"dateUpdated": "0001-01-01T00:00:00",
"endIPRange": {
"value": ""
},
"entityId": 0,
"hostZone": "Unknown",
"locationId": 0,
"longDesc": "",
"name": "",
"networkId": 0,
"recordStatus": "Deleted",
"riskThreshold": "",
"shortDesc": ""
},
"originPort": -1,
"originUserIdentityId": null,
"originUserIdentityName": "",
"originZone": "Internal",
"parentProcessId": "",
"parentProcessName": "",
"parentProcessPath": "",
"policy": "",
"priority": 100,
"process": "",
"processId": -1,
"protocolId": -1,
"protocolName": "",
"quantity": 0,
"rate": 0,
"reason": "",
"recipient": "",
"recipientIdentityId": null,
"recipientIdentityName": "",
"responseCode": "",
"result": "",
"sender": "",
"senderIdentityId": null,
"senderIdentityName": "",
"serialNumber": "",
"serviceId": -1000004,
"serviceName": "LogRhythm Agent",
"session": "",
"sessionType": "",
"severity": "",
"size": 0,
"status": "",
"subject": "",
"threatId": "",
"threatName": "",
"url": "",
"userAgent": "",
"vendorInfo": "",
"vendorMsgId": "",
"version": ""
}
}
}

Human Readable Output

Events for alarm 200

| Common Event Name | Log Message | Priority | Log Date | Impacted Host Id | Impacted Zone | Service Name | Entity Name | Classification Name | Classification Type Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| LogRhythm Agent Heartbeat Missed | A heartbeat message from the LogRhythm System Monitor Agent service was not received in the allotted time. | 100 | 2021-08-18T13:05:59.477 | 3 | Internal | LogRhythm Agent | EchoTestEntity | Error | Operations |
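The context example above shows that most of the 140-odd event fields come back as placeholders when they are not populated: empty strings, null, -1 for unset ports and rule IDs, "0001-01-01T00:00:00" for dates, and nested location/network records whose recordStatus is "Deleted" and whose every other value is 0, "NULL" or "Unknown". Mapping such an event straight into incident fields fills the layout with noise. The following added example (not code from the page or the integration) compacts an event down to the fields that carry information and pairs the origin* and impacted* fields for a layout. It is careful to treat only exactly -1 as "not set", because negative values such as commonEventId -1100003 and serviceId -1000004 are real LogRhythm identifiers in the example. The sample event is a constructed subset of the page's context example; the placeholder conventions are read off that example and are an assumption about the API.

```python
from typing import Any, Dict

ZERO_DATE = "0001-01-01T00:00:00"  # placeholder date on every empty location/network record
# Values the API emits for unpopulated top-level fields (read off the context example above;
# treating them as "not set" is an assumption about the API, not documented behaviour).
TOP_LEVEL_SENTINELS = ("", None, -1, ZERO_DATE)
# A nested location/network record left with only these values carries no information.
NESTED_FILLER = {0, "NULL", "Unknown", "Deleted"}

# Constructed subset of the page's context example for alarm 200.
SAMPLE_EVENT: Dict[str, Any] = {
    "alarmId": 200, "account": "", "commonEventId": -1100003,
    "commonEventName": "LogRhythm Agent Heartbeat Missed",
    "classificationName": "Error", "classificationTypeName": "Operations",
    "directionName": "Local", "duration": 0, "entityName": "EchoTestEntity",
    "impactedHostId": 3, "impactedHostName": "", "impactedIP": None, "impactedPort": -1,
    "impactedZone": "Internal", "impactedEntityName": "EchoTestEntity",
    "impactedLocation": {"countryCode": "", "dateUpdated": ZERO_DATE, "latitude": 0,
                         "longitude": 0, "locationId": 0, "name": "",
                         "recordStatus": "Deleted", "type": "NULL"},
    "impactedNetwork": {"beginIPRange": {"value": ""}, "endIPRange": {"value": ""},
                        "dateUpdated": ZERO_DATE, "hostZone": "Unknown", "networkId": 0,
                        "name": "", "recordStatus": "Deleted"},
    "logDate": "2021-08-18T13:05:59.477",
    "logMessage": "A heartbeat message from the LogRhythm System Monitor Agent service "
                  "was not received in the allotted time.",
    "mpeRuleId": -1, "originHostId": 3, "originIP": None, "originPort": -1,
    "originZone": "Internal", "originEntityName": "EchoTestEntity",
    "priority": 100, "serviceId": -1000004, "serviceName": "LogRhythm Agent",
}


def compact_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the populated fields of an AlarmEvents object.

    Nested records are compacted recursively and dropped entirely when nothing but
    filler (0, "NULL", "Unknown", "Deleted") remains. Zero counts such as duration 0
    are kept, since 0 is a legitimate measurement; only an exact -1 means "not set"."""
    compact: Dict[str, Any] = {}
    for key, value in event.items():
        if isinstance(value, dict):
            nested = compact_event(value)
            if nested and any(isinstance(v, dict) or v not in NESTED_FILLER
                              for v in nested.values()):
                compact[key] = nested
            continue
        if isinstance(value, bool) or value not in TOP_LEVEL_SENTINELS:
            compact[key] = value
    return compact


def endpoint_summary(event: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Pair the origin* and impacted* fields into two small records for an incident layout."""
    compact = compact_event(event)
    summary: Dict[str, Dict[str, Any]] = {}
    for side in ("origin", "impacted"):
        fields = {}
        for suffix in ("HostId", "HostName", "IP", "Port", "Zone", "EntityName"):
            key = f"{side}{suffix}"
            if key in compact:
                fields[suffix] = compact[key]
        summary[side] = fields
    return summary


if __name__ == "__main__":
    for key, value in sorted(compact_event(SAMPLE_EVENT).items()):
        print(f"{key}: {value}")
    print(endpoint_summary(SAMPLE_EVENT))
```

Because the command currently returns a single object under LogRhythm.AlarmEvents rather than a list (see the note above), a playbook should normalise the context to a list before applying compact_event to each item, so the same code keeps working if LogRhythm fixes the behaviour.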

lr-alarm-summary

Gets the alarm summary for the specified alarm ID.

Base Command

lr-alarm-summary

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm_id | Numeric ID of the alarm to get. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.AlarmSummary.dateInserted | Date | The date the alarm was inserted. |
| LogRhythm.AlarmSummary.rbpMax | Number | The maximum RBP of the alarm. |
| LogRhythm.AlarmSummary.rbpAvg | Number | The average RBP of the alarm. |
| LogRhythm.AlarmSummary.alarmRuleId | Number | The alarm rule ID. |
| LogRhythm.AlarmSummary.alarmRuleGroup | String | The alarm rule group. |
| LogRhythm.AlarmSummary.briefDescription | String | The alarm brief description. |
| LogRhythm.AlarmSummary.additionalDetails | String | The alarm additional details. |
| LogRhythm.AlarmSummary.alarmId | Number | The alarm ID. |
| LogRhythm.AlarmSummary.alarmEventSummary.msgClassId | Number | The alarm summary message class ID. |
| LogRhythm.AlarmSummary.alarmEventSummary.msgClassName | String | The alarm summary message class name. |
| LogRhythm.AlarmSummary.alarmEventSummary.commonEventId | Number | The alarm summary common event ID. |
| LogRhythm.AlarmSummary.alarmEventSummary.commonEventName | String | The alarm summary common event name. |
| LogRhythm.AlarmSummary.alarmEventSummary.originHostId | Number | The alarm summary origin host ID. |
| LogRhythm.AlarmSummary.alarmEventSummary.impactedHostId | Number | The alarm summary impacted host ID. |
| LogRhythm.AlarmSummary.alarmEventSummary.originUser | String | The alarm summary origin user. |
| LogRhythm.AlarmSummary.alarmEventSummary.impactedUser | String | The alarm summary impacted user. |
| LogRhythm.AlarmSummary.alarmEventSummary.originUserIdentityId | Unknown | The alarm summary origin user identity ID. |
| LogRhythm.AlarmSummary.alarmEventSummary.impactedUserIdentityId | Unknown | The alarm summary impacted user identity ID. |
| LogRhythm.AlarmSummary.alarmEventSummary.originUserIdentityName | String | The alarm summary origin user identity name. |
| LogRhythm.AlarmSummary.alarmEventSummary.impactedUserIdentityName | String | The alarm summary impacted user identity name. |
| LogRhythm.AlarmSummary.alarmEventSummary.originEntityName | String | The alarm summary origin entity name. |
| LogRhythm.AlarmSummary.alarmEventSummary.impactedEntityName | String | The alarm summary impacted entity name. |

Command Example

!lr-alarm-summary alarm_id=200

Context Example

{
"LogRhythm": {
"AlarmSummary": {
"additionalDetails": "Action:\r\n1. Use LogRhythm to analyze and collect all information regarding the alarm, related events/logs, and surrounding logs from affected sources. \r\n2. Check System Monitor service health (try restarting). \r\n3. Check network connectivity between Agent and Mediator. \r\n4. Check scsm.log for errors. \r\n5. If the steps above do not provide a solution or if you require assistance, please contact LogRhythm Support.",
"alarmEventSummary": [
{
"commonEventId": -1100003,
"commonEventName": "LogRhythm Agent Heartbeat Missed",
"impactedEntityName": "EchoTestEntity",
"impactedHostId": 3,
"impactedUser": "",
"impactedUserIdentityId": null,
"impactedUserIdentityName": "",
"msgClassId": 3200,
"msgClassName": "Error",
"originEntityName": "EchoTestEntity",
"originHostId": 3,
"originUser": "",
"originUserIdentityId": null,
"originUserIdentityName": ""
}
],
"alarmId": 200,
"alarmRuleGroup": "LogRhythm Diagnostics",
"alarmRuleId": 98,
"briefDescription": "Alarms on the occurrence of a LogRhythm Agent Heartbeat Missed event which could indicate a LogRhythm Agent going down.",
"dateInserted": "2021-08-18T13:05:59.683",
"rbpAvg": 100,
"rbpMax": 100
}
}
}

Human Readable Output

Alarm summary

| Additional Details | Alarm Id | Alarm Rule Group | Alarm Rule Id | Brief Description | Date Inserted | Rbp Avg | Rbp Max |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Action: 1. Use LogRhythm to analyze and collect all information regarding the alarm, related events/logs, and surrounding logs from affected sources. 2. Check System Monitor service health (try restarting). 3. Check network connectivity between Agent and Mediator. 4. Check scsm.log for errors. 5. If the steps above do not provide a solution or if you require assistance, please contact LogRhythm Support. | 200 | LogRhythm Diagnostics | 98 | Alarms on the occurrence of a LogRhythm Agent Heartbeat Missed event which could indicate a LogRhythm Agent going down. | 2021-08-18T13:05:59.683 | 100 | 100 |

Alarm event summary

| Common Event Id | Common Event Name | Impacted Entity Name | Impacted Host Id | Impacted User | Impacted User Identity Id | Impacted User Identity Name | Msg Class Id | Msg Class Name | Origin Entity Name | Origin Host Id | Origin User | Origin User Identity Id | Origin User Identity Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| -1100003 | LogRhythm Agent Heartbeat Missed | EchoTestEntity | 3 | | | | 3200 | Error | EchoTestEntity | 3 | | | |

lr-alarm-drilldown#


Gets the drill-down logs per rule block for a specific alarm Id that fired associated with an AIE alarm.

Base Command#

lr-alarm-drilldown

Input#

Argument NameDescriptionRequired
alarm_idNumeric ID of the alarm to get.Required

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.AlarmDrilldown.AlarmID | Number | The alarm ID. |
| LogRhythm.AlarmDrilldown.AIERuleID | Number | The alarm AIE rule ID. |
| LogRhythm.AlarmDrilldown.Status.value | Number | The value of the drilldown request. |
| LogRhythm.AlarmDrilldown.Status.name | String | The name of the drilldown request. |
| LogRhythm.AlarmDrilldown.Status.description | String | The description of the drilldown request. |
| LogRhythm.AlarmDrilldown.RetryCount | Number | The number of times the Data Indexer is queried for the drill-down results. |
| LogRhythm.AlarmDrilldown.LastDxTimestamp | Date | The timestamp, in UTC, at which the Data Indexer was queried to obtain the drill-down results. |
| LogRhythm.AlarmDrilldown.DateInserted | Date | The timestamp, in UTC, when the Alarm was added to the cache. |
| LogRhythm.AlarmDrilldown.AlarmGuid | String | The unique identification of the Alarm GUID. |
| LogRhythm.AlarmDrilldown.WebConsoleId | String | The unique identification of the Web Console ID. |
| LogRhythm.AlarmDrilldown.NotificationSent | Boolean | Whether a notification was sent for the alarm. |
| LogRhythm.AlarmDrilldown.AIEMsgXml | String | The message XML associated with the event that was triggered by the AI Engine. |
| LogRhythm.AlarmDrilldown.EventID | Number | The event ID associated with the AI Engine alarm. |
| LogRhythm.AlarmDrilldown.NormalMessageDate | Date | The date, in UTC, that specifies the time of occurrence of the log. |
| LogRhythm.AlarmDrilldown.RuleBlocks.RuleBlockID | Number | The Rule Block ID associated with the AI Engine rule that triggered the alarm. |
| LogRhythm.AlarmDrilldown.RuleBlocks.RuleBlockTypeID | Number | The type of rule block as specified in the Events Msg XML. |
| LogRhythm.AlarmDrilldown.RuleBlocks.DrillDownLogs | String | Logs that triggered the AI Engine rule associated with the rule block. |
| LogRhythm.AlarmDrilldown.RuleBlocks.AIECount | Number | The number of logs identified by the AI Engine that triggered the alarm. |
| LogRhythm.AlarmDrilldown.RuleBlocks.DXCount | Number | The number of logs stored in the Data Indexer that matched the drill-down criteria. |
| LogRhythm.AlarmDrilldown.RuleBlocks.NormalMessageDate | Date | The date, in UTC, that specifies the time of occurrence of the log. |
| LogRhythm.AlarmDrilldown.RuleBlocks.NormalMessageDateUpper | Date | The date, in UTC, that specifies the upper bound for the rule block triggered. |
| LogRhythm.AlarmDrilldown.RuleBlocks.NormalMessageDateLower | Date | The date, in UTC, that specifies the lower bound for the rule block triggered. |
| LogRhythm.AlarmDrilldown.RuleBlocks.DDSummaries.SummaryFieldType | Number | The Summary Field type selected for the rule block. |
| LogRhythm.AlarmDrilldown.RuleBlocks.DDSummaries.DrillDownSummaries | String | The aggregate of the Summary Field type as found in the drill-down logs associated with the alarm. |
| LogRhythm.AlarmDrilldown.RuleBlocks.DDSummaries.DefaultValue | String | The value populated from the ARM when an alarm is added to the cache. |
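The drill-down context above carries two counts per rule block: AIECount (logs the AI Engine matched when it fired) and DXCount (logs the Data Indexer returned for the drill-down criteria). When DXCount is lower than AIECount the evidence attached to the alarm is not yet complete, which is exactly the situation RetryCount exists for. The following Python is an added example, not code from the LogRhythmRest v2 integration or from LogRhythm; it walks a constructed context in the documented LogRhythm.AlarmDrilldown shape and flags incomplete rule blocks so an automation can hold the alarm open instead of closing it on partial evidence. The "DXCount below AIECount means incomplete" rule is this example's own heuristic, derived from the field descriptions above.

```python
"""Summarize lr-alarm-drilldown results per rule block.

Added example; it is not part of the LogRhythmRest v2 integration. It walks
the LogRhythm.AlarmDrilldown context documented above and flags rule blocks
whose Data Indexer match count (DXCount) is lower than the number of logs the
AI Engine counted (AIECount): for those blocks the drill-down evidence is
incomplete, so the alarm should not be closed on that evidence alone.
"""
from __future__ import annotations

from typing import Any

# Constructed sample in the documented LogRhythm.AlarmDrilldown shape.
# Values are illustrative only and do not come from a live LogRhythm system.
SAMPLE_DRILLDOWN: dict[str, Any] = {
    "AlarmID": 200,
    "AIERuleID": 98,
    "Status": {"value": 0, "name": "SampleStatus", "description": "constructed"},
    "RetryCount": 2,
    "RuleBlocks": [
        {
            "RuleBlockID": 1,
            "RuleBlockTypeID": 1,
            "AIECount": 5,
            "DXCount": 5,
            "DrillDownLogs": "[]",
            "DDSummaries": [
                {"SummaryFieldType": 1, "DrillDownSummaries": "host-a, host-b", "DefaultValue": ""}
            ],
        },
        {
            "RuleBlockID": 2,
            "RuleBlockTypeID": 1,
            "AIECount": 12,
            "DXCount": 7,
            "DrillDownLogs": "[]",
            "DDSummaries": [],
        },
    ],
}


def rule_block_summary(drilldown: dict[str, Any]) -> list[dict[str, Any]]:
    """One row per rule block: counts, completeness flag and summary fields."""
    rows: list[dict[str, Any]] = []
    for block in drilldown.get("RuleBlocks") or []:
        aie_count = int(block.get("AIECount") or 0)
        dx_count = int(block.get("DXCount") or 0)
        # DDSummaries is a list of {SummaryFieldType, DrillDownSummaries, DefaultValue}.
        summaries = {
            str(item.get("SummaryFieldType")): item.get("DrillDownSummaries")
            for item in block.get("DDSummaries") or []
        }
        rows.append(
            {
                "RuleBlockID": block.get("RuleBlockID"),
                "AIECount": aie_count,
                "DXCount": dx_count,
                # Heuristic: complete once the Data Indexer returned at least as
                # many matching logs as the AI Engine counted for this block.
                "Complete": dx_count >= aie_count,
                "Summaries": summaries,
            }
        )
    return rows


def incomplete_rule_blocks(drilldown: dict[str, Any]) -> list[int]:
    """IDs of rule blocks whose drill-down evidence is still incomplete."""
    return [row["RuleBlockID"] for row in rule_block_summary(drilldown) if not row["Complete"]]


def drilldown_verdict(drilldown: dict[str, Any]) -> str:
    """Short verdict an automation can write into a case note or incident field."""
    missing = incomplete_rule_blocks(drilldown)
    if not missing:
        return f"alarm {drilldown.get('AlarmID')}: drill-down complete for all rule blocks"
    return (
        f"alarm {drilldown.get('AlarmID')}: incomplete drill-down for rule blocks "
        f"{missing} after {drilldown.get('RetryCount')} Data Indexer queries"
    )


if __name__ == "__main__":
    for row in rule_block_summary(SAMPLE_DRILLDOWN):
        print(row)
    print(drilldown_verdict(SAMPLE_DRILLDOWN))
```

In an XSOAR automation the input would be the `LogRhythm.AlarmDrilldown` object read from context after `!lr-alarm-drilldown alarm_id=<id>` rather than the constructed sample; a non-empty `incomplete_rule_blocks()` result is a good reason to re-run the command later instead of moving the alarm to a closed status.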

lr-get-alarm-details#


Get the details of an alarm by the specified alarm ID.

Base Command#

lr-get-alarm-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alarm_id | Numeric ID of the alarm to get. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.AlarmDetails.alarmId | Number | The alarm ID. |
| LogRhythm.AlarmDetails.personId | Number | The person ID. |
| LogRhythm.AlarmDetails.entityId | Number | The entity ID. |
| LogRhythm.AlarmDetails.entityName | String | The name of the entity. |
| LogRhythm.AlarmDetails.alarmDate | String | The date in UTC of the alarm. |
| LogRhythm.AlarmDetails.alarmRuleID | Number | The Rule ID of the rule which triggered the alarm. |
| LogRhythm.AlarmDetails.alarmRuleName | String | The name of the rule which triggered the alarm. |
| LogRhythm.AlarmDetails.alarmStatus | String | The status of the alarm. |
| LogRhythm.AlarmDetails.alarmStatusName | String | The name for the status of the alarm. |
| LogRhythm.AlarmDetails.lastUpdatedID | Number | The ID of the last person to update the alarm. |
| LogRhythm.AlarmDetails.lastUpdatedName | String | The name of the last person to update the alarm. |
| LogRhythm.AlarmDetails.dateInserted | String | The date in UTC that the alarm was inserted. |
| LogRhythm.AlarmDetails.dateUpdated | String | The date in UTC that the alarm was updated. |
| LogRhythm.AlarmDetails.associatedCases | String | The cases associated with this alarm. |
| LogRhythm.AlarmDetails.lastPersonID | Number | The ID of the last person to edit this alarm. |
| LogRhythm.AlarmDetails.eventCount | Number | The number of events that triggered this alarm. |
| LogRhythm.AlarmDetails.eventDateFirst | String | The date in UTC of the first event to trigger this alarm. |
| LogRhythm.AlarmDetails.eventDateLast | String | The date in UTC of the last event to trigger this alarm. |
| LogRhythm.AlarmDetails.rBPMax | Number | The maximum Risk Based Priority for this alarm. |
| LogRhythm.AlarmDetails.rBPAvg | Number | The average Risk Based Priority for this alarm. |
| LogRhythm.AlarmDetails.executionTarget | Number | The target which the alarm was executed against. |
| LogRhythm.AlarmDetails.alarmDataCached | String | The cached alarm data. |

lr-cases-list#


Get case details using filter criteria.

Base Command#

lr-cases-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | The case ID by which to filter the results. | Optional |
| timestamp_filter_type | The type by which to filter case results, combined with the timestamp argument. Possible values: "updatedAfter", "updatedBefore", "createdAfter", and "createdBefore". Possible values are: updatedAfter, updatedBefore, createdAfter, createdBefore. | Optional |
| timestamp | The timestamp by which to filter case results, combined with the timestamp_filter_type argument. | Optional |
| priority | The priority by which to filter the results. Possible values: "1", "2", "3", "4", and "5", where 1 is the highest priority. Possible values are: 1, 2, 3, 4, 5. | Optional |
| status | The status by which to filter the results. Possible values: "1" (created), "2" (completed), "3" (incident), "4" (mitigated), and "5" (resolved). Possible values are: 1, 2, 3, 4, 5. | Optional |
| owners | A comma-separated list of owner numbers. | Optional |
| tags | A comma-separated list of tag numbers. | Optional |
| text | Filter results that have a case number or name that contains the specified value. | Optional |
| evidence_type | Filter results that have evidence of the specified type. Possible values: "alarm", "userEvents", "log", "note", and "file". Possible values are: alarm, userEvents, log, note, file. | Optional |
| reference_id | Filter results that have evidence with the given reference identifier. For example, an alarm ID. | Optional |
| external_id | Filter results that have the specified, unique, external identifier. | Optional |
| offset | The number of cases to skip before starting to collect the result set. Default is 0. | Optional |
| count | The number of cases to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Case.id | String | The case ID. |
| LogRhythm.Case.number | Number | The case number. |
| LogRhythm.Case.externalId | String | The case external ID. |
| LogRhythm.Case.dateCreated | Date | The date the case was created. |
| LogRhythm.Case.dateUpdated | Date | The date the case was updated. |
| LogRhythm.Case.dateClosed | Unknown | The date the case was closed. |
| LogRhythm.Case.owner.number | Number | The ID of the case owner. |
| LogRhythm.Case.owner.name | String | The name of the case owner. |
| LogRhythm.Case.owner.disabled | Boolean | Whether the case owner is disabled. |
| LogRhythm.Case.lastUpdatedBy.number | Number | The ID of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.name | String | The name of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.disabled | Boolean | Whether the user who last updated the case is disabled. |
| LogRhythm.Case.name | String | The case name. |
| LogRhythm.Case.status.name | String | The case status. |
| LogRhythm.Case.status.number | Number | The case status number. |
| LogRhythm.Case.priority | Number | The case priority. |
| LogRhythm.Case.dueDate | Date | The datetime the case is due. |
| LogRhythm.Case.resolution | Unknown | The case resolution. |
| LogRhythm.Case.resolutionDateUpdated | Unknown | The date the case resolution was last updated. |
| LogRhythm.Case.resolutionLastUpdatedBy | Unknown | The user who last updated the case resolution. |
| LogRhythm.Case.summary | String | The case summary. |
| LogRhythm.Case.entity.number | Number | The case entity number. |
| LogRhythm.Case.entity.name | String | The case entity name. |
| LogRhythm.Case.entity.fullName | String | The case entity full name. |
| LogRhythm.Case.collaborators.number | Number | The case collaborator number. |
| LogRhythm.Case.collaborators.name | String | The case collaborator name. |
| LogRhythm.Case.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |
| LogRhythm.Case.tags.text | String | The case tag name. |
| LogRhythm.Case.tags.number | Number | The case tag number. |

Command Example#

!lr-cases-list priority=5

Context Example#

```json
{
  "LogRhythm": {
    "Case": [
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-08-11T14:10:08.617291Z",
        "dateUpdated": "2021-08-31T15:18:26.8118901Z",
        "dueDate": "2021-08-12T14:10:08.617291Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "B055F3D5-6F49-4D94-AEF1-FAEDC4A25251",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test case",
        "number": 4,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Incident",
          "number": 3
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-08-11T14:19:48.7669718Z",
        "dateUpdated": "2021-08-11T14:19:48.7669718Z",
        "dueDate": "2021-08-12T14:19:48.7669718Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "75081347-EB56-4AEA-A6F9-A6EB6662F48E",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test case from API",
        "number": 5,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-05T10:53:07.0405063Z",
        "dateUpdated": "2021-10-05T10:53:07.0405063Z",
        "dueDate": "2021-10-06T10:53:07.0405063Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "BB8EB00A-F4A7-4710-BB1C-E89DA7BF866B",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test",
        "number": 35,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-06T06:13:06.6792318Z",
        "dateUpdated": "2021-10-06T06:13:06.6792318Z",
        "dueDate": "2021-10-07T06:13:06.6792318Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "5091AD33-E29E-41A4-A975-E792EFCFF8E1",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test",
        "number": 38,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-06T07:57:30.7682964Z",
        "dateUpdated": "2021-10-06T07:57:30.7682964Z",
        "dueDate": "2021-10-07T07:57:30.7682964Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "B9F8031A-7420-4080-96A7-4FF9AB6B6ECF",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test",
        "number": 39,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-06T09:30:58.6568951Z",
        "dateUpdated": "2021-10-06T09:30:58.6568951Z",
        "dueDate": "2021-10-07T09:30:58.6568951Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "9D7AEA2E-F9D4-4787-9A9B-F8F0E9CE817E",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test1111",
        "number": 40,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-06T09:37:39.7847983Z",
        "dateUpdated": "2021-10-06T09:37:39.7847983Z",
        "dueDate": "2021-10-07T09:37:39.7847983Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "805BCD50-D301-4F20-9757-A96AC3B1E52C",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test1111",
        "number": 41,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-06T09:44:06.4646762Z",
        "dateUpdated": "2021-10-06T09:44:06.4646762Z",
        "dueDate": "2021-10-07T09:44:06.4646762Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "FE8A7A3F-2D33-449F-83A5-09D3351E67DC",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test1111",
        "number": 42,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-18T11:45:02.190818Z",
        "dateUpdated": "2021-10-18T11:45:02.190818Z",
        "dueDate": "2021-10-19T11:45:02.190818Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "01825095-3D3E-4082-9F3D-29BC68EBCE9F",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test123123",
        "number": 58,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-19T05:44:36.6091003Z",
        "dateUpdated": "2021-10-19T05:44:36.6091003Z",
        "dueDate": "2021-10-20T05:44:36.6091003Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "97F336B2-D18E-438A-8FB1-7F49DCB0A867",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test777777",
        "number": 59,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      },
      {
        "collaborators": [
          {
            "disabled": false,
            "name": "LR Soap API",
            "number": 1
          }
        ],
        "dateClosed": null,
        "dateCreated": "2021-10-19T05:51:51.6372007Z",
        "dateUpdated": "2021-10-19T05:51:51.6372007Z",
        "dueDate": "2021-10-20T05:51:51.6372007Z",
        "entity": {
          "fullName": "Global Entity",
          "name": "Global Entity",
          "number": -100
        },
        "externalId": "",
        "id": "064C632E-E7E8-4913-A123-EB6153FE4BE4",
        "lastUpdatedBy": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "name": "test777777",
        "number": 60,
        "owner": {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        },
        "priority": 5,
        "resolution": null,
        "resolutionDateUpdated": null,
        "resolutionLastUpdatedBy": null,
        "status": {
          "name": "Created",
          "number": 1
        },
        "summary": "",
        "tags": []
      }
    ]
  }
}
```

Human Readable Output#

Cases#

| Collaborators | Date Closed | Date Created | Date Updated | Due Date | Entity | External Id | Id | Last Updated By | Name | Number | Owner | Priority | Resolution | Resolution Date Updated | Resolution Last Updated By | Status | Summary | Tags |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-08-11T14:10:08.617291Z | 2021-08-31T15:18:26.8118901Z | 2021-08-12T14:10:08.617291Z | number: -100, name: Global Entity, fullName: Global Entity | | B055F3D5-6F49-4D94-AEF1-FAEDC4A25251 | number: 1, name: LR Soap API, disabled: false | test case | 4 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Incident, number: 3 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-08-11T14:19:48.7669718Z | 2021-08-11T14:19:48.7669718Z | 2021-08-12T14:19:48.7669718Z | number: -100, name: Global Entity, fullName: Global Entity | | 75081347-EB56-4AEA-A6F9-A6EB6662F48E | number: 1, name: LR Soap API, disabled: false | test case from API | 5 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-05T10:53:07.0405063Z | 2021-10-05T10:53:07.0405063Z | 2021-10-06T10:53:07.0405063Z | number: -100, name: Global Entity, fullName: Global Entity | | BB8EB00A-F4A7-4710-BB1C-E89DA7BF866B | number: 1, name: LR Soap API, disabled: false | test | 35 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-06T06:13:06.6792318Z | 2021-10-06T06:13:06.6792318Z | 2021-10-07T06:13:06.6792318Z | number: -100, name: Global Entity, fullName: Global Entity | | 5091AD33-E29E-41A4-A975-E792EFCFF8E1 | number: 1, name: LR Soap API, disabled: false | test | 38 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-06T07:57:30.7682964Z | 2021-10-06T07:57:30.7682964Z | 2021-10-07T07:57:30.7682964Z | number: -100, name: Global Entity, fullName: Global Entity | | B9F8031A-7420-4080-96A7-4FF9AB6B6ECF | number: 1, name: LR Soap API, disabled: false | test | 39 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-06T09:30:58.6568951Z | 2021-10-06T09:30:58.6568951Z | 2021-10-07T09:30:58.6568951Z | number: -100, name: Global Entity, fullName: Global Entity | | 9D7AEA2E-F9D4-4787-9A9B-F8F0E9CE817E | number: 1, name: LR Soap API, disabled: false | test1111 | 40 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-06T09:37:39.7847983Z | 2021-10-06T09:37:39.7847983Z | 2021-10-07T09:37:39.7847983Z | number: -100, name: Global Entity, fullName: Global Entity | | 805BCD50-D301-4F20-9757-A96AC3B1E52C | number: 1, name: LR Soap API, disabled: false | test1111 | 41 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-06T09:44:06.4646762Z | 2021-10-06T09:44:06.4646762Z | 2021-10-07T09:44:06.4646762Z | number: -100, name: Global Entity, fullName: Global Entity | | FE8A7A3F-2D33-449F-83A5-09D3351E67DC | number: 1, name: LR Soap API, disabled: false | test1111 | 42 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-18T11:45:02.190818Z | 2021-10-18T11:45:02.190818Z | 2021-10-19T11:45:02.190818Z | number: -100, name: Global Entity, fullName: Global Entity | | 01825095-3D3E-4082-9F3D-29BC68EBCE9F | number: 1, name: LR Soap API, disabled: false | test123123 | 58 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-19T05:44:36.6091003Z | 2021-10-19T05:44:36.6091003Z | 2021-10-20T05:44:36.6091003Z | number: -100, name: Global Entity, fullName: Global Entity | | 97F336B2-D18E-438A-8FB1-7F49DCB0A867 | number: 1, name: LR Soap API, disabled: false | test777777 | 59 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-19T05:51:51.6372007Z | 2021-10-19T05:51:51.6372007Z | 2021-10-20T05:51:51.6372007Z | number: -100, name: Global Entity, fullName: Global Entity | | 064C632E-E7E8-4913-A123-EB6153FE4BE4 | number: 1, name: LR Soap API, disabled: false | test777777 | 60 | number: 1, name: LR Soap API, disabled: false | 5 | | | | name: Created, number: 1 | | |

lr-case-create#


Create a new case.

Base Command#

lr-case-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the case. | Required |
| priority | The priority of the case. Possible values: "1", "2", "3", "4", and "5", where 1 is the highest priority. Possible values are: 1, 2, 3, 4, 5. | Required |
| external_id | Externally defined identifier for the case. | Optional |
| due_date | The date and time at which the case is due, as an RFC 3339 formatted string. E.g., 2020-04-20T14:15:22Z. | Optional |
| summary | Note summarizing the case. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Case.id | String | The case ID. |
| LogRhythm.Case.number | Number | The case number. |
| LogRhythm.Case.externalId | String | The case external ID. |
| LogRhythm.Case.dateCreated | Date | The date the case was created. |
| LogRhythm.Case.dateUpdated | Date | The date the case was updated. |
| LogRhythm.Case.dateClosed | Unknown | The date the case was closed. |
| LogRhythm.Case.owner.number | Number | The ID of the case owner. |
| LogRhythm.Case.owner.name | String | The name of the case owner. |
| LogRhythm.Case.owner.disabled | Boolean | Whether the owner is disabled. |
| LogRhythm.Case.lastUpdatedBy.number | Number | The ID of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.name | String | The name of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the case is disabled. |
| LogRhythm.Case.name | String | The case name. |
| LogRhythm.Case.status.name | String | The case status. |
| LogRhythm.Case.status.number | Number | The case status number. |
| LogRhythm.Case.priority | Number | The case priority. |
| LogRhythm.Case.dueDate | Date | The datetime the case is due. |
| LogRhythm.Case.resolution | Unknown | The case resolution. |
| LogRhythm.Case.resolutionDateUpdated | Unknown | The date the case resolution was last updated. |
| LogRhythm.Case.resolutionLastUpdatedBy | Unknown | The user who last updated the case resolution. |
| LogRhythm.Case.summary | String | The case summary. |
| LogRhythm.Case.entity.number | Number | The case entity number. |
| LogRhythm.Case.entity.name | String | The case entity name. |
| LogRhythm.Case.entity.fullName | String | The case entity full name. |
| LogRhythm.Case.collaborators.number | Number | The case collaborator number. |
| LogRhythm.Case.collaborators.name | String | The case collaborator name. |
| LogRhythm.Case.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |
| LogRhythm.Case.tags.text | String | The case tag name. |
| LogRhythm.Case.tags.number | Number | The case tag number. |

Command Example#

`!lr-case-create name=test priority=1 external_id=8200 summary="test case"`

Context Example#

```json
{
  "LogRhythm": {
    "Case": {
      "collaborators": [
        {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        }
      ],
      "dateClosed": null,
      "dateCreated": "2021-10-30T20:33:44.6636405Z",
      "dateUpdated": "2021-10-30T20:33:44.6636405Z",
      "dueDate": "2021-10-31T20:33:44.6636405Z",
      "entity": {
        "fullName": "Global Entity",
        "name": "Global Entity",
        "number": -100
      },
      "externalId": "8200",
      "id": "83E66AB6-5F9A-441E-BF96-52CA53E20BEA",
      "lastUpdatedBy": {
        "disabled": false,
        "name": "LR Soap API",
        "number": 1
      },
      "name": "test",
      "number": 98,
      "owner": {
        "disabled": false,
        "name": "LR Soap API",
        "number": 1
      },
      "priority": 1,
      "resolution": null,
      "resolutionDateUpdated": null,
      "resolutionLastUpdatedBy": null,
      "status": {
        "name": "Created",
        "number": 1
      },
      "summary": "test case",
      "tags": []
    }
  }
}
```

Human Readable Output#

Case created successfully#

| Collaborators | Date Closed | Date Created | Date Updated | Due Date | Entity | External Id | Id | Last Updated By | Name | Number | Owner | Priority | Resolution | Resolution Date Updated | Resolution Last Updated By | Status | Summary | Tags |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-10-30T20:33:44.6636405Z | 2021-10-30T20:33:44.6636405Z | 2021-10-31T20:33:44.6636405Z | number: -100, name: Global Entity, fullName: Global Entity | 8200 | 83E66AB6-5F9A-441E-BF96-52CA53E20BEA | number: 1, name: LR Soap API, disabled: false | test | 98 | number: 1, name: LR Soap API, disabled: false | 1 | | | | name: Created, number: 1 | test case | |

lr-case-update#


Update case information. For example, the case name, priority, and due date.

Base Command#

lr-case-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| name | Name of the case. | Optional |
| priority | The priority of the case. Possible values: "1", "2", "3", "4", and "5", where 1 is the highest priority. Possible values are: 1, 2, 3, 4, 5. | Optional |
| external_id | Externally defined identifier for the case. | Optional |
| due_date | The date and time at which the case is due, as an RFC 3339 formatted string. E.g., 2020-04-20T14:15:22Z. | Optional |
| summary | Note summarizing the case. | Optional |
| entity_id | Entity to assign to the case. | Optional |
| resolution | Description of how the case was resolved. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Case.id | String | The case ID. |
| LogRhythm.Case.number | Number | The case number. |
| LogRhythm.Case.externalId | String | The case external ID. |
| LogRhythm.Case.dateCreated | Date | The date the case was created. |
| LogRhythm.Case.dateUpdated | Date | The date the case was updated. |
| LogRhythm.Case.dateClosed | Unknown | The date the case was closed. |
| LogRhythm.Case.owner.number | Number | The ID of the case owner. |
| LogRhythm.Case.owner.name | String | The name of the case owner. |
| LogRhythm.Case.owner.disabled | Boolean | Whether the owner is disabled. |
| LogRhythm.Case.lastUpdatedBy.number | Number | The ID of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.name | String | The name of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the case is disabled. |
| LogRhythm.Case.name | String | The case name. |
| LogRhythm.Case.status.name | String | The case status. |
| LogRhythm.Case.status.number | Number | The case status number. |
| LogRhythm.Case.priority | Number | The case priority. |
| LogRhythm.Case.dueDate | Date | The datetime the case is due. |
| LogRhythm.Case.resolution | Unknown | The case resolution. |
| LogRhythm.Case.resolutionDateUpdated | Unknown | The date the case resolution was last updated. |
| LogRhythm.Case.resolutionLastUpdatedBy | Unknown | The user who last updated the case resolution. |
| LogRhythm.Case.summary | String | The case summary. |
| LogRhythm.Case.entity.number | Number | The case entity number. |
| LogRhythm.Case.entity.name | String | The case entity name. |
| LogRhythm.Case.entity.fullName | String | The case entity full name. |
| LogRhythm.Case.collaborators.number | Number | The case collaborator number. |
| LogRhythm.Case.collaborators.name | String | The case collaborator name. |
| LogRhythm.Case.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |
| LogRhythm.Case.tags.text | String | The case tag name. |
| LogRhythm.Case.tags.number | Number | The case tag number. |

Command Example#

!lr-case-update case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE priority=3

Context Example#

```json
{
  "LogRhythm": {
    "Case": {
      "collaborators": [
        {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        }
      ],
      "dateClosed": null,
      "dateCreated": "2021-08-19T15:38:07.8995494Z",
      "dateUpdated": "2021-08-31T15:31:24.9870972Z",
      "dueDate": "2021-08-20T15:38:07.8995494Z",
      "entity": {
        "fullName": "Global Entity",
        "name": "Global Entity",
        "number": -100
      },
      "externalId": "9930",
      "id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
      "lastUpdatedBy": {
        "disabled": false,
        "name": "LR Soap API",
        "number": 1
      },
      "name": "test",
      "number": 17,
      "owner": {
        "disabled": false,
        "name": "LR Soap API",
        "number": 1
      },
      "priority": 3,
      "resolution": null,
      "resolutionDateUpdated": null,
      "resolutionLastUpdatedBy": null,
      "status": {
        "name": "Incident",
        "number": 3
      },
      "summary": "test case",
      "tags": []
    }
  }
}
```

Human Readable Output#

Case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE updated successfully#

| Collaborators | Date Closed | Date Created | Date Updated | Due Date | Entity | External Id | Id | Last Updated By | Name | Number | Owner | Priority | Resolution | Resolution Date Updated | Resolution Last Updated By | Status | Summary | Tags |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-08-19T15:38:07.8995494Z | 2021-08-31T15:31:24.9870972Z | 2021-08-20T15:38:07.8995494Z | number: -100, name: Global Entity, fullName: Global Entity | 9930 | 2E7FA20D-191E-4733-B7DC-A18BBFE762CE | number: 1, name: LR Soap API, disabled: false | test | 17 | number: 1, name: LR Soap API, disabled: false | 3 | | | | name: Incident, number: 3 | test case | |

lr-case-status-change#


Update the status of a case.

Base Command#

lr-case-status-change

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| status | The case status. Possible values: "Created", "Completed", "Incident", "Mitigated", and "Resolved". Possible values are: Created, Completed, Incident, Mitigated, Resolved. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Case.id | String | The case ID. |
| LogRhythm.Case.number | Number | The case number. |
| LogRhythm.Case.externalId | String | The case external ID. |
| LogRhythm.Case.dateCreated | Date | The date the case was created. |
| LogRhythm.Case.dateUpdated | Date | The date the case was updated. |
| LogRhythm.Case.dateClosed | Unknown | The date the case was closed. |
| LogRhythm.Case.owner.number | Number | The ID of the case owner. |
| LogRhythm.Case.owner.name | String | The name of the case owner. |
| LogRhythm.Case.owner.disabled | Boolean | Whether the owner is disabled. |
| LogRhythm.Case.lastUpdatedBy.number | Number | The ID of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.name | String | The name of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the case is disabled. |
| LogRhythm.Case.name | String | The case name. |
| LogRhythm.Case.status.name | String | The case status. |
| LogRhythm.Case.status.number | Number | The case status number. |
| LogRhythm.Case.priority | Number | The case priority. |
| LogRhythm.Case.dueDate | Date | The datetime the case is due. |
| LogRhythm.Case.resolution | Unknown | The case resolution. |
| LogRhythm.Case.resolutionDateUpdated | Unknown | The date the case resolution was last updated. |
| LogRhythm.Case.resolutionLastUpdatedBy | Unknown | The user who last updated the case resolution. |
| LogRhythm.Case.summary | String | The case summary. |
| LogRhythm.Case.entity.number | Number | The case entity number. |
| LogRhythm.Case.entity.name | String | The case entity name. |
| LogRhythm.Case.entity.fullName | String | The case entity full name. |
| LogRhythm.Case.collaborators.number | Number | The case collaborator number. |
| LogRhythm.Case.collaborators.name | String | The case collaborator name. |
| LogRhythm.Case.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |
| LogRhythm.Case.tags.text | String | The case tag name. |
| LogRhythm.Case.tags.number | Number | The case tag number. |

Command Example#

!lr-case-status-change case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE status=Incident

Context Example#

```json
{
  "LogRhythm": {
    "Case": {
      "collaborators": [
        {
          "disabled": false,
          "name": "LR Soap API",
          "number": 1
        }
      ],
      "dateClosed": null,
      "dateCreated": "2021-08-19T15:38:07.8995494Z",
      "dateUpdated": "2021-08-31T15:31:24.9870972Z",
      "dueDate": "2021-08-20T15:38:07.8995494Z",
      "entity": {
        "fullName": "Global Entity",
        "name": "Global Entity",
        "number": -100
      },
      "externalId": "9930",
      "id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
      "lastUpdatedBy": {
        "disabled": false,
        "name": "LR Soap API",
        "number": 1
      },
      "name": "test",
      "number": 17,
      "owner": {
        "disabled": false,
        "name": "LR Soap API",
        "number": 1
      },
      "priority": 3,
      "resolution": null,
      "resolutionDateUpdated": null,
      "resolutionLastUpdatedBy": null,
      "status": {
        "name": "Incident",
        "number": 3
      },
      "summary": "test case",
      "tags": []
    }
  }
}
```

Human Readable Output#

Case status updated successfully#

| Collaborators | Date Closed | Date Created | Date Updated | Due Date | Entity | External Id | Id | Last Updated By | Name | Number | Owner | Priority | Resolution | Resolution Date Updated | Resolution Last Updated By | Status | Summary | Tags |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'number': 1, 'name': 'LR Soap API', 'disabled': False} | | 2021-08-19T15:38:07.8995494Z | 2021-08-31T15:31:24.9870972Z | 2021-08-20T15:38:07.8995494Z | number: -100, name: Global Entity, fullName: Global Entity | 9930 | 2E7FA20D-191E-4733-B7DC-A18BBFE762CE | number: 1, name: LR Soap API, disabled: false | test | 17 | number: 1, name: LR Soap API, disabled: false | 3 | | | | name: Incident, number: 3 | test case | |

lr-case-evidence-list#


Return a list of evidence summaries for a case.

Base Command#

lr-case-evidence-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| evidence_type | Filter results that have evidence of the specified type. Possible values are: alarm, userEvents, log, note, file. | Optional |
| status | Filter results that have a specific evidence status. Possible values are: pending, completed, failed. | Optional |
| evidence_number | Filter results by evidence number. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.CaseEvidence.CaseID | String | The case ID. |
| LogRhythm.CaseEvidence.Evidences.number | Number | The evidence number. |
| LogRhythm.CaseEvidence.Evidences.dateCreated | Date | The date the evidence was created. |
| LogRhythm.CaseEvidence.Evidences.dateUpdated | Date | The date the evidence was updated. |
| LogRhythm.CaseEvidence.Evidences.createdBy.number | Number | The ID of the user who created the evidence. |
| LogRhythm.CaseEvidence.Evidences.createdBy.name | String | The name of the user who created the evidence. |
| LogRhythm.CaseEvidence.Evidences.createdBy.disabled | Boolean | Whether the user is disabled. |
| LogRhythm.CaseEvidence.Evidences.lastUpdatedBy.number | Number | The ID of the user who last updated the case evidence. |
| LogRhythm.CaseEvidence.Evidences.lastUpdatedBy.name | String | The name of the user who last updated the case evidence. |
| LogRhythm.CaseEvidence.Evidences.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the case evidence is disabled. |
| LogRhythm.CaseEvidence.Evidences.type | String | The evidence type. |
| LogRhythm.CaseEvidence.Evidences.status | String | The evidence status. |
| LogRhythm.CaseEvidence.Evidences.statusMessage | Unknown | The evidence status message. |
| LogRhythm.CaseEvidence.Evidences.text | String | The evidence text. |
| LogRhythm.CaseEvidence.Evidences.pinned | Boolean | Whether the evidence is pinned. |
| LogRhythm.CaseEvidence.Evidences.datePinned | Unknown | The date the evidence was pinned. |

Command Example#

!lr-case-evidence-list case_id=583A7DAA-872A-4ECE-80B8-0DECB6FC3061

Context Example#

{
"LogRhythm": {
"CaseEvidence": {
"CaseID": "583A7DAA-872A-4ECE-80B8-0DECB6FC3061",
"Evidences": [
{
"alarm": {
"alarmDate": "2021-08-19T13:08:08.713Z",
"alarmId": 212,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-19T13:08:08.727Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 39
},
"createdBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"dateCreated": "2021-08-19T14:21:01.7066667Z",
"datePinned": null,
"dateUpdated": "2021-08-19T14:21:01.7066667Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"number": 58,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
},
{
"alarm": {
"alarmDate": "2021-08-19T11:07:56.86Z",
"alarmId": 211,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-19T11:07:56.877Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 39
},
"createdBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"dateCreated": "2021-08-19T14:21:11.7766667Z",
"datePinned": null,
"dateUpdated": "2021-08-19T14:21:11.7766667Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"number": 59,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
},
{
"createdBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"dateCreated": "2021-08-19T14:25:33.5976206Z",
"datePinned": null,
"dateUpdated": "2021-08-19T14:25:33.5976206Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LogRhythm Administrator",
"number": -100
},
"number": 61,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "test note",
"type": "note"
}
]
}
}
}

Human Readable Output#

Evidences for case 583A7DAA-872A-4ECE-80B8-0DECB6FC3061#

| Number | Type | Status | Date Created | Created By | Text | Alarm | File |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 58 | alarm | completed | 2021-08-19T14:21:01.7066667Z | number: -100, name: LogRhythm Administrator, disabled: false | | alarmId: 212, alarmDate: 2021-08-19T13:08:08.713Z, alarmRuleId: 98, alarmRuleName: LogRhythm Agent Heartbeat Missed, dateInserted: 2021-08-19T13:08:08.727Z, entityId: 2, entityName: EchoTestEntity, riskBasedPriorityMax: 39 | |
| 59 | alarm | completed | 2021-08-19T14:21:11.7766667Z | number: -100, name: LogRhythm Administrator, disabled: false | | alarmId: 211, alarmDate: 2021-08-19T11:07:56.86Z, alarmRuleId: 98, alarmRuleName: LogRhythm Agent Heartbeat Missed, dateInserted: 2021-08-19T11:07:56.877Z, entityId: 2, entityName: EchoTestEntity, riskBasedPriorityMax: 39 | |
| 61 | note | completed | 2021-08-19T14:25:33.5976206Z | number: -100, name: LogRhythm Administrator, disabled: false | test note | | |

lr-case-alarm-evidence-add#


Add multiple alarms as evidence on a case.

Base Command#

lr-case-alarm-evidence-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| alarm_numbers | A comma-separated list of alarm IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.AlarmEvidence.CaseID | String | The case ID. |
| LogRhythm.AlarmEvidence.Evidences.number | Number | The evidence number. |
| LogRhythm.AlarmEvidence.Evidences.dateCreated | Date | The date the evidence was created. |
| LogRhythm.AlarmEvidence.Evidences.dateUpdated | Date | The date the evidence was updated. |
| LogRhythm.AlarmEvidence.Evidences.createdBy.number | Number | The ID of the user who created the evidence. |
| LogRhythm.AlarmEvidence.Evidences.createdBy.name | String | The name of the user who created the evidence. |
| LogRhythm.AlarmEvidence.Evidences.createdBy.disabled | Boolean | Whether the user is disabled. |
| LogRhythm.AlarmEvidence.Evidences.lastUpdatedBy.number | Number | The ID of the user who last updated the alarm evidence. |
| LogRhythm.AlarmEvidence.Evidences.lastUpdatedBy.name | String | The name of the user who last updated the alarm evidence. |
| LogRhythm.AlarmEvidence.Evidences.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the alarm evidence is disabled. |
| LogRhythm.AlarmEvidence.Evidences.type | String | The evidence type. |
| LogRhythm.AlarmEvidence.Evidences.status | String | The evidence status. |
| LogRhythm.AlarmEvidence.Evidences.statusMessage | Unknown | The evidence status message. |
| LogRhythm.AlarmEvidence.Evidences.text | String | The evidence text. |
| LogRhythm.AlarmEvidence.Evidences.pinned | Boolean | Whether the evidence is pinned. |
| LogRhythm.AlarmEvidence.Evidences.datePinned | Unknown | The date the evidence was pinned. |
| LogRhythm.AlarmEvidence.Evidences.alarm.alarmId | Number | The alarm ID. |
| LogRhythm.AlarmEvidence.Evidences.alarm.alarmDate | Date | The alarm date. |
| LogRhythm.AlarmEvidence.Evidences.alarm.alarmRuleId | Number | The alarm rule ID. |
| LogRhythm.AlarmEvidence.Evidences.alarm.alarmRuleName | String | The alarm rule name. |
| LogRhythm.AlarmEvidence.Evidences.alarm.dateInserted | Date | The date the alarm was inserted. |
| LogRhythm.AlarmEvidence.Evidences.alarm.entityId | Number | The alarm entity ID. |
| LogRhythm.AlarmEvidence.Evidences.alarm.entityName | String | The alarm entity name. |
| LogRhythm.AlarmEvidence.Evidences.alarm.riskBasedPriorityMax | Number | The maximum Risk Based Priority (RBP) threshold of events to monitor. |

Command Example#

!lr-case-alarm-evidence-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE alarm_numbers=200,201

Context Example#

{
"LogRhythm": {
"AlarmEvidence": {
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"Evidences": [
{
"alarm": {
"alarmDate": "2021-08-18T13:05:59.663Z",
"alarmId": 200,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-18T13:05:59.683Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 100
},
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-19T15:41:35.54Z",
"datePinned": null,
"dateUpdated": "2021-08-19T15:41:35.54Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 62,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
},
{
"alarm": {
"alarmDate": "2021-08-18T15:06:10.623Z",
"alarmId": 201,
"alarmRuleId": 98,
"alarmRuleName": "LogRhythm Agent Heartbeat Missed",
"dateInserted": "2021-08-18T15:06:10.637Z",
"entityId": 2,
"entityName": "EchoTestEntity",
"riskBasedPriorityMax": 39
},
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-19T15:41:35.54Z",
"datePinned": null,
"dateUpdated": "2021-08-19T15:41:35.54Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 63,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "",
"type": "alarm"
}
]
}
}
}

Human Readable Output#

Alarms added as evidence to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE successfully#

| Number | Type | Status | Date Created | Created By | Text | Alarm | File |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 62 | alarm | completed | 2021-08-19T15:41:35.54Z | number: 1, name: LR Soap API, disabled: false | | alarmId: 200, alarmDate: 2021-08-18T13:05:59.663Z, alarmRuleId: 98, alarmRuleName: LogRhythm Agent Heartbeat Missed, dateInserted: 2021-08-18T13:05:59.683Z, entityId: 2, entityName: EchoTestEntity, riskBasedPriorityMax: 100 | |
| 63 | alarm | completed | 2021-08-19T15:41:35.54Z | number: 1, name: LR Soap API, disabled: false | | alarmId: 201, alarmDate: 2021-08-18T15:06:10.623Z, alarmRuleId: 98, alarmRuleName: LogRhythm Agent Heartbeat Missed, dateInserted: 2021-08-18T15:06:10.637Z, entityId: 2, entityName: EchoTestEntity, riskBasedPriorityMax: 39 | |

lr-case-note-evidence-add#


Add a note as evidence on a case.

Base Command#

lr-case-note-evidence-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| note | Note text. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.NoteEvidence.CaseID | String | The case ID. |
| LogRhythm.NoteEvidence.Evidences.number | Number | The evidence number. |
| LogRhythm.NoteEvidence.Evidences.dateCreated | Date | The date the evidence was created. |
| LogRhythm.NoteEvidence.Evidences.dateUpdated | Date | The date the evidence was updated. |
| LogRhythm.NoteEvidence.Evidences.createdBy.number | Number | The ID of the user who created the evidence. |
| LogRhythm.NoteEvidence.Evidences.createdBy.name | String | The name of the user who created the evidence. |
| LogRhythm.NoteEvidence.Evidences.createdBy.disabled | Boolean | Whether the user is disabled. |
| LogRhythm.NoteEvidence.Evidences.lastUpdatedBy.number | Number | The ID of the user who last updated the evidence. |
| LogRhythm.NoteEvidence.Evidences.lastUpdatedBy.name | String | The name of the user who last updated the evidence. |
| LogRhythm.NoteEvidence.Evidences.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the evidence is disabled. |
| LogRhythm.NoteEvidence.Evidences.type | String | The evidence type. |
| LogRhythm.NoteEvidence.Evidences.status | String | The evidence status. |
| LogRhythm.NoteEvidence.Evidences.statusMessage | Unknown | The evidence status message. |
| LogRhythm.NoteEvidence.Evidences.text | String | The evidence text. |
| LogRhythm.NoteEvidence.Evidences.pinned | Boolean | Whether the evidence is pinned. |
| LogRhythm.NoteEvidence.Evidences.datePinned | Unknown | The date the evidence was pinned. |

Command Example#

!lr-case-note-evidence-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE note=test

Context Example#

{
"LogRhythm": {
"NoteEvidence": [
{
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"Evidences": {
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-10-30T20:17:09.2251906Z",
"datePinned": null,
"dateUpdated": "2021-10-30T20:17:09.2251906Z",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 243,
"pinned": false,
"status": "completed",
"statusMessage": null,
"text": "test",
"type": "note"
}
}
]
}
}

Human Readable Output#

Note added as evidence to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE successfully#

| Number | Type | Status | Date Created | Created By | Text | Alarm | File |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 243 | note | completed | 2021-10-30T20:17:09.2251906Z | number: 1, name: LR Soap API, disabled: false | test | | |

lr-case-file-evidence-add#


Upload a file as evidence on a case.

Base Command#

lr-case-file-evidence-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| entryId | The entry ID of the file to attach. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.FileEvidence.CaseID | String | The case ID. |
| LogRhythm.FileEvidence.Evidences.number | Number | The evidence number. |
| LogRhythm.FileEvidence.Evidences.dateCreated | Date | The date the evidence was created. |
| LogRhythm.FileEvidence.Evidences.dateUpdated | Date | The date the evidence was updated. |
| LogRhythm.FileEvidence.Evidences.createdBy.number | Number | The ID of the user who created the evidence. |
| LogRhythm.FileEvidence.Evidences.createdBy.name | String | The name of the user who created the evidence. |
| LogRhythm.FileEvidence.Evidences.createdBy.disabled | Boolean | Whether the user is disabled. |
| LogRhythm.FileEvidence.Evidences.lastUpdatedBy.number | Number | The ID of the user who last updated the evidence. |
| LogRhythm.FileEvidence.Evidences.lastUpdatedBy.name | String | The name of the user who last updated the evidence. |
| LogRhythm.FileEvidence.Evidences.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the evidence is disabled. |
| LogRhythm.FileEvidence.Evidences.type | String | The evidence type. |
| LogRhythm.FileEvidence.Evidences.status | String | The evidence status. |
| LogRhythm.FileEvidence.Evidences.statusMessage | Unknown | The evidence status message. |
| LogRhythm.FileEvidence.Evidences.text | String | The evidence text. |
| LogRhythm.FileEvidence.Evidences.pinned | Boolean | Whether the evidence is pinned. |
| LogRhythm.FileEvidence.Evidences.datePinned | Unknown | The date the evidence was pinned. |

Command Example#

!lr-case-file-evidence-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE entryId=8502@383ed6ae-1fd7-431a-858d-a11f2620c73b

Context Example#

{
"LogRhythm": {
"FileEvidence": [
{
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"Evidences": {
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-10-30T20:33:46.8Z",
"datePinned": null,
"dateUpdated": "2021-10-30T20:33:46.8Z",
"file": {
"name": "File.jpeg",
"size": 170781
},
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"number": 244,
"pinned": false,
"status": "pending",
"statusMessage": null,
"text": "",
"type": "file"
}
}
]
}
}

Human Readable Output#

File added as evidence to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE successfully#

| Number | Type | Status | Date Created | Created By | Text | Alarm | File |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 244 | file | pending | 2021-10-30T20:33:46.8Z | number: 1, name: LR Soap API, disabled: false | | | name: File.jpeg, size: 170781 |

lr-case-evidence-delete#


Remove evidence from a case.

Base Command#

lr-case-evidence-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| evidence_number | Unique, numeric identifier for the evidence to remove. | Required |

Context Output#

There is no context output for this command.

Command Example#

!lr-case-evidence-delete case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE evidence_number=65

Human Readable Output#

Evidence deleted successfully from case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE.

lr-case-file-evidence-download#


Download an item of file evidence from a case.

Base Command#

lr-case-file-evidence-download

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| evidence_number | Unique, numeric identifier for the evidence. | Required |

Context Output#

There is no context output for this command.

Command Example#

!lr-case-file-evidence-download case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE evidence_number=66

Context Example#

{
"File": {
"EntryID": "8420@383ed6ae-1fd7-431a-858d-a11f2620c73b",
"Extension": "jpg",
"Info": "image/jpeg",
"MD5": "0f9e8a7d9e49fee24f6a34424ad45662",
"Name": "IMG_20210723_165057.jpg",
"SHA1": "SHA1",
"SHA256": "SHA256",
"SHA512": "SHA512",
"SSDeep": "SSDeep",
"Size": 3021461,
"Type": "JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=2112, manufacturer=OnePlus, model=ONEPLUS A6013, orientation=upper-left, xresolution=180, yresolution=188, resolutionunit=2, datetime=2021:07:23 16:50:59, GPS-Data, width=4608], baseline, precision 8, 4608x2112, frames 3"
}
}
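The File context entry above reports the digests the platform computed for the downloaded evidence. Before an automation relies on a downloaded file (for instance when it is re-attached elsewhere or handed to an analyst), it is worth comparing the bytes it actually received against those digests, and the documented example also shows that some hash fields may hold placeholders rather than real digests. The following is an added example, not code from the integration; it assumes a File context entry with the field names shown above and uses a constructed payload whose digests are computed inline, so it runs offline:

```python
import hashlib
from typing import Dict

# Hex-digest length for each hash field of an XSOAR File context entry. A field whose
# value is not a hex string of this length (the documented example shows placeholders
# such as "SHA1") is treated as "not reported" rather than as a mismatch.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def usable_hashes(file_ctx: Dict) -> Dict[str, str]:
    """Return only the hash fields of a File context entry that hold a real hex digest."""
    found = {}
    for algo, length in HASH_LENGTHS.items():
        value = file_ctx.get(algo)
        if isinstance(value, str) and len(value) == length:
            try:
                int(value, 16)
            except ValueError:
                continue
            found[algo] = value.lower()
    return found


def verify_evidence(file_ctx: Dict, data: bytes) -> Dict[str, bool]:
    """Compare every usable digest in the context entry with the digest of the bytes
    actually downloaded. Returns {algorithm: matched}; an empty dict means that nothing
    in the entry could be checked."""
    return {
        algo: hashlib.new(algo.lower(), data).hexdigest() == expected
        for algo, expected in usable_hashes(file_ctx).items()
    }


def evidence_intact(file_ctx: Dict, data: bytes) -> bool:
    """True only when the size matches (if reported), at least one digest was checkable,
    and every checkable digest matched. Unverifiable evidence is treated as not intact."""
    size = file_ctx.get("Size")
    if isinstance(size, int) and size != len(data):
        return False
    results = verify_evidence(file_ctx, data)
    return bool(results) and all(results.values())


# Constructed sample: the bytes stand in for a downloaded evidence file and the context
# entry is derived from them the way the command reports it, with placeholder fields
# copied from the documented example.
SAMPLE_BYTES = b"constructed evidence payload, not a real case file\n"
SAMPLE_CTX = {
    "Name": "evidence.bin",
    "Size": len(SAMPLE_BYTES),
    "MD5": hashlib.md5(SAMPLE_BYTES).hexdigest(),
    "SHA256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    "SHA1": "SHA1",
    "SSDeep": "SSDeep",
}

if __name__ == "__main__":
    print(verify_evidence(SAMPLE_CTX, SAMPLE_BYTES))
    print("intact:", evidence_intact(SAMPLE_CTX, SAMPLE_BYTES))
    print("tampered intact:", evidence_intact(SAMPLE_CTX, SAMPLE_BYTES + b"x"))
```

The design choice to note is that `evidence_intact` fails closed: an entry whose hash fields are all placeholders (like the documented `"SHA1": "SHA1"`) cannot be verified and is therefore reported as not intact, rather than passing because nothing mismatched.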

Human Readable Output#

lr-case-tags-add#


Add tags to a case.

Base Command#

lr-case-tags-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| tag_numbers | A comma-separated list of tag numbers to add. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Case.id | String | The case ID. |
| LogRhythm.Case.number | Number | The case number. |
| LogRhythm.Case.externalId | String | The case external ID. |
| LogRhythm.Case.dateCreated | Date | The date the case was created. |
| LogRhythm.Case.dateUpdated | Date | The date the case was updated. |
| LogRhythm.Case.dateClosed | Unknown | The date the case was closed. |
| LogRhythm.Case.owner.number | Number | The ID of the case owner. |
| LogRhythm.Case.owner.name | String | The name of the case owner. |
| LogRhythm.Case.owner.disabled | Boolean | Whether the owner is disabled. |
| LogRhythm.Case.lastUpdatedBy.number | Number | The ID of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.name | String | The name of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the case is disabled. |
| LogRhythm.Case.name | String | The case name. |
| LogRhythm.Case.status.name | String | The case status. |
| LogRhythm.Case.status.number | Number | The case status number. |
| LogRhythm.Case.priority | Number | The case priority. |
| LogRhythm.Case.dueDate | Date | The datetime the case is due. |
| LogRhythm.Case.resolution | Unknown | The case resolution. |
| LogRhythm.Case.resolutionDateUpdated | Unknown | The date the case resolution was last updated. |
| LogRhythm.Case.resolutionLastUpdatedBy | Unknown | The user who last updated the case resolution. |
| LogRhythm.Case.summary | String | The case summary. |
| LogRhythm.Case.entity.number | Number | The case entity number. |
| LogRhythm.Case.entity.name | String | The case entity name. |
| LogRhythm.Case.entity.fullName | String | The case entity full name. |
| LogRhythm.Case.collaborators.number | Number | The case collaborator number. |
| LogRhythm.Case.collaborators.name | String | The case collaborator name. |
| LogRhythm.Case.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |
| LogRhythm.Case.tags.text | String | The case tag name. |
| LogRhythm.Case.tags.number | Number | The case tag number. |

Command Example#

!lr-case-tags-add case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE tag_numbers=2,3

Context Example#

{
"LogRhythm": {
"Case": {
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-19T15:38:07.8995494Z",
"dateUpdated": "2021-10-30T20:17:15.9861818Z",
"dueDate": "2021-08-20T15:38:07.8995494Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "9930",
"id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 17,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 3,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Incident",
"number": 3
},
"summary": "test case",
"tags": [
{
"number": 2,
"text": "tag #2"
},
{
"number": 3,
"text": "tag #3"
}
]
}
}
}

Human Readable Output#

Tags added successfully to case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE#

| Field | Value |
| --- | --- |
| Collaborators | {'number': 1, 'name': 'LR Soap API', 'disabled': False} |
| Date Closed | |
| Date Created | 2021-08-19T15:38:07.8995494Z |
| Date Updated | 2021-10-30T20:17:15.9861818Z |
| Due Date | 2021-08-20T15:38:07.8995494Z |
| Entity | number: -100, name: Global Entity, fullName: Global Entity |
| External Id | 9930 |
| Id | 2E7FA20D-191E-4733-B7DC-A18BBFE762CE |
| Last Updated By | number: 1, name: LR Soap API, disabled: false |
| Name | test |
| Number | 17 |
| Owner | number: 1, name: LR Soap API, disabled: false |
| Priority | 3 |
| Resolution | |
| Resolution Date Updated | |
| Resolution Last Updated By | |
| Status | name: Incident, number: 3 |
| Summary | test case |
| Tags | {'number': 2, 'text': 'tag #2'}, {'number': 3, 'text': 'tag #3'} |

lr-case-tags-remove#


Remove tags from a case.

Base Command#

lr-case-tags-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| tag_numbers | A comma-separated list of tag numbers to remove. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Case.id | String | The case ID. |
| LogRhythm.Case.number | Number | The case number. |
| LogRhythm.Case.externalId | String | The case external ID. |
| LogRhythm.Case.dateCreated | Date | The date the case was created. |
| LogRhythm.Case.dateUpdated | Date | The date the case was updated. |
| LogRhythm.Case.dateClosed | Unknown | The date the case was closed. |
| LogRhythm.Case.owner.number | Number | The ID of the case owner. |
| LogRhythm.Case.owner.name | String | The name of the case owner. |
| LogRhythm.Case.owner.disabled | Boolean | Whether the owner is disabled. |
| LogRhythm.Case.lastUpdatedBy.number | Number | The ID of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.name | String | The name of the user who last updated the case. |
| LogRhythm.Case.lastUpdatedBy.disabled | Boolean | Whether the last user who updated the case is disabled. |
| LogRhythm.Case.name | String | The case name. |
| LogRhythm.Case.status.name | String | The case status. |
| LogRhythm.Case.status.number | Number | The case status number. |
| LogRhythm.Case.priority | Number | The case priority. |
| LogRhythm.Case.dueDate | Date | The datetime the case is due. |
| LogRhythm.Case.resolution | Unknown | The case resolution. |
| LogRhythm.Case.resolutionDateUpdated | Unknown | The date the case resolution was last updated. |
| LogRhythm.Case.resolutionLastUpdatedBy | Unknown | The user who last updated the case resolution. |
| LogRhythm.Case.summary | String | The case summary. |
| LogRhythm.Case.entity.number | Number | The case entity number. |
| LogRhythm.Case.entity.name | String | The case entity name. |
| LogRhythm.Case.entity.fullName | String | The case entity full name. |
| LogRhythm.Case.collaborators.number | Number | The case collaborator number. |
| LogRhythm.Case.collaborators.name | String | The case collaborator name. |
| LogRhythm.Case.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |
| LogRhythm.Case.tags.text | String | The case tag name. |
| LogRhythm.Case.tags.number | Number | The case tag number. |

Command Example#

!lr-case-tags-remove case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE tag_numbers=1,2

Context Example#

{
"LogRhythm": {
"Case": {
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"dateClosed": null,
"dateCreated": "2021-08-19T15:38:07.8995494Z",
"dateUpdated": "2021-10-30T20:17:17.3901952Z",
"dueDate": "2021-08-20T15:38:07.8995494Z",
"entity": {
"fullName": "Global Entity",
"name": "Global Entity",
"number": -100
},
"externalId": "9930",
"id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"lastUpdatedBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"name": "test",
"number": 17,
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"priority": 3,
"resolution": null,
"resolutionDateUpdated": null,
"resolutionLastUpdatedBy": null,
"status": {
"name": "Incident",
"number": 3
},
"summary": "test case",
"tags": [
{
"number": 3,
"text": "tag #3"
}
]
}
}
}

Human Readable Output#

Tags removed successfully from case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE#

| Field | Value |
| --- | --- |
| Collaborators | {'number': 1, 'name': 'LR Soap API', 'disabled': False} |
| Date Closed | |
| Date Created | 2021-08-19T15:38:07.8995494Z |
| Date Updated | 2021-10-30T20:17:17.3901952Z |
| Due Date | 2021-08-20T15:38:07.8995494Z |
| Entity | number: -100, name: Global Entity, fullName: Global Entity |
| External Id | 9930 |
| Id | 2E7FA20D-191E-4733-B7DC-A18BBFE762CE |
| Last Updated By | number: 1, name: LR Soap API, disabled: false |
| Name | test |
| Number | 17 |
| Owner | number: 1, name: LR Soap API, disabled: false |
| Priority | 3 |
| Resolution | |
| Resolution Date Updated | |
| Resolution Last Updated By | |
| Status | name: Incident, number: 3 |
| Summary | test case |
| Tags | {'number': 3, 'text': 'tag #3'} |
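The four case-update commands above (lr-case-evidence-list, lr-case-alarm-evidence-add, lr-case-tags-add and lr-case-tags-remove) take comma-separated ID lists and return the full case or evidence context afterwards. A playbook that re-runs on the same case should read that context first and only send the IDs that actually change, so repeated runs do not attach the same alarm twice or churn tags. The following is an added example, not part of the integration; it works on the LogRhythm.CaseEvidence and LogRhythm.Case context shapes documented above, uses constructed sample contexts trimmed to the fields it reads (the IDs follow the documented examples), and returns the argument strings ready to pass to each command rather than calling the commands itself:

```python
from typing import Dict, Iterable, List, Set


def parse_id_list(arg: str) -> List[int]:
    """Parse a comma-separated argument such as alarm_numbers=200,201 or tag_numbers=2,3.
    Blank items are ignored; a non-numeric item raises ValueError so a typo is not
    silently dropped from the request."""
    return [int(item) for item in arg.split(",") if item.strip()]


def attached_alarm_ids(evidence_ctx: Dict) -> Set[int]:
    """Alarm IDs already attached as evidence, read from a LogRhythm.CaseEvidence entry."""
    ids = set()
    for ev in evidence_ctx.get("Evidences", []):
        if ev.get("type") == "alarm" and "alarm" in ev:
            ids.add(int(ev["alarm"]["alarmId"]))
    return ids


def current_tag_numbers(case_ctx: Dict) -> Set[int]:
    """Tag numbers currently on the case, read from a LogRhythm.Case entry."""
    return {int(tag["number"]) for tag in case_ctx.get("tags", [])}


def plan_case_update(case_ctx: Dict, evidence_ctx: Dict,
                     requested_alarms: str, desired_tags: Iterable[int]) -> Dict[str, str]:
    """Work out the smallest set of command arguments that brings the case to the desired
    state. Each value is a comma-separated string; an empty string means the command
    need not run at all."""
    missing = sorted(set(parse_id_list(requested_alarms)) - attached_alarm_ids(evidence_ctx))
    have, want = current_tag_numbers(case_ctx), set(desired_tags)
    return {
        "lr-case-alarm-evidence-add alarm_numbers": ",".join(map(str, missing)),
        "lr-case-tags-add tag_numbers": ",".join(map(str, sorted(want - have))),
        "lr-case-tags-remove tag_numbers": ",".join(map(str, sorted(have - want))),
    }


# Constructed sample contexts: only the fields used above are kept.
SAMPLE_EVIDENCE = {
    "CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
    "Evidences": [
        {"number": 58, "type": "alarm", "alarm": {"alarmId": 212}},
        {"number": 59, "type": "alarm", "alarm": {"alarmId": 211}},
        {"number": 61, "type": "note", "text": "test note"},
    ],
}
SAMPLE_CASE = {
    "id": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
    "tags": [{"number": 2, "text": "tag #2"}, {"number": 3, "text": "tag #3"}],
}

if __name__ == "__main__":
    # Alarm 211 is already evidence, tag 3 is already present, tag 2 should go.
    plan = plan_case_update(SAMPLE_CASE, SAMPLE_EVIDENCE, "200,211,201", [3, 5])
    for command, args in plan.items():
        print(f"{command}={args or '(nothing to do)'}")
```

In a playbook the three strings map directly onto the `alarm_numbers` and `tag_numbers` arguments of the respective commands, and a command whose string is empty is simply skipped.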

lr-tags-list#


Return a list of tags using filter criteria.

Base Command#

lr-tags-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag_name | Filter results that have a tag name that contains the specified value. | Optional |
| offset | The number of tags to skip before starting to collect the result set. Default is 0. | Optional |
| count | The number of tags to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Tag.number | Number | The tag number. |
| LogRhythm.Tag.text | String | The tag text. |
| LogRhythm.Tag.dateCreated | Date | The date the tag was created. |
| LogRhythm.Tag.createdBy.number | Number | The ID of the user who created the tag. |
| LogRhythm.Tag.createdBy.name | String | The name of the user who created the tag. |
| LogRhythm.Tag.createdBy.disabled | Boolean | Whether the user is disabled. |

Command Example#

!lr-tags-list count=2

Context Example#

{
"LogRhythm": {
"Tag": [
{
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-11T13:44:00.4433333Z",
"number": 2,
"text": "tag #2"
},
{
"createdBy": {
"disabled": false,
"name": "LR Soap API",
"number": 1
},
"dateCreated": "2021-08-11T13:44:05.7433333Z",
"number": 3,
"text": "tag #3"
}
]
}
}

Human Readable Output#

Tags#

| Number | Text | Date Created | Created By |
| --- | --- | --- | --- |
| 2 | tag #2 | 2021-08-11T13:44:00.4433333Z | number: 1, name: LR Soap API, disabled: false |
| 3 | tag #3 | 2021-08-11T13:44:05.7433333Z | number: 1, name: LR Soap API, disabled: false |

lr-case-collaborators-list#


Returns the owner and a list of collaborators associated with a specific case.

Base Command#

lr-case-collaborators-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.CaseCollaborator.CaseID | String | The case ID. |
| LogRhythm.CaseCollaborator.owner.number | Number | The ID of the case owner. |
| LogRhythm.CaseCollaborator.owner.name | String | The name of the case owner. |
| LogRhythm.CaseCollaborator.owner.disabled | Boolean | Whether the owner is disabled. |
| LogRhythm.CaseCollaborator.collaborators.number | Number | The case collaborator number. |
| LogRhythm.CaseCollaborator.collaborators.name | String | The case collaborator name. |
| LogRhythm.CaseCollaborator.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |

Command Example#

!lr-case-collaborators-list case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE

Context Example#

{
"LogRhythm": {
"CaseCollaborator": {
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
}
}
}
}

Human Readable Output#

Case owner#

| Disabled | Name | Number |
| --- | --- | --- |
| false | LR Soap API | 1 |

Case collaborators#

| Disabled | Name | Number |
| --- | --- | --- |
| false | LR Soap API | 1 |

lr-case-collaborators-update#


Updates the owner and collaborators associated with a specific case.

Base Command#

lr-case-collaborators-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Unique identifier for the case. | Required |
| owner | Unique, numeric identifier for the person. | Required |
| collaborators | A comma-separated list of user IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.CaseCollaborator.CaseID | String | The case ID. |
| LogRhythm.CaseCollaborator.owner.number | Number | The ID of the case owner. |
| LogRhythm.CaseCollaborator.owner.name | String | The name of the case owner. |
| LogRhythm.CaseCollaborator.owner.disabled | Boolean | Whether the owner is disabled. |
| LogRhythm.CaseCollaborator.collaborators.number | Number | The case collaborator ID. |
| LogRhythm.CaseCollaborator.collaborators.name | String | The case collaborator name. |
| LogRhythm.CaseCollaborator.collaborators.disabled | Boolean | Whether the case collaborator is disabled. |

Command Example#

!lr-case-collaborators-update case_id=2E7FA20D-191E-4733-B7DC-A18BBFE762CE collaborators=1 owner=1

Context Example#

{
"LogRhythm": {
"CaseCollaborator": {
"CaseID": "2E7FA20D-191E-4733-B7DC-A18BBFE762CE",
"collaborators": [
{
"disabled": false,
"name": "LR Soap API",
"number": 1
}
],
"owner": {
"disabled": false,
"name": "LR Soap API",
"number": 1
}
}
}
}

Human Readable Output#

Case 2E7FA20D-191E-4733-B7DC-A18BBFE762CE updated successfully#

Case owner#

| Disabled | Name | Number |
| --- | --- | --- |
| false | LR Soap API | 1 |

Case collaborators#

| Disabled | Name | Number |
| --- | --- | --- |
| false | LR Soap API | 1 |

lr-entities-list#


Returns all Entities that match the specified criteria.

Base Command#

lr-entities-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| parent_entity_id | Filter by the object parent entity ID. | Optional |
| entity_id | Filter by the entity ID. | Optional |
| offset | The number of entities to skip before starting to collect the result set. Default is 0. | Optional |
| count | The number of entities to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Entity.id | Number | The entity ID. |
| LogRhythm.Entity.name | String | The entity name. |
| LogRhythm.Entity.fullName | String | The entity full name. |
| LogRhythm.Entity.recordStatusName | String | The entity record status. |
| LogRhythm.Entity.shortDesc | String | The entity short description. |
| LogRhythm.Entity.dateUpdated | Date | The date the entity was updated. |

Command Example#

!lr-entities-list count=2

Context Example#

{
"LogRhythm": {
"Entity": [
{
"dateUpdated": "2021-10-12T14:01:21.54Z",
"fullName": "EchoTestEntity",
"id": 2,
"name": "EchoTestEntity",
"recordStatusName": "Active",
"shortDesc": "LogRhythm ECHO"
},
{
"dateUpdated": "2021-10-27T16:27:14.363Z",
"fullName": "Global Entity",
"id": -100,
"name": "Global Entity",
"recordStatusName": "Active",
"shortDesc": "Global entity containing shared network and host records"
}
]
}
}

Human Readable Output#

Entities#

| Id | Name | Full Name | Record Status Name | Short Desc | Date Updated |
| --- | --- | --- | --- | --- | --- |
| 2 | EchoTestEntity | EchoTestEntity | Active | LogRhythm ECHO | 2021-10-12T14:01:21.54Z |
| -100 | Global Entity | Global Entity | Active | Global entity containing shared network and host records | 2021-10-27T16:27:14.363Z |

lr-hosts-list#


Returns all hosts that match the specified criteria.

Base Command#

lr-hosts-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| host_id | Filter by host ID. | Optional |
| host_name | Filter by host name. | Optional |
| entity_name | Filter by entity name. | Optional |
| record_status | Filter by record status. Possible values are: all, active, retired. | Optional |
| offset | The number of hosts to skip before starting to collect the result set. Default is 0. | Optional |
| count | The number of hosts to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Host.id | Number | The host ID. |
| LogRhythm.Host.entity.id | Number | The host entity ID. |
| LogRhythm.Host.entity.name | String | The host entity name. |
| LogRhythm.Host.name | String | The host name. |
| LogRhythm.Host.riskLevel | String | The host risk level. |
| LogRhythm.Host.threatLevel | String | The host threat level. |
| LogRhythm.Host.threatLevelComments | String | The threat level comments. |
| LogRhythm.Host.recordStatusName | String | The host record status name. |
| LogRhythm.Host.hostZone | String | The host zone. |
| LogRhythm.Host.location.id | Number | The host location ID. |
| LogRhythm.Host.os | String | The operating system type supported by LogRhythm. |
| LogRhythm.Host.useEventlogCredentials | Boolean | Whether to use the event log credentials. |
| LogRhythm.Host.osType | String | The agent server type on which the operating system is installed. |
| LogRhythm.Host.dateUpdated | Date | The date the host was updated. |
| LogRhythm.Host.shortDesc | String | The host short description. |
| LogRhythm.Host.osVersion | String | The host operating system version. |
| LogRhythm.Host.hostIdentifiers.type | String | The host identifier type. |
| LogRhythm.Host.hostIdentifiers.value | String | The host identifier value. |
| LogRhythm.Host.hostIdentifiers.dateAssigned | Date | The date the host identifier was assigned. |
| LogRhythm.Host.eventlogPassword | String | The event log password. |

Command Example#

!lr-hosts-list count=2

Context Example#

{
"LogRhythm": {
"Host": [
{
"dateUpdated": "2021-07-27T15:56:14.34Z",
"entity": {
"id": -100,
"name": "Global Entity"
},
"hostIdentifiers": [],
"hostRoles": [],
"hostZone": "Internal",
"id": -1000001,
"location": {
"id": -1
},
"name": "AI Engine Server",
"os": "Unknown",
"osType": "Server",
"recordStatusName": "Active",
"riskLevel": "None",
"threatLevel": "None",
"threatLevelComments": "",
"useEventlogCredentials": false
},
{
"dateUpdated": "2021-07-27T15:56:14.343Z",
"entity": {
"id": 1,
"name": "Primary Site"
},
"hostIdentifiers": [],
"hostRoles": [],
"hostZone": "Internal",
"id": -1000002,
"location": {
"id": -1
},
"name": "AI Engine Server",
"os": "Unknown",
"osType": "Server",
"recordStatusName": "Active",
"riskLevel": "None",
"threatLevel": "None",
"threatLevelComments": "",
"useEventlogCredentials": false
}
]
}
}

Human Readable Output#

Hosts#

| Date Updated | Entity | Host Identifiers | Host Roles | Host Zone | Id | Location | Name | Os | Os Type | Record Status Name | Risk Level | Threat Level | Threat Level Comments | Use Eventlog Credentials |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-07-27T15:56:14.34Z | id: -100; name: Global Entity | | | Internal | -1000001 | id: -1 | AI Engine Server | Unknown | Server | Active | None | None | | false |
| 2021-07-27T15:56:14.343Z | id: 1; name: Primary Site | | | Internal | -1000002 | id: -1 | AI Engine Server | Unknown | Server | Active | None | None | | false |

lr-users-list#
Returns user records based on the permissions of the currently logged in user and the specified criteria.

Base Command#

lr-users-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_ids | A comma-separated list of user IDs. | Optional |
| entity_ids | A comma-separated list of entity IDs. | Optional |
| user_status | Filter by user status. Possible values are: Active, Retired. | Optional |
| offset | The number of users to skip before starting to collect the result set. Default is 0. | Optional |
| count | The number of users to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.User.firstName | String | The user first name. |
| LogRhythm.User.lastName | String | The user last name. |
| LogRhythm.User.userType | String | The user type. |
| LogRhythm.User.fullName | String | The user full name. |
| LogRhythm.User.objectPermissions.readAccess | String | The user read access permissions. |
| LogRhythm.User.objectPermissions.writeAccess | String | The user write access permissions. |
| LogRhythm.User.objectPermissions.entity.id | Number | The user permissions entity ID. |
| LogRhythm.User.objectPermissions.entity.name | String | The user permissions entity name. |
| LogRhythm.User.objectPermissions.owner.id | Number | The user permissions owner ID. |
| LogRhythm.User.objectPermissions.owner.name | String | The user permissions owner name. |
| LogRhythm.User.id | Number | The user ID. |
| LogRhythm.User.recordStatusName | String | The user record status. |
| LogRhythm.User.dateUpdated | Date | The date the user was updated. |

Command Example#

!lr-users-list count=2

Context Example#

{
"LogRhythm": {
"User": [
{
"dateUpdated": "2021-07-27T20:38:31.443Z",
"firstName": "",
"fullName": "LR Soap API",
"id": 1,
"lastName": "",
"objectPermissions": {
"entity": {
"id": 1,
"name": "Primary Site"
},
"owner": {
"id": -100,
"name": "LogRhythmAdmin"
},
"readAccess": "PublicGlobalAdmin",
"writeAccess": "PublicGlobalAdmin"
},
"recordStatusName": "Active",
"userType": "Role"
},
{
"dateUpdated": "2021-07-27T15:07:47.05Z",
"firstName": "LogRhythm",
"fullName": "LogRhythm Analyst",
"id": -101,
"lastName": "Analyst",
"objectPermissions": {
"entity": {
"id": -100,
"name": "Global Entity"
},
"owner": {
"id": -100,
"name": "LogRhythmAdmin"
},
"readAccess": "PublicAll",
"writeAccess": "PublicGlobalAdmin"
},
"recordStatusName": "Active",
"userType": "Role"
}
]
}
}

Human Readable Output#

Users#

| Id | Full Name | User Type | First Name | Last Name | Record Status Name | Date Updated | Object Permissions |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | LR Soap API | Role | | | Active | 2021-07-27T20:38:31.443Z | readAccess: PublicGlobalAdmin; writeAccess: PublicGlobalAdmin; entity: {"id": 1, "name": "Primary Site"}; owner: {"id": -100, "name": "LogRhythmAdmin"} |
| -101 | LogRhythm Analyst | Role | LogRhythm | Analyst | Active | 2021-07-27T15:07:47.05Z | readAccess: PublicAll; writeAccess: PublicGlobalAdmin; entity: {"id": -100, "name": "Global Entity"}; owner: {"id": -100, "name": "LogRhythmAdmin"} |

lr-lists-get#
Returns list details using the filter criteria.

Base Command#

lr-lists-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| list_type | The list type. Possible values are: None, Application, Classification, CommonEvent, Host, Location, MsgSource, MsgSourceType, MPERule, Network, User, GeneralValue, Entity, RootEntity, IP, IPRange, Identity. | Optional |
| list_name | The name of the object or a regex to match it. | Optional |
| can_edit | Specifies whether Write Only (true) or Read Only (false) lists are required for a user. Possible values are: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.List.listType | String | The list type. |
| LogRhythm.List.status | String | The list status. |
| LogRhythm.List.name | String | The list name. |
| LogRhythm.List.shortDescription | String | The list short description. |
| LogRhythm.List.useContext | String | The use context type. |
| LogRhythm.List.autoImportOption.enabled | Boolean | Whether the list auto import is enabled. |
| LogRhythm.List.autoImportOption.usePatterns | Boolean | Whether the auto import use patterns option is enabled. |
| LogRhythm.List.autoImportOption.replaceExisting | Boolean | Whether the auto import replace existing option is enabled. |
| LogRhythm.List.id | Number | The list ID. |
| LogRhythm.List.guid | String | The list GUID. |
| LogRhythm.List.dateCreated | Date | The date the list was created. |
| LogRhythm.List.dateUpdated | Date | The date the list was updated. |
| LogRhythm.List.readAccess | String | The read permission level. |
| LogRhythm.List.writeAccess | String | The write permission level. |
| LogRhythm.List.restrictedRead | Boolean | Whether the list is read restricted. |
| LogRhythm.List.entityName | String | The list entity name. |
| LogRhythm.List.entryCount | Number | The list entry count. |
| LogRhythm.List.needToNotify | Boolean | Whether the list will notify the user when updated. |
| LogRhythm.List.doesExpire | Boolean | Whether the list expires. |
| LogRhythm.List.owner | Number | The ID of the list owner. |
| LogRhythm.List.longDescription | String | The list long description. |
| LogRhythm.List.timeToLiveSeconds | Number | The list time to live in seconds. |
| LogRhythm.List.revisitDate | Date | The list revisit date. |
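
As an added example (not part of the integration's own code), the following Python reviews the LogRhythm.List context documented above for hygiene problems a detection engineer cares about: lists an AIE rule depends on that hold no entries, lists anyone can write to, unattended auto-imports that replace the whole list, and lists whose entries expire. It assumes that a longDescription naming an "AIE Rule" means a rule depends on the list, and that "PublicAll" is a possible writeAccess value; the sample context is a trimmed copy of this page's example with its last record altered to exercise every check.

```python
import json

# Constructed sample: a trimmed copy of the LogRhythm.List context shown on this
# page. The last record is ALTERED (auto-import on, writeAccess "PublicAll") so
# every check below has something to flag; it is not what the page returned.
SAMPLE_CONTEXT = json.loads(r"""
{"LogRhythm": {"List": [
  {"autoImportOption": {"enabled": false, "replaceExisting": false, "usePatterns": false},
   "doesExpire": false, "entityName": "Global Entity", "entryCount": 0, "id": -1000130,
   "listType": "GeneralValue", "name": "Windows System32 Hashes",
   "shortDescription": "Hashes of executables in the %systemroot%\\system32 directory.",
   "readAccess": "PublicAll", "restrictedRead": false, "status": "Active",
   "useContext": ["Hash"], "writeAccess": "PublicGlobalAdmin"},
  {"autoImportOption": {"enabled": false, "replaceExisting": false, "usePatterns": false},
   "doesExpire": true, "entityName": "Global Entity", "entryCount": 0, "id": -1000001,
   "listType": "Identity", "name": "CloudAI: Ignore for 24 Hours",
   "readAccess": "PublicAll", "restrictedRead": false, "status": "Active",
   "timeToLiveSeconds": 86400, "useContext": ["None"], "writeAccess": "PublicGlobalAdmin"},
  {"autoImportOption": {"enabled": false, "replaceExisting": false, "usePatterns": false},
   "doesExpire": false, "entityName": "Global Entity", "entryCount": 0, "id": -2077,
   "listType": "Network", "name": "PCI-DSS: DMZ Environment List",
   "longDescription": "This list is used in the following package elements: \r\nPCI-DSS: Denied DMZ => Internal Comm AIE Rule\r\n",
   "readAccess": "PublicAll", "restrictedRead": false, "status": "Active",
   "useContext": ["None"], "writeAccess": "PublicGlobalAdmin"},
  {"autoImportOption": {"enabled": true, "replaceExisting": true, "usePatterns": false},
   "doesExpire": false, "entityName": "Global Entity", "entryCount": 1, "id": -2058,
   "listType": "Application", "name": "PCI-DSS: Allowed CDE => Internet App List",
   "longDescription": "This list is used in the following package elements: \r\nPCI-DSS: Invalid CDE => Internet Comm AIE Rule\r\n",
   "readAccess": "PublicAll", "restrictedRead": false, "status": "Active",
   "useContext": ["None"], "writeAccess": "PublicAll"}
]}}
""")


def referenced_by_aie_rule(lst: dict) -> bool:
    """Heuristic (assumption): the package description names at least one AIE rule."""
    return "AIE Rule" in lst.get("longDescription", "")


def audit_lists(context: dict) -> dict:
    """Walk LogRhythm.List entries and return four kinds of findings.

    empty_rule_inputs: an AIE rule depends on the list but it has no entries,
                       so the rule can never match (the compliance content is inert);
    wide_write:        writeAccess is "PublicAll", so any user can change what a
                       detection matches on;
    unattended_import: auto-import is enabled with replaceExisting, so whoever
                       controls the import file controls the whole list;
    expiring:          (name, TTL in hours) for lists whose entries age out.
    """
    findings = {"empty_rule_inputs": [], "wide_write": [],
                "unattended_import": [], "expiring": []}
    for lst in context.get("LogRhythm", {}).get("List", []):
        name = lst["name"]
        if lst.get("entryCount", 0) == 0 and referenced_by_aie_rule(lst):
            findings["empty_rule_inputs"].append(name)
        if lst.get("writeAccess") == "PublicAll":
            findings["wide_write"].append(name)
        opt = lst.get("autoImportOption", {})
        if opt.get("enabled") and opt.get("replaceExisting"):
            findings["unattended_import"].append(name)
        ttl = lst.get("timeToLiveSeconds")
        if lst.get("doesExpire") and ttl is not None:
            findings["expiring"].append((name, ttl / 3600))
    return findings


def render(findings: dict) -> str:
    """Plain-text report, one heading per finding type, for a War Room entry."""
    lines = []
    for kind, items in findings.items():
        lines.append(f"## {kind} ({len(items)})")
        for item in items:
            lines.append(f"- {item[0]} (TTL {item[1]:g} h)" if isinstance(item, tuple)
                         else f"- {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit_lists(SAMPLE_CONTEXT)))
```

Feed it the real `LogRhythm.List` context from `!lr-lists-get` instead of SAMPLE_CONTEXT to run the same review against a live deployment.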

Command Example#

!lr-lists-get

Context Example#

{
"LogRhythm": {
"List": [
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2019-11-05T04:11:38.303Z",
"dateUpdated": "2021-07-27T16:03:30.617Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "B1E34445-2693-411E-8BE2-9B97AFFF20A9",
"id": -1000130,
"listType": "GeneralValue",
"name": "Windows System32 Hashes",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Hashes of executables in the %systemroot%\\system32 directory. Use Case: Masquerading technique in MITRE ATT&CK",
"status": "Active",
"useContext": [
"Hash"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-07-27T15:07:50.893Z",
"dateUpdated": "2021-07-27T15:07:50.893Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F205DE21-9F73-462E-8F83-DE64CAD2A401",
"id": -1000001,
"listType": "Identity",
"longDescription": "Anomaly scores from CloudAI will not be displayed for the identities in this list. Identities added to this list will automatically expire 24 hours after they are added.",
"name": "CloudAI: Ignore for 24 Hours",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Anomaly scores from CloudAI will not be displayed for the identities in this list. Identities added to this list will automatically expire 24 hours after they are added.",
"status": "Active",
"timeToLiveSeconds": 86400,
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-07-27T15:07:50.893Z",
"dateUpdated": "2021-07-27T15:07:50.893Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "5A2E34FB-3AD1-44CB-8E5F-643CAEDD1EC2",
"id": -1000000,
"listType": "Identity",
"longDescription": "Identities monitored by CloudAI",
"name": "CloudAI: Monitored Identities",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Identities monitored by CloudAI",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2015-06-06T00:15:20.033Z",
"dateUpdated": "2021-07-27T16:03:30.627Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "6B9A54EF-70C9-49E0-B051-75C363178603",
"id": -2389,
"listType": "MsgSource",
"longDescription": "This list will need to capture all related systems according to their classification as high, medium, or low impacts within the environment. \r\n\r\nThis list is used in the following:\r\n(Reports)\r\nNERC-CIP: Access Failure Summary\r\nNERC-CIP: Default Act Auth/Accs Success Summary\r\nNERC-CIP: Default Act Management Summary\r\nNERC-CIP: Host Authentication Success Summary\r\nNERC-CIP: Non-encrypted protocol\r\nNERC-CIP: Priv Act Auth/Accs Success Summary\r\nNERC-CIP: Priv Act Management Summary\r\nNERC-CIP: Shared Act Auth/Accs Success Summary\r\nNERC-CIP: Shared Act Management Summary\r\nNERC-CIP: Suspicious Activity Summary\r\nNERC-CIP: Term Act Auth/Accs Success Summary\r\nNERC-CIP: Term Act Management Summary\r\nNERC-CIP: Vendor Act Auth/Accs Success Summary\r\nNERC-CIP: Vendor Act Management Summary\r\nNERC-CIP: VPN Node Registration Failure (Auth)\r\nNERC-CIP: VPN Node Registration Failure (un-Auth)\r\n(Investigation)\r\nNERC-CIP: Access Failure Detail\r\nNERC-CIP: Host Authentication Success Detail\r\nNERC-CIP: Priv Group Access Granted Detail\r\nNERC-CIP: Rogue WAP Detected Detail\r\nNERC-CIP: Suspicious Activity Detail\r\nNERC-CIP: VPN Node Registration Failure Detail (Auth)\r\nNERC-CIP: VPN Node Registration Failure Detail (un- Auth)\r\nNERC-CIP: Windows Firewall Change Detail\r\n(AIE Rules)\r\nNERC-CIP: Account Locked or Disabled Rule\r\nNERC-CIP: Attack Detected Rule\r\nNERC-CIP: Compromise Detected Rule\r\nNERC-CIP: Concur VPN From Multiple Country\r\nNERC-CIP: Concur VPN Same User\r\nNERC-CIP: Concurrent VPN From Multiple Cities\r\nNERC-CIP: Concurrent VPN From Multiple Region\r\nNERC-CIP: Config/Policy Change\r\nNERC-CIP: Data Destruction Rule\r\nNERC-CIP: Data Exfiltration Rule\r\nNERC-CIP: Data Loss Prevention Rule\r\nNERC-CIP: ESP Network Allow Egress Rule\r\nNERC-CIP: ESP Network Allow Ingress Rule\r\nNERC-CIP: ESP Network Denied Egress Rule\r\nNERC-CIP: ESP Network Denied Ingress Rule\r\nNERC-CIP: Malware Detected Rule\r\nNERC-CIP: Port Misuse: FTP\r\nNERC-CIP: Port Misuse: HTTP \r\nNERC-CIP: Port Misuse: SSH In\r\nNERC-CIP: Port Misuse: S",
"name": "NERC-CIP: Electronic Security Perimeter",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This log source list represents various network related systems such as security perimeter enforcing devices (i.e. IPS, firewalls), security perimeter monitoring devices (i.e. IDS), VPNs, wireless access points, remote access devices, anti-malware, etc. ",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2015-06-05T21:31:30.7Z",
"dateUpdated": "2021-07-27T16:03:30.64Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F7A6369A-33C3-4249-91EF-6710E13F48F6",
"id": -2379,
"listType": "MsgSource",
"longDescription": "This list will need to capture all related systems according to their classification as high, medium, or low impacts within the environment. \r\n\r\nThis list is used in the following:\r\n(Reports)\r\nNERC-CIP: Access Failure Summary\r\nNERC-CIP: Authentication Failure Summary\r\nNERC-CIP: Change in Software Config (Linux)\r\nNERC-CIP: Change in Software Config (Windows)\r\nNERC-CIP: Default Act Auth/Accs Success Summary\r\nNERC-CIP: Default Act Management Summary\r\nNERC-CIP: Failed File Access (Linux)\r\nNERC-CIP: Failed File Access (Windows)\r\nNERC-CIP: Host Authentication Success Summary\r\nNERC-CIP: Object Creation/Disposal Summary\r\nNERC-CIP: Priv Act Auth/Accs Success Summary\r\nNERC-CIP: Priv Act Management Summary\r\nNERC-CIP: Shared Act Auth/Accs Success Summary\r\nNERC-CIP: Shared Act Management Summary\r\nNERC-CIP: Suspicious Activity Summary\r\nNERC-CIP: Term Act Auth/Accs Success Summary\r\nNERC-CIP: Term Act Management Summary\r\nNERC-CIP: Vendor Act Auth/Accs Success Summary\r\nNERC-CIP: Vendor Act Management Summary\r\n (Investigation)\r\nNERC-CIP: Access Failure Detail\r\nNERC-CIP: Host Authentication Success Detail\r\nNERC-CIP: Priv Group Access Granted Detail\r\nNERC-CIP: Suspicious Activity Detail\r\n (AIE Rules)\r\nNERC-CIP: Account Locked or Disabled Rule\r\nNERC-CIP: Attack Detected Rule\r\nNERC-CIP: Compromise Detected Rule\r\nNERC-CIP: Concur VPN From Multiple Country\r\nNERC-CIP: Concur VPN Same User\r\nNERC-CIP: Concurrent VPN From Multiple Cities\r\nNERC-CIP: Concurrent VPN From Multiple Region\r\nNERC-CIP: Config/Policy Change\r\nNERC-CIP: Data Destruction Rule\r\nNERC-CIP: Data Exfiltration Rule\r\nNERC-CIP: Data Loss Prevention Rule\r\nNERC-CIP: ESP Network Allow Egress Rule\r\nNERC-CIP: ESP Network Allow Ingress Rule\r\nNERC-CIP: ESP Network Denied Egress Rule\r\nNERC-CIP: ESP Network Denied Ingress Rule\r\nNERC-CIP: Malware Detected Rule\r\nNERC-CIP: Port Misuse: FTP\r\nNERC-CIP: Port Misuse: HTTP \r\nNERC-CIP: Port Misuse: SSH In\r\nNERC-CIP: Port Misuse: SSH Out\r\nNERC-CIP: Rogue WAP Detected Rule\r\nNERC-CIP: Software Instal",
"name": "NERC-CIP: BES Cyber Systems",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This log source list represents various BES Cyber Assets related to IT operations that reflect groupings of the BES Cyber System(s)",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T03:39:14.56Z",
"dateUpdated": "2021-07-27T16:03:30.663Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "4E629B5B-7D5D-447B-B672-BBCAF8E32E37",
"id": -2085,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Invalid DMZ => Internal Comm AIE Rule\n\r\nPCI-DSS: Invalid DMZ => Internal Comm Details\r\n\nPCI-DSS: Invalid DMZ => Internal Comm Summary\r\n\nPCI-DSS: Invalid DMZ => Internal Comm Detail\n\r\n",
"name": "PCI-DSS: Allowed DMZ => Internal App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the demilitarized zone environment to the internal network.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:43:14.257Z",
"dateUpdated": "2021-07-27T16:03:30.683Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "AFD1ACEB-A5CB-4EE7-BB46-331CE023F750",
"id": -2078,
"listType": "Network",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Internal Communication\r\nPCI-DSS: Denied Intrn => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Intrn => Intrn Comm Detail\n\r\nPCI-DSS: Denied Intrn => Intrn Comm Details\r\nPCI-DSS: Denied Intrn => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Intrn => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Intrn => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Intrn => Intrn Comm Details\n\r\nPCI-DSS: Invalid Intrn => Intrn Comm Summary\r\n\nPCI-DSS: Denied Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Inet => Intrn Comm Detail\n\r\nPCI-DSS: Denied Inet => Intrn Comm Details\r\nPCI-DSS: Denied Inet => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Inet => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Details\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Summary\r\nPCI-DSS: Denied Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Inet => Intrn Comm Detail\n\r\nPCI-DSS: Denied Inet => Intrn Comm Details\r\nPCI-DSS: Denied Inet => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Inet => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Inet => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Details\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Summary\r\n\nPCI-DSS: Denied Test => Intrn Comm AIE Rule\r\nPCI-DSS: Denied Test => Intrn Comm Detail\n\r\nPCI-DSS: Denied Test => Intrn Comm Details\r\nPCI-DSS: Denied Test => Intrn Comm Summary\r\n\n\nPCI-DSS: Invalid Test => Intrn Comm AIE Rule\r\nPCI-DSS: Invalid Test => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Test => Intrn Comm Details\n\r\nPCI-DSS: Invalid Test => Intrn Comm Summary\n",
"name": "PCI-DSS: Internal Environment List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with internal IP addresses of your entire internal network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:29:50.9Z",
"dateUpdated": "2021-07-27T16:03:30.7Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "2A5E5FCE-1FEF-4A7A-A827-93B7676028EA",
"id": -2077,
"listType": "Network",
"longDescription": "This list is used in the following package elements: \r\nPCI-DSS: DMZ Communication\r\nPCI-DSS: DMZ Communication Detail\r\nPCI-DSS: Denied DMZ => Internal Comm AIE Rule\r\nPCI-DSS: Denied DMZ => Internal Comm Details\r\nPCI-DSS: Denied DMZ => Internal Comm Summary\r\nPCI-DSS: Denied DMZ => Internal Comm Detail\r\nPCI-DSS: Denied Internet => DMZ Comm AIE Rule\r\nPCI-DSS: Denied Internet => DMZ Comm Details\r\nPCI-DSS: Denied Internet => DMZ Comm Summary\r\nPCI-DSS: Denied Internet => DMZ Comm Detail\r\nPCI-DSS: Invalid DMZ => Internal Comm AIE Rule\r\nPCI-DSS: Invalid DMZ => Internal Comm Details\r\nPCI-DSS: Invalid DMZ => Internal Comm Summary\r\nPCI-DSS: Invalid DMZ => Internal Comm Detail\r\nPCI-DSS: Invalid Internet => DMZ Comm AIE Rule\r\nPCI-DSS: Invalid Internet => DMZ Comm Details\r\nPCI-DSS: Invalid Internet => DMZ Comm Summary\r\nPCI-DSS: Invalid Internet => DMZ Comm Detail\r\n",
"name": "PCI-DSS: DMZ Environment List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with internal IP addresses of your demilitarized zone network.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:22:50.693Z",
"dateUpdated": "2021-07-27T16:03:30.713Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "4CAB138D-9BD4-4ED4-AB4E-FF5F48D4BC3E",
"id": -2076,
"listType": "Network",
"longDescription": "This list is used in the following package elements: \n\r\nPCI-DSS: CDE Communication \r\n\nPCI-DSS: Denied CDE => Internet Comm AIE Rule\n\r\nPCI-DSS: Denied CDE => Internet Comm Detail\n\r\nPCI-DSS: Denied CDE => Internet Comm Details\r\n\nPCI-DSS: Denied CDE => Internet Comm Summary\r\n\nPCI-DSS: Denied Internet => CDE Comm AIE Rule\n\r\nPCI-DSS: Denied Internet => CDE Comm Detail\n\r\nPCI-DSS: Denied Internet => CDE Comm Details\r\n\nPCI-DSS: Denied Internet => CDE Comm Summary\r\n\nPCI-DSS: Denied Wireless => CDE Comm AIE Rule\n\r\nPCI-DSS: Denied Wireless => CDE Comm Detail\n\r\nPCI-DSS: Denied Wireless => CDE Comm Details\r\n\nPCI-DSS: Denied Wireless => CDE Comm Summary\r\n\nPCI-DSS: Invalid CDE => Internet Comm AIE Rule\n\r\nPCI-DSS: Invalid CDE => Internet Comm Detail\n\r\nPCI-DSS: Invalid CDE => Internet Comm Details\n\r\nPCI-DSS: Invalid CDE => Internet Comm Summary\n\r\nPCI-DSS: Invalid Internet => CDE Comm AIE Rule\n\r\nPCI-DSS: Invalid Internet => CDE Comm Detail\n\r\nPCI-DSS: Invalid Internet => CDE Comm Details\r\n\nPCI-DSS: Invalid Internet => CDE Comm Summary\r\n\nPCI-DSS: Invalid Wireless => CDE Comm AIE Rule\r\n\nPCI-DSS: Invalid Wireless => CDE Comm Detail\r\n\nPCI-DSS: Invalid Wireless => CDE Comm Details\r\n\nPCI-DSS: Invalid Wireless => CDE Comm Summary\n\r\n",
"name": "PCI-DSS: Cardholder Data Environment List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with internal IP addresses of your cardholder data.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T02:10:32.13Z",
"dateUpdated": "2021-07-27T16:03:30.723Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "76B503F9-7F63-4EBC-B06F-0AB083ECDCF1",
"id": -2073,
"listType": "MsgSource",
"longDescription": "This list is used in many of the package elements covering network security system including: \r\nfirewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning.",
"name": "PCI-DSS: Network Security Systems",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with network security systems (firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, vulnerability scanning) on the network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:31:39.017Z",
"dateUpdated": "2021-07-27T16:03:30.733Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "EAAC1F68-44F7-477E-BBB5-CFAEF5AEDBF6",
"id": -2063,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \n\r\nPCI-DSS: Invalid Inet => Intrn Comm AIE Rule\r\n\nPCI-DSS: Invalid Inet => Intrn Comm Detail\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Details\n\r\nPCI-DSS: Invalid Inet => Intrn Comm Summary\n\r\n\r\n",
"name": "PCI-DSS: Allowed Internet => Internal App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet environment to the internal environment network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:29:15.183Z",
"dateUpdated": "2021-07-27T16:03:30.74Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "3D987185-2C72-4AE0-B453-FB27E8412510",
"id": -2062,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Invalid Internet => DMZ Comm AIE Rule\n\r\nPCI-DSS: Invalid Internet => DMZ Comm Details\n\r\nPCI-DSS: Invalid Internet => DMZ Comm Summary\n\r\nPCI-DSS: Invalid Internet => DMZ Comm Detail\n\r\n",
"name": "PCI-DSS: Allowed Internet => DMZ App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet to the demilitarized zone environment network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:27:14.477Z",
"dateUpdated": "2021-07-27T16:03:30.757Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "8A030E0F-870C-4F59-A5DD-28F8572723DD",
"id": -2061,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \n\r\nPCI-DSS: Invalid Internet => CDE Comm AIE Rule\n\r\nPCI-DSS: Invalid Internet => CDE Comm Details\n\r\nPCI-DSS: Invalid Internet => CDE Comm Summary\r\n\nPCI-DSS: Invalid Internet => CDE Comm Detail\n\r\n\r\n",
"name": "PCI-DSS: Allowed Internet => CDE App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet to the internal cardholder data environment network.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2012-06-14T00:18:04.5Z",
"dateUpdated": "2021-08-09T05:25:25.377Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 1,
"guid": "DBA00254-D606-43D0-B291-EF38DA092DB3",
"id": -2058,
"listType": "Application",
"longDescription": "This list is used in the following package elements: \r\n\nPCI-DSS: Invalid CDE => Internet Comm AIE Rule\r\n\nPCI-DSS: Invalid CDE => Internet Comm Detail\n\r\nPCI-DSS: Invalid CDE => Internet Comm Details\n\r\nPCI-DSS: Invalid CDE => Internet Comm Summary\r\n",
"name": "PCI-DSS: Allowed CDE => Internet App List",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "This list should be populated with the impacted applications, ports, and protocols which are allowed from the cardholder data environment network to the external internet.\r\n",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T06:13:01.05Z",
"dateUpdated": "2021-07-27T16:03:30.78Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "642A7B7B-274E-4A66-9FBD-E4EC1CFC2404",
"id": -2031,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from workstations that store or process data applicable to compliance regulations. Examples include personal computers, notebooks, netbooks, tablet PCs, and publicly accessible systems such as kiosks. Virtualized application servers may also qualify as a workstation log source.",
"name": "NRC: Workstations",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T06:09:16.99Z",
"dateUpdated": "2021-07-27T16:03:30.79Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "229E1613-221C-4961-90F6-0B19B282B80F",
"id": -2027,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from production servers that store or process data applicable to compliance regulations. Examples include servers that store/process financial data, customer data, and employee data.",
"name": "NRC: Production Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T00:43:04.903Z",
"dateUpdated": "2021-07-27T16:03:30.8Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F0F6C2E0-5EBD-41D8-B64E-3D67E649B2F1",
"id": -2023,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from workstations that store or process data applicable to compliance regulations. Examples include personal computers, notebooks, netbooks, tablet PCs, and publicly accessible systems such as kiosks. Virtualized application servers may also qualify as a workstation log source.",
"name": "NEI: Workstations",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2011-12-14T00:39:35.59Z",
"dateUpdated": "2021-07-27T16:03:30.81Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "35EB656F-CEB0-498D-B684-9E97B325B14B",
"id": -2019,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from production servers that store or process data applicable to compliance regulations. Examples include servers that store/process financial data, customer data, and employee data.",
"name": "NEI: Production Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:21:23.91Z",
"dateUpdated": "2021-07-27T16:03:30.817Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "48555D7B-0BEB-43F0-B758-29D7838B0907",
"id": -1049,
"listType": "MsgSource",
"longDescription": "Populate with all production data loss prevention devices, including LogRhythm Data Loss Defender.",
"name": "QsEMP: Data Loss Prevention",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production data loss prevention devices, including LogRhythm Data Loss Defender.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:20:56.847Z",
"dateUpdated": "2021-07-27T16:03:30.827Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "280E2A9C-EB0C-4CCC-9776-FE1C164B8C5D",
"id": -1048,
"listType": "MsgSource",
"longDescription": "Populate with the system and audit logs of all production UNIX and Linux servers, as well as LogRhythm User Activity Monitor and Network Connection Monitor for production agents.",
"name": "QsEMP: Production *NIX Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System and audit logs of production UNIX and Linux servers. LogRhythm User Activity Monitor and Network Connection Monitor for production agents.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:20:34.41Z",
"dateUpdated": "2021-07-27T16:03:30.84Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "60390FB9-0419-4A01-A517-611098B9171E",
"id": -1047,
"listType": "MsgSource",
"longDescription": "Populate with the System, Application, and Security Event Logs of all production Windows Servers, as well as LogRhythm User Activity Monitor, Process Monitor and Network Connection Monitor for production agents.",
"name": "QsEMP: Production Windows Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System, Application, and Security Event Logs of production Windows Servers. LogRhythm User Activity Monitor, Process Monitor and Network Connection Monitor for production agents.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:20:10.877Z",
"dateUpdated": "2021-07-27T16:03:30.85Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "A55CE990-D057-4760-9845-2E9CD173FE5B",
"id": -1046,
"listType": "MsgSource",
"longDescription": "Populate with the system logs of all production routers and switches.",
"name": "QsEMP: Production Routers and Switches",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System logs of all production routers and switches.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:19:46.61Z",
"dateUpdated": "2021-07-27T16:03:30.86Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "AE1EDD58-9DE0-4E72-BC87-A4939D9CA0B7",
"id": -1045,
"listType": "MsgSource",
"longDescription": "Populate with the system logs of all production firewalls.",
"name": "QsEMP: Production Firewalls",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System logs of all production firewalls.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:19:25.033Z",
"dateUpdated": "2021-07-27T16:03:30.867Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "6658537A-358C-435F-8451-B02440B6C50B",
"id": -1044,
"listType": "MsgSource",
"longDescription": "Populate with the system or application logs of all devices providing malware detection capabilities. This includes anti-virus, spyware, and general malware detection software and central servers.",
"name": "QsEMP: Production Malware Detection Devices",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System or application logs of devices providing malware detection capabilities. Examples: anti-virus, spyware, general malware detection software and central servers.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-08-16T20:18:57.753Z",
"dateUpdated": "2021-07-27T16:03:30.877Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "DE466E5C-19D6-46B5-936C-7A7E5ADFB03E",
"id": -1043,
"listType": "MsgSource",
"longDescription": "Populate with the system logs of all devices with intrusion detection or prevention capabilities. This typically includes IDS/IPS devices, but may also include firewalls and UTM devices that include these capabilities.",
"name": "QsEMP: Production IDS/IPS Devices",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "System logs of devices with intrusion detection or prevention capabilities. Examples: firewalls and UTM devices that include these capabilities.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-02-25T00:42:26.083Z",
"dateUpdated": "2021-07-27T16:03:30.887Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "41BCC625-7E73-4603-8B39-AE1E6DEEDC18",
"id": -1038,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from workstations that store or process data applicable to compliance regulations. Examples include personal computers, notebooks, netbooks, tablet PCs, and publicly accessible systems such as kiosks. Virtualized application servers may also qualify as a workstation log source.",
"name": "FISMA: Workstations",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2010-02-25T00:41:57.283Z",
"dateUpdated": "2021-07-27T16:03:30.9Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "BF568BD1-E69E-4377-BB7F-2BD5FEE593A0",
"id": -1037,
"listType": "MsgSource",
"longDescription": "This list should contain all log sources from production servers that store or process data applicable to compliance regulations. Examples include servers that store/process financial data, customer data, and employee data.",
"name": "FISMA: Production Servers",
"needToNotify": false,
"owner": -1000000,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data.",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicGlobalAdmin"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-08-09T05:04:50.927Z",
"dateUpdated": "2021-08-09T05:35:48.757Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 0,
"guid": "2D0073F7-DB6A-4751-91E7-38272D12C737",
"id": 2001,
"listType": "Network",
"name": "test list",
"needToNotify": false,
"owner": -100,
"readAccess": "PublicAll",
"restrictedRead": false,
"shortDescription": "test for logrhythm integration",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-08-09T05:41:30.443Z",
"dateUpdated": "2021-10-27T16:27:32.467Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 2,
"guid": "EA778B8F-20CA-4413-9A2D-CF69FB536793",
"id": 2002,
"listType": "Application",
"name": "test list 2",
"needToNotify": false,
"owner": -100,
"readAccess": "Private",
"restrictedRead": false,
"revisitDate": "2031-10-27T16:27:32.467Z",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T14:09:10.093Z",
"dateUpdated": "2021-09-29T14:09:10.093Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "15C307AE-CDA6-4BA0-A605-F3FAE5215C1B",
"id": 2003,
"listType": "Application",
"name": "test",
"needToNotify": true,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T14:51:55.337Z",
"dateUpdated": "2021-09-29T14:51:55.337Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "B8D0E804-928A-492E-85FF-4E2940BB8B3C",
"id": 2004,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T14:53:03.013Z",
"dateUpdated": "2021-10-27T13:51:08.88Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "1120112E-4743-4BE8-BF95-ADE3252CB915",
"id": 2005,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:03:03.84Z",
"dateUpdated": "2021-09-29T15:03:03.84Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "7C8B63A6-68D3-4B1C-AD95-06125A77CF99",
"id": 2006,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:03:07.51Z",
"dateUpdated": "2021-09-29T15:03:07.51Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F52EDC03-ECED-4683-86E9-4783409D1C92",
"id": 2007,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:06:38.853Z",
"dateUpdated": "2021-09-29T15:06:38.853Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "A2D11D2A-3017-4216-870E-6F3E1E5682BF",
"id": 2008,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:10:14.497Z",
"dateUpdated": "2021-09-29T15:10:14.497Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "325E81FC-2D62-461B-BB7C-5C9169600C97",
"id": 2009,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:10:17.113Z",
"dateUpdated": "2021-09-29T15:10:17.113Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "D3EA4CDC-5A58-4D60-8CAB-096B466AE4B7",
"id": 2010,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:10:17.98Z",
"dateUpdated": "2021-09-29T15:10:17.98Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "8BC72673-1C8C-4B26-BB21-E65AA908A4EF",
"id": 2011,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:10:18.923Z",
"dateUpdated": "2021-09-29T15:10:18.923Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "A927EB2E-8850-46A0-9798-E2C3B8C6C4F6",
"id": 2012,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:10:55.743Z",
"dateUpdated": "2021-09-29T15:10:55.743Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "D0D70666-1BF2-4C34-A10A-F4C131C76687",
"id": 2013,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:11:03.187Z",
"dateUpdated": "2021-09-29T15:11:03.187Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "CBC412AE-F98C-4CE9-A290-B36C0D3344E4",
"id": 2014,
"listType": "Application",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:11:05.657Z",
"dateUpdated": "2021-09-29T15:11:05.657Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F4CB25B5-F190-482C-A82D-B3C4AF4BCAAE",
"id": 2015,
"listType": "Application",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:13:22.533Z",
"dateUpdated": "2021-09-29T15:13:22.533Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F9597684-1119-42B9-911C-0114968D402E",
"id": 2016,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-09-29T15:13:40Z",
"dateUpdated": "2021-09-29T15:13:40Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "4CBB4771-0A44-4B8B-BF05-DD832369A864",
"id": 2017,
"listType": "Application",
"name": "test1",
"needToNotify": true,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-05T07:44:41.107Z",
"dateUpdated": "2021-10-05T07:44:41.107Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "B21EA8F5-3031-42B5-8410-F6AEE42B8E42",
"id": 2018,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-05T07:45:20.603Z",
"dateUpdated": "2021-10-05T07:45:20.603Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "3624C3B7-04E5-4820-BF93-3D22D2DDEF96",
"id": 2019,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-05T07:45:24.86Z",
"dateUpdated": "2021-10-05T07:45:24.86Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "D73FEF9B-D9BA-4C1E-8C6A-A5A15EB9F657",
"id": 2020,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-05T07:56:28.223Z",
"dateUpdated": "2021-10-05T07:56:28.223Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "DA3B78E8-A0EF-4BEC-A41D-0671D509A56D",
"id": 2021,
"listType": "User",
"name": "tesl list",
"needToNotify": false,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-05T08:03:35.007Z",
"dateUpdated": "2021-10-05T08:03:35.007Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "43BC3DD5-00B9-4F3D-9A6E-B01F96560B46",
"id": 2022,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": false
},
"dateCreated": "2021-10-05T08:04:27.267Z",
"dateUpdated": "2021-10-05T08:04:27.27Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "2888D7FD-1C6F-40E0-AAB7-AF292BCB8A3D",
"id": 2023,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": false
},
"dateCreated": "2021-10-05T08:04:37.11Z",
"dateUpdated": "2021-10-05T08:04:37.11Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "CBA4C600-ED03-4F5E-A274-A694144F362F",
"id": 2024,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-05T08:05:11.877Z",
"dateUpdated": "2021-10-05T08:05:11.877Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "D35B50C4-3CA3-4A20-9B31-742137965A64",
"id": 2025,
"listType": "Application",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-05T08:05:14.59Z",
"dateUpdated": "2021-10-05T08:05:14.59Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "58041B5B-2B8A-4353-8DF8-5169D28E71DA",
"id": 2026,
"listType": "Application",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-05T08:05:19.55Z",
"dateUpdated": "2021-10-05T08:05:19.55Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "20CC50DF-7352-4521-8642-50C93BBD0182",
"id": 2027,
"listType": "Application",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": false
},
"dateCreated": "2021-10-05T08:05:51.01Z",
"dateUpdated": "2021-10-05T08:05:51.01Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "FD411415-93C4-4094-B3E5-8415A42A7F9E",
"id": 2028,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-05T08:06:14.563Z",
"dateUpdated": "2021-10-05T08:06:14.567Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "6C353897-F317-4077-A720-62F4204C8BB0",
"id": 2029,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-05T08:06:18.727Z",
"dateUpdated": "2021-10-05T08:06:18.727Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "73E09328-94C5-4166-B1CE-8DC581F98496",
"id": 2030,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-27T13:46:24.71Z",
"dateUpdated": "2021-10-27T13:46:24.713Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "6B417043-4740-4821-8474-8DC8972F529C",
"id": 2031,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": false
},
"dateCreated": "2021-10-27T13:47:30.467Z",
"dateUpdated": "2021-10-27T13:47:30.467Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "3D9ED83F-0ED6-4911-B13D-1FC750A411C3",
"id": 2032,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": false
},
"dateCreated": "2021-10-27T13:47:39.58Z",
"dateUpdated": "2021-10-27T13:47:39.58Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "7C13886C-A9E7-42F2-8553-33B6AFEFD079",
"id": 2033,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-27T13:50:09.693Z",
"dateUpdated": "2021-10-27T13:51:55.893Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "9B279A23-2822-43C2-BABC-23D08AD0046E",
"id": 2034,
"listType": "Application",
"name": "test202020",
"needToNotify": true,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-27T13:50:23.25Z",
"dateUpdated": "2021-10-27T13:50:23.25Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "A2F0C0AB-6C8C-46D5-9F57-13A5298DC7AC",
"id": 2035,
"listType": "Application",
"name": "test2020201",
"needToNotify": false,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-27T13:54:14.383Z",
"dateUpdated": "2021-10-27T13:54:39.233Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 0,
"guid": "F4A3EAE5-E5F8-4A6B-92DD-06C9CCCFF67A",
"id": 2036,
"listType": "Application",
"name": "a",
"needToNotify": false,
"owner": -100,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-27T13:54:48.01Z",
"dateUpdated": "2021-10-27T13:54:48.01Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 0,
"guid": "B8B79601-76E5-4C19-94E3-053A0D41EC67",
"id": 2037,
"listType": "CommonEvent",
"name": "a",
"needToNotify": false,
"owner": -100,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-27T13:55:27.393Z",
"dateUpdated": "2021-10-27T13:55:27.393Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 0,
"guid": "5FEDBC14-EE01-4B00-BF9D-20D0BE549C14",
"id": 2038,
"listType": "MsgSource",
"name": "a",
"needToNotify": false,
"owner": -100,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-27T13:56:45.6Z",
"dateUpdated": "2021-10-27T13:58:02.647Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "741FAD03-E3AC-4C43-BE93-A17407A66C89",
"id": 2039,
"listType": "Application",
"name": "test20202012",
"needToNotify": true,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-27T13:58:18.13Z",
"dateUpdated": "2021-10-27T14:00:08.607Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "07F90C7D-F205-4614-9B2D-8F2005878226",
"id": 2040,
"listType": "Application",
"name": "test20202012_true",
"needToNotify": true,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": true,
"usePatterns": true
},
"dateCreated": "2021-10-27T13:58:26.87Z",
"dateUpdated": "2021-10-27T13:58:26.873Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "02684746-10C2-4153-A854-D4465E24B82C",
"id": 2041,
"listType": "Application",
"name": "test20202012_false",
"needToNotify": false,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": true,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": true
},
"dateCreated": "2021-10-27T14:02:32.25Z",
"dateUpdated": "2021-10-27T14:04:08.84Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "CB767AFE-65BC-4243-AC82-22B398FB61D9",
"id": 2042,
"listType": "Application",
"name": "test1818_false",
"needToNotify": false,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
},
{
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": true
},
"dateCreated": "2021-10-27T14:02:44.92Z",
"dateUpdated": "2021-10-27T14:08:48.587Z",
"doesExpire": true,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "F89F6CAF-4892-4E83-81C5-C64DE02591E8",
"id": 2043,
"listType": "Application",
"name": "test1818_true",
"needToNotify": true,
"owner": 1,
"readAccess": "PublicAll",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "PublicAll"
}
]
}
}

Human Readable Output#

Lists#

| Guid | Name | List Type | Status | Short Description | Id | Entity Name | Date Created | Owner | Write Access | Read Access |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| B1E34445-2693-411E-8BE2-9B97AFFF20A9 | Windows System32 Hashes | GeneralValue | Active | Hashes of executables in the %systemroot%\system32 directory. Use Case: Masquerading technique in MITRE ATT&CK | -1000130 | Global Entity | 2019-11-05T04:11:38.303Z | -1000000 | PublicGlobalAdmin | PublicAll |
| F205DE21-9F73-462E-8F83-DE64CAD2A401 | CloudAI: Ignore for 24 Hours | Identity | Active | Anomaly scores from CloudAI will not be displayed for the identities in this list. Identities added to this list will automatically expire 24 hours after they are added. | -1000001 | Global Entity | 2021-07-27T15:07:50.893Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 5A2E34FB-3AD1-44CB-8E5F-643CAEDD1EC2 | CloudAI: Monitored Identities | Identity | Active | Identities monitored by CloudAI | -1000000 | Global Entity | 2021-07-27T15:07:50.893Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 6B9A54EF-70C9-49E0-B051-75C363178603 | NERC-CIP: Electronic Security Perimeter | MsgSource | Active | This log source list represents various network related systems such as security perimeter enforcing devices (i.e. IPS, firewalls), security perimeter monitoring devices (i.e. IDS), VPNs, wireless access points, remote access devices, anti-malware, etc. | -2389 | Global Entity | 2015-06-06T00:15:20.033Z | -1000000 | PublicGlobalAdmin | PublicAll |
| F7A6369A-33C3-4249-91EF-6710E13F48F6 | NERC-CIP: BES Cyber Systems | MsgSource | Active | This log source list represents various BES Cyber Assets related to IT operations that reflect groupings of the BES Cyber System(s) | -2379 | Global Entity | 2015-06-05T21:31:30.7Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 4E629B5B-7D5D-447B-B672-BBCAF8E32E37 | PCI-DSS: Allowed DMZ => Internal App List | Application | Active | This list should be populated with the impacted applications, ports, and protocols which are allowed from the demilitarized zone environment to the internal network. | -2085 | Global Entity | 2012-06-14T03:39:14.56Z | -1000000 | PublicGlobalAdmin | PublicAll |
| AFD1ACEB-A5CB-4EE7-BB46-331CE023F750 | PCI-DSS: Internal Environment List | Network | Active | This list should be populated with internal IP addresses of your entire internal network. | -2078 | Global Entity | 2012-06-14T02:43:14.257Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 2A5E5FCE-1FEF-4A7A-A827-93B7676028EA | PCI-DSS: DMZ Environment List | Network | Active | This list should be populated with internal IP addresses of your demilitarized zone network. | -2077 | Global Entity | 2012-06-14T02:29:50.9Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 4CAB138D-9BD4-4ED4-AB4E-FF5F48D4BC3E | PCI-DSS: Cardholder Data Environment List | Network | Active | This list should be populated with internal IP addresses of your cardholder data. | -2076 | Global Entity | 2012-06-14T02:22:50.693Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 76B503F9-7F63-4EBC-B06F-0AB083ECDCF1 | PCI-DSS: Network Security Systems | MsgSource | Active | This list should be populated with network security systems (firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, vulnerability scanning) on the network. | -2073 | Global Entity | 2012-06-14T02:10:32.13Z | -1000000 | PublicGlobalAdmin | PublicAll |
| EAAC1F68-44F7-477E-BBB5-CFAEF5AEDBF6 | PCI-DSS: Allowed Internet => Internal App List | Application | Active | This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet environment to the internal environment network. | -2063 | Global Entity | 2012-06-14T00:31:39.017Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 3D987185-2C72-4AE0-B453-FB27E8412510 | PCI-DSS: Allowed Internet => DMZ App List | Application | Active | This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet to the demilitarized zone environment network. | -2062 | Global Entity | 2012-06-14T00:29:15.183Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 8A030E0F-870C-4F59-A5DD-28F8572723DD | PCI-DSS: Allowed Internet => CDE App List | Application | Active | This list should be populated with the impacted applications, ports, and protocols which are allowed from the external internet to the internal cardholder data environment network. | -2061 | Global Entity | 2012-06-14T00:27:14.477Z | -1000000 | PublicGlobalAdmin | PublicAll |
| DBA00254-D606-43D0-B291-EF38DA092DB3 | PCI-DSS: Allowed CDE => Internet App List | Application | Active | This list should be populated with the impacted applications, ports, and protocols which are allowed from the cardholder data environment network to the external internet. | -2058 | Global Entity | 2012-06-14T00:18:04.5Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 642A7B7B-274E-4A66-9FBD-E4EC1CFC2404 | NRC: Workstations | MsgSource | Active | Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems. | -2031 | Global Entity | 2011-12-14T06:13:01.05Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 229E1613-221C-4961-90F6-0B19B282B80F | NRC: Production Servers | MsgSource | Active | Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data. | -2027 | Global Entity | 2011-12-14T06:09:16.99Z | -1000000 | PublicGlobalAdmin | PublicAll |
| F0F6C2E0-5EBD-41D8-B64E-3D67E649B2F1 | NEI: Workstations | MsgSource | Active | Workstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems. | -2023 | Global Entity | 2011-12-14T00:43:04.903Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 35EB656F-CEB0-498D-B684-9E97B325B14B | NEI: Production Servers | MsgSource | Active | Production servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data. | -2019 | Global Entity | 2011-12-14T00:39:35.59Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 48555D7B-0BEB-43F0-B758-29D7838B0907 | QsEMP: Data Loss Prevention | MsgSource | Active | Production data loss prevention devices, including LogRhythm Data Loss Defender. | -1049 | Global Entity | 2010-08-16T20:21:23.91Z | -1000000 | PublicGlobalAdmin | PublicAll |
| 280E2A9C-EB0C-4CCC-9776-FE1C164B8C5D | QsEMP: Production *NIX Servers | MsgSource | Active | System and audit logs of production UNIX and Linux servers. LogRhythm User Activity Monitor and Network Connection Monitor for production agents. | -1048 | Global Entity | 2010-08-16T20:20:56.847Z | -1000000 | PublicGlobalAdmin | PublicAll |
60390FB9-0419-4A01-A517-611098B9171EQsEMP: Production Windows ServersMsgSourceActiveSystem, Application, and Security Event Logs of production Windows Servers. LogRhythm User Activity Monitor, Process Monitor and Network Connection Monitor for production agents.-1047Global Entity2010-08-16T20:20:34.41Z-1000000PublicGlobalAdminPublicAll
A55CE990-D057-4760-9845-2E9CD173FE5BQsEMP: Production Routers and SwitchesMsgSourceActiveSystem logs of all production routers and switches.-1046Global Entity2010-08-16T20:20:10.877Z-1000000PublicGlobalAdminPublicAll
AE1EDD58-9DE0-4E72-BC87-A4939D9CA0B7QsEMP: Production FirewallsMsgSourceActiveSystem logs of all production firewalls.-1045Global Entity2010-08-16T20:19:46.61Z-1000000PublicGlobalAdminPublicAll
6658537A-358C-435F-8451-B02440B6C50BQsEMP: Production Malware Detection DevicesMsgSourceActiveSystem or application logs of devices providing malware detection capabilities. Examples: anti-virus, spyware, general malware detection software and central servers.-1044Global Entity2010-08-16T20:19:25.033Z-1000000PublicGlobalAdminPublicAll
DE466E5C-19D6-46B5-936C-7A7E5ADFB03EQsEMP: Production IDS/IPS DevicesMsgSourceActiveSystem logs of devices with intrusion detection or prevention capabilities. Examples: firewalls and UTM devices that include these capabilities.-1043Global Entity2010-08-16T20:18:57.753Z-1000000PublicGlobalAdminPublicAll
41BCC625-7E73-4603-8B39-AE1E6DEEDC18FISMA: WorkstationsMsgSourceActiveWorkstations that store or process data applicable to compliance regulations. Examples: personal computers, notebooks, tablet PCs, and publicly accessible systems.-1038Global Entity2010-02-25T00:42:26.083Z-1000000PublicGlobalAdminPublicAll
BF568BD1-E69E-4377-BB7F-2BD5FEE593A0FISMA: Production ServersMsgSourceActiveProduction servers applicable to compliance regulations. Examples: servers that store/process financial data, customer data, and employee data.-1037Global Entity2010-02-25T00:41:57.283Z-1000000PublicGlobalAdminPublicAll
2D0073F7-DB6A-4751-91E7-38272D12C737test listNetworkActivetest for logrhythm integration2001Primary Site2021-08-09T05:04:50.927Z-100PublicAllPublicAll
EA778B8F-20CA-4413-9A2D-CF69FB536793test list 2ApplicationActive2002Primary Site2021-08-09T05:41:30.443Z-100PrivatePrivate
15C307AE-CDA6-4BA0-A605-F3FAE5215C1BtestApplicationActive2003Global Entity2021-09-29T14:09:10.093Z1PublicAllPublicAll
B8D0E804-928A-492E-85FF-4E2940BB8B3Ctest1ApplicationActive2004Global Entity2021-09-29T14:51:55.337Z1PublicAllPublicAll
1120112E-4743-4BE8-BF95-ADE3252CB915test1ApplicationActive2005Global Entity2021-09-29T14:53:03.013Z1PrivatePrivate
7C8B63A6-68D3-4B1C-AD95-06125A77CF99test1ApplicationActive2006Global Entity2021-09-29T15:03:03.84Z1PrivatePrivate
F52EDC03-ECED-4683-86E9-4783409D1C92test1ApplicationActive2007Global Entity2021-09-29T15:03:07.51Z1PrivatePrivate
A2D11D2A-3017-4216-870E-6F3E1E5682BFtest1ApplicationActive2008Global Entity2021-09-29T15:06:38.853Z1PrivatePrivate
325E81FC-2D62-461B-BB7C-5C9169600C97test1ApplicationActive2009Global Entity2021-09-29T15:10:14.497Z1PrivatePrivate
D3EA4CDC-5A58-4D60-8CAB-096B466AE4B7test1ApplicationActive2010Global Entity2021-09-29T15:10:17.113Z1PrivatePrivate
8BC72673-1C8C-4B26-BB21-E65AA908A4EFtest1ApplicationActive2011Global Entity2021-09-29T15:10:17.98Z1PrivatePrivate
A927EB2E-8850-46A0-9798-E2C3B8C6C4F6test1ApplicationActive2012Global Entity2021-09-29T15:10:18.923Z1PrivatePrivate
D0D70666-1BF2-4C34-A10A-F4C131C76687test1ApplicationActive2013Global Entity2021-09-29T15:10:55.743Z1PrivatePrivate
CBC412AE-F98C-4CE9-A290-B36C0D3344E4test1ApplicationActive2014Global Entity2021-09-29T15:11:03.187Z1PrivatePrivate
F4CB25B5-F190-482C-A82D-B3C4AF4BCAAEtest1ApplicationActive2015Global Entity2021-09-29T15:11:05.657Z1PrivatePrivate
F9597684-1119-42B9-911C-0114968D402Etest1ApplicationActive2016Global Entity2021-09-29T15:13:22.533Z1PrivatePrivate
4CBB4771-0A44-4B8B-BF05-DD832369A864test1ApplicationActive2017Global Entity2021-09-29T15:13:40Z1PrivatePrivate
B21EA8F5-3031-42B5-8410-F6AEE42B8E42test1UserActive2018Global Entity2021-10-05T07:44:41.107Z1PrivatePrivate
3624C3B7-04E5-4820-BF93-3D22D2DDEF96test1UserActive2019Global Entity2021-10-05T07:45:20.603Z1PrivatePrivate
D73FEF9B-D9BA-4C1E-8C6A-A5A15EB9F657test1UserActive2020Global Entity2021-10-05T07:45:24.86Z1PrivatePrivate
DA3B78E8-A0EF-4BEC-A41D-0671D509A56Dtesl listUserActive2021Global Entity2021-10-05T07:56:28.223Z1PublicAllPublicAll
43BC3DD5-00B9-4F3D-9A6E-B01F96560B46test1UserActive2022Global Entity2021-10-05T08:03:35.007Z1PrivatePrivate
2888D7FD-1C6F-40E0-AAB7-AF292BCB8A3Dtest1UserActive2023Global Entity2021-10-05T08:04:27.267Z1PrivatePrivate
CBA4C600-ED03-4F5E-A274-A694144F362Ftest1UserActive2024Global Entity2021-10-05T08:04:37.11Z1PrivatePrivate
D35B50C4-3CA3-4A20-9B31-742137965A64test1ApplicationActive2025Global Entity2021-10-05T08:05:11.877Z1PrivatePrivate
58041B5B-2B8A-4353-8DF8-5169D28E71DAtest1ApplicationActive2026Global Entity2021-10-05T08:05:14.59Z1PrivatePrivate
20CC50DF-7352-4521-8642-50C93BBD0182test1ApplicationActive2027Global Entity2021-10-05T08:05:19.55Z1PrivatePrivate
FD411415-93C4-4094-B3E5-8415A42A7F9Etest1UserActive2028Global Entity2021-10-05T08:05:51.01Z1PrivatePrivate
6C353897-F317-4077-A720-62F4204C8BB0test1UserActive2029Global Entity2021-10-05T08:06:14.563Z1PrivatePrivate
73E09328-94C5-4166-B1CE-8DC581F98496test1UserActive2030Global Entity2021-10-05T08:06:18.727Z1PrivatePrivate
6B417043-4740-4821-8474-8DC8972F529Ctest1UserActive2031Global Entity2021-10-27T13:46:24.71Z1PrivatePrivate
3D9ED83F-0ED6-4911-B13D-1FC750A411C3test1UserActive2032Global Entity2021-10-27T13:47:30.467Z1PrivatePrivate
7C13886C-A9E7-42F2-8553-33B6AFEFD079test1UserActive2033Global Entity2021-10-27T13:47:39.58Z1PrivatePrivate
9B279A23-2822-43C2-BABC-23D08AD0046Etest202020ApplicationActive2034Global Entity2021-10-27T13:50:09.693Z1PublicAllPublicAll
A2F0C0AB-6C8C-46D5-9F57-13A5298DC7ACtest2020201ApplicationActive2035Global Entity2021-10-27T13:50:23.25Z1PublicAllPublicAll
F4A3EAE5-E5F8-4A6B-92DD-06C9CCCFF67AaApplicationActive2036Primary Site2021-10-27T13:54:14.383Z-100PrivatePrivate
B8B79601-76E5-4C19-94E3-053A0D41EC67aCommonEventActive2037Primary Site2021-10-27T13:54:48.01Z-100PrivatePrivate
5FEDBC14-EE01-4B00-BF9D-20D0BE549C14aMsgSourceActive2038Primary Site2021-10-27T13:55:27.393Z-100PrivatePrivate
741FAD03-E3AC-4C43-BE93-A17407A66C89test20202012ApplicationActive2039Global Entity2021-10-27T13:56:45.6Z1PublicAllPublicAll
07F90C7D-F205-4614-9B2D-8F2005878226test20202012_trueApplicationActive2040Global Entity2021-10-27T13:58:18.13Z1PublicAllPublicAll
02684746-10C2-4153-A854-D4465E24B82Ctest20202012_falseApplicationActive2041Global Entity2021-10-27T13:58:26.87Z1PublicAllPublicAll
CB767AFE-65BC-4243-AC82-22B398FB61D9test1818_falseApplicationActive2042Global Entity2021-10-27T14:02:32.25Z1PublicAllPublicAll
F89F6CAF-4892-4E83-81C5-C64DE02591E8test1818_trueApplicationActive2043Global Entity2021-10-27T14:02:44.92Z1PublicAllPublicAll

lr-list-summary-create-update#


Updates a list summary based on the GUID and other required details. Searches the system for existing list summaries by GUID. Creates a new list summary if the GUID does not exist. Otherwise, updates the list summary.

Base Command#

lr-list-summary-create-update

Input#

Argument Name | Description | Required
list_type | The list type. Possible values are: None, Application, Classification, CommonEvent, Host, Location, MsgSource, MsgSourceType, MPERule, Network, User, GeneralValue, Entity, RootEntity, IP, IPRange, Identity. | Required
name | The list name. | Required
enabled | Whether the list auto import is enabled. Possible values are: true, false. | Required
use_patterns | Whether the auto import "use patterns" option is enabled. Possible values are: true, false. | Required
replace_existing | Whether the auto import "replace existing" option is enabled. Possible values are: true, false. | Required
read_access | The read permission level. Possible values are: Private, PublicAll, PublicGlobalAdmin, PublicGlobalAnalyst, PublicRestrictedAnalyst, PublicRestrictedAdmin. | Required
write_access | The write permission level. Possible values are: Private, PublicAll, PublicGlobalAdmin, PublicGlobalAnalyst, PublicRestrictedAnalyst, PublicRestrictedAdmin. | Required
restricted_read | Whether the list is read restricted. Possible values are: true, false. | Required
entity_name | The entity name. | Required
need_to_notify | Whether the list needs to notify. Possible values are: true, false. | Required
does_expire | Whether the list expires. Possible values are: true, false. | Required
owner | The ID of the owner. | Optional

Context Output#

Path | Type | Description
LogRhythm.List.listType | String | The list type.
LogRhythm.List.status | String | The list status.
LogRhythm.List.name | String | The list name.
LogRhythm.List.useContext | String | The use context type.
LogRhythm.List.autoImportOption.enabled | Boolean | Whether the list auto import is enabled.
LogRhythm.List.autoImportOption.usePatterns | Boolean | Whether the auto import use patterns is enabled.
LogRhythm.List.autoImportOption.replaceExisting | Boolean | Whether the auto import replace existing is enabled.
LogRhythm.List.id | Number | The list ID.
LogRhythm.List.guid | String | The list GUID.
LogRhythm.List.dateCreated | Date | The date the list was created.
LogRhythm.List.dateUpdated | Date | The date the list was updated.
LogRhythm.List.readAccess | String | The read permission level.
LogRhythm.List.writeAccess | String | The write permission level.
LogRhythm.List.restrictedRead | Boolean | Whether the list is read restricted.
LogRhythm.List.entityName | String | The list entity name.
LogRhythm.List.entryCount | Number | The list entry count.
LogRhythm.List.needToNotify | Boolean | Whether the list will notify the user when updated.
LogRhythm.List.doesExpire | Boolean | Whether the list expires.
LogRhythm.List.owner | Number | The ID of the list owner.

Command Example#

!lr-list-summary-create-update does_expire=false enabled=true entity_name=`Global Entity` list_type=User name=test1 need_to_notify=false read_access=Private replace_existing=false restricted_read=false use_patterns=false write_access=Private owner=1

Context Example#

{
"LogRhythm": {
"List": {
"autoImportOption": {
"enabled": true,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-10-30T20:17:42.433Z",
"dateUpdated": "2021-10-30T20:17:42.433Z",
"doesExpire": false,
"entityName": "Global Entity",
"entryCount": 0,
"guid": "4BC51B20-640B-4F58-A448-A5C8A52161D2",
"id": 2044,
"listType": "User",
"name": "test1",
"needToNotify": false,
"owner": 1,
"readAccess": "Private",
"restrictedRead": false,
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
}
}
}

Human Readable Output#

List created successfully#

Guid | Name | List Type | Status | Short Description | Id | Entity Name | Date Created | Owner | Write Access | Read Access
4BC51B20-640B-4F58-A448-A5C8A52161D2 | test1 | User | Active | | 2044 | Global Entity | 2021-10-30T20:17:42.433Z | 1 | Private | Private

lr-list-details-and-items-get#


Returns list details and list items based on the list GUID.

Base Command#

lr-list-details-and-items-get

Input#

Argument Name | Description | Required
list_guid | The GUID stored in the database. | Required
max_items | The maximum number of items that can be returned in a single request. Default is 100. | Optional

Context Output#

Path | Type | Description
LogRhythm.ListDetails.listType | String | The list type.
LogRhythm.ListDetails.status | String | The list status.
LogRhythm.ListDetails.name | String | The list name.
LogRhythm.ListDetails.useContext | String | The use context type.
LogRhythm.ListDetails.autoImportOption.enabled | Boolean | Whether the list auto import is enabled.
LogRhythm.ListDetails.autoImportOption.usePatterns | Boolean | Whether the auto import use patterns is enabled.
LogRhythm.ListDetails.autoImportOption.replaceExisting | Boolean | Whether the auto import replace existing is enabled.
LogRhythm.ListDetails.id | Number | The list ID.
LogRhythm.ListDetails.guid | String | The list GUID.
LogRhythm.ListDetails.dateCreated | Date | The date the list was created.
LogRhythm.ListDetails.dateUpdated | Date | The date the list was updated.
LogRhythm.ListDetails.revisitDate | Date | The date the list was revisited.
LogRhythm.ListDetails.readAccess | String | The read permission level.
LogRhythm.ListDetails.writeAccess | String | The write permission level.
LogRhythm.ListDetails.restrictedRead | Boolean | Whether the list is read restricted.
LogRhythm.ListDetails.entityName | String | The list entity name.
LogRhythm.ListDetails.entryCount | Number | The list entry count.
LogRhythm.ListDetails.needToNotify | Boolean | Whether the list will notify the user when updated.
LogRhythm.ListDetails.doesExpire | Boolean | Whether the list expires.
LogRhythm.ListDetails.owner | Number | The ID of the list owner.
LogRhythm.ListDetails.listItemsCount | Number | The list items count.
LogRhythm.ListDetails.items.displayValue | String | The list items value.
LogRhythm.ListDetails.items.expirationDate | Unknown | The list item expiration date.
LogRhythm.ListDetails.items.isExpired | Boolean | Whether the item is expired.
LogRhythm.ListDetails.items.isListItem | Boolean | Whether the item is a list item.
LogRhythm.ListDetails.items.isPattern | Boolean | Whether the item is a pattern.
LogRhythm.ListDetails.items.listItemDataType | String | The item data type.
LogRhythm.ListDetails.items.listItemType | String | The item type.
LogRhythm.ListDetails.items.value | String | The item value.

Command Example#

!lr-list-details-and-items-get list_guid=EA778B8F-20CA-4413-9A2D-CF69FB536793

Context Example#

{
"LogRhythm": {
"ListDetails": {
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-08-09T05:41:30.443Z",
"dateUpdated": "2021-10-27T16:27:32.467Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 2,
"guid": "EA778B8F-20CA-4413-9A2D-CF69FB536793",
"id": 2002,
"items": [
{
"displayValue": "8081,8085",
"expirationDate": null,
"isExpired": false,
"isListItem": false,
"isPattern": false,
"listItemDataType": "PortRange",
"listItemType": "PortRange",
"value": "8081,8085"
},
{
"displayValue": "1,100",
"expirationDate": null,
"isExpired": false,
"isListItem": false,
"isPattern": false,
"listItemDataType": "PortRange",
"listItemType": "PortRange",
"value": "1,100"
}
],
"listItemsCount": 0,
"listType": "Application",
"name": "test list 2",
"needToNotify": false,
"owner": -100,
"readAccess": "Private",
"restrictedRead": false,
"revisitDate": "2031-10-27T16:27:32.467Z",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
}
}
}

Human Readable Output#

List EA778B8F-20CA-4413-9A2D-CF69FB536793 details#

Guid | Name | List Type | Status | Short Description | Id | Entity Name | Date Created | Owner | Write Access | Read Access
EA778B8F-20CA-4413-9A2D-CF69FB536793 | test list 2 | Application | Active | | 2002 | Primary Site | 2021-08-09T05:41:30.443Z | -100 | Private | Private

List items#

Display Value | Expiration Date | Is Expired | Is List Item | Is Pattern | List Item Data Type | List Item Type | Value
8081,8085 | | false | false | false | PortRange | PortRange | 8081,8085
1,100 | | false | false | false | PortRange | PortRange | 1,100

lr-list-items-add#


Adds more items to an existing list.

Base Command#

lr-list-items-add

Input#

Argument Name | Description | Required
list_guid | The GUID stored in the database. | Required
items | The list item to add, as a JSON object (see the command example below for the body shape). | Required

Context Output#

Path | Type | Description
LogRhythm.ListItemsAdd.listType | String | The list type.
LogRhythm.ListItemsAdd.status | String | The list status.
LogRhythm.ListItemsAdd.name | String | The list name.
LogRhythm.ListItemsAdd.useContext | String | The use context type.
LogRhythm.ListItemsAdd.autoImportOption.enabled | Boolean | Whether the list auto import is enabled.
LogRhythm.ListItemsAdd.autoImportOption.usePatterns | Boolean | Whether the auto import use patterns is enabled.
LogRhythm.ListItemsAdd.autoImportOption.replaceExisting | Boolean | Whether the auto import replace existing is enabled.
LogRhythm.ListItemsAdd.id | Number | The list ID.
LogRhythm.ListItemsAdd.guid | String | The list GUID.
LogRhythm.ListItemsAdd.dateCreated | Date | The date the list was created.
LogRhythm.ListItemsAdd.dateUpdated | Date | The date the list was updated.
LogRhythm.ListItemsAdd.revisitDate | Date | The list revisit date.
LogRhythm.ListItemsAdd.readAccess | String | The read permission level.
LogRhythm.ListItemsAdd.writeAccess | String | The write permission level.
LogRhythm.ListItemsAdd.restrictedRead | Boolean | Whether the list is read restricted.
LogRhythm.ListItemsAdd.entityName | String | The list entity name.
LogRhythm.ListItemsAdd.entryCount | Number | The list entry count.
LogRhythm.ListItemsAdd.needToNotify | Boolean | Whether the list will notify the user when updated.
LogRhythm.ListItemsAdd.doesExpire | Boolean | Whether the list expires.
LogRhythm.ListItemsAdd.owner | Number | The ID of the list owner.
LogRhythm.ListItemsAdd.listItemsCount | Number | The list items count.

Command Example#

!lr-list-items-add list_guid=EA778B8F-20CA-4413-9A2D-CF69FB536793 items=`{"listItemDataType": "PortRange","listItemType": "PortRange","value": "200,300","valueAsListReference":{"listType": "Network"}}`

Context Example#

{
"LogRhythm": {
"ListItemsAdd": {
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-08-09T05:41:30.443Z",
"dateUpdated": "2021-10-30T20:33:48.12Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 3,
"guid": "EA778B8F-20CA-4413-9A2D-CF69FB536793",
"id": 2002,
"listItemsCount": 0,
"listType": "Application",
"name": "test list 2",
"needToNotify": false,
"owner": -100,
"readAccess": "Private",
"restrictedRead": false,
"revisitDate": "2031-10-30T20:33:48.12Z",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
}
}
}

Human Readable Output#

The item added to the list EA778B8F-20CA-4413-9A2D-CF69FB536793.#

Auto Import Option | Date Created | Date Updated | Does Expire | Entity Name | Entry Count | Guid | Id | List Items Count | List Type | Name | Need To Notify | Owner | Read Access | Restricted Read | Revisit Date | Status | Use Context | Write Access
enabled: false, usePatterns: false, replaceExisting: false | 2021-08-09T05:41:30.443Z | 2021-10-30T20:33:48.12Z | false | Primary Site | 3 | EA778B8F-20CA-4413-9A2D-CF69FB536793 | 2002 | 0 | Application | test list 2 | false | -100 | Private | false | 2031-10-30T20:33:48.12Z | Active | None | Private

lr-list-items-remove#


Removes items from an existing list.

Base Command#

lr-list-items-remove

Input#

Argument Name | Description | Required
list_guid | The GUID stored in the database. | Required
items | The list item to remove, as a JSON object (see the command example below for the body shape). | Required

Context Output#

Path | Type | Description
LogRhythm.ListItemsRemove.listType | String | The list type.
LogRhythm.ListItemsRemove.status | String | The list status.
LogRhythm.ListItemsRemove.name | String | The list name.
LogRhythm.ListItemsRemove.useContext | String | The use context type.
LogRhythm.ListItemsRemove.autoImportOption.enabled | Boolean | Whether the list auto import is enabled.
LogRhythm.ListItemsRemove.autoImportOption.usePatterns | Boolean | Whether the auto import use patterns is enabled.
LogRhythm.ListItemsRemove.autoImportOption.replaceExisting | Boolean | Whether the auto import replace existing is enabled.
LogRhythm.ListItemsRemove.id | Number | The list ID.
LogRhythm.ListItemsRemove.guid | String | The list GUID.
LogRhythm.ListItemsRemove.dateCreated | Date | The date the list was created.
LogRhythm.ListItemsRemove.dateUpdated | Date | The date the list was updated.
LogRhythm.ListItemsRemove.revisitDate | Date | The list revisit date.
LogRhythm.ListItemsRemove.readAccess | String | The read permission level.
LogRhythm.ListItemsRemove.writeAccess | String | The write permission level.
LogRhythm.ListItemsRemove.restrictedRead | Boolean | Whether the list is read restricted.
LogRhythm.ListItemsRemove.entityName | String | The list entity name.
LogRhythm.ListItemsRemove.entryCount | Number | The list entry count.
LogRhythm.ListItemsRemove.needToNotify | Boolean | Whether the list will notify the user when updated.
LogRhythm.ListItemsRemove.doesExpire | Boolean | Whether the list expires.
LogRhythm.ListItemsRemove.owner | Number | The ID of the list owner.
LogRhythm.ListItemsRemove.listItemsCount | Number | The list items count.

Command Example#

!lr-list-items-remove list_guid=EA778B8F-20CA-4413-9A2D-CF69FB536793 items=`{"displayValue": "201,301","listItemType": "PortRange","value": "201,301"}`

Context Example#

{
"LogRhythm": {
"ListItemsRemove": {
"autoImportOption": {
"enabled": false,
"replaceExisting": false,
"usePatterns": false
},
"dateCreated": "2021-08-09T05:41:30.443Z",
"dateUpdated": "2021-10-30T20:33:49.717Z",
"doesExpire": false,
"entityName": "Primary Site",
"entryCount": 3,
"guid": "EA778B8F-20CA-4413-9A2D-CF69FB536793",
"id": 2002,
"listItemsCount": 0,
"listType": "Application",
"name": "test list 2",
"needToNotify": false,
"owner": -100,
"readAccess": "Private",
"restrictedRead": false,
"revisitDate": "2031-10-30T20:33:49.717Z",
"status": "Active",
"useContext": [
"None"
],
"writeAccess": "Private"
}
}
}

Human Readable Output#

The item deleted from the list EA778B8F-20CA-4413-9A2D-CF69FB536793.#

Auto Import Option | Date Created | Date Updated | Does Expire | Entity Name | Entry Count | Guid | Id | List Items Count | List Type | Name | Need To Notify | Owner | Read Access | Restricted Read | Revisit Date | Status | Use Context | Write Access
enabled: false, usePatterns: false, replaceExisting: false | 2021-08-09T05:41:30.443Z | 2021-10-30T20:33:49.717Z | false | Primary Site | 3 | EA778B8F-20CA-4413-9A2D-CF69FB536793 | 2002 | 0 | Application | test list 2 | false | -100 | Private | false | 2031-10-30T20:33:49.717Z | Active | None | Private
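An added Python helper (not code from the LogRhythmRest v2 integration) that drives the three list commands above as one idempotent reconcile from an XSOAR automation: it reads the items out of the lr-list-details-and-items-get context, validates PortRange values before any call is made, and plans the lr-list-items-add / lr-list-items-remove calls with the JSON bodies their command examples show. It assumes the `execute` callable stands in for demisto.executeCommand and that a PortRange value is "low,high", as in the sample items.

```python
"""Plan and apply LogRhythm list item changes from an XSOAR automation.

Added example, not code from the LogRhythmRest v2 integration. It assumes the
argument and context shapes documented for lr-list-details-and-items-get,
lr-list-items-add and lr-list-items-remove; the `execute` callable stands in
for demisto.executeCommand, and the PortRange format "low,high" is inferred
from the page's sample items ("8081,8085", "1,100").
"""
from __future__ import annotations

import json
from typing import Callable

# Trimmed copy of the page's lr-list-details-and-items-get context example
# (constructed test data; only the fields the helpers read are kept).
LIST_GUID = "EA778B8F-20CA-4413-9A2D-CF69FB536793"
SAMPLE_LIST_DETAILS = {
    "guid": LIST_GUID,
    "listType": "Application",
    "writeAccess": "Private",
    "items": [
        {"value": "8081,8085", "listItemType": "PortRange", "isExpired": False},
        {"value": "1,100", "listItemType": "PortRange", "isExpired": False},
    ],
}


def validate_port_range(value: str) -> bool:
    """A PortRange item is 'low,high' with both ends in 1..65535 and low <= high."""
    parts = value.split(",")
    if len(parts) != 2 or not all(p.strip().isdigit() for p in parts):
        return False
    low, high = (int(p) for p in parts)
    return 1 <= low <= high <= 65535


def active_values(list_details: dict) -> set[str]:
    """Values currently on the list. Items the integration reports with
    isExpired=true are not counted as present."""
    return {i["value"] for i in list_details.get("items", []) if not i.get("isExpired")}


def add_args(list_guid: str, value: str, item_type: str) -> dict:
    """Arguments for !lr-list-items-add; `items` carries the JSON body shape from
    the command example (without the optional valueAsListReference)."""
    body = {"listItemDataType": item_type, "listItemType": item_type, "value": value}
    return {"list_guid": list_guid, "items": json.dumps(body)}


def remove_args(list_guid: str, value: str, item_type: str) -> dict:
    """Arguments for !lr-list-items-remove, mirroring its command example."""
    body = {"displayValue": value, "listItemType": item_type, "value": value}
    return {"list_guid": list_guid, "items": json.dumps(body)}


def plan_changes(list_details: dict, desired: list[str],
                 item_type: str = "PortRange") -> list[tuple[str, dict]]:
    """Return the (command, args) calls that make the list equal `desired`.

    Validation runs before anything is planned, so one malformed value aborts
    the whole change rather than leaving the list half-updated.
    """
    if item_type == "PortRange":
        bad = [v for v in desired if not validate_port_range(v)]
        if bad:
            raise ValueError(f"invalid PortRange values: {bad}")
    current = active_values(list_details)
    wanted = set(desired)
    guid = list_details["guid"]
    calls = [("lr-list-items-add", add_args(guid, v, item_type))
             for v in sorted(wanted - current)]
    calls += [("lr-list-items-remove", remove_args(guid, v, item_type))
              for v in sorted(current - wanted)]
    return calls


def apply_changes(calls: list[tuple[str, dict]],
                  execute: Callable[[str, dict], object]) -> int:
    """Run the planned calls in order; in an automation pass demisto.executeCommand."""
    for command, args in calls:
        execute(command, args)
    return len(calls)
```

In an automation, fetch the context with `demisto.executeCommand("lr-list-details-and-items-get", {"list_guid": ...})`, pass the `LogRhythm.ListDetails` object to `plan_changes`, and hand the plan to `apply_changes`.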

lr-execute-search-query#


Execute a search query on the LogRhythm log database.

Base Command#

lr-execute-search-query

Input#

Argument Name | Description | Required
number_of_days | Number of days to search. | Required
search_name | Name of the search. | Optional
source_type | Log source type. Possible values are: all, API-_AWS_CloudTrail, API-AWS_CloudWatch_Alarm, API-AWS_Config_Event, API-AWS_S3_Flat_File, API-AWS_S3_Server_Access_Event, API-BeyondTrust_Retina_Vulnerability_Management, API-Box_Event, API-Cisco_IDS/IPS, API-Cradlepoint_ECM, API-IP360_Vulnerability_Scanner, API-Metasploit_Penetration_Scanner, API-Nessus_Vulnerability_Scanner, API-NetApp_CIFS_Security_Audit_Event_Log, API-NeXpose_Vulnerability_Scanner, API-Office_365_Management_Activity, API-Office_365_Message_Tracking, API-Okta_Event, API-Qualys_Vulnerability_Scanner, API-Salesforce_EventLogFile, API-Sourcefire_eStreamer, API-Tenable_SecurityCenter, API-Tenable.io_Scanner, Flat_File-ActivIdentity_CMS, Flat_File-Airwatch_MDM, Flat_File-Alfresco, Flat_File-AllScripts, Flat_File-Apache_Access_Log, Flat_File-Apache_Error_Log, Flat_File-Apache_SSL_Access_Log, Flat_File-Apache_SSL_Error_Log, Flat_File-Apache_Tomcat_Access_Log, Flat_File-Apache_Tomcat_Console_Log, Flat_File-Avaya_Secure_Access_Link_Remote_Access_Log, Flat_File-Avaya_Voice_Mail_Log, Flat_File-Axway_SFTP, Flat_File-Beacon_Endpoint_Profiler, Flat_File-Bind_9, Flat_File-BlackBerry_Enterprise_Server, Flat_File-Blue_Coat_Proxy_BCREPORTERMAIN_Format, Flat_File-Blue_Coat_Proxy_CSV_Format, Flat_File-Blue_Coat_Proxy_SQUID-1_Format, Flat_File-Blue_Coat_Proxy_W3C_Format, Flat_File-Bro_IDS_Critical_Stack_Intel_Log, Flat_File-Broadcom_SiteMinder, Flat_File-CA_ACF2_for_z/OS-ACFRPTDS, Flat_File-CA_ACF2_for_z/OS-ACFRPTEL, Flat_File-CA_ACF2_for_z/OS-ACFRPTJL, Flat_File-CA_ACF2_for_z/OS-ACFRPTLL, Flat_File-CA_ACF2_for_z/OS-ACFRPTNV, Flat_File-CA_ACF2_for_z/OS-ACFRPTOM, Flat_File-CA_ACF2_for_z/OS-ACFRPTPW, Flat_File-CA_ACF2_for_z/OS-ACFRPTRL, Flat_File-CA_ACF2_for_z/OS-ACFRPTRV, Flat_File-CA_ControlMinder, Flat_File-Cerberus_FTP_Server, Flat_File-Cerner, Flat_File-Cisco_AMP_for_Endpoints, Flat_File-Cisco_Email_Security_Appliance, Flat_File-Cisco_LMS(cwcli), Flat_File-Cisco_LMS(Syslog), Flat_File-Cisco_NGFW, 
Flat_File-Cisco_Secure_ACS_CSV_File, Flat_File-Cisco_Security_Agent, Flat_File-Cisco_Umbrella_DNS, Flat_File-Cisco_Web_Security_aclog, Flat_File-Citrix_Access_Gateway_IIS_Format, Flat_File-Citrix_Access_Gateway_NCSA_Common_Format, Flat_File-Citrix_Access_Gateway_W3C_Format, Flat_File-Citrix_Presentation_Server, Flat_File-Citrix_Secure_Gateway, Flat_File-ClamAV_Anti-Virus, Flat_File-ColdFusion_Application_Log, Flat_File-ColdFusion_Exception_Log, Flat_File-ColdFusion_Mail_Log, Flat_File-ColdFusion_Mailsent_Log, Flat_File-ColdFusion_Server_Log, Flat_File-Cornerstone_Managed_File_Transfer, Flat_File-Coyote_Point_Equalizer, Flat_File-DB2_Audit_Log, Flat_File-DB2_via_BMC_Log_Master, Flat_File-Defender_Server, Flat_File-DocWorks, Flat_File-eClinicalWorks_Audit_Log, Flat_File-EMC_Isilon, Flat_File-Epicor_Coalition, Flat_File-FairWarning_Ready-For-Healthcare, Flat_File-FileZilla_System_Log, Flat_File-FireEye_Web_MPS, Flat_File-Forcepoint_Web_Security_CEF_Cloud_Format, Flat_File-Forescout_CounterACT, Flat_File-FoxT_BoKS_Server_Access_Control, Flat_File-FundsXpress, Flat_File-Gene6_FTP, Flat_File-GlobalSCAPE_EFT, Flat_File-Hadoop, Flat_File-HMC, Flat_File-HP-UX_Audit_Log, Flat_File-IBM_4690_POS, Flat_File-IBM_Informix_Application_Log, Flat_File-IBM_Informix_Audit_Log, Flat_File-IBM_Tivoli_Storage_Manager, Flat_File-IBM_WebSphere_App_Server_v7_Audit_Log, Flat_File-IBM_WebSphere_Cast_Iron_Cloud_Integration, Flat_File-IBM_ZOS_Batch_Decryption_Log, Flat_File-IBM_ZOS_CICS_Decryption_Log, Flat_File-IBM_ZOS_RACF_Access_Log, Flat_File-IBM_ZOS_RACF_SMF_Type_80, Flat_File-IPSwitch_WS_FTP, Flat_File-Irix_Audit_Logs, Flat_File-IT-CUBE_AgileSI, Flat_File-JBoss_Log_File, Flat_File-Juniper_Steel_Belted_Radius_Server, Flat_File-Kerio_Mail_Server, Flat_File-KERISYS_Doors_Event_Export_Format, Flat_File-Kippo_Honeypot, Flat_File-Linux_Audit_ASCII, Flat_File-Linux_Audit_Log, Flat_File-Linux_Host_Secure_Log, Flat_File-LOGbinder_EX, Flat_File-LogRhythm_Alarm_Reingest, 
Flat_File-LogRhythm_Data_Indexer_Monitor, Flat_File-LogRhythm_Oracle_Log, Flat_File-LogRhythm_System_Monitor, Flat_File-LogRhythm_System_Monitor_Log_File, Flat_File-LogRhythm_Trebek_Log, Flat_File-LogRhythm_Zeus_Log, Flat_File-Lotus_Domino_Client_Log, Flat_File-McAfee_Cloud_Proxy_do_not_use, Flat_File-McAfee_ePO_HIPS, Flat_File-McAfee_Foundstone, Flat_File-McAfee_Proxy_Cloud, Flat_File-McAfee_SaaS_Web_Protection, Flat_File-McAfee_Web_Gateway_Audit_Log, Flat_File-Merak, Flat_File-Meridian, Flat_File-Microsoft_ActiveSync_2010, Flat_File-Microsoft_CRM, Flat_File-Microsoft_DHCP_Server_Log, Flat_File-Microsoft_Forefront_TMG, Flat_File-Microsoft_Forefront_TMG_Web_Proxy, Flat_File-Microsoft_IIS(IISFormat)_File, Flat_File-Microsoft_IIS_7.x_W3C_Extended_Format, Flat_File-Microsoft_IIS_Error_Log_V6, Flat_File-Microsoft_IIS_FTP_IIS_Log_File_Format, Flat_File-Microsoft_IIS_FTP_W3C_Extended_Format, Flat_File-Microsoft_IIS_NCSA_Common_Format_File, Flat_File-Microsoft_IIS_SMTP_W3C_Format, Flat_File-Microsoft_IIS_URL_Scan_Log, Flat_File-Microsoft_IIS_W3C_File, Flat_File-Microsoft_ISA_Server_2004, Flat_File-Microsoft_ISA_Server_W3C_File, Flat_File-Microsoft_Netlogon, Flat_File-Microsoft_Port_Reporter_PR-PORTS_Log, Flat_File-Microsoft_Semantic_Logging, Flat_File-Microsoft_SQL_Server_2000_Error_Log, Flat_File-Microsoft_SQL_Server_2005_Error_Log, Flat_File-Microsoft_SQL_Server_2008_Error_Log, Flat_File-Microsoft_SQL_Server_2012_Error_Log, Flat_File-Microsoft_SQL_Server_2014_Error_Log, Flat_File-Microsoft_Windows_2003_DNS, Flat_File-Microsoft_Windows_2008_DNS, Flat_File-Microsoft_Windows_2012_DNS, Flat_File-Microsoft_Windows_Firewall, Flat_File-MicroStrategy, Flat_File-Mimecast_Audit, Flat_File-Mimecast_Email, Flat_File-Monetra, Flat_File-MongoDB, Flat_File-MS_Exchange_2003_Message_Tracking_Log, Flat_File-MS_Exchange_2007_Message_Tracking_Log, Flat_File-MS_Exchange_2010_Message_Tracking_Log, Flat_File-MS_Exchange_2013_Message_Tracking_Log, 
Flat_File-MS_Exchange_2016_Message_Tracking_Log, Flat_File-MS_Exchange_RPC_Client_Access, Flat_File-MS_IAS/RAS_Server_NPS_DB_Log_Format, Flat_File-MS_IAS/RAS_Server_Standard_Log_Format, Flat_File-MS_ISA_Server_2006_ISA_All_Fields, Flat_File-MS_ISA_Server_2006_W3C_All_Fields, Flat_File-MS_SQL_Server_Reporting_Services_2008, Flat_File-MySQL, Flat_File-MySQL_error.log, Flat_File-MySQL_mysql.log, Flat_File-MySQL_mysql-slow.log, Flat_File-Nessus_System_Log, Flat_File-NetApp_Cluster, Flat_File-Nginx_Log, Flat_File-Novell_Audit, Flat_File-Novell_GroupWise, Flat_File-Novell_LDAP, Flat_File-ObserveIT_Enterprise, Flat_File-Office_365_Message_Tracking, Flat_File-OpenDJ, Flat_File-OpenVMS, Flat_File-OpenVPN, Flat_File-Oracle_11g_Fine_Grained_Audit_Trail, Flat_File-Oracle_9i, Flat_File-Oracle_BRM_CM_Log, Flat_File-Oracle_BRM_DM_Log, Flat_File-Oracle_Listener_Audit_Trail, Flat_File-Oracle_SunOne_Directory_Server, Flat_File-Oracle_SunOne_Web_Server_Access_Log, Flat_File-Oracle_Virtual_Directory, Flat_File-Oracle_WebLogic_11g_Access_Log, Flat_File-Other, Flat_File-PeopleSoft, Flat_File-PhpMyAdmin_Honeypot, Flat_File-Postfix, Flat_File-PowerBroker_Servers, Flat_File-Princeton_Card_Secure, Flat_File-ProFTPD, Flat_File-PureMessage_For_Exchange_SMTP_Log, Flat_File-PureMessage_For_UNIX_Blocklist_Log, Flat_File-PureMessage_For_UNIX_Message_Log, Flat_File-RACF(SMF), Flat_File-Radmin, Flat_File-Restic_Backup_Log, Flat_File-RL_Patient_Feedback, Flat_File-RSA_Adaptive_Authentication, Flat_File-RSA_Authentication_Manager_6.1, Flat_File-S2_Badge_Reader, Flat_File-Safenet, Flat_File-Sendmail_File, Flat_File-Sharepoint_ULS, Flat_File-ShoreTel_VOIP, Flat_File-Siemens_Radiology_Information_System, Flat_File-Snort_Fast_Alert_File, Flat_File-Solaris-Sulog, Flat_File-Solaris_Audit_Log, Flat_File-SpamAssassin, Flat_File-Squid_Proxy, Flat_File-Subversion, Flat_File-Sudo.Log, Flat_File-Swift_Alliance, Flat_File-Symantec_Antivirus_10.x_Corporate_Edtn, Flat_File-Symantec_Antivirus_12.x_Corporate_Edtn, 
Flat_File-Symitar_Episys_Console_Log, Flat_File-Symitar_Episys_Sysevent_Log, Flat_File-Tandem_EMSOUT_Log_File, Flat_File-Tandem_XYGATE, Flat_File-Tectia_SSH_Server, Flat_File-Trade_Innovations_CSCS, Flat_File-Trend_Micro_IMSS, Flat_File-Trend_Micro_Office_Scan, Flat_File-Tumbleweed_Mailgate_Server, Flat_File-Verint_Audit_Trail_File, Flat_File-VMWare_Virtual_Machine, Flat_File-Voltage_Securemail, Flat_File-Vormetric_Log_File, Flat_File-vsFTP_Daemon_Log, Flat_File-Vyatta_Firewall_Kernel_Log, Flat_File-WordPot_Honeypot, Flat_File-X-NetStat_Log, Flat_File-XPient_POS_CCA_Manager, Flat_File-XPIENT_POS_POSLOG, Flat_File-XPIENT_POS_Shell_Log, IPFIX-IP_Flow_Information_Export, J-Flow-Juniper_J-Flow_Version_5, J-Flow-Juniper_J-Flow_Version_9, LogRhythm_CloudAI, LogRhythm_Data_Loss_Defender, LogRhythm_Demo_File-Application_Server_Log, LogRhythm_Demo_File-Content_Inspection_Log, LogRhythm_Demo_File-Database_Audit_Log, LogRhythm_Demo_File-Ecom_Server_Log, LogRhythm_Demo_File-File_Server_Log, LogRhythm_Demo_File-Firewall_Log, LogRhythm_Demo_File-FTP_Log, LogRhythm_Demo_File-IDS_Alarms_Log, LogRhythm_Demo_File-Mail_Server_Log, LogRhythm_Demo_File-Netflow_Log, LogRhythm_Demo_File-Network_Device_Log, LogRhythm_Demo_File-Network_Server_Log, LogRhythm_Demo_File-VPN_Log, LogRhythm_Demo_File-Web_Access_Log, LogRhythm_File_Monitor(AIX), LogRhythmFile_Monitor(HP-UX), LogRhythmFile_Monitor(Linux), LogRhythmFile_Monitor(Solaris), LogRhythmFile_Monitor(Windows), LogRhythmFilter, LogRhythm_Network_Connection_Monitor(AIX), LogRhythmNetwork_Connection_Monitor(HP-UX), LogRhythmNetwork_Connection_Monitor(Linux), LogRhythmNetwork_Connection_Monitor(Solaris), LogRhythmNetwork_Connection_Monitor(Windows), LogRhythmProcess_Monitor(AIX), LogRhythmProcess_Monitor(HP-UX), LogRhythmProcess_Monitor(Linux), LogRhythmProcess_Monitor(Solaris), LogRhythmProcess_Monitor(Windows), LogRhythmRegistry_Integrity_Monitor, LogRhythm_SQL_Server_2000_C2_Audit_Log, LogRhythm_SQL_Server_2005_C2_Audit_Log, 
LogRhythm_SQL_Server_2008_C2_Audit_Log, LogRhythm_SQL_Server_2012+_C2_Audit_Log, LogRhythm_User_Activity_Monitor(AIX), LogRhythmUser_Activity_Monitor(HP-UX), LogRhythmUser_Activity_Monitor(Linux), LogRhythmUser_Activity_Monitor(Solaris), LogRhythmUser_Activity_Monitor(Windows), MSEvent_Log_for_XP/2000/2003-Application, MS_Event_Log_for_XP/2000/2003-Application-Espaniol, MS_Event_Log_for_XP/2000/2003-BioPassword, MS_Event_Log_for_XP/2000/2003-DFS, MS_Event_Log_for_XP/2000/2003-Directory_Service, MS_Event_Log_for_XP/2000/2003-DNS, MS_Event_Log_for_XP/2000/2003-DotDefender, MS_Event_Log_for_XP/2000/2003-EMC_Celerra_NAS, MS_Event_Log_for_XP/2000/2003-File_Rep_Service, MS_Event_Log_for_XP/2000/2003-HA, MS_Event_Log_for_XP/2000/2003-Kaspersky, MS_Event_Log_for_XP/2000/2003-Micros_POS, MS_Event_Log_for_XP/2000/2003-PatchLink, MS_Event_Log_for_XP/2000/2003-SafeWord_2008, MS_Event_Log_for_XP/2000/2003-SCE, MS_Event_Log_for_XP/2000/2003-Security, MS_Event_Log_for_XP/2000/2003-Security-Espaniol, MS_Event_Log_for_XP/2000/2003-SMS_2003, MS_Event_Log_for_XP/2000/2003-System, MS_Event_Log_for_XP/2000/2003-System-Espaniol, MS_Event_Log_for_XP/2000/2003-Virtual_Server, MS_Windows_Event_Logging-ADFS_Admin, MS_Windows_Event_Logging-Application, MS_Windows_Event_Logging-AppLockerApp, MS_Windows_Event_Logging-Backup, MS_Windows_Event_Logging-Citrix_Delivery_Services, MS_Windows_Event_Logging-Citrix_XenApp, MS_Windows_Event_Logging-DFS, MS_Windows_Event_Logging-DHCP_Admin, MS_Windows_Event_Logging-DHCP_Operational, MS_Windows_Event_Logging-Diagnosis-PLA, MS_Windows_Event_Logging-Digital_Persona, MS_Windows_Event_Logging-Dir_Service, MS_Windows_Event_Logging-DNS, MS_Windows_Event_Logging-Dot_Defender, MS_Windows_Event_Logging-ESD_Data_Flow_Track, MS_Windows_Event_Logging-Exchange_Mailbox_DB_Failures, MS_Windows_Event_Logging-FailoverClustering/Operational, MS_Windows_Event_Logging-Firewall_With_Advanced_Security, MS_Windows_Event_Logging-Forefront_AV, 
MS_Windows_Event_Logging-Group_Policy_Operational, MS_Windows_Event_Logging-Hyper-V_Hvisor, MS_Windows_Event_Logging-Hyper-V_IMS, MS_Windows_Event_Logging-Hyper-V_Network, MS_Windows_Event_Logging-Hyper-V_SynthSt, MS_Windows_Event_Logging-Hyper-V_VMMS, MS_Windows_Event_Logging-Hyper-V_Worker, MS_Windows_Event_Logging-Kaspersky, MS_Windows_Event_Logging-Kernel_PnP_Configuration, MS_Windows_Event_Logging-Lync_Server, MS_Windows_Event_Logging-MSExchange_Management, MS_Windows_Event_Logging-Operations_Manager, MS_Windows_Event_Logging-PowerShell, MS_Windows_Event_Logging-Print_Services, MS_Windows_Event_Logging-Quest_ActiveRoles_EDM_Server, MS_Windows_Event_Logging-Replication, MS_Windows_Event_Logging-SafeWord_2008, MS_Windows_Event_Logging-Security, MS_Windows_Event_Logging-Setup, MS_Windows_Event_Logging-Sysmon, MS_Windows_Event_Logging-System, MS_Windows_Event_Logging-Task_Scheduler, MS_Windows_Event_Logging-TS_Gateway, MS_Windows_Event_Logging-TS_Licensing, MS_Windows_Event_Logging-TS_Local_Session_Manager, MS_Windows_Event_Logging-TS_Remote_Connection_Manager, MS_Windows_Event_Logging-TS_Session_Broker, MS_Windows_Event_Logging-TS_Session_Broker_Client, MS_Windows_Event_Logging-VisualSVN, MS_Windows_Event_Logging:Deutsch-Security, MS_Windows_Event_Logging:Espaniol-Application, MS_Windows_Event_Logging:Espaniol-Security, MS_Windows_Event_Logging:Espaniol-System, MS_Windows_Event_Logging:Francais-System, MS_Windows_Event_Logging:Francais-Security, MS_Windows_Event_Logging_XML-ADFS, MS_Windows_Event_Logging_XML-Application, MS_Windows_Event_Logging_XML-Forwarded_Events, MS_Windows_Event_Logging_XML-Generic, MS_Windows_Event_Logging_XML-Security, MS_Windows_Event_Logging_XML-Sysmon, MS_Windows_Event_Logging_XML-Sysmon_7.01, MS_Windows_Event_Logging_XML-Sysmon_8/9/10, MS_Windows_Event_Logging_XML-System, MS_Windows_Event_Logging_XML-Unisys_Stealth, MS_Windows_Event_Logging_XML-Windows_Defender, Netflow-Cisco_Netflow_Version_1, Netflow-Cisco_Netflow_Version_5, 
Netflow-Cisco_Netflow_Version_9, Netflow-Palo_Alto_Version_9, Netflow-SonicWALL_Version_5, Netflow-SonicWALL_Version_9, OPSEC_LEA-Checkpoint_Firewall, OPSEC_LEA-Checkpoint_Firewall_Audit_Log, OPSEC_LEA-Checkpoint_For_LR_7.4.1+, OPSEC_LEA-Checkpoint_Log_Server, sFlow-Version_5, SNMP_Trap-Audiolog, SNMP_Trap-Autoregistered, SNMP_Trap-Brocade_Switch, SNMP_Trap-Cisco_5508_Wireless_Controller, SNMP_Trap-Cisco_IP_SLA, SNMP_Trap-Cisco_Prime, SNMP_Trap-Cisco_Router-Switch, SNMP_Trap-CyberArk, SNMP_Trap-Dell_OpenManage, SNMP_Trap-HP_Network_Node_Manager, SNMP_Trap-IBM_TS3000_Series_Tape_Drive, SNMP_Trap-Riverbed_SteelCentral_NetShark, SNMP_Trap-RSA_Authentication_Manager, SNMP_Trap-Swift_Alliance, SNMP_Trap-Trend_Micro_Control_Manager, Syslog-3Com_Switch, Syslog-A10_Networks_AX1000_Load_Balancer, Syslog-A10_Networks_Web_Application_Firewall, Syslog-Accellion_Secure_File_Transfer_Application, Syslog-Active_Scout_IPS, Syslog-Adallom, Syslog-Adtran_Switch, Syslog-Aerohive_Access_Point, Syslog-Aerohive_Firewall, Syslog-AIMIA_Tomcat, Syslog-AirDefense_Enterprise, Syslog-Airmagnet_Wireless_IDS, Syslog-AirTight_IDS/IPS, Syslog-AirWatch_MDM, Syslog-Airwave_Management_System_Log, Syslog-AIX_Host, Syslog-Alcatel-Lucent_Switch, Syslog-Alcatel-Lucent_Wireless_Controller, Syslog-AlertLogic, Syslog-AMX_AV_Controller, Syslog-Apache_Access_Log, Syslog-Apache_Error_Log, Syslog-Apache_Tomcat_Request_Parameters, Syslog-Apache_Tomcat_Service_Clients_Log, Syslog-APC_ATS, Syslog-APC_NetBotz_Environmental_Monitoring, Syslog-APC_PDU, Syslog-APC_UPS, Syslog-Apcon_Network_Monitor, Syslog-Apex_One, Syslog-Arbor_Networks_Peakflow, Syslog-Arbor_Networks_Spectrum, Syslog-Arbor_Pravail_APS, Syslog-Arista_Switch, Syslog-Array_TMX_Load_Balancer, Syslog-Arris_CMTS, Syslog-Aruba_Clear_Pass, Syslog-Aruba_Mobility_Controller, Syslog-Aruba_Wireless_Access_Point, Syslog-AS/400_via_Powertech_Interact, Syslog-Asus_WRT_Router, Syslog-Avatier_Identity_Management_Suite(AIMS), Syslog-_Avaya_Communications_Manager, 
Syslog-Avaya_Ethernet_Routing_Switch, Syslog-Avaya_G450_Media_Gateway, Syslog-Avaya_Router, Syslog-Aventail_SSL/VPN, Syslog-Avocent_Cyclades_Terminal_Server, Syslog-Azul_Java_Appliance, Syslog-Barracuda_Load_Balancer, Syslog-Barracuda_Mail_Archiver, Syslog-Barracuda_NG_Firewall, Syslog-Barracuda_NG_Firewall_6.x, Syslog-Barracuda_Spam_Firewall, Syslog-Barracuda_Web_Application_Firewall, Syslog-Barracuda_Webfilter, Syslog-BeyondTrust_BeyondInsight_LEEF, Syslog-Bind_DNS, Syslog-Bit9_Parity_Suite, Syslog-Bit9_Security_Platform_CEF, Syslog-Bit9+Carbon_Black(Deprecated), Syslog-_BitDefender, Syslog-Black_Diamond_Switch, Syslog-Blue_Coat_CAS, Syslog-Blue_Coat_Forward_Proxy, Syslog-Blue_Coat_PacketShaper, Syslog-Blue_Coat_ProxyAV_ISA_W3C_Format, Syslog-Blue_Coat_ProxyAV_MS_Proxy_2.0_Format, Syslog-Blue_Coat_ProxySG, Syslog-Blue_Socket_Wireless_Controller, Syslog-Bluecat_Adonis, Syslog-BlueCedar, Syslog-BluVector, Syslog-Bomgar, Syslog-Bradford_Networks_NAC, Syslog-Bradford_Remediation&Registration_Svr, Syslog-Bro_IDS, Syslog-Brocade_Switch, Syslog-Bromium_vSentry_CEF, Syslog-BSD_Host, Syslog-CA_Privileged_Access_Manager, Syslog-Cb_Defense_CEF, Syslog-Cb_Protection_CEF, Syslog-Cb_Response_LEEF, Syslog-Cell_Relay, Syslog-Certes_Networks_CEP, Syslog-Check_Point_Log_Exporter, Syslog-Checkpoint_Site-to-Site_VPN, Syslog-Cisco_ACS, Syslog-Cisco_Aironet_WAP, Syslog-Cisco_APIC, Syslog-Cisco_Application_Control_Engine, Syslog-Cisco_ASA, Syslog-Cisco_Clean_Access(CCA)Appliance, Syslog-Cisco_CSS_Load_Balancer, Syslog-Cisco_Email_Security_Appliance, Syslog-Cisco_FirePOWER, Syslog-Cisco_Firepower_Threat_Defense, Syslog-Cisco_FireSIGHT, Syslog-Cisco_FWSM, Syslog-Cisco_Global_Site_Selector, Syslog-Cisco_ISE, Syslog-Cisco_Meraki, Syslog-Cisco_Nexus_Switch, Syslog-Cisco_PIX, Syslog-Cisco_Prime_Infrastructure, Syslog-Cisco_Router, Syslog-Cisco_Secure_ACS_5, Syslog-Cisco_Session_Border_Controller, Syslog-Cisco_Switch, Syslog-Cisco_Telepresence_Video_Communications_Server, Syslog-Cisco_UCS, 
Syslog-Cisco_Unified_Comm_Mgr(CallMgr), Syslog-Cisco_VPN_Concentrator, Syslog-Cisco_WAAS, Syslog-Cisco_Web_Security, Syslog-Cisco_Wireless_Access_Point, Syslog-Cisco_Wireless_Control_System, Syslog-CiscoWorks, Syslog-Citrix_Access_Gateway_Server, Syslog-Citrix_Netscaler, Syslog-Citrix_XenServer, Syslog-Claroty_CTD_CEF, Syslog-Clearswift_Secure_Email_Gateway, Syslog-CloudLock, Syslog-CodeGreen_Data_Loss_Prevention, Syslog-Cofense_Triage_CEF, Syslog-Consentry_NAC, Syslog-Corero_IPS, Syslog-Corero_SmartWall_DDoS, Syslog-CoyotePoint_Equalizer, Syslog-Crowdstrike_Falconhost_CEF, Syslog-CyberArk, Syslog-CyberArk_Privileged_Threat_Analytics, Syslog-Cylance_CEF, Syslog-CylancePROTECT, Syslog-DarkTrace_CEF, Syslog-Dell_Force_10, Syslog-Dell_PowerConnect_Switch, Syslog-Dell_Remote_Access_Controller, Syslog-Dell_SecureWorks_iSensor_IPS, Syslog-Dialogic_Media_Gateway, Syslog-Digital_Guardian_CEF, Syslog-D-Link_Switch, Syslog-Don_not_use, Syslog-Dragos_Platform_CEF, Syslog-Ecessa_ShieldLink, Syslog-EfficientIP, Syslog-EMC_Avamar, Syslog-EMC_Centera, Syslog-EMC_Data_Domain, Syslog-EMC_Isilon, Syslog-EMC_Unity_Array, Syslog-EMC_VNX, Syslog-Ensilo_NGAV, Syslog-Enterasys_Dragon_IDS, Syslog-Enterasys_Router, Syslog-Enterasys_Switch, Syslog-Entrust_Entelligence_Messaging_Server, Syslog-Entrust_IdentityGuard, Syslog-Epic_Hyperspace_CEF, Syslog-EqualLogic_SAN, Syslog-eSafe_Email_Security, Syslog-ESET_Remote_Administrator(ERA)LEEF, Syslog-Event_Reporter(Win2000/XP/2003), Syslog-Exabeam, Syslog-Exchange_Message_Tracking, Syslog-ExtraHop, Syslog-Extreme_Wireless_LAN, Syslog-ExtremeWare, Syslog-ExtremeXOS, Syslog-F5_BIG-IP_Access_Policy_Manager, Syslog-F5_BIG-IP_AFM, Syslog-F5_BIG-IP_ASM, Syslog-F5_BIG-IP_ASM_Key-Value_Pairs, Syslog-F5_BIG-IP_ASM_v12, Syslog-F5_Big-IP_GTM&DNS, Syslog-F5_Big-IP_LTM, Syslog-F5_FirePass_Firewall, Syslog-F5_Silverline_DDoS_Protection, Syslog-Fargo_HDP_Card_Printer_and_Encoder, Syslog-Fat_Pipe_Load_Balancer, Syslog-Fidelis_XPS, Syslog-FireEye_E-Mail_MPS, 
Syslog-FireEye_EX, Syslog-FireEye_Web_MPS/CMS/ETP/HX, Syslog-Forcepoint_DLP, Syslog-Forcepoint_Email_Security_Gateway, Syslog-Forcepoint_Stonesoft_NGFW, Syslog-Forcepoint_SureView_Insider_Threat, Syslog-Forcepoint_Web_Security, Syslog-Forcepoint_Web_Security_CEF_Format, Syslog-Forescout_CounterACT_NAC, Syslog-Fortinet_FortiAnalyzer, Syslog-Fortinet_FortiAuthenticator, Syslog-Fortinet_FortiDDoS, Syslog-Fortinet_FortiGate, Syslog-Fortinet_FortiGate_v4.0, Syslog-Fortinet_FortiGate_v5.0, Syslog-Fortinet_FortiGate_v5.2, Syslog-Fortinet_FortiGate_v5.4/v5.6, Syslog-Fortinet_FortiGate_v5.6_CEF, Syslog-Fortinet_Fortigate_v6.0, Syslog-Fortinet_FortiMail, Syslog-Fortinet_FortiWeb, Syslog-Foundry_Switch, Syslog-Gene6_FTP, Syslog-Generic_CEF, Syslog-Generic_ISC_DHCP, Syslog-Generic_LEEF, Syslog-Guardium_Database_Activity_Monitor, Syslog-H3C_Router, Syslog-Hitachi_Universal_Storage_Platform, Syslog-HP_BladeSystem, Syslog-HP_iLO, Syslog-HP_Procurve_Switch, Syslog-HP_Router, Syslog-HP_Switch, Syslog-HP_Unix_Tru64, Syslog-HP_Virtual_Connect_Switch, Syslog-HP-UX_Host, Syslog-Huawei_Access_Router, Syslog-IBM_Blade_Center, Syslog-IBM_Security_Network_Protection, Syslog-IBM_Virtual_Tape_Library_Server, Syslog-IBM_WebSphere_DataPower_Integration, Syslog-IBM_zSecure_Alert_for_ACF2_2.1.0, Syslog-IceWarp_Server, Syslog-Imperva_Incapsula_CEF, Syslog-Imperva_SecureSphere, Syslog-Imprivata_OneSign_SSO, Syslog-InfoBlox, Syslog-Invincea(LEEF), Syslog-_iPrism_Proxy_Log, Syslog-IPSWITCH_MOVEit_Server, Syslog-IPTables, Syslog-IRIX_Host, Syslog-iSeries_via_Powertech_Interact, Syslog-Ivanti_FileDirector, Syslog-JetNexus_Load_Balancer, Syslog-Juniper_DX_Application_Accelerator, Syslog-Juniper_Firewall, Syslog-Juniper_Firewall_3400, Syslog-Juniper_Host_Checker, Syslog-Juniper_IDP, Syslog-Juniper_NSM, Syslog-Juniper_Router, Syslog-Juniper_SSL_VPN, Syslog-Juniper_SSL_VPN_WELF_Format, Syslog-Juniper_Switch, Syslog-Juniper_Trapeze, Syslog-Juniper_vGW_Virtual_Gateway, Syslog-Kaspersky_Security_Center, 
Syslog-Kea_DHCP_Server, Syslog-Kemp_Load_Balancer, Syslog-KFSensor_Honeypot, Syslog-KFSensor_Honeypot_CEF, Syslog-Lancope_StealthWatch, Syslog-Lancope_StealthWatch_CEF, Syslog-Layer_7_SecureSpan_SOA_Gateway, Syslog-Legacy_Checkpoint_Firewall(NotLog_Exporter), Syslog-Legacy_Checkpoint_IPS(NotLog_Exporter), Syslog-Lieberman_Enterprise_Random_Password_Manager, Syslog-Linux_Audit, Syslog-Linux_Host, Syslog-Linux_TACACS_Plus, Syslog-LOGbinder_EX, Syslog-LOGbinder_SP, Syslog-LOGbinder_SQL, Syslog-LogRhythm_Data_Indexer_Monitor, Syslog-LogRhythm_Inter_Deployment_Data_Sharing, Syslog-LogRhythm_Log_Distribution_Services, Syslog-LogRhythm_Network_Monitor, Syslog-LogRhythm_Syslog_Generator, Syslog-Lumension, Syslog-MacOS_X, Syslog-Malwarebytes_Endpoint_Security_CEF, Syslog-Mandiant_MIR, Syslog-McAfee_Advanced_Threat_Defense, Syslog-McAfee_Email_And_Web_Security, Syslog-McAfee_ePO, Syslog-McAfee_Firewall_Enterprise, Syslog-McAfee_Network_Security_Manager, Syslog-McAfee_Secure_Internet_Gateway, Syslog-McAfee_SecureMail, Syslog-McAfee_Skyhigh_for_Shadow_IT_LEEF, Syslog-McAfee_Web_Gateway, Syslog-mGuard_Firewall, Syslog-Microsoft_Advanced_Threat_Analytics(ATA)CEF, Syslog-Microsoft_Azure_Log_Integration, Syslog-Microsoft_Azure_MFA, Syslog-Microsoft_Forefront_UAG, Syslog-Mirapoint, Syslog-MobileIron, Syslog-Motorola_Access_Point, Syslog-MS_IIS_Web_Log_W3C_Format(Snare), Syslog-_MS_Windows_Event_Logging_XML-Application, Syslog-MS_Windows_Event_Logging_XML-Security, Syslog-MS_Windows_Event_Logging_XML-System, Syslog-Nagios, Syslog-nCircle_Configuration_Compliance_Manager, Syslog-NetApp_Filer, Syslog-NETASQ_Firewall, Syslog-NetGate_Router, Syslog-NetMotion_VPN, Syslog-Netscout_nGenius_InfiniStream, Syslog-NetScreen_Firewall, Syslog-Netskope, Syslog-Netskope_CEF, Syslog-Network_Chemistry_RFprotect, Syslog-Nginx_Web_Log, Syslog-Nimble_Storage, Syslog-Nortel_8600_Switch, Syslog-Nortel_BayStack_Switch, Syslog-Nortel_Contivity, Syslog-Nortel_Firewall, Syslog-Nortel_IP_1220, 
Syslog-Nortel_Passport_Switch, Syslog-Nozomi_Networks_Guardian_CEF, Syslog-NuSecure_Gateway, Syslog-Nutanix, Syslog-Open_Collector, Syslog-Open_Collector-AWS_CloudTrail, Syslog-Open_Collector-AWS_CloudWatch, Syslog-Open_Collector-AWS_Config_Events, Syslog-Open_Collector-AWS_Guard_Duty, Syslog-Open_Collector-AWS_S3, Syslog-Open_Collector-Azure_Event_Hub, Syslog-Open_Collector-Carbon_Black_Cloud, Syslog-Open_Collector-CarbonBlackBeat_Heartbeat, Syslog-Open_Collector-Cisco_AMP, Syslog-Open_Collector-Cisco_Umbrella, Syslog-Open_Collector-CiscoAMPBeat_Heartbeat, Syslog-Open_Collector-Duo_Authentication_Security, Syslog-Open_Collector-DuoBeat_Heartbeat, Syslog-Open_Collector-EventHubBeat_Heartbeat, Syslog-Open_Collector-GCP_Audit, Syslog-Open_Collector-GCP_Cloud_Key_Management_Service, Syslog-Open_Collector-GCP_Http_Load_Balancer, Syslog-Open_Collector-GCP_Pub_Sub, Syslog-Open_Collector-GCP_Security_Command_Center, Syslog-Open_Collector-GCP_Virtual_Private_Cloud, Syslog-Open_Collector-Gmail_Message_Tracking, Syslog-Open_Collector-GMTBeat_Heartbeat, Syslog-Open_Collector-GSuite, Syslog-Open_Collector-GSuiteBeat_Heartbeat, Syslog-Open_Collector-Metricbeat, Syslog-Open_Collector-Okta_System_Log, Syslog-Open_Collector-OktaSystemLogBeat_Heartbeat, Syslog-Open_Collector-PubSubBeat_Heartbeat, Syslog-Open_Collector-S3Beat_Heartbeat, Syslog-Open_Collector-Sophos_Central, Syslog-Open_Collector-SophosCentralBeat_Heartbeat, Syslog-Open_Collector-Webhook, Syslog-Open_Collector-Webhook_OneLogin, Syslog-Open_Collector-Webhook_Zoom, Syslog-Open_Collector-WebhookBeat_Heartbeat, Syslog-Opengear_Console, Syslog-OpenLDAP, Syslog-Oracle_10g_Audit_Trail, Syslog-Oracle_11g_Audit_Trail, Syslog-OSSEC_Alerts, Syslog-Other, Syslog-Outpost24, Syslog-Palo_Alto_Cortex_XDR, Syslog-Palo_Alto_Custom_Pipe, Syslog-Palo_Alto_Firewall, Syslog-Palo_Alto_Traps_CEF, Syslog-Palo_Alto_Traps_Management_Service, Syslog-Password_Manager_Pro, Syslog-pfSense_Firewall, Syslog-PingFederate_7.2, Syslog-PingFederate_CEF, 
Syslog-Polycom, Syslog-Postfix, Syslog-Procera_PacketLogic, Syslog-Proofpoint_Spam_Firewall, Syslog-Protegrity_Defiance_DPS, Syslog-QLogic_Infiniband_Switch, Syslog-Quest_Defender, Syslog-Radiator_Radius, Syslog-RADiFlow_3180_Switch, Syslog-Radware_Alteon_Load_Balancer, Syslog-Radware_DefensePro, Syslog-Radware_Web_Server_Director_Audit_Log, Syslog-Raritan_KVM, Syslog-Raz-Lee, Syslog-RedSeal, Syslog-Riverbed, Syslog-RSA_ACE, Syslog-RSA_Authentication_Manager_v7.1, Syslog-RSA_Authentication_Manager_v8.x, Syslog-RSA_Web_Threat_Detection, Syslog-RSA_Web_Threat_Detection_5.1, Syslog-RuggedRouter, Syslog-Safenet, Syslog-Sailpoint, Syslog-Sauce_Labs, Syslog-SecureAuth_IdP, Syslog-SecureAuth_IdP_v9, Syslog-SecureLink, Syslog-SecureTrack, Syslog-SEL_3610_Port_Switch, Syslog-SEL_3620_Ethernet_Security_Gateway, Syslog-Sentinel_IPS, Syslog-SentinelOne_CEF, Syslog-Sguil, Syslog-Siemens_Scalance_X400, Syslog-Smoothwall_Firewall, Syslog-SnapGear_Firewall, Syslog-Snare_Windows_2003_Event_Log, Syslog-Snare_Windows_2008_Event_Log, Syslog-Snort_IDS, Syslog-Solaris(Snare), Syslog-_Solaris_Host, Syslog-SonicWALL, Syslog-SonicWALL_SSL-VPN, Syslog-Sophos_Email_Encryption_Appliance, Syslog-Sophos_UTM, Syslog-Sophos_Web_Proxy, Syslog-Sophos_XG_Firewall, Syslog-Sourcefire_IDS_3D, Syslog-Sourcefire_RNA, Syslog-Spectracom_Network_Time_Server, Syslog-Splunk_API-Checkpoint_Firewall, Syslog-Splunk_API-Cisco_Netflow_V9, Syslog-Splunk_API-Nessus_Vulnerability_Scanner, Syslog-Squid_Proxy, Syslog-StealthBits_Activity_Monitor, Syslog-STEALTHbits_StealthINTERCEPT, Syslog-StoneGate_Firewall, Syslog-Stonesoft_IPS, Syslog-Stormshield_Network_Security_Firewall, Syslog-Sycamore_Networks_DNX-88, Syslog-Sygate_Firewall, Syslog-Symantec_Advanced_Threat_Protection(ATP)CEF, Syslog-Symantec_DLP_CEF, Syslog-Symantec_Endpoint_Server, Syslog-Symantec_Messaging_Gateway, Syslog-Symantec_PGP_Gateway, Syslog-Symbol_Wireless_Access_Point, Syslog-Tanium, Syslog-Temporary_LST-2, Syslog-Tenable_SecurityCenter, 
Syslog-Thycotic_Secret_Server, Syslog-Tipping_Point_IPS, Syslog-Tipping_Point_SSL_Reverse_Proxy, Syslog-Top_Layer_IPS, Syslog-Townsend_Alliance_LogAgent, Syslog-Trend_Micro_Control_Manager_CEF, Syslog-Trend_Micro_Deep_Discovery_Inspector, Syslog-Trend_Micro_Deep_Security_CEF, Syslog-Trend_Micro_Deep_Security_LEEF, Syslog-Trend_Micro_IWSVA, Syslog-Trend_Micro_Vulnerability_Protection_Manager, Syslog-Tripwire, Syslog-Trustwave_NAC, Syslog-Trustwave_Secure_Web_Gateway, Syslog-Trustwave_Web_Application_Firewall, Syslog-Tufin, Syslog-Tumbleweed_Mailgate_Server, Syslog-Ubiquiti_UniFi_Security_Gateway, Syslog-Ubiquiti_UniFi_Switch, Syslog-Ubiquiti_UniFi_WAP, Syslog-Untangle, Syslog-Vamsoft_ORF, Syslog-Vanguard_Active_Alerts, Syslog-Varonis_DatAlert, Syslog-Vasco_Digipass_Identikey_Server, Syslog-Vectra_Networks, Syslog-Versa_Networks_SD-WAN, Syslog-VMWare_ESX/ESXi_Server, Syslog-VMware_Horizon_View, Syslog-VMWare_NSX/NSX-T, Syslog-VMWare_Unified_Access_Gateway, Syslog-VMWare_vCenter_Server, Syslog-VMWare_vShield, Syslog-Voltage_Securemail, Syslog-Vormetric_CoreGuard, Syslog-Vormetric_Data_Security_Manager, Syslog-WALLIX_Bastion, Syslog-Watchguard_FireBox, Syslog-WS2000_Wireless_Access_Point, Syslog-Wurldtech_SmartFirewall, Syslog-Xirrus_Wireless_Array, Syslog-Zimbra_System_Log, Syslog-Zix_E-mail_Encryption, Syslog-Zscaler_Nano_Streaming_Service, Syslog-ZXT_Load_Balancer, Syslog-ZyWALL_VPN_Firewall, Syslog_Avaya_G450_Media_Gateway, Syslog_File-AIX_Host, Syslog_File-BSD_Format, Syslog_File-HP-UX_Host, Syslog_File-IRIX_Host, Syslog_File-Linux_Host, Syslog_File-LogRhythm_Syslog_Generator, Syslog_File-MS_2003_Event_Log(Snare), SyslogFile-Oracle_10g_Audit_Trail, Syslog_File-Oracle_11g_Audit_Trail, Syslog_File-Solaris_Host, UDLA-CA_Single_Sign-On, UDLA-Deepnet_DualShield, UDLA-Drupal, UDLA-Finacle_Core, UDLA-Finacle_Treasury_Logs, UDLA-Forcepoint, UDLA-Gallagher_Command_Centre, UDLA-iManage_Worksite, UDLA-ISS_Proventia_SiteProtector-IPS, 
UDLA-LogRhythm_Enterprise_Monitoring_Solution, UDLA-LREnhancedAudit, UDLA-McAfee_ePolicy_Orchestrator-Universal_ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_3.6-Events, UDLA-McAfee_ePolicy_Orchestrator_4.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_4.5-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.0-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.1-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.3-ePOEvents, UDLA-McAfee_ePolicy_Orchestrator_5.9-ePOEvents, UDLA-McAfee_Network_Access_Control, UDLA-McAfee_Network_Security_Manager, UDLA-Microsoft_System_Center_2012_Endpoint_Protection, UDLA-ObserveIT, UDLA-Oracle_10g_Audit_Trail, UDLA-Oracle_11g_Audit_Trail, UDLA-Oracle_12C_Unified_Auditing, UDLA-Oracle_9i_Audit_Trail, UDLA-Other, UDLA-SEL_3530_RTAC, UDLA-SharePoint_2007_AuditData, UDLA-SharePoint_2010_EventData, UDLA-SharePoint_2013_EventData, UDLA-Siemens_Invision, UDLA-Sophos_Anti-Virus, UDLA-Sophos_Endpoint_Security_and_Control, UDLA-Symantec_CSP, UDLA-Symantec_SEP, UDLA-Symmetry_Access_Control, UDLA-VMWare_vCenter_Server, UDLA-VMWare_vCloud, VLS-Syslog-Infoblox-DNS_RPZ, VLS-Syslog-Infoblox-_Threat_Protection. | Optional |
| host_name | Impacted host name. | Optional |
| username | Username. | Optional |
| subject | Email subject. | Optional |
| sender | Email sender. | Optional |
| recipient | Email recipient. | Optional |
| hash | Hash code of the event. | Optional |
| url | URL of the event. | Optional |
| process_name | Process name. | Optional |
| object | Log object. | Optional |
| ip_address | IP address of the endpoint. | Optional |
| max_message | Maximum number of log messages to query. Default is 100. | Optional |
| query_timeout | The query timeout in seconds. Default is 60. | Optional |
| entity_id | Entity ID. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| page_size | Page size. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Search.TaskId | String | The task ID returned from the database for the current search. This is actually the search GUID. |
| LogRhythm.Search.StatusMessage | String | The task status returned from the database for the current search. |
| LogRhythm.Search.SearchName | String | The name of the search query in Cortex XSOAR. |
| LogRhythm.Search.TaskStatus | String | Task status. |
| LogRhythm.Search.Results.originEntityId | Number | Entity ID. |
| LogRhythm.Search.Results.impactedIp | String | Impacted IP address. |
| LogRhythm.Search.Results.classificationTypeName | String | Classification name. |
| LogRhythm.Search.Results.logSourceName | String | Log source name. |
| LogRhythm.Search.Results.entityName | String | Entity name. |
| LogRhythm.Search.Results.normalDate | Date | Normalized date. |
| LogRhythm.Search.Results.vendorMessageId | String | Vendor message ID. |
| LogRhythm.Search.Results.priority | Number | Log priority. |
| LogRhythm.Search.Results.sequenceNumber | String | Sequence number. |
| LogRhythm.Search.Results.originHostId | Number | Origin host ID. |
| LogRhythm.Search.Results.mpeRuleId | Number | LogRhythm rule ID. |
| LogRhythm.Search.Results.originIp | String | Origin IP address. |
| LogRhythm.Search.Results.mpeRuleName | String | LogRhythm rule name. |
| LogRhythm.Search.Results.logSourceHostId | Number | Log source host ID. |
| LogRhythm.Search.Results.originHost | String | Origin host. |
| LogRhythm.Search.Results.logDate | Date | Log date. |
| LogRhythm.Search.Results.classificationName | String | Log classification name. |

Command Example#

!lr-execute-search-query number_of_days=5 entity_id=1 host_name=HOSTNAME

Context Example#

{
"LogRhythm": {
"Search": {
"Task": {
"StatusMessage": "Success",
"TaskId": "9a5533c6-dc18-46dc-9d9a-3e7461b5ca7a"
}
}
}
}

Human Readable Output#

New search query created, Task ID=9a5533c6-dc18-46dc-9d9a-3e7461b5ca7a

lr-get-query-result#


Gets the search query result for the specified task ID. The task ID can be retrieved from the lr-execute-search-query command.

Base Command#

lr-get-query-result

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | The task ID. The task ID can be retrieved from the lr-execute-search-query command. | Required |
| page_size | Page size. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Search.TaskStatus | String | Task status. |
| LogRhythm.Search.TaskId | String | Task ID. |
| LogRhythm.Search.Results.originEntityId | Number | Entity ID. |
| LogRhythm.Search.Results.impactedIp | String | Impacted IP address. |
| LogRhythm.Search.Results.classificationTypeName | String | Classification name. |
| LogRhythm.Search.Results.logSourceName | String | Log source name. |
| LogRhythm.Search.Results.entityName | String | Entity name. |
| LogRhythm.Search.Results.normalDate | Date | Normalized date. |
| LogRhythm.Search.Results.vendorMessageId | String | Vendor message ID. |
| LogRhythm.Search.Results.priority | Number | Log priority. |
| LogRhythm.Search.Results.sequenceNumber | String | Sequence number. |
| LogRhythm.Search.Results.originHostId | Number | Origin host ID. |
| LogRhythm.Search.Results.mpeRuleId | Number | LogRhythm rule ID. |
| LogRhythm.Search.Results.originIp | String | Origin IP address. |
| LogRhythm.Search.Results.mpeRuleName | String | LogRhythm rule name. |
| LogRhythm.Search.Results.logSourceHostId | Number | Log source host ID. |
| LogRhythm.Search.Results.originHost | String | Origin host. |
| LogRhythm.Search.Results.logDate | Date | Log date. |
| LogRhythm.Search.Results.classificationName | String | Log classification name. |
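The Results items this command returns carry epoch-millisecond dates and, for the LogRhythm Data Indexer Monitor source shown in the context example below, a KEY=value logMessage whose ADDITIONALINFO holds the identity, role and action that were authorized. The following Python is an added example, not part of the integration: it projects an item onto the context paths documented above, renders the dates in UTC, parses that message format and cross-checks the two timestamps; the sample items are constructed from this page's context example, with the message ID fields and the Startup item's rule fields omitted.

```python
"""Post-process lr-get-query-result items (added example, not integration code)."""
import re
from datetime import datetime, timezone

# LogRhythm.Search.Results.* paths documented in the Context Output table.
CONTEXT_FIELDS = (
    "originEntityId", "impactedIp", "classificationTypeName", "logSourceName",
    "entityName", "normalDate", "vendorMessageId", "priority", "sequenceNumber",
    "originHostId", "mpeRuleId", "originIp", "mpeRuleName", "logSourceHostId",
    "originHost", "logDate", "classificationName",
)

# Constructed sample modelled on two Items of the Context Example on this page.
SAMPLE_ITEMS = [
    {
        "classificationName": "Authentication Success",
        "classificationTypeName": "Audit", "entityName": "Primary Site",
        "logDate": 1635624757414, "normalDate": 1635624757437,
        "logMessage": "2021-10-30 20:12:37.414 CODE=000030 MESSAGE=AuthorizationSuccess "
                      "HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo "
                      "TRIGGEREDWHEN=Data Indexer has granted access to a user or service "
                      "SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]]"
                      "[Role:[globalAdmin]][PersonID:[1]][Action:[search]]",
        "logSourceName": "LogrhythmDXMonitor", "logSourceHostId": 1,
        "mpeRuleId": 1490984, "mpeRuleName": "Authorization Success",
        "originEntityId": 1, "originHost": "HOSTNAME *", "originHostId": 1,
        "priority": 22, "vendorMessageId": "000030",
    },
    {
        "classificationName": "Startup and Shutdown",
        "classificationTypeName": "Audit", "entityName": "Primary Site",
        "logDate": 1635206477020, "normalDate": 1635206477020,
        "logMessage": "2021-10-26 00:01:17.020 CODE=000001 MESSAGE=ServiceStarting "
                      "HOST=HOSTNAME SEVERITY=Low SERVICENAME=carpenter "
                      "TRIGGEREDWHEN=Any service is requested to start "
                      "SUGGESTEDACTION=None ADDITIONALINFO=",
        "logSourceName": "LogrhythmDXMonitor", "logSourceHostId": 1,
        "originEntityId": 1, "originHost": "HOSTNAME *", "originHostId": 1,
        "vendorMessageId": "000001",
    },
]

# Leading "YYYY-MM-DD HH:MM:SS.mmm " timestamp, then the KEY=value body.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$", re.S)
# A value runs until the next " KEY=" token or the end of the message, so
# values may contain spaces (TRIGGEREDWHEN) or be empty (ADDITIONALINFO=).
_KV_RE = re.compile(r"([A-Z]+)=(.*?)(?=\s[A-Z]+=|$)", re.S)
# ADDITIONALINFO is a run of [Key:[value]] groups.
_INFO_RE = re.compile(r"\[(\w+):\[([^\]]*)\]\]")


def epoch_ms_to_utc(ms: int) -> str:
    """Render a LogRhythm epoch-millisecond date as 'YYYY-MM-DD HH:MM:SS.mmm' UTC.
    Integer arithmetic keeps the millisecond part exact."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ms % 1000:03d}"


def parse_dx_log_message(msg: str) -> dict:
    """Split a Data Indexer Monitor logMessage into timestamp, KEY=value fields
    and the ADDITIONALINFO pairs (an empty dict when that field is blank)."""
    m = _TS_RE.match(msg)
    if not m:
        raise ValueError(f"logMessage does not start with a timestamp: {msg[:40]!r}")
    ts, body = m.groups()
    fields = {k: v.strip() for k, v in _KV_RE.findall(body)}
    info = dict(_INFO_RE.findall(fields.get("ADDITIONALINFO", "")))
    return {"timestamp": ts, "fields": fields, "additional_info": info}


def timestamps_consistent(item: dict) -> bool:
    """True when the timestamp the Data Indexer wrote into logMessage equals the
    collector's logDate; a mismatch points at a clock or timezone problem."""
    parsed = parse_dx_log_message(item["logMessage"])
    return parsed["timestamp"] == epoch_ms_to_utc(item["logDate"])


def normalize_item(item: dict) -> dict:
    """Project one Results item onto the documented context paths and add
    UTC renderings of the dates plus the parsed message."""
    out = {k: item[k] for k in CONTEXT_FIELDS if k in item}
    for key in ("logDate", "normalDate"):
        if key in item:
            out[key + "Utc"] = epoch_ms_to_utc(item[key])
    out["parsedMessage"] = parse_dx_log_message(item["logMessage"])
    return out


def actions_by_role(items: list, role: str) -> list:
    """(timestamp, identity, action) for AuthorizationSuccess events granted
    to the given role, e.g. to review which identities hold globalAdmin."""
    hits = []
    for item in items:
        p = parse_dx_log_message(item["logMessage"])
        info = p["additional_info"]
        if p["fields"].get("MESSAGE") == "AuthorizationSuccess" and info.get("Role") == role:
            hits.append((p["timestamp"], info.get("Name"), info.get("Action")))
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_ITEMS:
        n = normalize_item(sample)
        print(n["logDateUtc"], n["parsedMessage"]["fields"]["MESSAGE"], timestamps_consistent(sample))
    print(actions_by_role(SAMPLE_ITEMS, "globalAdmin"))
```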

Command Example#

!lr-get-query-result task_id=88e1a446-b49d-4197-b599-26d4b3d1d1ac

Context Example#

{
"LogRhythm": {
"Search": {
"Results": {
"Items": [
{
"action": "none",
"classificationId": 1020,
"classificationName": "Authentication Success",
"classificationTypeName": "Audit",
"command": "authorizationsuccess",
"commonEventId": -1100516,
"commonEventName": "LogRhythm DX Authorization Success",
"count": 1,
"direction": 1,
"directionName": "Local",
"entityId": 1,
"entityName": "Primary Site",
"impactedEntityId": 1,
"impactedEntityName": "Primary Site",
"impactedHost": "HOSTNAME *",
"impactedHostId": 1,
"impactedHostName": "HOSTNAME",
"impactedZoneName": "Internal",
"indexedDate": 1635624839736,
"insertedDate": 1635624765372,
"keyField": "messageId",
"logDate": 1635624757414,
"logMessage": "2021-10-30 20:12:37.414 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]]",
"logSourceHost": "HOSTNAME",
"logSourceHostId": 1,
"logSourceHostName": "HOSTNAME",
"logSourceId": 16,
"logSourceName": "LogrhythmDXMonitor",
"logSourceType": 1000648,
"logSourceTypeName": "Flat File - LogRhythm Data Indexer Monitor",
"messageId": "209782fc-e20e-4fb1-ae24-834e8aba893f",
"messageTypeEnum": 1,
"mpeRuleId": 1490984,
"mpeRuleName": "Authorization Success",
"normalDate": 1635624757437,
"normalDateHour": 1635624000000,
"normalDateMin": 1635624757437,
"normalMsgDateMax": 1635624757437,
"originEntityId": 1,
"originEntityName": "Primary Site",
"originHost": "HOSTNAME *",
"originHostId": 1,
"originHostName": "HOSTNAME",
"originName": "HOSTNAME",
"originZone": 0,
"originZoneName": "Internal",
"priority": 22,
"process": "data indexer has granted access to a user or service",
"protocolId": -1,
"rootEntityId": 1,
"rootEntityName": "Primary Site",
"serviceId": -1000012,
"serviceName": "LogRhythm Data Indexer",
"session": "columbo",
"severity": "low",
"subject": "none",
"vendorMessageId": "000030"
},
{
"action": "none",
"classificationId": 1020,
"classificationName": "Authentication Success",
"classificationTypeName": "Audit",
"command": "authorizationsuccess",
"commonEventId": -1100516,
"commonEventName": "LogRhythm DX Authorization Success",
"count": 1,
"direction": 1,
"directionName": "Local",
"entityId": 1,
"entityName": "Primary Site",
"impactedEntityId": 1,
"impactedEntityName": "Primary Site",
"impactedHost": "HOSTNAME *",
"impactedHostId": 1,
"impactedHostName": "HOSTNAME",
"impactedZoneName": "Internal",
"indexedDate": 1635624839736,
"insertedDate": 1635344585283,
"keyField": "messageId",
"logDate": 1635344579793,
"logMessage": "2021-10-27 14:22:59.793 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]]",
"logSourceHost": "HOSTNAME",
"logSourceHostId": 1,
"logSourceHostName": "HOSTNAME",
"logSourceId": 16,
"logSourceName": "LogrhythmDXMonitor",
"logSourceType": 1000648,
"logSourceTypeName": "Flat File - LogRhythm Data Indexer Monitor",
"messageId": "c820d31f-181f-49bc-95bf-f8017fe43b28",
"messageTypeEnum": 1,
"mpeRuleId": 1490984,
"mpeRuleName": "Authorization Success",
"normalDate": 1635344579837,
"normalDateHour": 1635343200000,
"normalDateMin": 1635344579837,
"normalMsgDateMax": 1635344579837,
"originEntityId": 1,
"originEntityName": "Primary Site",
"originHost": "HOSTNAME *",
"originHostId": 1,
"originHostName": "HOSTNAME",
"originName": "HOSTNAME",
"originZone": 0,
"originZoneName": "Internal",
"priority": 22,
"process": "data indexer has granted access to a user or service",
"protocolId": -1,
"rootEntityId": 1,
"rootEntityName": "Primary Site",
"serviceId": -1000012,
"serviceName": "LogRhythm Data Indexer",
"session": "columbo",
"severity": "low",
"subject": "none",
"vendorMessageId": "000030"
},
{
"action": "none",
"classificationId": 1020,
"classificationName": "Authentication Success",
"classificationTypeName": "Audit",
"command": "authorizationsuccess",
"commonEventId": -1100516,
"commonEventName": "LogRhythm DX Authorization Success",
"count": 1,
"direction": 1,
"directionName": "Local",
"entityId": 1,
"entityName": "Primary Site",
"impactedEntityId": 1,
"impactedEntityName": "Primary Site",
"impactedHost": "HOSTNAME *",
"impactedHostId": 1,
"impactedHostName": "HOSTNAME",
"impactedZoneName": "Internal",
"indexedDate": 1635624839736,
"insertedDate": 1635624765372,
"keyField": "messageId",
"logDate": 1635624757382,
"logMessage": "2021-10-30 20:12:37.382 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]]",
"logSourceHost": "HOSTNAME",
"logSourceHostId": 1,
"logSourceHostName": "HOSTNAME",
"logSourceId": 16,
"logSourceName": "LogrhythmDXMonitor",
"logSourceType": 1000648,
"logSourceTypeName": "Flat File - LogRhythm Data Indexer Monitor",
"messageId": "69480e5e-75d4-43ee-9cb1-cbd7e1bbf6ac",
"messageTypeEnum": 1,
"mpeRuleId": 1490984,
"mpeRuleName": "Authorization Success",
"normalDate": 1635624757405,
"normalDateHour": 1635624000000,
"normalDateMin": 1635624757405,
"normalMsgDateMax": 1635624757405,
"originEntityId": 1,
"originEntityName": "Primary Site",
"originHost": "HOSTNAME *",
"originHostId": 1,
"originHostName": "HOSTNAME",
"originName": "HOSTNAME",
"originZone": 0,
"originZoneName": "Internal",
"priority": 22,
"process": "data indexer has granted access to a user or service",
"protocolId": -1,
"rootEntityId": 1,
"rootEntityName": "Primary Site",
"serviceId": -1000012,
"serviceName": "LogRhythm Data Indexer",
"session": "columbo",
"severity": "low",
"subject": "none",
"vendorMessageId": "000030"
},
{
"action": "none",
"classificationId": 1400,
"classificationName": "Startup and Shutdown",
"classificationTypeName": "Audit",
"command": "servicestarting",
"commonEventId": -1100490,
"commonEventName": "LogRhythm DX Starting",
"count": 1,
"direction": 1,
"directionName": "Local",
"entityId": 1,
"entityName": "Primary Site",
"impactedEntityId": 1,
"impactedEntityName": "Primary Site",
"impactedHost": "HOSTNAME *",
"impactedHostId": 1,
"impactedHostName": "HOSTNAME",
"impactedZoneName": "Internal",
"indexedDate": 1635624839736,
"insertedDate": 1635206479279,
"keyField": "messageId",
"logDate": 1635206477020,
"logMessage": "2021-10-26 00:01:17.020 CODE=000001 MESSAGE=ServiceStarting HOST=HOSTNAME SEVERITY=Low SERVICENAME=carpenter TRIGGEREDWHEN=Any service is requested to start SUGGESTEDACTION=None ADDITIONALINFO=",
"logSourceHost": "HOSTNAME",
"logSourceHostId": 1,
"logSourceHostName": "HOSTNAME",
"logSourceId": 16,
"logSourceName": "LogrhythmDXMonitor",
"logSourceType": 1000648,
"logSourceTypeName": "Flat File - LogRhythm Data Indexer Monitor",
"messageId": "5ce64f92-430c-4d4c-9279-0606daedd670",
"messageTypeEnum": 1,
"mpeRuleId": 1349761,
"mpeRuleName": "Sevice Starting",
"normalDate": 1635206477049,
"normalDateHour": 1635206400000,
"normalDateMin": 1635206477049,
"normalMsgDateMax": 1635206477049,
"originEntityId": 1,
"originEntityName": "Primary Site",
"originHost": "HOSTNAME *",
"originHostId": 1,
"originHostName": "HOSTNAME",
"originName": "HOSTNAME",
"originZone": 0,
"originZoneName": "Internal",
"priority": 31,
"process": "any service is requested to start",
"protocolId": -1,
"rootEntityId": 1,
"rootEntityName": "Primary Site",
"serviceId": -1000012,
"serviceName": "LogRhythm Data Indexer",
"session": "carpenter",
"severity": "low",
"subject": "none",
"vendorMessageId": "000001"
},
{
"action": "none",
"classificationId": 1020,
"classificationName": "Authentication Success",
"classificationTypeName": "Audit",
"command": "authorizationsuccess",
"commonEventId": -1100516,
"commonEventName": "LogRhythm DX Authorization Success",
"count": 1,
"direction": 1,
"directionName": "Local",
"entityId": 1,
"entityName": "Primary Site",
"impactedEntityId": 1,
"impactedEntityName": "Primary Site",
"impactedHost": "HOSTNAME *",
"impactedHostId": 1,
"impactedHostName": "HOSTNAME",
"impactedZoneName": "Internal",
"indexedDate": 1635624839736,
"insertedDate": 1635352038849,
"keyField": "messageId",
"logDate": 1635352029023,
"logMessage": "2021-10-27 16:27:09.023 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]]",
"logSourceHost": "HOSTNAME",
"logSourceHostId": 1,
"logSourceHostName": "HOSTNAME",
"logSourceId": 16,
"logSourceName": "LogrhythmDXMonitor",
"logSourceType": 1000648,
"logSourceTypeName": "Flat File - LogRhythm Data Indexer Monitor",
"messageId": "c6d33902-89d3-4395-a240-56569f4d17a0",
"messageTypeEnum": 1,
"mpeRuleId": 1490984,
"mpeRuleName": "Authorization Success",
"normalDate": 1635352029071,
"normalDateHour": 1635350400000,
"normalDateMin": 1635352029071,
"normalMsgDateMax": 1635352029071,
"originEntityId": 1,
"originEntityName": "Primary Site",
"originHost": "HOSTNAME *",
"originHostId": 1,
"originHostName": "HOSTNAME",
"originName": "HOSTNAME",
"originZone": 0,
"originZoneName": "Internal",
"priority": 22,
"process": "data indexer has granted access to a user or service",
"protocolId": -1,
"rootEntityId": 1,
"rootEntityName": "Primary Site",
"serviceId": -1000012,
"serviceName": "LogRhythm Data Indexer",
"session": "columbo",
"severity": "low",
"subject": "none",
"vendorMessageId": "000030"
},
{
"action": "none",
"classificationId": 1020,
"classificationName": "Authentication Success",
"classificationTypeName": "Audit",
"command": "authorizationsuccess",
"commonEventId": -1100516,
"commonEventName": "LogRhythm DX Authorization Success",
"count": 1,
"direction": 1,
"directionName": "Local",
"entityId": 1,
"entityName": "Primary Site",
"impactedEntityId": 1,
"impactedEntityName": "Primary Site",
"impactedHost": "HOSTNAME *",
"impactedHostId": 1,
"impactedHostName": "HOSTNAME",
"impactedZoneName": "Internal",
"indexedDate": 1635624839736,
"insertedDate": 1635624745374,
"keyField": "messageId",
"logDate": 1635624729847,
"logMessage": "2021-10-30 20:12:09.847 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]]",
"logSourceHost": "HOSTNAME",
"logSourceHostId": 1,
"logSourceHostName": "HOSTNAME",
"logSourceId": 16,
"logSourceName": "LogrhythmDXMonitor",
"logSourceType": 1000648,
"logSourceTypeName": "Flat File - LogRhythm Data Indexer Monitor",
"messageId": "8641126b-db6a-437f-9e67-07b9f51ee3e9",
"messageTypeEnum": 1,
"mpeRuleId": 1490984,
"mpeRuleName": "Authorization Success",
"normalDate": 1635624729870,
"normalDateHour": 1635624000000,
"normalDateMin": 1635624729870,
"normalMsgDateMax": 1635624729870,
"originEntityId": 1,
"originEntityName": "Primary Site",
"originHost": "HOSTNAME *",
"originHostId": 1,
"originHostName": "HOSTNAME",
"originName": "HOSTNAME",
"originZone": 0,
"originZoneName": "Internal",
"priority": 22,
"process": "data indexer has granted access to a user or service",
"protocolId": -1,
"rootEntityId": 1,
"rootEntityName": "Primary Site",
"serviceId": -1000012,
"serviceName": "LogRhythm Data Indexer",
"session": "columbo",
"severity": "low",
"subject": "none",
"vendorMessageId": "000030"
},
{
"action": "none",
"classificationId": 1400,
"classificationName": "Startup and Shutdown",
"classificationTypeName": "Audit",
"command": "servicestarted",
"commonEventId": -1100491,
"commonEventName": "LogRhythm DX Started",
"count": 1,
"direction": 1,
"directionName": "Local",
"entityId": 1,
"entityName": "Primary Site",
"impactedEntityId": 1,
"impactedEntityName": "Primary Site",
"impactedHost": "HOSTNAME *",
"impactedHostId": 1,
"impactedHostName": "HOSTNAME",
"impactedZoneName": "Internal",
"indexedDate": 1635624839736,
"insertedDate": 1635206489338,
"keyField": "messageId",
"logDate": 1635206479386,
"logMessage": "2021-10-26 00:01:19.386 CODE=000002 MESSAGE=ServiceStarted HOST=HOSTNAME SEVERITY=Low SERVICENAME=carpenter TRIGGEREDWHEN=Any service completes startup SUGGESTEDACTION=None ADDITIONALINFO=",
"logSourceHost": "HOSTNAME",
"logSourceHostId": 1,
"logSourceHostName": "HOSTNAME",
"logSourceId": 16,
"logSourceName": "LogrhythmDXMonitor",
"logSourceType": 1000648,
"logSourceTypeName": "Flat File - LogRhythm Data Indexer Monitor",
"messageId": "88997979-edf6-4b1f-82ed-7ebbd7bcce46",
"messageTypeEnum": 1,
"mpeRuleId": 1349763,
"mpeRuleName": "Service Started",
"normalDate": 1635206479415,
"normalDateHour": 1635206400000,
"normalDateMin": 1635206479415,
"normalMsgDateMax": 1635206479415,
"originEntityId": 1,
"originEntityName": "Primary Site",
"originHost": "HOSTNAME *",
"originHostId": 1,
"originHostName": "HOSTNAME",
"originName": "HOSTNAME",
"originZone": 0,
"originZoneName": "Internal",
"priority": 31,
"process": "any service completes startup",
"protocolId": -1,
"rootEntityId": 1,
"rootEntityName": "Primary Site",
"serviceId": -1000012,
"serviceName": "LogRhythm Data Indexer",
"session": "carpenter",
"severity": "low",
"subject": "none",
"vendorMessageId": "000002"
}
],
"TaskId": "88e1a446-b49d-4197-b599-26d4b3d1d1ac",
"TaskStatus": "Completed: All Results"
}
}
}
}

Human Readable Output#

Search results for task 88e1a446-b49d-4197-b599-26d4b3d1d1ac#

| Action | Classification Id | Classification Name | Classification Type Name | Command | Common Event Id | Common Event Name | Count | Direction | Direction Name | Entity Id | Entity Name | Impacted Entity Id | Impacted Entity Name | Impacted Host | Impacted Host Id | Impacted Host Name | Impacted Zone Name | Indexed Date | Inserted Date | Key Field | Log Date | Log Message | Log Source Host | Log Source Host Id | Log Source Host Name | Log Source Id | Log Source Name | Log Source Type | Log Source Type Name | Message Id | Message Type Enum | Mpe Rule Id | Mpe Rule Name | Normal Date | Normal Date Hour | Normal Date Min | Normal Msg Date Max | Origin Entity Id | Origin Entity Name | Origin Host | Origin Host Id | Origin Host Name | Origin Name | Origin Zone | Origin Zone Name | Priority | Process | Protocol Id | Root Entity Id | Root Entity Name | Service Id | Service Name | Session | Severity | Subject | Vendor Message Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| none | 1020 | Authentication Success | Audit | authorizationsuccess | -1100516 | LogRhythm DX Authorization Success | 1 | 1 | Local | 1 | Primary Site | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | Internal | 1635624839736 | 1635624765372 | messageId | 1635624757414 | 2021-10-30 20:12:37.414 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]] | HOSTNAME | 1 | HOSTNAME | 16 | LogrhythmDXMonitor | 1000648 | Flat File - LogRhythm Data Indexer Monitor | 209782fc-e20e-4fb1-ae24-834e8aba893f | 1 | 1490984 | Authorization Success | 1635624757437 | 1635624000000 | 1635624757437 | 1635624757437 | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | HOSTNAME | 0 | Internal | 22 | data indexer has granted access to a user or service | -1 | 1 | Primary Site | -1000012 | LogRhythm Data Indexer | columbo | low | none | 000030 |
| none | 1020 | Authentication Success | Audit | authorizationsuccess | -1100516 | LogRhythm DX Authorization Success | 1 | 1 | Local | 1 | Primary Site | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | Internal | 1635624839736 | 1635344585283 | messageId | 1635344579793 | 2021-10-27 14:22:59.793 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]] | HOSTNAME | 1 | HOSTNAME | 16 | LogrhythmDXMonitor | 1000648 | Flat File - LogRhythm Data Indexer Monitor | c820d31f-181f-49bc-95bf-f8017fe43b28 | 1 | 1490984 | Authorization Success | 1635344579837 | 1635343200000 | 1635344579837 | 1635344579837 | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | HOSTNAME | 0 | Internal | 22 | data indexer has granted access to a user or service | -1 | 1 | Primary Site | -1000012 | LogRhythm Data Indexer | columbo | low | none | 000030 |
| none | 1020 | Authentication Success | Audit | authorizationsuccess | -1100516 | LogRhythm DX Authorization Success | 1 | 1 | Local | 1 | Primary Site | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | Internal | 1635624839736 | 1635624765372 | messageId | 1635624757382 | 2021-10-30 20:12:37.382 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]] | HOSTNAME | 1 | HOSTNAME | 16 | LogrhythmDXMonitor | 1000648 | Flat File - LogRhythm Data Indexer Monitor | 69480e5e-75d4-43ee-9cb1-cbd7e1bbf6ac | 1 | 1490984 | Authorization Success | 1635624757405 | 1635624000000 | 1635624757405 | 1635624757405 | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | HOSTNAME | 0 | Internal | 22 | data indexer has granted access to a user or service | -1 | 1 | Primary Site | -1000012 | LogRhythm Data Indexer | columbo | low | none | 000030 |
| none | 1400 | Startup and Shutdown | Audit | servicestarting | -1100490 | LogRhythm DX Starting | 1 | 1 | Local | 1 | Primary Site | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | Internal | 1635624839736 | 1635206479279 | messageId | 1635206477020 | 2021-10-26 00:01:17.020 CODE=000001 MESSAGE=ServiceStarting HOST=HOSTNAME SEVERITY=Low SERVICENAME=carpenter TRIGGEREDWHEN=Any service is requested to start SUGGESTEDACTION=None ADDITIONALINFO= | HOSTNAME | 1 | HOSTNAME | 16 | LogrhythmDXMonitor | 1000648 | Flat File - LogRhythm Data Indexer Monitor | 5ce64f92-430c-4d4c-9279-0606daedd670 | 1 | 1349761 | Sevice Starting | 1635206477049 | 1635206400000 | 1635206477049 | 1635206477049 | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | HOSTNAME | 0 | Internal | 31 | any service is requested to start | -1 | 1 | Primary Site | -1000012 | LogRhythm Data Indexer | carpenter | low | none | 000001 |
| none | 1020 | Authentication Success | Audit | authorizationsuccess | -1100516 | LogRhythm DX Authorization Success | 1 | 1 | Local | 1 | Primary Site | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | Internal | 1635624839736 | 1635352038849 | messageId | 1635352029023 | 2021-10-27 16:27:09.023 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]] | HOSTNAME | 1 | HOSTNAME | 16 | LogrhythmDXMonitor | 1000648 | Flat File - LogRhythm Data Indexer Monitor | c6d33902-89d3-4395-a240-56569f4d17a0 | 1 | 1490984 | Authorization Success | 1635352029071 | 1635350400000 | 1635352029071 | 1635352029071 | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | HOSTNAME | 0 | Internal | 22 | data indexer has granted access to a user or service | -1 | 1 | Primary Site | -1000012 | LogRhythm Data Indexer | columbo | low | none | 000030 |
| none | 1020 | Authentication Success | Audit | authorizationsuccess | -1100516 | LogRhythm DX Authorization Success | 1 | 1 | Local | 1 | Primary Site | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | Internal | 1635624839736 | 1635624745374 | messageId | 1635624729847 | 2021-10-30 20:12:09.847 CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]][ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]] | HOSTNAME | 1 | HOSTNAME | 16 | LogrhythmDXMonitor | 1000648 | Flat File - LogRhythm Data Indexer Monitor | 8641126b-db6a-437f-9e67-07b9f51ee3e9 | 1 | 1490984 | Authorization Success | 1635624729870 | 1635624000000 | 1635624729870 | 1635624729870 | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | HOSTNAME | 0 | Internal | 22 | data indexer has granted access to a user or service | -1 | 1 | Primary Site | -1000012 | LogRhythm Data Indexer | columbo | low | none | 000030 |
| none | 1400 | Startup and Shutdown | Audit | servicestarted | -1100491 | LogRhythm DX Started | 1 | 1 | Local | 1 | Primary Site | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | Internal | 1635624839736 | 1635206489338 | messageId | 1635206479386 | 2021-10-26 00:01:19.386 CODE=000002 MESSAGE=ServiceStarted HOST=HOSTNAME SEVERITY=Low SERVICENAME=carpenter TRIGGEREDWHEN=Any service completes startup SUGGESTEDACTION=None ADDITIONALINFO= | HOSTNAME | 1 | HOSTNAME | 16 | LogrhythmDXMonitor | 1000648 | Flat File - LogRhythm Data Indexer Monitor | 88997979-edf6-4b1f-82ed-7ebbd7bcce46 | 1 | 1349763 | Service Started | 1635206479415 | 1635206400000 | 1635206479415 | 1635206479415 | 1 | Primary Site | HOSTNAME * | 1 | HOSTNAME | HOSTNAME | 0 | Internal | 31 | any service completes startup | -1 | 1 | Primary Site | -1000012 | LogRhythm Data Indexer | carpenter | low | none | 000002 |
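As an added example (not part of the integration or of LogRhythm's code), the following Python parses the `logMessage` strings returned in `LogRhythm.Search.Results` above into their `KEY=value` fields and the bracketed `ADDITIONALINFO` pairs, then reports which account names and roles were granted Data Indexer access. It assumes only the line layout visible in these samples; the sample records are copied from the output above and trimmed to the fields used.

```python
from __future__ import annotations

import re
from collections import Counter

# Layout assumed from the sample logMessage values above (not a documented
# LogRhythm grammar): "<timestamp> KEY=value KEY=value ... ADDITIONALINFO=[k:[v]]..."
TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<rest>.*)$")
# A value runs until the next " KEY=" token (upper-case key) or the end of the line,
# so values that contain spaces (TRIGGEREDWHEN=...) survive intact.
PAIR_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>.*?)(?= [A-Z]+=|$)")
# ADDITIONALINFO entries look like [Name:[lr-soap-api]][Role:[globalAdmin]].
INFO_RE = re.compile(r"\[([^\[\]:]+):\[([^\[\]]*)\]\]")


def _auth_line(ts: str) -> str:
    # Helper for the constructed sample: the AuthorizationSuccess line from the output above.
    return (f"{ts} CODE=000030 MESSAGE=AuthorizationSuccess HOST=HOSTNAME SEVERITY=Low "
            "SERVICENAME=columbo TRIGGEREDWHEN=Data Indexer has granted access to a user or service "
            "SUGGESTEDACTION=None ADDITIONALINFO=[Name:[lr-soap-api]][Role:[globalAdmin]][PersonID:[1]]"
            "[ID:[1af934a9-4a1e-46ac-9201-63d33f884347]][Action:[search]]")


# Constructed input: search-result records from the output above, trimmed to the fields used here.
SAMPLE_RESULTS = [
    {"messageId": "69480e5e-75d4-43ee-9cb1-cbd7e1bbf6ac", "logMessage": _auth_line("2021-10-30 20:12:37.382")},
    {"messageId": "c6d33902-89d3-4395-a240-56569f4d17a0", "logMessage": _auth_line("2021-10-27 16:27:09.023")},
    {"messageId": "8641126b-db6a-437f-9e67-07b9f51ee3e9", "logMessage": _auth_line("2021-10-30 20:12:09.847")},
    {"messageId": "5ce64f92-430c-4d4c-9279-0606daedd670",
     "logMessage": "2021-10-26 00:01:17.020 CODE=000001 MESSAGE=ServiceStarting HOST=HOSTNAME SEVERITY=Low "
                   "SERVICENAME=carpenter TRIGGEREDWHEN=Any service is requested to start "
                   "SUGGESTEDACTION=None ADDITIONALINFO="},
    {"messageId": "88997979-edf6-4b1f-82ed-7ebbd7bcce46",
     "logMessage": "2021-10-26 00:01:19.386 CODE=000002 MESSAGE=ServiceStarted HOST=HOSTNAME SEVERITY=Low "
                   "SERVICENAME=carpenter TRIGGEREDWHEN=Any service completes startup "
                   "SUGGESTEDACTION=None ADDITIONALINFO="},
]


def parse_dx_log_message(message: str) -> dict:
    """Split one Data Indexer Monitor line into its KEY=value fields.
    ADDITIONALINFO is returned as a dict of its bracketed pairs ({} when empty)."""
    match = TIMESTAMP_RE.match(message)
    if not match:
        raise ValueError(f"unexpected logMessage layout: {message[:40]!r}")
    fields: dict = {"timestamp": match.group("ts")}
    for pair in PAIR_RE.finditer(match.group("rest")):
        fields[pair.group("key")] = pair.group("value")
    fields["ADDITIONALINFO"] = dict(INFO_RE.findall(fields.get("ADDITIONALINFO", "")))
    return fields


def summarize_authorizations(results: list[dict]) -> Counter:
    """Count AuthorizationSuccess events per (Name, Role, Action) over
    LogRhythm.Search.Results records; other message types are skipped."""
    counts: Counter = Counter()
    for record in results:
        fields = parse_dx_log_message(record["logMessage"])
        if fields.get("MESSAGE") != "AuthorizationSuccess":
            continue
        info = fields["ADDITIONALINFO"]
        counts[(info.get("Name", "?"), info.get("Role", "?"), info.get("Action", "?"))] += 1
    return counts


def privileged_accessors(results: list[dict], roles: tuple[str, ...] = ("globalAdmin",)) -> list[str]:
    """Account names granted access under one of the given roles (globalAdmin is the
    role seen in the sample data), de-duplicated and sorted for review."""
    return sorted({name for (name, role, _action) in summarize_authorizations(results) if role in roles})


if __name__ == "__main__":
    for (name, role, action), n in sorted(summarize_authorizations(SAMPLE_RESULTS).items()):
        print(f"{name:<12} {role:<12} {action:<8} {n}")
    print("privileged accessors:", privileged_accessors(SAMPLE_RESULTS))
```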

lr-add-host#


Add a new host to an entity.

Base Command#

lr-add-host

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entity-id | The entity ID for the host. | Optional |
| entity-name | The entity name for the host. | Required |
| name | The name of the host. | Required |
| short-description | A brief description of the component. | Optional |
| long-description | A full description of the component. | Optional |
| risk-level | The host risk level. Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. | Required |
| threat-level | The host threat level. Possible values are: None, Low-Low, Low-Medium, Low-High, Medium-Low, Medium-Medium, Medium-High, High-Low, High-Medium, High-High. | Optional |
| threat-level-comments | Comments for the host threat level. | Optional |
| host-status | The host status. Possible values are: Retired, Active. | Required |
| host-zone | The host zone. Possible values are: External, DMZ, Internal. | Required |
| use-eventlog-credentials | Whether to use the event log credentials. Possible values are: true, false. | Required |
| os-type | The agent server type on which the operating system is installed. Possible values are: None, Server, Desktop. | Optional |
| os | The operating system type supported by LogRhythm. Possible values are: Unknown, Other, WindowsNT4, Windows2000Professional, Windows2000Server, Windows2003Standard, Windows2003Enterprise, Windows95, WindowsXP, WindowsVista, Linux, Solaris, AIX, HPUX, Windows. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Host.id | Number | The host ID. |
| LogRhythm.Host.entity.id | Number | The host entity ID. |
| LogRhythm.Host.entity.name | String | The host entity name. |
| LogRhythm.Host.name | String | The host name. |
| LogRhythm.Host.riskLevel | String | The host risk level. |
| LogRhythm.Host.threatLevel | String | The host threat level. |
| LogRhythm.Host.threatLevelComments | String | The threat level comments. |
| LogRhythm.Host.recordStatusName | String | The host record status name. |
| LogRhythm.Host.hostZone | String | The host zone. |
| LogRhythm.Host.location.id | Number | The host location ID. |
| LogRhythm.Host.os | String | The operating system type supported by LogRhythm. |
| LogRhythm.Host.useEventlogCredentials | Boolean | Whether to use the event log credentials. |
| LogRhythm.Host.osType | String | The agent server type on which the operating system is installed. |
| LogRhythm.Host.dateUpdated | Date | The date the host was updated. |

Command Example#

!lr-add-host entity-name=`Global Entity` host-status=Retired host-zone=DMZ name=test_host223322 os=AIX risk-level="High-High" use-eventlog-credentials=false

Context Example#

{
"LogRhythm": {
"Host": {
"dateUpdated": "2021-10-30T20:33:51.01Z",
"entity": {
"id": -100,
"name": "Global Entity"
},
"hostZone": "DMZ",
"id": 9,
"location": {
"id": -1
},
"name": "test_host223322",
"os": "AIX",
"osType": "Server",
"recordStatusName": "Retired",
"riskLevel": "High-High",
"threatLevel": "None",
"threatLevelComments": "",
"useEventlogCredentials": false
}
}
}

Human Readable Output#

Host added successfully#

| Date Updated | Entity | Host Zone | Id | Location | Name | Os | Os Type | Record Status Name | Risk Level | Threat Level | Threat Level Comments | Use Eventlog Credentials |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-10-30T20:33:51.01Z | id: -100<br>name: Global Entity | DMZ | 9 | id: -1 | test_host223322 | AIX | Server | Retired | High-High | None |  | false |

endpoint#


Returns information about an endpoint.

Base Command#

endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The endpoint ID. | Optional |
| hostname | The endpoint hostname. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.Hostname | String | The endpoint's hostname. |
| Endpoint.IPAddress | String | The endpoint's IP address. |
| Endpoint.ID | String | The endpoint's ID. |

Command Example#

!endpoint hostname=HOSTNAME

Context Example#

{
"Endpoint": {
"Hostname": "HOSTNAME",
"ID": 1,
"OS": "Windows",
"OSVersion": "Microsoft Windows NT 10.0.17763.0",
"Status": "Online"
}
}

Human Readable Output#

Logrhythm endpoint#

| Date Updated | Entity | Host Identifiers | Host Roles | Host Zone | Id | Location | Name | Os | Os Type | Os Version | Record Status Name | Risk Level | Short Desc | Threat Level | Threat Level Comments | Use Eventlog Credentials |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-07-29T14:55:16.427Z | id: 1<br>name: Primary Site | {'type': 'WindowsName', 'value': 'HOSTNAME', 'dateAssigned': '2021-07-27T15:55:40.717Z'},<br>{'type': 'IPAddress', 'value': '127.0.0.1', 'dateAssigned': '2021-07-27T15:55:40.717Z'} |  | Internal | 1 | id: -1 | HOSTNAME | Windows | Server | Microsoft Windows NT 10.0.17763.0 | Active | Medium-Medium | This is the LogRhythm Platform Manager host. | None |  | false |

lr-hosts-status-update#


Updates the status of a host to Retired or Active.

Base Command#

lr-hosts-status-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| host_id | The host ID. | Required |
| host_status | The host status. Possible values are: Retired, Active. | Required |

Context Output#

There is no context output for this command.

Command Example#

!lr-hosts-status-update host_id=7 host_status=Active

Human Readable Output#

Host status updated successfully to Active.

lr-networks-list#


Returns all networks that match the specified criteria.

Base Command#

lr-networks-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| network_id | Filter by network ID. | Optional |
| name | Filter by name. | Optional |
| record_status | Filter by object record status. Possible values are: all, retired, active. | Optional |
| bip | The starting IP address on which to filter records, e.g., 127.0.0.1. | Optional |
| eip | The ending IP address on which to filter records, e.g., 127.0.0.1. | Optional |
| count | The number of networks to return. Default is 50. | Optional |
| offset | The number of networks to skip before starting to collect the result set. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| LogRhythm.Network.entity.id | Number | The network entity ID. |
| LogRhythm.Network.entity.name | String | The network entity name. |
| LogRhythm.Network.name | String | The network name. |
| LogRhythm.Network.shortDesc | String | The network short description. |
| LogRhythm.Network.longDesc | String | The network long description. |
| LogRhythm.Network.riskLevel | String | The network risk level. |
| LogRhythm.Network.threatLevel | String | The network threat level. |
| LogRhythm.Network.threatLevelComment | String | The threat level comments. |
| LogRhythm.Network.recordStatusName | String | The network record status name. |
| LogRhythm.Network.hostZone | String | The network zone. |
| LogRhythm.Network.location.id | Number | The network location ID. |
| LogRhythm.Network.location.name | String | The network location name. |
| LogRhythm.Network.bip | String | Starting IP address. |
| LogRhythm.Network.eip | String | Ending IP address. |
| LogRhythm.Network.dateUpdated | Date | The date the network was last updated. |
| LogRhythm.Network.id | Number | The network ID. |

Command Example#

!lr-networks-list count=2

Context Example#

{
"LogRhythm": {
"Network": [
{
"bip": "1.1.1.1",
"dateUpdated": "2021-10-12T13:48:43.133Z",
"eip": "2.2.2.2",
"entity": {
"id": -100,
"name": "Global Entity"
},
"hostZone": "Internal",
"id": 1,
"location": {
"id": 1,
"name": "Andorra"
},
"longDesc": "This is a test network",
"name": "Test network",
"recordStatusName": "Active",
"riskLevel": "None",
"shortDesc": "This is a test network",
"threatLevel": "None",
"threatLevelComment": "string"
},
{
"bip": "127.0.0.1",
"dateUpdated": "2021-10-12T14:01:21.54Z",
"eip": "127.0.0.2",
"entity": {
"id": -100,
"name": "Global Entity"
},
"hostZone": "Internal",
"id": 2,
"location": {
"id": 1,
"name": "Andorra"
},
"longDesc": "This is a test network",
"name": "Test network2",
"recordStatusName": "Active",
"riskLevel": "None",
"shortDesc": "This is a test network",
"threatLevel": "None",
"threatLevelComment": "string"
}
]
}
}

Human Readable Output#

Networks#

| Id | Name | Short Desc | Long Desc | Record Status Name | Bip | Eip | Entity | Risk Level | Date Updated | Threat Level | Threat Level Comment | Host Zone | Location |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Test network | This is a test network | This is a test network | Active | 1.1.1.1 | 2.2.2.2 | id: -100<br>name: Global Entity | None | 2021-10-12T13:48:43.133Z | None | string | Internal | id: 1<br>name: Andorra |
| 2 | Test network2 | This is a test network | This is a test network | Active | 127.0.0.1 | 127.0.0.2 | id: -100<br>name: Global Entity | None | 2021-10-12T14:01:21.54Z | None | string | Internal | id: 1<br>name: Andorra |

Breaking changes from the previous version of this integration - LogRhythmRest v2#

The following sections list the changes in this version.

Commands#

The following commands were removed in this version:#

  • lr-execute-query
  • lr-get-persons
  • lr-get-logins
  • lr-get-privileges
  • lr-get-profiles
  • lr-add-login
  • lr-add-user
  • lr-get-hosts-by-entity - this command was replaced by lr-hosts-list.
  • lr-update-host-status - this command was replaced by lr-hosts-status-update.
  • lr-get-networks - this command was replaced by lr-networks-list.
  • lr-get-hosts - this command was replaced by lr-hosts-list.
  • lr-get-alarm-data - this command was replaced by lr-alarms-list.
  • lr-get-alarm-events - this command was replaced by lr-alarm-events-list.
  • lr-get-case-evidence - this command was replaced by lr-case-evidence-list.
  • lr-get-users - this command was replaced by lr-users-list.

Arguments#

The following arguments were removed in this version:#

In the lr-execute-search-query command:

  • max_massage - this argument was replaced by max_message.

Outputs#

The following outputs were removed in this version:#

In the lr-add-host command:

  • Logrhythm.Host.EntityId - this output was replaced by LogRhythm.Host.entity.id.
  • Logrhythm.Host.EntityName - this output was replaced by LogRhythm.Host.entity.name.
  • Logrhythm.Host.Status - this output was replaced by LogRhythm.Host.recordStatusName.

In the lr-get-query-result command:

  • Logrhythm.Search.Results.TaskStatus - this output was replaced by LogRhythm.Search.TaskStatus.
  • Logrhythm.Search.Results.TaskID - this output was replaced by LogRhythm.Search.TaskId.
  • Logrhythm.Search.Results.Items.originEntityId - this output was replaced by LogRhythm.Search.Results.originEntityId.
  • Logrhythm.Search.Results.Items.impactedIp - this output was replaced by LogRhythm.Search.Results.impactedIp.
  • Logrhythm.Search.Results.Items.classificationTypeName - this output was replaced by LogRhythm.Search.Results.classificationTypeName.
  • Logrhythm.Search.Results.Items.logSourceName - this output was replaced by LogRhythm.Search.Results.logSourceName.
  • Logrhythm.Search.Results.Items.entityName - this output was replaced by LogRhythm.Search.Results.entityName.
  • Logrhythm.Search.Results.Items.normalDate - this output was replaced by LogRhythm.Search.Results.normalDate.
  • Logrhythm.Search.Results.Items.vendorMessageId - this output was replaced by LogRhythm.Search.Results.vendorMessageId.
  • Logrhythm.Search.Results.Items.priority - this output was replaced by LogRhythm.Search.Results.priority.
  • Logrhythm.Search.Results.Items.sequenceNumber - this output was replaced by LogRhythm.Search.Results.sequenceNumber.
  • Logrhythm.Search.Results.Items.originHostId - this output was replaced by LogRhythm.Search.Results.originHostId.
  • Logrhythm.Search.Results.Items.mpeRuleId - this output was replaced by LogRhythm.Search.Results.mpeRuleId.
  • Logrhythm.Search.Results.Items.originIp - this output was replaced by LogRhythm.Search.Results.originIp.
  • Logrhythm.Search.Results.Items.mpeRuleName - this output was replaced by LogRhythm.Search.Results.mpeRuleName.
  • Logrhythm.Search.Results.Items.logSourceHostId - this output was replaced by LogRhythm.Search.Results.logSourceHostId.
  • Logrhythm.Search.Results.Items.originHost - this output was replaced by LogRhythm.Search.Results.originHost.
  • Logrhythm.Search.Results.Items.logDate - this output was replaced by LogRhythm.Search.Results.logDate.
  • Logrhythm.Search.Results.Items.classificationName - this output was replaced by LogRhythm.Search.Results.classificationName.

In the lr-execute-search-query command:

  • Logrhythm.Search.Task.TaskID - this output was replaced by LogRhythm.Search.TaskId.