Automation Use Cases Using LogRhythm.Tools


LogRhythm.Tools is a PowerShell framework which acts as a wrapper for the LogRhythm API. This simplifies interactions with the LogRhythm API because you only need to run a PowerShell cmdlet to call an API function, rather than a direct interaction with your own code.

Automating tasks with the LogRhythm API is a great way to improve your security operations. This tutorial will show you how to use LogRhythm.Tools and walk you through some sample use cases.

How to Get Started with LogRhythm.Tools

Installation is simple: All you need to do is extract a zip file and run two commands.

To get started, download LogRhythm.Tools and follow the steps here. To interact with the API, you can now simply run a PowerShell cmdlet. To test the setup, open a PowerShell prompt, navigate to the folder where you extracted the file, then run these commands:

Import-Module LogRhythm.Tools
Get-LrLists

The output should show details of the lists configured within your LogRhythm deployment.

3 Automation Use Cases

Now that we have set up LogRhythm.Tools, let’s look at several automation use cases.

1. Monitoring Recently Resigned Employees

A common scenario is performing additional monitoring on employees who have recently resigned and are working through their notice period. This can be done by setting up a list of employee names in LogRhythm. Automating the maintenance of this list is important. For LogRhythm Cloud users, this can only be done via the API.

Using LogRhythm.Tools, you can synchronize a list using this cmdlet:

Sync-LrListItems

If you obtain a list of “leavers,” you can automatically add them to a list for closer monitoring by the security team.

This can be done with a small PowerShell script that is scheduled to read a specified text file. It can then call the LogRhythm.Tools cmdlet to update the list.

Figure 1: Automate adding a list of users

The following PowerShell snippet is all you need to sync the usernames to the ‘user_list’ within LogRhythm:

$names = Get-Content C:\folder\users.txt
Sync-LrListItems -name 'user_list' $names

Lists are very important in any SIEM deployment. They can contain items of interest such as hostnames, usernames, IP addresses, and more. You can use lists in your dashboard filters, searches, reports, and correlation rules.

2. Adding EDR Search Results to a Case

A SIEM integrated with an endpoint detection and response (EDR) tool provides powerful automation opportunities.

For example, a correlation rule on the SIEM can automatically trigger an indicator of compromise (IOC) search on the EDR. The process flow could start with a conviction from a malware sandbox, which in turn triggers the EDR search. The search can look for a known bad file hash, process hash, or network connection across all endpoints.

If any matches are found, the results (such as hostnames) can be automatically added to a case in LogRhythm. This means that when an analyst picks up the case, it will already have the relevant information.

A note can be added to a case with this LogRhythm.Tools cmdlet:

Add-LrNoteToCase


Figure 2: Sample automation workflow including LogRhythm.Tools

Example usage of this cmdlet is:

Add-LrNoteToCase -Id <caseID> -Text <Hostnames extracted from EDR search results> -PassThru

3. Matching Log Sources to an Asset List

Another common SIEM administration task is to ensure all relevant assets that require monitoring are being monitored. However, this can divert a security analyst’s valuable time away from detecting threats.

Therefore, you must automate such tasks as much as possible. Luckily, LogRhythm.Tools can help solve this challenge with this cmdlet:

Get-LrLogSources


Figure 3: Automating asset list checking

The PowerShell required to retrieve a formatted list of log sources using LogRhythm.Tools is as basic as the two lines below. With some processing, this list can then be compared with an asset list to identify any log sources which require onboarding:

$cmdOutput = Get-LrLogSources
$cmdOutput | Format-Table | Out-String | Write-Host
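As an added example (not code from the article or from the LogRhythm.Tools project), the script below carries out the comparison described above. It assumes an asset inventory at C:\folder\assets.txt with one hostname per line, and that each object returned by Get-LrLogSources exposes its collecting host as host.name; both are assumptions, not something the article states.

```powershell
# Added example; not part of the original article or LogRhythm.Tools.
# Assumptions: assets.txt lists one hostname per line ('#' lines are comments),
# and Get-LrLogSources objects expose the collecting host as $_.host.name.
Import-Module LogRhythm.Tools

# Normalise hostnames so 'SRV01.corp.example' and 'srv01' compare as equal
function Get-ShortHostName {
    param([string]$Name)
    return ($Name.Trim().Split('.')[0]).ToLowerInvariant()
}

# Hosts that the asset inventory says should be monitored
$assetHosts = Get-Content 'C:\folder\assets.txt' |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') } |
    ForEach-Object { Get-ShortHostName $_ } |
    Sort-Object -Unique

# Hosts that currently have at least one log source in LogRhythm
# (skip entries whose host is not populated, e.g. pending sources)
$monitoredHosts = Get-LrLogSources |
    Where-Object { $_.host -and $_.host.name } |
    ForEach-Object { Get-ShortHostName $_.host.name } |
    Sort-Object -Unique

# '<=' : in the asset list but no log source  -> needs onboarding
# '=>' : has a log source but not in the list -> stale inventory or unknown host
$diff = Compare-Object -ReferenceObject @($assetHosts) -DifferenceObject @($monitoredHosts)
$missing = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
$unknown = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)

"Assets with no log source ($($missing.Count)):"
$missing | ForEach-Object { "  $_" }
"Log source hosts not in the asset list ($($unknown.Count)):"
$unknown | ForEach-Object { "  $_" }

# Optionally publish the onboarding gaps as a LogRhythm list so they appear in
# dashboards and reports, using the same mechanism as use case 1
# (list name is a placeholder):
# Sync-LrListItems -name 'assets_missing_logsource' $missing
```

Run it on a schedule, and the second group of hosts is worth reviewing as well, since a log source with no matching asset record can indicate an inventory gap rather than a decommissioned system.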

This article contains some examples and basic usage for LogRhythm.Tools. Each example requires more scripting work to complete; however, LogRhythm.Tools will significantly shorten the development time by removing the need to interface directly with the LogRhythm API.

An integrated and automated security architecture is something all organizations should strive towards. LogRhythm.Tools is one tool to help you along this journey and is an open source project. Information on contributing can be found here.