This article will show you how to use the LogRhythm API. It is important to understand what the API can do and how you can use it. This will help you gain better value from your SIEM deployment.
To showcase use of the API, let’s walk through a use case by provisioning a user Identity within LogRhythm. This will allow you to tie logs that contain different logins to the same user. This is known as the TrueIdentity feature.
To achieve this, I will first show you how to connect to the LogRhythm API using Postman. We will then do some basic test requests. Finally, we will create a custom Python script which will write Identities via the LogRhythm API. Here is a little background information before we get started.
In computer programming, an application programming interface (API) is a defined method of communication between software components. It simplifies programming by abstracting the implementation and exposing only the actions the developer needs.
A SIEM API will allow you to administer a SIEM platform. This is powerful because it allows you to automate tasks with scripting. Some use cases for a SIEM API are:
Ultimately, the API can be your friend in automating tasks and therefore increasing the efficiency of your security operations.
Postman is a software testing tool for APIs which makes it easy to develop API-based integrations. In this article we will use Postman to test interactions with the LogRhythm API. We will also use Postman to generate code snippets which we will use in our custom script.
Download and install Postman here. After installing Postman for the first time, you will see a screen that looks like this:
We can test the LogRhythm API using Requests. Under Start Something New, select Create New > HTTP Request. Give it a name (for example “API Test”), then click Create Collection, call this “LogRhythm,” and click Save.
Lastly, click the gear icon in the top right of Postman and click Settings. Within the Settings dialog, turn SSL Certificate Verification to “OFF.”
Now that Postman is installed, we need to create an access token within LogRhythm. To do this, open the LogRhythm Client Console, navigate to the Deployment Manager > Third-Party Applications tab > Add a New Application.
Name it appropriately and click Apply. Next, click Generate Token. Note the token's expiry date, because once it expires your script will stop working!
Now we shall save this access token within Postman. This will authorize Postman to make API requests to LogRhythm.
In your Postman workspace, click on the Authorization tab and choose Bearer Token as the type. Paste your token into the token field:
Now we shall test if Postman can correctly connect to the LogRhythm API. In the Enter Request URL field, enter this string:
https://<IP of your Platform Manager>:8501/lr-admin-api/lists/
If this works, you will see a Status: 200 OK, along with a JSON output which contains details of the lists configured within LogRhythm.
Now we will use Postman to write a test identity to LogRhythm using the API.
Click the + icon toward the top of Postman to start a new tab. In the Method dropdown, select POST and in the URL field enter this:
https://<IP of your Platform Manager>:8501/lr-admin-api/identities/bulk/?entityID=1
Then click Body and select the Raw radio button. In the field below, paste this text and click Send:
{
    "friendlyName": "John Doe",
    "accounts": [
        {
            "nameFirst": "John",
            "nameLast": "Doe",
            "vendorUniqueKey": "jdoe@mail.com",
            "identifiers": [
                {
                    "identifierType": "Login",
                    "value": "jdoe"
                }
            ]
        }
    ]
}
If all goes well, you should see Status: 201 Created in the lower right, and the bottom pane will display an identityID value:
You can also verify that your test identity appears within the LogRhythm Web Console if you open Administration > TrueIdentity then filter for your new identity:
Now that we have a working Request, we can use Postman to generate our Python code.
In Postman, click the Code link on the far right-hand side of the screen and select Python Requests:
We can now use this as the starting point for creating a custom script which will interact with the LogRhythm API.
As an example, you could write a script to read a list of usernames from a text file and write them as identities using the following pseudocode:
    Open a text file of usernames
    For each username in the file:
        Format a JSON object as the payload (similar to the sample code)
        Use the sample code to post the request
A sample Python script which performs this task is available on GitHub here.
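The following is an added example script that implements the pseudocode above; it is not the GitHub sample and not Postman-generated code. It uses the standard library's urllib instead of the requests module Postman emits, keeps TLS certificate verification on (unlike the Postman test setting), and assumes a Platform Manager host name, the LR_PM_HOST, LR_API_TOKEN and LR_CA_BUNDLE environment variables, and an input file of "first,last,email,login" lines.

```python
import json
import os
import ssl
import sys
import urllib.request

# Assumed deployment values (not from the article): set them for your own Platform Manager.
PLATFORM_MANAGER = os.environ.get("LR_PM_HOST", "platform-manager.example.internal")
API_TOKEN = os.environ.get("LR_API_TOKEN", "")  # token from Third-Party Applications
CA_BUNDLE = os.environ.get("LR_CA_BUNDLE")      # PEM file with the PM's CA; None = system trust store
BULK_URL = f"https://{PLATFORM_MANAGER}:8501/lr-admin-api/identities/bulk/?entityID=1"

def build_identity_payload(first, last, email, login):
    """Build one identity in the same shape the article posts from Postman."""
    return {
        "friendlyName": f"{first} {last}",
        "accounts": [{
            "nameFirst": first,
            "nameLast": last,
            "vendorUniqueKey": email,
            "identifiers": [{"identifierType": "Login", "value": login}],
        }],
    }

def parse_user_line(line):
    """Parse 'first,last,email,login'; returns None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 4 or not all(fields):
        raise ValueError(f"malformed user line: {line!r}")
    return tuple(fields)

def post_identity(payload):
    """POST one identity over a verified TLS connection; returns the parsed response on 201."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)  # certificate verification stays on
    req = urllib.request.Request(
        BULK_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        if resp.status != 201:
            raise RuntimeError(f"unexpected status {resp.status}")
        return json.load(resp)  # the article notes this response carries the new identityID

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        for parsed in filter(None, map(parse_user_line, fh)):
            print(parsed[3], "->", post_identity(build_identity_payload(*parsed)))
```

Run it as python add_identities.py users.csv; a non-201 response or a malformed input line stops the run rather than silently skipping it.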
The LogRhythm API documentation is a resource which will help you to identify the available API functions and their requirements.
The API documentation is available here:
https://<IP of your Platform Manager>:8505/lr-admin-api/docs
Further documentation can be found on the LogRhythm Docs site.
Congratulations, you have now added an identity to LogRhythm SIEM using the API! There are many other use cases for the API. Try experimenting further to explore more automation possibilities within your environment.