Adding Items to a LogRhythm List via SmartResponse Plugins

SmartResponse™ Plugins allow LogRhythm alarm and AI Engine rules to launch nearly any scriptable action. The most widely-used SmartResponse Plugin is Add Item to List. This plugin makes additions to LogRhythm lists. For example, adding a benign IP or URL that triggered an alarm to a Whitelist so that false positives aren’t generated in the future. The default version of this plugin runs in PowerShell, but along with some performance issues, the script has a limited scope. For faster writes and additional functions, I am introducing a Python variant.

In addition to being faster than the default version, v2 adds three new actions. First, the Add Item to File action will allow alarms to write a metadata value directly to a text file. Unlike Lists in LogRhythm, this text file can be accessed by other programs. For example, this is useful when an administrator wants to track every user that logs into a particular system and keep that list of accounts indefinitely. With a few modifications, the action can also add a timestamp alongside each entry in the file.

The second action, Add Unique Items to File, will add an item to a file, but will only do so once for each item. This has come in handy while debugging AI Engine rules. For example, while creating a rule that uses regex to match suspicious values in a URL, unique URLs can be written to a text file to do further regex testing.

The last new addition is Add New Items to File. Unique values are also written to a text file, but in this case, each entry is dated. This is useful for tracking the first time that a value was seen. One use for this is helping to identify malicious domains. Most common domains are visited on a regular basis. On a large network and given enough time, there shouldn’t be too many URLs that haven’t be observed before. This rule then acts as a Discovery analytic. After a period of time, most legitimate domains should be in the list. New ones may be considered suspicious and further investigations can make this determination.

In all of these cases, the text files can be imported into LogRhythm as new Lists.

In my last post, I discussed configuring the Alarm and Response Manager on the Event Manager to work with Python and Wireshark. Because it doesn’t require Wireshark, the Add Item to List v2 Plugin is slightly simpler to implement.

Although not officially supported, this plugin is relatively easy to configure and use. This blog post will go through each process, step by step. The plugin can be downloaded here: Add Item to List v2 Plugin

Setting up the ARM to run Python scripts

1 Determine which LogRhythm appliance is hosting the Alarming and Response Manager service. From the LogRhythm Console Deployment Manager, the host will be listed under the “Event Manager” tab. To double check, it will be listed under “services.msc” on the machine.

event manager

2 Install Python 2.7 on the Event Manager.

3 On the Event Manager, hit the Windows key + Pause/Break. This will bring up the System Window. ‘Select Advanced System Settings’, and then ‘Environment Variables’.

SmartResponse plugin

SmartResponse plugin

4 In the Environment Variables window, scroll to ‘Path’ under the ‘System Variables’ subsection.

SmartResponse plugin

5 Click ‘Edit’ and append the string:

;C:\Python27\;C:\Python27\Scripts

— or the appropriate directory for the Python installation. Then close the window.

6 Open ‘services.msc’ and restart the ARM service. Python will now be ready to launch, and Python plugins that use the standard library can be used. This can be tested by opening a new PowerShell or Cmd prompt and entering ‘python’.

7 Optional: install PIP, a tool that will allow for one-line installation of non-standard Python libraries. Follow this guide to install PIP.

Importing a Plugin

1 From the LogRhythm Console, open Deployment Manager and then open the SmartResponse Plugin Manager via Tools -> Administration -> SmartResponse Plugin Manager

SmartResponse plugin

2 Select Actions -> Import

SmartResponse plugin

3 Navigate to the directory containing the SmartResponse Plugin, then select the file (of type AR Plugin File, .lpi) and click Open.

SmartResponse plugin

4 The SmartResponse Plugin should now be visible in the list of plugins in the SmartResponse Plugin Manager and the Actions tab for Alarms and AI Engine rules.

SmartResponse plugin

Configuring the SmartResponse Action

1 Find an alarm or AI Engine Rule that should trigger the Add Item to List action. For example, the AI Engine Rule ‘Network Anomaly: Internationalized Domain’ would be useful, because analysts can use a text list to determine which IDNs are observed, and then can conduct a quick analysis to determine which are acceptable to be whitelisted. Open the rule and go to the ‘Actions’ tab.

SmartResponse plugin

2 From the Actions tab, select the ‘Action’ dropdown at the top, and find the ‘Add Item to List – Python: Add New Items to File’ action and select it.

SmartResponse plugin

3 The Parameters section will then be populated. There are two values that need to be specified by the user:

  • File Name: This will be the path to the file where the items will be added. For example, ‘c:\tmp\idns.txt’. Remember that this will be in respect to the Event Manager, so network paths are also acceptable.
  • Item: This is the value that will be added to the file. Typically, the Type should be Alarm Field so that a dynamic metadata value can be used. For domain name, select Group at in the Value column.

SmartResponse plugin

4 If the action should not be automatic, use the ‘Approvals’ section to set the Person or Group that needs to authorize the action to run. The approval will need to be done through the Dashboard or Alarm Viewer. If using a new Rule, it’s recommended to require an approver so that the Action doesn’t fire too often or pull down very large amounts of data unintentionally. Leave this section blank to run the action automatically. SmartResponse plugin

5 When finished, hit ‘OK.’ The Plugin should now be working.

The LogRhythm Labs team will continue to release similar unofficial plugins as they are developed. We are also releasing revamped, official plugins, including plugins for integration with LogRhythm partner devices.

Again, the Retrieve NetMon PCAP SmartResponse Plugin can be downloaded here. The guide can be found here.