Using the Full Power of SmartResponse Automation

Security analyst using LogRhythm's SmartResponse automation

Mitigating identified threats is necessary to prevent any breach. Are you wondering how to respond to alerts provided by the LogRhythm NextGen SIEM Platform for identified threats?

Analysts can use SmartResponse™ automation to initiate preventive actions such as blocking, blacklisting, and isolating or use contextual actions such as get info or reputation to learn more about suspicious IPs, hashes, or devices.

Analysts can start up the LogRhythm SmartResponse automation plugin (SRP) in the Web Console two ways:

  • Manual: Run the imported SmartResponse on logs manually from Logs Pane in the Dashboard
  • Automatic: Execute the SmartResponse by tying with Alarm Cards

How to Initiate SmartResponse Automation

Here is a four-step framework to help you achieve the full power of initiating SmartResponse for security automation:

    1. Log Normalization: Ensure that your data processing includes parsing of metadata, classification of logs, normalization of timestamps, and correlation is working well in the SIEM. It will generate alarms that meet criteria of Events and Alarms.
    2. Alarm or Events Selection: SmartResponse is managed and processed through AI Engine and the platform manager, Alarming and Response Manager (ARM). AI Engine provides a more advanced form of generating events compared to Alarms. Be sure to check the complete guide of creating events via AI Engine from the Community page.
    3. Set the Alarm Rule: Use an Alarm Rule to define criteria to trigger alarms. You can access a list of predefined rules, which are continually updated by knowledge base updates. You can also create an alarm by following these steps: Go to LogRhythm Console -> Deployment Manager -> Alarms tab -> New Alarm to set a new alarm.

A) Filter Selection: Proceed further to set the criteria of alarm generation by following selection:

    • Primary Selection: This would specify alarm criteria to identify events from the log message to shoot alarms. You can select a field, mention a filter condition (direction) such as “filter in” or “filter out”, and modify the null condition field values. This step defines alarms and removes unwanted logs.
    • Include Filters: This step creates additional filters to consider for alarming. If “include filters” are mentioned, they would be considered as an “And’” condition to primary filters to get the alarms.
    • Exclude Filters: These are “ignore” value filters. Values mentioned in these filters generate the alarms on ignore condition.
    • Log Sources Filters: These filters allow you to condition log sources bases on their type, name, and timeframe.
    • Date and Time Filters: These filters let you pick the time frame of logs and initiate alarms on the logs with a specified time frame.

Here is an example:

Example criterion for alarm generation with LogRhythm
Figure 1: Example criterion for alarm generation

B) Connect the SRP: Import the .LPI file in Console using the SmartResponse plugin manager before setting the rule. You can download the SRP from our Community page. Proceed further in tying SmartResponse to the rule as follows:

    • SRP Actions Selection: The LPI that is imported has actions which are visible in the “set actions” dropdown. Select the action of the SmartResponse from the dropdown.
    • Parameters of SmartResponse: This section will take the values to fields expected in the action. For example, a configuration action would API URL as fields and the corresponding value could be a constant value or alarm field to be picked from logs.
    • Approval: You can choose frequency of approval and role which would approve them.
    • Run Actions: Select the sequence of running order of actions, such as:
      • Run at same time will ensure all the actions run simultaneously. Use this option when all the actions are independent of each other.
      • Run in order listed will ensure all the actions run consecutively. Use this option when actions may be dependent of each other. For example, in the case of configuration running for the first time.
    • Lastly, save the action located at the top of the action’s tabs.

Here is an example that creates a LogRhythm Case form a ServiceNow incident with alarm ID as case number and add tag “ServiceNow SRP.”

LogRhythm Case shows a ServiceNow incident with alarm ID as case number and includes the tag “ServiceNow SRP”
Figure 2: LogRhythm Case shows a ServiceNow incident with alarm ID as case number and includes the tag “ServiceNow SRP”

C) Miscellaneous settings: Use the following settings to generate more specific alarms:

    • Threshold: This setting lets you know after how many counts of events an alarm should be raised. For example, if a suspicious IP occurs five times, the alarm would be raised once.
    • Group by fields make up an event by grouping together logs with identical values in the selected fields.
    • Suppression: This setting lets you mute the alarms for an identified time period. It can be useful to enable suppression when appropriate to reduce alarm fatigue.

Always save and enable the rule and restart the ARM service to make the rule effective.

  1. Verification and Debugging of SmartResponse: Verify that the SmartResponse is automated in Alarm You may face some of the following errors:
    • Errors retaining to execution may be privilege issues. Set the PS execution policy as unsigned or RemoteSigned.
    • If SmartResponse is displaying an API error, there may be an issue with API being used internally for action. Check the respective API read, write, and execution permissions.
    • You can debug SmartResponse from ARM service logs.

Mitigate Threats with Security Automation

SmartResponse, part of RespondX, LogRhythm’s security orchestration, automation, and response (SOAR) solution, provides the power of effectively mitigating threats using automation. You can build your own SmartResponse using PowerShell or python and share in the Community. Do not forget to check out some of the latest SmartResponse updates in our community portal.