SmartResponse™ Automation Plugin Library

SmartResponse™ Automation Plugin Library

RespondX is LogRhythm’s security orchestration, automation, and response (SOAR) solution.

SmartResponse™ automation is a RespondX feature that automates tasks for streamlined efficiency across the security response workflow.

Automated response workflows help empower your SOC team to accomplish more and reduce the time it takes to protect against evolving security threats. Activate the full potential of your SOC by using SmartResponse™ automation for seamless execution of actions right at the source of your SIEM data and alarms, resulting in maximum productivity with minimum wasted effort or expense.

Tested & certified plugins

LogRhythm SmartResponse automation Plugins (SRPs) enable trusted workflows by packaging a collection of fully tested and certified prebuilt actions for third-party integrations. Look up integrations with your existing security solutions below:

Collaboration plugins

Plugin creates an incident in Demisto and populates it with Alarm data from LogRhythm.

Plugin creates a new Jira issue or updates an open issue with alarm details.

Plugin uses PagerDuty to create incidents, list on-call users, and run response plays on a specified incident.

Plugin sends push notifications with alarm details to applicable devices using Pushover.

Plugin creates and manages incidents in ServiceNow to execute queries, add comments or notes, and close incidents. Plugin also syncs cases across LogRhythm Case Management and ServiceNow.

Plugin sends alarm notifications with details to a Slack channel.

Plugin sends alarm notifications with details as SMS messages to applicable devices using Twilio.

Contextualization plugins

Plugin uses VirusTotal to scan domains, file hashes, IP addresses, and URLs for malicious content and generate reports.

Ixia Anue logo

Plugin uses Anue to forward a few hours of SPAN data containing all traffic to or from the host to a packet capture appliance.

Plugin launches a vulnerability scan against a specified host using BeyondTrust Retina Network Security Scanner.

Plugin scans a file, domain, IP, hash, or process using Cisco Advanced Malware Protection AMP and Threat Grid.

Plugin pulls domain name information and blocks a domain or URL using Cisco Umbrella DNS.

Cylance logo

Plugin pulls previous scan results and quarantines select files using Cylance.

Plugin pulls host information using Forescout CounterACT.

Plugin tests text strings for entropy. A high score is commonly used to help expose generated names and identify malware using Freq.py.

Plugin queries HaveIBeenPwned site to determine whether a given email address or user account name is associated with any breached websites.

Plugin launches a NeXpose vulnerability scan.

Plugin launches a Nmap open-source network scan or query.

Plugin pulls O365 email message text, attachment information, and hyperlink details.

SentinelOne Logo

Plugin initiates a scan, pulls host processes and application information, queries host status, hash reputation information, and blacklisting by hash using SentinelOne.

Plugin launches a Tenable.io vulnerability scan against a specified IP address or hostname, displays scan results, and allows searches for vulnerability CVEs in scan results.

Remediation plugins

Plugin uses VirusTotal to scan domains, file hashes, IP addresses, and URLs for malicious content and generate reports.

Plugin uses Meraki to block or unblock hosts, enable or disable switch ports, display host information, and set host policy

Plugin uses ClearPass to quarantine hosts by IP address, MAC address or an associated username.

Plugin queries any Windows system for all RDP sessions and terminates a specified user’s session.

Plugin detects, enables, unlocks, or forces a password reset for Active Directory (AD) user accounts, and displays user information.

Plugin disables, enables, displays info, and resets passwords for Azure AD accounts.

Carbon Black logo

Plugin executes CB Defense status queries, directory look-ups, file/directory deletions, memory dumps, file retrieval, process look-ups and process termination on target hosts.

Carbon Black logo

Plugin executes CB Response host isolation, process termination, list all processes on a remote host, dump memory of a remote host, delete file on a remote host, and download file from remote host.

Plugin adds hosts, IP addresses, or IP ranges to groups in Check Point R80.

Plugin adds target IP address to specified security group for Cisco ASA Firewall.

Plugin quarantines a host based on IP, MAC Address, or Session ID using Cisco ISE.

Plugin pulls account history, forces credential changes, enables or disables users, and raises or lowers account security privileges using CyberArk Response Manager.

Plugin disables a local Windows user on a remote machine.

Plugin captures a memory snapshot of target host and enables response actions using EnCase Endpoint Security.

Fortinet logo

Plugin uses FortiGate to view group information and add IP addresses or domains to a group.

Plugin adds a FQDN or client IP address to the Infoblox Response Policy Zone.

Plugin terminates Windows process.

Plugin adds URLs, files, or SHA-256 hashes to the application blacklist using Netskope and maintains a local copy in the LogRhythm List Manager.

Plugin allows users to leverage Okta’s authentication, authorization, and user management capabilities to disable users, reset user passwords, and perform group membership actions, among other functions.

Plugin adds an IP or Fully Qualified Domain Name (FQDN) to an address group on a Palo Alto Firewall.

Plugin executes routine Windows service management tasks.