
LogRhythm Rest

LAST UPDATED: DECEMBER 1, 2025

Overview

LogRhythm's SIEM Platform delivers security analytics, log management, and network and endpoint monitoring for detecting, responding to, and neutralizing threats. D3's integration with the latest LogRhythm REST API (version 7.8) provides alarm ingestion, alarm update, and administrative operations.

D3 SOAR provides REST-based commands that operate on LogRhythm Rest.

LogRhythm Rest is available for use in:

D3 SOAR: V14.0.582+

Category: SIEM XDR

Deployment Options: Option I, Option III

Connection

To connect to LogRhythm Rest from D3 SOAR, follow the steps in this section to collect the information listed below:

Parameter / Description / Example

Server URL: The server URL of the LogRhythm instance to connect to. Example: https://<Replace.Me>:8501

API Token: The API token used to authenticate the connection. Example: ********

Permission Requirements

All commands currently run under several LogRhythm administrative roles, including Global Administrator, Restricted Administrator, Global Analyst, and Restricted Analyst. LogRhythm's documentation, however, states that only the Global Administrator and Restricted Administrator roles provide the required permissions, with Restricted Administrator as the minimum. Prefer a Restricted Administrator profile scoped to only the entities D3 SOAR needs to act on over a Global Administrator profile.

For more information, see Generate LR API Token from LogRhythm's documentation.

Configuring LogRhythm Rest to Work with D3 SOAR

Creating a User Profile

  1. Log into the LogRhythm console as a Global Administrator.

  2. Navigate to Tools > Administration > User Profile Manager.

  3. Click +New, then Allow Access.

  4. Enter a name for the user profile, then select either Restricted Administrator or Global Administrator for the Security Role field.

    • The Restricted Administrator role also requires selecting the specific entities the profile may access from the Entities tab.

    • The Global Administrator grants access to all entities automatically.

  5. Navigate to the Management Permissions tab to assign the following permissions.

    • Entities > Display / Manage Entities > View

    • General Administration > Deployment Manager > View

    • General Administration > Manage TrueIdentity > Manage

For more information about user profiles, refer to Generate LR API Token.

Creating a Person

  1. Navigate to Deployment Manager > People, then right-click and select New.

  2. Fill in the required information for the new user and click OK to proceed.

  3. Right-click on the recently created user and select Create User Account.

  4. Assign a username for the user, then link the login to the user’s profile. Next, select the appropriate default entity and set a secure password. Click OK to complete the process.

Generating an API Token

  1. Navigate to Deployment Manager > Third Party Applications tab. In the grid area, right-click and choose New to open the 3rd-Party Application Properties dialog.

  2. Input the Application Name and Description. The application name must be unique. Click OK to save.

    Optionally, edit the Token Expiry in Days value.

  3. Confirm that the client ID and secret have been auto-generated by the system. Refresh the page if they are not present.

  4. Right-click on the new application and select Properties. Click Generate Token to open the Credentials dialog.

  5. Input the user name and password of the LogRhythm user account created in Creating a Person, then click OK to generate a token.

  6. Copy and store the token in a secure location, such as the password vault that the D3 SOAR connection can read from.

    The token will not be visible again after this stage. It carries the permissions of the user account it was generated for, so treat it as a secret. Also note the Token Expiry in Days value from step 2: the D3 SOAR connection stops working once the token expires, and a new token must be generated and entered into the connection.

Configuring D3 SOAR to Work with LogRhythm Rest

  1. Log in to D3 SOAR.

  2. Find the LogRhythm Rest integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type LogRhythm Rest in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to LogRhythm Rest.

    1. Connection Name: The desired name for the connection.

    2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.

    4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): The description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: The checkbox that enables the connection to be used when selected.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.


      1. Input the Server URL. The default value is https://<Replace.Me>:8501. Replace <Replace.Me> with the host name or IP address of the LogRhythm host that serves the REST API and keep the https scheme; the API token is sent with every request, so the connection must not be configured over plain HTTP.
      2. Input the API Token. Refer to Generating an API Token for instructions.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.

  4. Test the connection.

    1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

LogRhythm Rest includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the LogRhythm Rest API, refer to the links below:

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring LogRhythm Rest to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose the desired date and time format, then click on the Save button.

The selected time format will now be visible when configuring Date/Time command input parameters.

Create Case

Creates a new case.

READER NOTE

Entity ID is an optional parameter to run this command.

  • Run the List Entities command to obtain the Entity ID. Entity IDs can be found in the raw data at $.Results[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Case Name

Required

The name of the new case. The maximum length is 250 characters. Characters beyond this limit are truncated.

Test2

Priority

Optional

The priority for the new case. Valid options are:

  • Priority(High) - 1

  • Priority - 2

  • Priority - 3

  • Priority - 4

  • Priority(Low) - 5

By default, the value is set to Priority - 3.

Priority(High) - 1

Due Date

Optional

The date when the case is due.

03/06/2022 13:00

Summary

Optional

The summary note for the case. The maximum length is 10000 characters. Characters beyond this limit are truncated.

Investigated a potential system compromise. More details at http://example.com/.

Entity ID

Optional

The entity to assign to the case. The value accepts only integers. A value of 0 creates a case without an entity restriction. This parameter currently has no effect because of an open issue on the LogRhythm side; until LogRhythm resolves it, the case is assigned to the user's default entity regardless of the value supplied.

Entity ID can be obtained using the List Entities command.

*****

External ID

Optional

The externally assigned identifier for the case. The maximum length is 250 characters. The value cannot be assigned to multiple cases.

EXTERNAL-*****

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Case failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Create Case failed.

Status Code: 401.

Message: Unauthorized.

Fetch Event

Retrieves alarms from the LogRhythm platform based on the specified criteria. When the command is scheduled to gather events from a specified start time, set the Order By parameter to Date Inserted and the Direction parameter to Ascending to prevent the command from retrieving only the most recent alarms.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start of the time range (in UTC) from which to fetch alarms.

2021-01-05 00:00

Number of Event(s) Fetched

Optional

The maximum number of alarms to return. By default, the value is 20 when this parameter is not defined or set to a non-positive number. The maximum permissible value is 100.

2

Alarm Rule Name

Optional

Filters alarms by alarm rule name.

AIE: Test Rule - Calc.exe

Entity Name

Optional

Filters alarms by entity name.

Entity name 01

Alarm Status

Optional

Filters alarms by status. Valid options are:

  • None

  • New

  • Opened

  • Working

  • Escalated

  • Closed

  • Closed False Alarm

  • Closed Resolved

  • Closed Unresolved

  • Closed Reported

  • Closed Monitor

Opened

Order By

Optional

The field used to sort retrieved alarms. Valid options are:

  • Date Inserted

  • Alarm Rule Name

  • Alarm Status

  • Entity Name

When scheduling a job, set to Date Inserted to ensure each schedule retrieves new alarms.

By default, the value is Date Inserted.

Date Inserted

Direction

Optional

Sorts the results in ascending or descending order.

When scheduling a job, set to Ascending to ensure each schedule retrieves new alarms.

By default, the value is Descending.

Descending

Including Events

Optional

Indicates whether to include alarm-related events in the response. When set to True, alarm-related events are included in the response.

By default, the value is set to False.

False

Including DrillDown

Optional

Indicates whether to include alarm Drill-Down logs in the response. When set to True, alarm Drill-Down logs are included.

By default, the value is set to False.

False

Output

To view the sample output data for all commands, refer to this article.

Fetch Event Field Mapping

See Field Mappings

The LogRhythm Rest system integration includes pre-configured field mappings for the default event source.

The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data. 

The Main Event JSON Path can be viewed by clicking on the Edit Event Source button.

  • Main Event JSON Path: $.alarmsSearchDetails
    The alarmsSearchDetails array contains the event objects. Within each event object, the key alarmId denotes the Unique Event Key field. As such, the full JSONPath expression to extract the Unique Event Key is $.alarmsSearchDetails[*].alarmId.

The pre-configured field mappings are detailed below:

Field Name: Source Field

Unique Event Key: .alarmId

Event Type: .alarmRuleName

Start Time: .dateInserted

Status: .alarmStatus

READER NOTE

The Unique Event Key field mapping is used to prevent duplicate event ingestions. D3 SOAR will check if the value of a selected JSON path matches any Unique Event Key of previously ingested events. If a match is found, the event will be dismissed. If no match is found, an event will be created. However, if no Unique Event Key is mapped, then the hash value from the event pending ingestion will be used to check for any matches with existing events. If no match is found, the event will be created.

Unlike most other D3 SOAR integrations, the LogRhythm Rest integration's Fetch Event command is intended to ingest the same alarm again each time it is updated (for example, when its alarmStatus changes). That only works when no Unique Event Key is mapped in the Default Event Source: with Unique Event Key mapped to .alarmId as shown above, every later update of an already-ingested alarm is dismissed because its alarmId matches, whereas the hash-based check ingests it because the updated object hashes differently. Open the Edit Event Source dialog and check whether Unique Event Key is mapped before relying on either behavior.
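
The following is an added example, written for this page and not part of D3 SOAR or LogRhythm, that walks through a scheduled Fetch Event poll and the duplicate check described above over constructed alarm responses. The caps and defaults for Number of Event(s) Fetched, the Order By options, the Main Event JSON Path and the field mapping are taken from this page; the query parameter key names in build_fetch_params and the sample alarms are assumptions made for the example.

```python
"""Added example (not D3 SOAR or LogRhythm code): a scheduled Fetch Event poll
and D3 SOAR's Unique Event Key / hash duplicate check over constructed data."""
import hashlib
import json
from typing import Dict, List, Optional

DEFAULT_FETCH = 20   # Number of Event(s) Fetched when unset or non-positive
MAX_FETCH = 100      # cap stated for Number of Event(s) Fetched

# Order By options from the page, mapped to the alarm object keys they sort on.
ORDER_BY_FIELDS = {
    "Date Inserted": "dateInserted",
    "Alarm Rule Name": "alarmRuleName",
    "Alarm Status": "alarmStatus",
    "Entity Name": "entityName",
}

# Default Event Source mapping, relative to $.alarmsSearchDetails[*].
FIELD_MAPPING = {
    "Unique Event Key": "alarmId",
    "Event Type": "alarmRuleName",
    "Start Time": "dateInserted",
    "Status": "alarmStatus",
}


def build_fetch_params(start_time: str, count: Optional[int] = None,
                       order_by: str = "Date Inserted", direction: str = "Ascending",
                       alarm_rule_name: Optional[str] = None,
                       entity_name: Optional[str] = None,
                       alarm_status: Optional[str] = None) -> Dict[str, object]:
    """Normalise the Fetch Event inputs into one query dict. The key names
    (dateInserted, orderBy, dir, count) are assumed; defaults/caps are the page's."""
    if count is None or count <= 0:
        count = DEFAULT_FETCH
    count = min(count, MAX_FETCH)
    if order_by not in ORDER_BY_FIELDS:
        raise ValueError("unsupported Order By: %r" % order_by)
    if direction not in ("Ascending", "Descending"):
        raise ValueError("unsupported Direction: %r" % direction)
    params: Dict[str, object] = {"dateInserted": start_time,  # Start Time, UTC
                                 "orderBy": ORDER_BY_FIELDS[order_by],
                                 "dir": direction.lower(), "count": count}
    for key, value in (("alarmRuleName", alarm_rule_name),
                       ("entityName", entity_name), ("alarmStatus", alarm_status)):
        if value:
            params[key] = value
    return params


def next_start_time(response: Dict[str, object], params: Dict[str, object]) -> Optional[str]:
    """Cursor for the next scheduled run: the newest dateInserted on this page.
    Only valid when sorted by Date Inserted ascending; any other ordering makes a
    capped page skip alarms, which is the trap the page warns about."""
    if params.get("orderBy") != "dateInserted" or params.get("dir") != "ascending":
        return None
    return max((a["dateInserted"] for a in response.get("alarmsSearchDetails", [])),
               default=None)


class EventStore:
    """Models D3 SOAR's duplicate check: by Unique Event Key when one is mapped,
    otherwise by a hash of the whole alarm object."""

    def __init__(self, use_unique_key: bool = True) -> None:
        self.use_unique_key = use_unique_key
        self._seen = set()
        self.events: List[Dict[str, object]] = []

    def ingest(self, response: Dict[str, object]) -> List[Dict[str, object]]:
        created = []
        for alarm in response.get("alarmsSearchDetails", []):
            fields = {name: alarm.get(src) for name, src in FIELD_MAPPING.items()}
            if self.use_unique_key:
                marker = ("key", str(fields["Unique Event Key"]))
            else:
                digest = hashlib.sha256(json.dumps(alarm, sort_keys=True).encode()).hexdigest()
                marker = ("hash", digest)
            if marker in self._seen:
                continue          # dismissed as a duplicate
            self._seen.add(marker)
            self.events.append(fields)
            created.append(fields)
        return created


# Constructed responses in the $.alarmsSearchDetails shape; the second poll
# repeats alarm 101 with an updated status.
RULE, ENTITY = "AIE: Test Rule - Calc.exe", "Entity name 01"
POLL_1 = {"alarmsCount": 2, "alarmsSearchDetails": [
    {"alarmId": 101, "alarmRuleName": RULE, "alarmStatus": "New", "entityName": ENTITY,
     "dateInserted": "2021-01-05T00:01:00Z"},
    {"alarmId": 102, "alarmRuleName": RULE, "alarmStatus": "New", "entityName": ENTITY,
     "dateInserted": "2021-01-05T00:02:00Z"}]}
POLL_2 = {"alarmsCount": 2, "alarmsSearchDetails": [
    {"alarmId": 101, "alarmRuleName": RULE, "alarmStatus": "Opened", "entityName": ENTITY,
     "dateInserted": "2021-01-05T00:01:00Z"},
    {"alarmId": 103, "alarmRuleName": RULE, "alarmStatus": "New", "entityName": ENTITY,
     "dateInserted": "2021-01-05T00:03:00Z"}]}


def simulate(use_unique_key: bool) -> List[int]:
    """Ingest both polls; return how many events each poll created."""
    store = EventStore(use_unique_key)
    return [len(store.ingest(POLL_1)), len(store.ingest(POLL_2))]


if __name__ == "__main__":
    params = build_fetch_params("2021-01-05 00:00", count=500)
    print(params, "-> next Start Time:", next_start_time(POLL_1, params))
    print("Unique Event Key mapped:", simulate(True))   # [2, 1]: update of 101 dismissed
    print("hash-based check:", simulate(False))         # [2, 2]: update of 101 ingested
```

Running the module shows the two behaviors side by side: with the key mapped, the status change on alarm 101 never reaches D3 SOAR; with the hash check, it does, which is the re-ingestion the integration is designed for. The next_start_time cursor deliberately returns None unless the page was sorted by Date Inserted ascending, so a schedule misconfigured with Descending cannot silently advance past unfetched alarms.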

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Number of Event(s) Fetched) is invalid.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: The value for parameter (Number of Event(s) Fetched) is invalid.

Get Alarm Details

Returns detailed information on specified alarms.

READER NOTE

Alarm IDs is an optional parameter to run this command.

  • Run the Fetch Event command to obtain the Alarm IDs. Alarm IDs can be found in the raw data at $.alarmsSearchDetails[*].alarmId.

Input

Input Parameter

Required/Optional

Description

Example

Alarm IDs

Optional

Filters alarms by alarm IDs. Alarm IDs can be obtained using the Fetch Event command.

When this parameter has a value, all other parameters are ignored.

JSON
[*****, *****]

Start Time

Optional

Filters alarms by the start time of the selected time range (in UTC).

2021-01-05 03:47:49

Limit

Optional

The maximum number of alarms with details to return. The maximum permissible value is 1000.

2

Alarm Rule Name

Optional

Filters alarms by full alarm rule names.

AIE: Test Rule - Calc.exe

Entity Name

Optional

Filters alarms by full entity names.

Entity name 01

Alarm Status

Optional

Filters alarms by alarm statuses. Valid options are:

  • None

  • New

  • Opened

  • Working

  • Escalated

  • Closed

  • Closed False Alarm

  • Closed Resolved

  • Closed Unresolved

  • Closed Reported

  • Closed Monitor

By default, the value is set to None.

Opened

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alarm Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Alarm Details failed.

Status Code: 401.

Message: Unauthorized.

Get Alarm Drill Down

Returns drill-down logs per rule block for a specified alarm ID associated with an AIE alarm.

READER NOTE

Alarm IDs is a required parameter to run this command.

  • Run the Fetch Event command to obtain the Alarm IDs. Alarm IDs can be found in the raw data at $.alarmsSearchDetails[*].alarmId.

Input

Input Parameter

Required/Optional

Description

Example

Alarm IDs

Required

Filters the returned records by alarm IDs. Alarm IDs can be obtained using the Fetch Event command.

JSON
[*****,*****]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alarm Drill Down failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Alarm Drill Down failed.

Status Code: 401.

Message: Unauthorized.

Get Alarm Events

Returns all events associated with the given alarm IDs.

READER NOTE

Alarm IDs is a required parameter to run this command.

  • Run the Fetch Event command to obtain the Alarm IDs. Alarm IDs can be found in the raw data at $.alarmsSearchDetails[*].alarmId.

Input

Input Parameter

Required/Optional

Description

Example

Alarm IDs

Required

The IDs of the alarms to retrieve events. Alarm IDs can be obtained using the Fetch Event command.

JSON
[*****]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alarm Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Alarm does not exist for the supplied AlarmId.

Error Sample Data

Get Alarm Events failed.

Status Code: 404.

Message: Alarm does not exist for the supplied AlarmId.

Get Search Result

Returns indexed results from the web indexer based on the provided Task ID.

READER NOTE

Task ID is a required parameter to run this command.

  • Run the Initiate Search command to obtain the Task ID. Task IDs can be found in the raw data at $.TaskId.

Input

Input Parameter

Required/Optional

Description

Example

Task ID

Required

The ID of the search task used to retrieve results. Task ID can be obtained using the Initiate Search command.

a1f1*****c68d

Limit

Optional

The maximum number of records to return. The total number of available records depends on the Max Results parameter defined in the Initiate Search command.

If this parameter is not defined or set to a non-positive number, the default value of 10000 will be used. The maximum permissible value is 10000.

10

Offset

Optional

The number of records to skip.

By default, the value is 0. The maximum permissible value is 10000.

1

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Search Result failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Search Result failed.

Status Code: 401.

Message: Unauthorized.

Initiate Search

Initiates a search and returns the Task ID and Task Status. Users can then run the Get Search Result command to retrieve the search results. The results are sorted by inserted time in descending order.

READER NOTE

Log Source IDs is an optional parameter to run this command.

  • Run the List Log Sources command to obtain the Log Source IDs. Log Source IDs can be found in the raw data at $[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The start of the time range for the search. By default, the value is 30 days before End Time.

2023-11-03T21:16:00Z

End Time

Optional

The end of the time range for the search. By default, the value is the current time.

2023-11-03T21:20:00Z

Max Results

Optional

The maximum number of records to return within a search task. This parameter affects the total number of results returned when using the Get Search Result command. The maximum permissible value is 10000. By default, the value is set to 100.

10

Log Source IDs

Optional

Search results by log source IDs. Log Source IDs can be obtained using the List Log Sources command. By default, all log sources are searched.

JSON
[*****]

Search Event

Optional

Indicates whether to search events. Set to True to search events. Set to False to search logs. By default, the value is set to True.

True

Filter Items

Optional

The JSON array of filter conditions applied to the search task. Refer to Initiate Search for more information.

JSON
[
  {
    "filterItemType": 0,
    "fieldOperator": 0,
    "filterMode": 1,
    "filterType": 0,
    "values": [
      {
        "filterType": 43,
        "valueType": 4,
        "value": {
          "value": "{userName}",
          "matchType": 0
        }
      }
    ]
  }
]
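
The following is an added example, written for this page and not part of D3 SOAR or LogRhythm, that drives the Initiate Search and Get Search Result exchange end to end against a constructed stand-in for the LogRhythm search endpoints. The Filter Items shape and the defaults and caps for Max Results, Limit and Offset are taken from this page; the request key names, the TaskStatus strings, the result envelope and the sample records are assumptions made for the example.

```python
"""Added example (not D3 SOAR or LogRhythm code): Initiate Search, poll the task,
then page Get Search Result with Limit/Offset inside the page's caps."""
import uuid
from typing import Dict, List, Optional

DEFAULT_MAX_RESULTS = 100   # Max Results default (Initiate Search)
DEFAULT_LIMIT = 10000       # Limit default (Get Search Result)
CAP = 10000                 # cap for Max Results, Limit and Offset


def user_filter_item(user_name: str) -> dict:
    """The page's Filter Items example with {userName} filled in. The numeric
    codes are copied from the page as-is, not interpreted here."""
    return {"filterItemType": 0, "fieldOperator": 0, "filterMode": 1, "filterType": 0,
            "values": [{"filterType": 43, "valueType": 4,
                        "value": {"value": user_name, "matchType": 0}}]}


def build_search_task(max_results: Optional[int] = None, log_source_ids=None,
                      search_event: bool = True, filter_items=None) -> dict:
    """Normalise the Initiate Search inputs; the key names are assumed."""
    if max_results is None or max_results <= 0:
        max_results = DEFAULT_MAX_RESULTS
    return {"maxResults": min(max_results, CAP),
            "logSourceIds": list(log_source_ids or []),   # empty: all log sources
            "searchEvent": bool(search_event),           # False: search logs instead
            "filterItems": list(filter_items or [])}


class FakeSearchApi:
    """Constructed server side. initiate() returns TaskId/TaskStatus; results are
    readable only once the task has been polled `ready_after` times, mimicking an
    indexer that is still searching. Status strings are assumed."""

    def __init__(self, records: List[dict], ready_after: int = 2) -> None:
        self._records, self._ready_after = records, ready_after
        self._tasks: Dict[str, dict] = {}

    def initiate(self, body: dict) -> dict:
        task_id = uuid.uuid4().hex
        # The only filter honoured here is the user name from the page's filter item.
        wanted = {v["value"]["value"] for fi in body["filterItems"] for v in fi["values"]}
        hits = [r for r in self._records if not wanted or r["user"] in wanted]
        self._tasks[task_id] = {"polls": 0, "items": hits[: body["maxResults"]]}
        return {"TaskId": task_id, "TaskStatus": "Searching"}

    def get_results(self, task_id: str, limit: int, offset: int) -> dict:
        task = self._tasks[task_id]   # an unknown id is an error on the real API
        task["polls"] += 1
        if task["polls"] < self._ready_after:
            return {"TaskStatus": "Searching", "Items": []}
        return {"TaskStatus": "Completed", "Items": task["items"][offset: offset + limit]}


def run_search(api: FakeSearchApi, body: dict, limit: Optional[int] = None,
               max_polls: int = 10) -> List[dict]:
    """Client side: initiate, poll until the task completes, then page with
    Limit/Offset until a short page or the Offset cap. Bounded polling avoids
    hanging a playbook on a task that never completes."""
    limit = DEFAULT_LIMIT if limit is None or limit <= 0 else min(limit, CAP)
    task_id = api.initiate(body)["TaskId"]
    for _ in range(max_polls):
        page = api.get_results(task_id, limit, 0)
        if page["TaskStatus"] == "Completed":
            break
    else:
        raise TimeoutError("search task %s did not complete" % task_id)
    items = list(page["Items"])
    offset = limit
    while len(page["Items"]) == limit and offset <= CAP:
        page = api.get_results(task_id, limit, offset)
        items.extend(page["Items"])
        offset += limit
    return items


# Constructed records: ids 0-24 belong to alice, 25-29 to bob.
RECORDS = [{"id": i, "user": "alice" if i < 25 else "bob", "msg": "logon"} for i in range(30)]


def demo(max_results: int, limit: int) -> List[int]:
    """Search alice's records with the given Max Results and page size."""
    api = FakeSearchApi(RECORDS)
    body = build_search_task(max_results=max_results,
                             filter_items=[user_filter_item("alice")])
    return [r["id"] for r in run_search(api, body, limit=limit)]


if __name__ == "__main__":
    print(demo(17, 5))   # ids 0-16: Max Results caps the task at 17, fetched in pages of 5
```

The point to take from the run is that Max Results is fixed when the task is initiated: Get Search Result can page through at most that many records no matter how Limit and Offset are chosen, so a playbook that needs more than the default 100 must raise Max Results up front rather than keep paging.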

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Initiate Search failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Initiate Search failed.

Status Code: 401.

Message: Unauthorized.

List Cases

Returns a filtered list of cases.

READER NOTE

Owner Numbers and Collaborator Number are optional parameters to run this command.

  • Run the List Case Users command with the User Type set to Owner to obtain the Owner Numbers. Owner Numbers can be found in the raw data at $.Results[*].number.

  • Run the List Case Users command with the User Type set to Collaborator to obtain the Collaborator Number. Collaborator Numbers can be found in the raw data at $.Results[*].number.

Input

Input Parameter

Required/Optional

Description

Example

Case Number Or Name

Optional

Filters results by case numbers or names that contain the provided value.

test2

Created After

Optional

Filters results by creation times that occur after the specified time (in UTC).

01/06/2022 01:00

Created Before

Optional

Filters results by creation times that occur before the specified time (in UTC).

03/06/2022 13:00

Updated After

Optional

Filters results by updated times that occur after the specified time (in UTC).

03/06/2022 13:00

Updated Before

Optional

Filters results by updated times that occur before the specified time (in UTC).

03/06/2022 13:00

Due Before

Optional

Filters results by due times that occur before the specified time (in UTC).

03/06/2022 13:00

Priorities

Optional

Filters results by priority numbers. The available values, from highest to lowest priority, are:

  • 1

  • 2

  • 3

  • 4

  • 5

JSON
[1,2,3]

Status Numbers

Optional

Filters results by status numbers. The available values are:

  • 1 (Created)

  • 2 (Completed)

  • 3 (Incident)

  • 4 (Mitigated)

  • 5 (Resolved)

JSON
[2, 4]

Owner Numbers

Optional

Filters results by owner numbers. Owner Numbers can be obtained using the List Case Users command with the User Type set to Owner.

JSON
[-100, -101]

Collaborator Number

Optional

Filters results by a collaborator number. Collaborator Number can be obtained using the List Case Users command with the User Type set to Collaborator.

-100

Tag Numbers

Optional

Filters results by tag numbers.

JSON
[1, 2]

Evidence Types

Optional

Filters results by evidence types. The available values are:

  • "alarm"

  • "userEvents"

  • "log"

  • "note"

  • "file"

JSON
["note", "file"]

Reference ID

Optional

Filters results by a reference identifier. Use this parameter to return only cases that include evidence associated with the provided identifier, such as an alarm ID.

541

Count

Optional

The maximum number of results to return. By default, the value is 25. The maximum permissible value is 10000.

30

Offset

Optional

The number of results to skip. The maximum permissible value is 10000.

0

Order By

Optional

The field used to sort the returned results. Valid options are:

  • Date Created

  • Date Closed

  • Date Updated

  • Name

  • Case Number

  • Priority

  • Due Date

  • Age

  • Status Number

By default, the value is set to Date Created.

Date Created

Direction

Optional

Sorts the results in ascending or descending order. By default, the value is set to Descending.

Ascending

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Cases failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

List Cases failed.

Status Code: 401.

Message: Unauthorized.

List Case Users

Returns a list of users who are case owners, collaborators, or users configured in the system.

Input

Input Parameter

Required/Optional

Description

Example

Name

Optional

Filters results by partial or full user names.

thm a

User Type

Optional

The type of users to return.

  • Owner returns users designated as case owners.

  • People returns all individuals configured in the system.

  • Collaborator returns active individuals and notification groups configured for collaboration.

By default, the value is set to People.

Owner

Count

Optional

The maximum number of results to return.

By default, the value is 25. The maximum permissible value is 10000.

4

Offset

Optional

The number of records to skip.

The maximum permissible value is 10000.

0

Direction

Optional

Sorts the results in ascending or descending order. The sort field is user number.

By default, the value is set to Descending.

Ascending

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Case Users failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

List Case Users failed.

Status Code: 401.

Message: Unauthorized.

List Entities

Returns all entities that match the specified criteria.

Input

Input Parameter

Required/Optional

Description

Example

Entity Name

Optional

Filters results by partial or full entity names.

AI

Limit

Optional

The maximum number of entities to return.

If this parameter is not defined or set to a non-positive number, the default value of 20 will be used. The maximum permissible value is 1000.

10

Offset

Optional

The number of items to skip.

If this parameter is not defined or set to a non-positive number, the default value of 0 will be used.

1

Order By

Optional

The field used to sort retrieved records. Valid options are:

  • ID

  • Name

By default, the value is set to ID.

ID

Direction

Optional

Sorts the results in ascending or descending order.

By default, the value is set to Ascending.

Ascending

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Entities failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Limit) is invalid.

Error Sample Data

List Entities failed.

Status Code: 400.

Message: The value for parameter (Limit) is invalid.

List Log Sources

Returns a summary of all accepted log sources.

Input

Input Parameter

Required/Optional

Description

Example

Source Name

Optional

Filters records by log source names. The value must be a prefix (e.g., AI) or the full source name (e.g., AI Engine).

AI

Status

Optional

Filters records by log source status. Valid options are:

  • All

  • Active

  • Retired

By default, the value is set to All.

All

Description

Optional

Filters records by description text. The value must be a prefix (e.g., CS) or the full description text (e.g., CS Falcon).

description

Limit

Optional

The maximum number of records to return.

If this parameter is not defined or set to a non-positive number, the default value of 20 will be used. The maximum permissible value is 1000.

10

Offset

Optional

The number of items to skip.

If this parameter is not defined or set to a non-positive number, the default value of 0 will be used.

1

Order By

Optional

The field used to sort retrieved records. Valid options are:

  • ID

  • Name

By default, the value is set to ID.

ID

Direction

Optional

Sorts the results in ascending or descending order.

By default, the value is set to Ascending.

Ascending

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Log Sources failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Limit) is invalid.

Error Sample Data

List Log Sources failed.

Status Code: 400.

Message: The value for parameter (Limit) is invalid.

List Users

Returns all users that match the specified criteria.

Input

Input Parameter

Required/Optional

Description

Example

User Name

Optional

Filters results by partial or full user names.

AI

User IDs

Optional

Filters results by user IDs.

[ 1, 3, 5 ]

Has User Account

Optional

Filters results by account status.

Set to True to return both users who have an account and users who do not have an account.

True

User Status

Optional

Filters results by user status. Valid options are:

  • Active

  • Retired

By default, all users are returned regardless of their status.

Active

Limit

Optional

The maximum number of users to return.

If this parameter is not defined or set to a non-positive number, the default value of 100 will be used. The maximum permissible value is 1000.

10

Offset

Optional

The number of items to skip.

If this parameter is not defined or set to a non-positive number, the default value of 0 will be used. The maximum permissible value is 1000.

1

Order By

Optional

The field used to sort retrieved records. Valid options are:

  • ID

  • First Name

  • Last Name

  • Login Name

By default, the value is set to ID.

ID

Direction

Optional

Sorts the results in ascending or descending order.

By default, the value is set to Ascending.

Ascending
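The Limit and Offset rules are the same for List Entities, List Log Sources and List Users: a missing or non-positive Limit falls back to the command default, Limit has a hard maximum (1000), and a missing or non-positive Offset becomes 0. The following Python helper is an added example, not D3 SOAR or LogRhythm code. It applies those rules client-side, so a playbook never sends a Limit that triggers the 400 "The value for parameter (Limit) is invalid" error shown in the error samples, and walks pages until a short page comes back. The fetch callable and the in-memory record set are constructed stand-ins for the real list endpoints.

```python
"""Client-side paging for the LogRhythm list commands (added example).

The defaulting rules follow the page: missing or non-positive Limit -> the
command default, Limit capped at the command maximum, missing or non-positive
Offset -> 0. `fetch(limit, offset)` stands in for whatever performs the real
request; the fake backend below is constructed for the example.
"""
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Fetch = Callable[[int, int], List[Dict]]  # (limit, offset) -> records


def normalize_paging(limit: Optional[int], offset: Optional[int],
                     default_limit: int, max_limit: int) -> Tuple[int, int]:
    """Apply the documented defaults; clamp an oversized Limit instead of
    letting the server reject it with a 400."""
    if limit is None or limit <= 0:
        limit = default_limit
    limit = min(limit, max_limit)
    if offset is None or offset <= 0:
        offset = 0
    return limit, offset


def iter_all(fetch: Fetch, *, default_limit: int, max_limit: int,
             limit: Optional[int] = None, offset: Optional[int] = None,
             max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every record, requesting page after page until a short page
    arrives. `max_pages` guards against a backend that ignores Offset, which
    would otherwise loop forever."""
    page_size, pos = normalize_paging(limit, offset, default_limit, max_limit)
    for _ in range(max_pages):
        page = fetch(page_size, pos)
        yield from page
        if len(page) < page_size:
            return
        pos += page_size
    raise RuntimeError("page limit reached; backend may be ignoring Offset")


def make_fake_backend(records: List[Dict]) -> Fetch:
    """Constructed stand-in for a list endpoint: plain slicing over a list."""
    def fetch(limit: int, offset: int) -> List[Dict]:
        return records[offset:offset + limit]
    return fetch


def count_all_users(total: int) -> int:
    """Walk a constructed List Users backend with the page's List Users
    defaults (Limit default 100, maximum 1000) and Limit left unset (0)."""
    records = [{"id": i, "loginName": f"user{i}"} for i in range(1, total + 1)]
    backend = make_fake_backend(records)
    return sum(1 for _ in iter_all(backend, default_limit=100, max_limit=1000, limit=0))
```

One caveat from the table above: List Users also caps Offset at 1000, so a full walk cannot reach past the first 1000 + Limit users; narrow the result set with the User Name, User IDs or User Status filters rather than paging deeper.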

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Users failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

List Users failed.

Status Code: 401.

Message: Unauthorized.

Update Alarms

Updates the status and risk-based priority score for the specified alarms.

READER NOTE

Alarm IDs is a required parameter to run this command.

  • Run the Fetch Event command to obtain the Alarm IDs. Alarm IDs can be found in the raw data at $.alarmsSearchDetails[*].alarmId.

Input

Input Parameter

Required/Optional

Description

Example

Alarm IDs

Required

The IDs of the alarms to update. Alarm IDs can be obtained using the Fetch Event command.

JSON
[*****]

Alarm Status

Optional

The updated status for the alarms. Valid options are:

  • None

  • New

  • Opened

  • Working

  • Escalated

  • Closed

  • Closed False Alarm

  • Closed Resolved

  • Closed Unresolved

  • Closed Reported

  • Closed Monitor

By default, the value is set to None.

Opened

Risk-Based Priority Score

Required

The updated risk-based priority score for the alarms. The value must be between 1 and 100.

60

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Alarms failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Alarm does not exist for the supplied AlarmId.

Error Sample Data

Update Alarms failed.

Status Code: 404.

Message: Alarm does not exist for the supplied AlarmId.
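The outcome states described under Error Handling (Successful, Partially Successful, Failed) only make sense if each alarm in Alarm IDs is updated independently and its own result is kept. The Python block below is an added example, not D3 SOAR or LogRhythm code. It enforces the input rules from the table above (Alarm IDs required, Alarm Status one of the listed values, Risk-Based Priority Score between 1 and 100), updates the alarms one by one, and classifies the run, treating a 404 "Alarm does not exist for the supplied AlarmId" as a per-alarm failure but a 401 as a connection problem that stops the batch. The request shape (PATCH to /lr-alarm-api/alarms/{id} with alarmStatus and rBP) is an assumption taken from LogRhythm's public Alarm API, not something this page states, and fake_transport is a constructed stand-in.

```python
"""Batch alarm update with per-alarm outcome tracking (added example).

Input rules follow the Update Alarms table on the page. The endpoint path and
JSON field names are assumptions based on LogRhythm's public Alarm API; the
transport is injected so the logic runs offline against fake_transport.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ALARM_STATUSES = (
    "None", "New", "Opened", "Working", "Escalated", "Closed",
    "Closed False Alarm", "Closed Resolved", "Closed Unresolved",
    "Closed Reported", "Closed Monitor",
)

# transport(method, path, json_body) -> (http_status, message)
Transport = Callable[[str, str, Dict], Tuple[int, str]]


@dataclass
class AlarmResult:
    alarm_id: int
    status_code: int
    message: str

    @property
    def ok(self) -> bool:
        return 200 <= self.status_code < 300


def build_body(status: str, rbp: int) -> Dict:
    """Validate the D3 inputs once and build the body sent for every alarm."""
    if status not in ALARM_STATUSES:
        raise ValueError(f"invalid Alarm Status: {status!r}")
    if not isinstance(rbp, int) or not 1 <= rbp <= 100:
        raise ValueError("Risk-Based Priority Score must be an integer from 1 to 100")
    body = {"rBP": rbp}  # assumed field name
    if status != "None":  # "None" (the default) leaves the current status untouched
        body["alarmStatus"] = status  # assumed field name
    return body


def update_alarms(alarm_ids: List[int], status: str, rbp: int,
                  send: Transport) -> Tuple[str, List[AlarmResult]]:
    """Update each alarm independently so one unknown ID does not block the rest.

    A 401 aborts the loop: it is a permission/connection problem that will
    repeat for every alarm, and continuing only generates audit noise.
    """
    if not alarm_ids:
        raise ValueError("Alarm IDs is required")
    body = build_body(status, rbp)
    results: List[AlarmResult] = []
    for alarm_id in alarm_ids:
        code, msg = send("PATCH", f"/lr-alarm-api/alarms/{alarm_id}", body)  # assumed path
        results.append(AlarmResult(alarm_id, code, msg))
        if code == 401:
            break
    succeeded = sum(1 for r in results if r.ok)
    if succeeded == len(alarm_ids):
        state = "Successful"
    elif succeeded == 0:
        state = "Failed"
    else:
        state = "Partially Successful"
    return state, results


def fake_transport(existing: Dict[int, Dict], authorized: bool = True) -> Transport:
    """Constructed stand-in for the Alarm API: applies the body to alarms in
    `existing`, answers 404 with the documented message for unknown IDs."""
    def send(method: str, path: str, body: Dict) -> Tuple[int, str]:
        if not authorized:
            return 401, "Unauthorized"
        alarm_id = int(path.rsplit("/", 1)[1])
        if alarm_id not in existing:
            return 404, "Alarm does not exist for the supplied AlarmId"
        existing[alarm_id].update(body)
        return 200, "OK"
    return send
```

Keeping the per-alarm results (rather than only the overall state) is what lets a playbook retry just the IDs that returned 404, which typically means the alarm was drilled from a stale Fetch Event run rather than a real API fault.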

Update Cases

Updates the properties, status, or tags for the specified cases.

READER NOTE

Case ID Or Numbers is a required parameter to run this command.

  • Run the List Cases command to obtain the Case ID Or Numbers. Case ID Or Numbers can be found in the raw data at:

    • $.Results[*].id (Case IDs)

    • $.Results[*].number (Case Numbers)

Input

Input Parameter

Required/Optional

Description

Example

Case ID Or Numbers

Required

The case IDs or numbers to update. Case ID Or Numbers can be obtained using the List Cases command.

JSON
["58E9*****E06B", "*****"]

Status

Optional

The updated status for the cases. Valid options are:

  • Created - 1

  • Completed - 2

  • Incident - 3

  • Mitigated - 4

  • Resolved - 5

Incident - 3

Alarm Numbers

Optional

The alarm identifiers to associate with the cases as evidence.

When multiple case IDs or numbers are provided, the designated alarms will be linked to each corresponding case.

JSON
[*****, *****]

Case Name

Optional

The updated name for the cases.

The maximum length is 250 characters. Characters beyond this limit are truncated.

Test2

Priority

Optional

The updated priority for the cases. Valid options are:

  • Priority(High) - 1

  • Priority - 2

  • Priority - 3

  • Priority - 4

  • Priority(Low) - 5

Priority - 3

Due Date

Optional

The updated due date for the cases.

03/06/2022 13:00

Summary

Optional

The updated summary note for the cases.

The maximum length is 10000 characters. Characters beyond this limit are truncated.

Investigated a potential system compromise. More details at http://example.com/.

Resolution

Optional

The updated resolution description for the cases.

The maximum length is 500 characters. Characters beyond this limit are truncated.

Investigated a potential system compromise. More details at http://example.com/.

Entity ID

Optional

The updated entity to assign to the case.

This parameter currently has no effect; it will not work until LogRhythm resolves the issue on its side. The value accepts only integers.

Entity ID can be obtained using the List Entities command.

*****

External ID

Optional

The updated externally defined identifier for the cases.

The maximum length is 250 characters. Characters beyond this limit are truncated.

EXTERNAL-*****

Tags

Optional

The tag identifiers to add or remove for the cases.

JSON
[1, 4]

Tag Update Operation

Optional

The tag update operation. Valid options are:

  • Add

  • Remove

This parameter only applies if Tags is defined.

By default, the value is set to Add.

Remove
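Most of the inputs above carry their own rules: the "Name - number" options for Status and Priority, the length limits on Case Name, Summary, Resolution and External ID, the fan-out of Alarm Numbers and Tags to every case, and Tag Update Operation applying only when Tags is defined. The Python block below is an added example, not D3 SOAR or LogRhythm code, that turns one set of inputs into the per-case operations a transport would then send. The operation names and body field names are abstract placeholders, the due date is assumed to be MM/DD/YYYY HH:MM in UTC based on the page's example, and Entity ID is left out because the page says it currently does not function; none of those details come from the page.

```python
"""Translate Update Cases inputs into per-case operations (added example).

Length limits and option lists follow the Update Cases table. Operation names
("update_properties", "change_status", ...) and body field names are
placeholders for a transport layer to map onto the Case API; the due-date
format is an assumption drawn from the page's "03/06/2022 13:00" example.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence

# Documented maximum lengths; longer values are truncated, so do it client-side
# and the value the playbook logs is the value LogRhythm actually stores.
MAX_LEN = {"name": 250, "summary": 10000, "resolution": 500, "externalId": 250}


def option_number(option: str) -> int:
    """'Incident - 3' -> 3, 'Priority(High) - 1' -> 1. Both option lists run 1..5,
    and Priority - 2/3/4 share a label, so the trailing number is authoritative."""
    _, sep, number = option.rpartition(" - ")
    if not sep or not number.isdigit() or not 1 <= int(number) <= 5:
        raise ValueError(f"expected 'Name - number' with number 1..5: {option!r}")
    return int(number)


def truncate(field: str, value: str) -> str:
    return value[: MAX_LEN[field]]


def parse_due_date(text: str) -> str:
    # Assumption: month/day/year hour:minute, treated as UTC (page gives no zone).
    return datetime.strptime(text, "%m/%d/%Y %H:%M").replace(tzinfo=timezone.utc).isoformat()


def build_case_operations(case_ids: Sequence[str], *, status: Optional[str] = None,
                          alarm_numbers: Optional[Sequence[int]] = None,
                          name: Optional[str] = None, priority: Optional[str] = None,
                          due_date: Optional[str] = None, summary: Optional[str] = None,
                          resolution: Optional[str] = None, external_id: Optional[str] = None,
                          tags: Optional[Sequence[int]] = None,
                          tag_operation: str = "Add") -> List[Dict]:
    """Return the ordered operations for every case ID or number given."""
    if not case_ids:
        raise ValueError("Case ID Or Numbers is required")
    if tag_operation not in ("Add", "Remove"):
        raise ValueError("Tag Update Operation must be Add or Remove")

    props: Dict = {}
    if name is not None:
        props["name"] = truncate("name", name)
    if priority is not None:
        props["priority"] = option_number(priority)
    if due_date is not None:
        props["dueDate"] = parse_due_date(due_date)
    if summary is not None:
        props["summary"] = truncate("summary", summary)
    if resolution is not None:
        props["resolution"] = truncate("resolution", resolution)
    if external_id is not None:
        props["externalId"] = truncate("externalId", external_id)

    ops: List[Dict] = []
    for case in case_ids:  # alarms, tags and properties fan out to every case
        if props:
            ops.append({"case": case, "op": "update_properties", "body": dict(props)})
        if status is not None:
            ops.append({"case": case, "op": "change_status",
                        "body": {"statusNumber": option_number(status)}})
        if alarm_numbers:
            ops.append({"case": case, "op": "add_alarm_evidence",
                        "body": {"alarmNumbers": list(alarm_numbers)}})
        if tags:  # Tag Update Operation only matters when Tags is defined
            op = "add_tags" if tag_operation == "Add" else "remove_tags"
            ops.append({"case": case, "op": op, "body": {"numbers": list(tags)}})
    return ops
```

Emitting one operation list per case, rather than one merged request, is what makes the Partially Successful state in the Error Handling section below meaningful: a 401 or a missing case on the second ID leaves the first case's operations intact and identifiable.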

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Cases failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Update Cases failed.

Status Code: 401.

Message: Unauthorized.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

More details about an error can be viewed in the Error tab.

String

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogRhythm Rest portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: Bad Request.
