The Security Operations LogRhythm integration lets Security Operations Center (SOC) analysts automatically create Security Incident Response (SIR) incidents when configured LogRhythm alarms fire. Analysts respond to those incidents using workflows that automate incident response activities; when the SIR incident is closed, the integration closes out the corresponding LogRhythm alarm.
The integration includes the following key features:
- Flexibility to create multiple alarm profiles such as phishing and malware.
- Drag-and-drop mapping of LogRhythm alarm field values to associated SIR security incident fields.
- A preview of the SIR security incident layout based on sample alarms to validate configuration setup.
- Ingest historical alarms as well as ongoing, future alarms on configurable intervals.
- Automated alarm closeout upon incident closure, which includes a SIR security incident ID and URL for easy linking.
- New:
  - Upgraded all dictionary-level read-only fields to Strict Read-Only, so the read-only restriction is enforced server-side for all UIs, scripts, and integrations rather than only in forms, preventing unauthorized changes.
  - Replaced all occurrences of the global admin role in the integration logic with the less-privileged, application-specific sn_si.admin role, so access control follows least-privilege principles.
- Fixed:
  - System property "Max Security Incident can be created in a day" not working.
  - Scheduled script "LogRhythm Data Cleanup" not executing.
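The role change above is easiest to see side by side. The following is an added illustrative example, not code from the LogRhythm integration or from ServiceNow: a stand-in role check models the platform behaviour that a user holding admin satisfies every role check, the two gates show the before and after of the release note, and a small audit helper scans constructed source lines for any check still hard-wired to the global admin role. All user records, role sets and source lines are constructed for the example.

```javascript
// Added example: models the release-note change from gating integration actions
// on the global 'admin' role to gating them on the SecOps 'sn_si.admin' role.
// Nothing here is the integration's real source; users and lines are constructed.

// Stand-in for a platform role check. In ServiceNow, gs.hasRole() also returns
// true for any user who holds 'admin'; this stub mirrors that behaviour.
function hasRole(user, role) {
  return user.roles.includes('admin') || user.roles.includes(role);
}

// Before: only global administrators may close a LogRhythm alarm.
function canCloseAlarmLegacy(user) {
  return hasRole(user, 'admin');
}

// After: the action is tied to the application's own admin role. A SecOps
// administrator no longer needs the global 'admin' role, with everything it
// carries, to operate the integration.
function canCloseAlarm(user) {
  return hasRole(user, 'sn_si.admin');
}

// Constructed users with different role sets.
const users = {
  globalAdmin: { name: 'global.admin', roles: ['admin'] },
  secopsAdmin: { name: 'secops.admin', roles: ['sn_si.admin', 'sn_si.analyst'] },
  analyst:     { name: 'soc.analyst',  roles: ['sn_si.analyst'] },
  itil:        { name: 'itil.user',    roles: ['itil'] },
};

// Evaluate each user against both gates so the difference is explicit.
function compareGates(userMap) {
  const result = {};
  for (const [key, user] of Object.entries(userMap)) {
    result[key] = { legacy: canCloseAlarmLegacy(user), current: canCloseAlarm(user) };
  }
  return result;
}

// Audit helper: return 1-based line numbers of any remaining hasRole('admin')
// checks, i.e. code paths the refactor missed.
function findGlobalAdminChecks(sourceLines) {
  const pattern = /hasRole\(\s*['"]admin['"]\s*\)/;
  return sourceLines
    .map((line, i) => (pattern.test(line) ? i + 1 : null))
    .filter((n) => n !== null);
}

// Constructed excerpt standing in for integration source under review.
const sampleSource = [
  "// constructed excerpt, not the integration's real source",
  "if (!gs.hasRole('admin')) { return; }",
  "if (!gs.hasRole('sn_si.admin')) { return; }",
  'var ok = gs.hasRole("admin");',
];

console.log(JSON.stringify(compareGates(users), null, 2));
console.log('Remaining global-admin checks on lines:', findGlobalAdminChecks(sampleSource));
```

The SecOps administrator is denied by the legacy gate and allowed by the current one, while the analyst and ITIL users are denied by both; the audit helper reports the two constructed lines that still test for the global role.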
The following Security Incident Response plugins must be installed and activated:
- Security Incident Response (com.snc.security_incident)
- Security Support Orchestration (com.snc.secops.orchestration)
List of Business Rules:
- LogRhythm Default Profile
- Initialize pulling tracker
- getAlarmRules
- Show schedule job status
- closeLogRhythmAlarm
List of Script Includes:
- LogRhythmIntegration
- LogRhythmSOAPEnvelope
- LogRhythmProfileAjax
- LogRhythmFieldMapProcessor
- LogRhythmAlarmLogic
- LogRhythmAlarmRuleLogic
- LogRhythmCacheDrillDown
Modules:
LogRhythm Integration:
- LogRhythm Configurations
- Alarm Profiles
- LogRhythm Field Translations
Tables:
- LogRhythm Alarm Event
- Alarm Profile
- Alarm Rule
- LogRhythm Configuration
- LogRhythm Field Translation
- LogRhythm Source to Task
List of Client Scripts:
- Profile Refresh Alarm Rules
- LogRhythm Profile Review Logic
- LogRhythm Profile Nav Buttons
- LogRhythm Profile Slush Filter Logic
- addSecurityIncidentFields
The Scope(s) used:
- sn_sec_logrhythm
List of properties (including system properties):
- sn_sec_logrhythm.glide.script.block.client.globals
List of transform maps:
- LogRhythm Alarm Transform
List of Scheduled jobs for data imports:
- Process LogRhythm Integration