6 Steps to Using the LogRhythm API
This article will show you how to use the LogRhythm SIEM API. It is important to understand what the API can do and how you can use it. This will help you get better value from your SIEM deployment.
A Practical Use Case
To showcase use of the API, we will walk through a practical use case. That is, we will provision a user Identity within LogRhythm. This will allow you to tie logs that contain different logins to the same user. This is known as the TrueIdentity feature.
To achieve this, I will first show you how to connect to the LogRhythm API using Postman. We will then send some basic test requests. Finally, we will create a custom Python script which writes identities via the LogRhythm API.
What is an API?
In computer programming, an Application Programming Interface (API) is a set of methods by which software components communicate with one another. This simplifies programming by abstracting away the implementation and exposing only the actions the developer needs.
What is a SIEM API?
A SIEM API allows you to administer a SIEM platform programmatically. This is powerful because it lets you automate tasks with scripting. Some example use cases for a SIEM API are:
- Add and remove user identities as employees join or leave the company
- Automatically update a list of privileged users
- Create a case when an alarm is raised
- Integrate the SIEM with an external application (for example, write EDR search results to a case)
Ultimately, the API can be your friend in automating tasks and therefore increasing the efficiency of your security operations.
What is Postman?
Postman is a software testing tool for APIs which makes it easy to develop API-based integrations. In this article we will use Postman to test interactions with the LogRhythm API. We will also use Postman to generate code snippets which we will reuse in our custom script.
The Steps
Step 1: Setup Postman
Download and install Postman here. After installing Postman for the first time you will see a screen that looks like this:
We can test the LogRhythm API using Requests. Under Start Something New, select Create New > HTTP Request. Give it a name (for example ‘API Test’), and then click Create Collection, and call this ‘LogRhythm’, and then click Save.
Lastly, click the gear icon in the top right of Postman and then click Settings. Within the Settings dialog, turn SSL Certificate Verification to 'OFF'. This is only needed because the Platform Manager typically presents a self-signed certificate; it is acceptable for a lab, but note that with verification off your API token is sent to whatever answers at that address. The better fix is to add the Platform Manager's certificate (or its issuing CA) under Postman's Certificates settings and leave verification on.
Step 2: Create an API Access Token in LogRhythm
Now that Postman is installed, we need to create an access token within LogRhythm. To do this, open the LogRhythm Client Console, navigate to the Deployment Manager > Third-Party Applications tab > Add a new application.
Name it appropriately and click Apply. Next, click Generate Token. Be aware of the token expiry, because an expired token will cause your script to stop working. Treat the token as a secret: it is a bearer credential that grants the rights you gave the application, so keep it out of your script (an environment variable or a secrets store) rather than hard-coding it.
Step 3: Configure Access Token in Postman
Now we shall save this access token within Postman. This will authorise Postman to make API requests to LogRhythm.
In your Postman workspace, click on the Authorization tab and choose type as Bearer Token. Paste your token into the token field:
Step 4: Test Postman
Now we shall test if Postman can correctly connect to the LogRhythm API. In the Enter Request URL field, enter this string:
https://<IP of your Platform Manager>:8501/lr-admin-api/lists/
If this works, you will see a Status: 200 OK, along with a JSON output which contains details of the lists configured within LogRhythm.
Step 5: Write a Test Identity
Now we will use Postman to write a test identity to LogRhythm using the API.
Click the + icon toward the top of Postman to start a new tab. In the Method dropdown, select POST and in the URL field enter this:
https://<IP of your Platform Manager>:8501/lr-admin-api/identities/bulk/?entityID=1
Then click Body and select the Raw radio button. In the field below, paste this text and click Send:
{
    "friendlyName": "John Doe",
    "accounts": [
        {
            "nameFirst": "John",
            "nameLast": "Doe",
            "vendorUniqueKey": "jdoe@mail.com",
            "identifiers": [
                {
                    "identifierType": "Login",
                    "value": "jdoe"
                }
            ]
        }
    ]
}
If all goes well, you should see Status: 201 Created in the lower right, and the bottom pane will display an identityID value:
You can also verify that your test identity appears within the LogRhythm Web Console if you open Administration > TrueIdentity and then filter for your new identity:
Step 6: Customise the Request
Now that we have a working Request, we can use Postman to generate our Python code.
In Postman, click the Code link on the far right-hand side of the screen and select Python - Requests:
We can now use this as the starting point for creating a custom script which will interact with the LogRhythm API.
As an example, you could write a script which reads a list of usernames from a text file and writes each one as an identity, following this pseudocode:
Open a text file of usernames
For each username in the file:
    Format a JSON object as the payload (similar to the sample code)
    Use the sample code to post the request
A sample Python script which performs this task is available on GitHub here.
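The pseudocode above in working form, as an added example for this article (my own code, not the GitHub script linked above). It assumes an input line format of login,first,last,email, since a bare username gives no first or last name for the account, and it reads the Platform Manager host, the API token and an optional CA bundle path from environment variables instead of hard-coding the token. FakeSession is a constructed stand-in for requests.Session so the module can be exercised offline; the real run at the bottom uses the requests library, as Postman's generated snippet does.

```python
"""Bulk-load TrueIdentity records from a text file via the LogRhythm Admin API.

Added example, not the article's script. Assumptions not taken from the page:
input lines are 'login,first,last,email'; host, token and CA bundle come from
the environment (LR_PM_HOST, LR_API_TOKEN, LR_CA_BUNDLE).
"""
import json
import os
import sys

# Constructed sample input (not real accounts) so the module runs offline.
SAMPLE_USERS = """\
# login,first,last,email
jdoe,John,Doe,jdoe@mail.com
asmith,Alice,Smith,asmith@mail.com
"""


def parse_user_file(text):
    """Parse 'login,first,last,email' lines; blank lines and '#' comments are skipped."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not parts[0]:
            raise ValueError(f"malformed line: {raw!r}")
        login, first, last, email = parts
        users.append({"login": login, "first": first, "last": last, "email": email})
    return users


def build_identity_payload(user):
    """Same shape as the Step 5 body: one account carrying one Login identifier."""
    return {
        "friendlyName": f"{user['first']} {user['last']}".strip() or user["login"],
        "accounts": [{
            "nameFirst": user["first"],
            "nameLast": user["last"],
            "vendorUniqueKey": user["email"],  # one unique key per account
            "identifiers": [{"identifierType": "Login", "value": user["login"]}],
        }],
    }


def post_identity(session, base_url, token, payload, entity_id=1, verify=True):
    """POST one identity to /lr-admin-api/identities/bulk/ and return the JSON reply."""
    url = f"{base_url}/lr-admin-api/identities/bulk/"
    resp = session.post(
        url,
        params={"entityID": entity_id},
        headers={"Authorization": f"Bearer {token}",  # same Bearer auth as Step 3
                 "Content-Type": "application/json"},
        data=json.dumps(payload),
        verify=verify,  # keep verification on; pass the PM's CA bundle path instead
        timeout=30,
    )
    if resp.status_code == 401:
        raise PermissionError("LogRhythm rejected the token (expired or revoked?)")
    if resp.status_code != 201:
        raise RuntimeError(f"HTTP {resp.status_code} from {url}: {resp.text[:200]}")
    return resp.json()


def load_identities(session, base_url, token, text, entity_id=1, verify=True):
    """Create one identity per input line and return [(login, identityID), ...].

    A bad request for one user is reported and skipped, but a 401 aborts the
    whole run: once the token has expired every further POST would fail too.
    """
    created = []
    for user in parse_user_file(text):
        try:
            body = post_identity(session, base_url, token,
                                 build_identity_payload(user), entity_id, verify)
        except RuntimeError as err:
            print(f"skipping {user['login']}: {err}", file=sys.stderr)
            continue
        created.append((user["login"], body.get("identityID")))
    return created


class _FakeResponse:
    def __init__(self, status_code, body):
        self.status_code, self._body, self.text = status_code, body, json.dumps(body)

    def json(self):
        return self._body


class FakeSession:
    """Constructed stand-in for requests.Session: accepts one token, hands out IDs."""
    def __init__(self, valid_token):
        self.valid_token, self.calls, self.next_id = valid_token, [], 1000

    def post(self, url, params=None, headers=None, data=None, verify=True, timeout=None):
        self.calls.append(json.loads(data))
        if headers.get("Authorization") != f"Bearer {self.valid_token}":
            return _FakeResponse(401, {"message": "Unauthorized"})
        self.next_id += 1
        return _FakeResponse(201, {"identityID": self.next_id})


if __name__ == "__main__":
    # Real run: python load_identities.py users.txt  (LR_PM_HOST and LR_API_TOKEN set)
    import requests  # pip install requests; imported here so the offline demo needs nothing
    host, token = os.environ["LR_PM_HOST"], os.environ["LR_API_TOKEN"]
    with open(sys.argv[1], encoding="utf-8") as fh:
        text = fh.read()
    for login, ident in load_identities(requests.Session(), f"https://{host}:8501", token,
                                        text, verify=os.environ.get("LR_CA_BUNDLE", True)):
        print(f"{login}: identityID {ident}")
```

The response body of the bulk endpoint is returned as parsed JSON and only the identityID key the article reports is picked out; if your deployment returns a different shape, adjust that one line to match what Postman showed in Step 5. Stopping on the first 401 rather than skipping it is deliberate: an expired token (Step 2) fails every user, and silently skipping would hide that.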
LogRhythm API Documentation
The LogRhythm API documentation is a resource which will help you to identify the available API functions and their requirements.
The API documentation is available here:
https://<IP of your Platform Manager>:8505/lr-admin-api/docs
Further documentation can be found on the LogRhythm Docs site here.
Conclusion
Congratulations, you have now added an identity to LogRhythm SIEM using the API. There are many other use cases for the API, and I encourage you to experiment further to explore the automation possibilities within your environment.