Introducing LogRhythm.Tools
LogRhythm.Tools is a PowerShell framework that wraps the LogRhythm API. It simplifies working with the API because you only need to run a PowerShell cmdlet to call an API function, rather than writing your own code to build, send and parse the HTTP requests.
Automating tasks with the LogRhythm API is a great way to improve your security operations. This tutorial will show you how to use LogRhythm.Tools and walk through some sample use cases.
Big shout out to the developers of LogRhythm.Tools, Eric Hart and Gene Cupstid. LogRhythm.Tools is an open source project and information on contributing can be found here.
Getting Started
Installation is simple: extract a zip file and run two commands.
To get started, download LogRhythm.Tools here, and then follow the steps here. Once installed, interacting with the API is just a matter of running a PowerShell cmdlet. To test the setup, open a PowerShell prompt, navigate to the folder where you extracted the files, and run these two commands:
Import-Module LogRhythm.Tools
Get-LrLists
The output should show details of the lists configured within your LogRhythm deployment.
3 Automation Use Cases
Now that we have set up LogRhythm.Tools, let's look at some example use cases.
1. Monitoring Recently Resigned Employees
A common scenario is applying additional monitoring to employees who have recently resigned and are working their notice period. This can be done by maintaining a list of those employees' usernames in LogRhythm. Automating the upkeep of this list is important, and for LogRhythm Cloud users it can only be done via the API.
Using LogRhythm.Tools, you can synchronise a list using this cmdlet:
Sync-LrListItems
If you can obtain a list of ‘leavers’, you can automatically add them to a list, for closer monitoring by the security team.
This can be done with a small PowerShell script that is scheduled to read a specified text file. It can then call the LogRhythm.Tools cmdlet to update the list.
The following PowerShell snippet is all you need to sync the usernames to the ‘user_list’ within LogRhythm:
$names = Get-Content C:\folder\users.txt
Sync-LrListItems -name 'user_list' $names
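The two-line version above is enough to prove the mechanism, but a scheduled script needs a little more care, because Sync makes the list match the file exactly: an empty or truncated feed would silently remove every leaver from the list and switch the extra monitoring off. The following is an added example, not code from the original post or from the LogRhythm.Tools project. It assumes that Sync-LrListItems accepts -Name and -Value parameters (check with Get-Help Sync-LrListItems), that the list 'user_list' already exists, and the file path and username format are hypothetical:

```powershell
# Added example, not from LogRhythm.Tools or the original post.
# Assumptions: LogRhythm.Tools is installed and configured; the list 'user_list'
# already exists; Sync-LrListItems takes -Name and -Value; the leaver file path
# and username pattern are hypothetical and should match your environment.
Import-Module LogRhythm.Tools

$LeaverFile = 'C:\folder\users.txt'   # hypothetical path, one username per line
$ListName   = 'user_list'

# Read the feed, drop blank lines and '#' comments, trim whitespace and
# normalise case so 'JSmith' and 'jsmith' are the same entry.
$names = Get-Content -Path $LeaverFile -ErrorAction Stop |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object { $_.ToLowerInvariant() } |
    Sort-Object -Unique

# Reject anything that does not look like a username. The file is an input
# you do not fully control; a malformed line would otherwise land in the
# list and in every correlation rule, search and report that uses it.
$pattern = '^[a-z0-9._-]{1,64}$'
$valid   = @($names | Where-Object { $_ -match $pattern })
$invalid = @($names | Where-Object { $_ -notmatch $pattern })
if ($invalid.Count -gt 0) {
    Write-Warning "Skipping malformed entries: $($invalid -join ', ')"
}

# Guard against an empty or unreadable feed. Synchronising to an empty set
# would remove every monitored leaver from the list.
if ($valid.Count -eq 0) {
    Write-Error "No valid usernames found in $LeaverFile; list '$ListName' left unchanged."
    exit 1
}

# Sync makes the list match the file: new leavers are added and names that
# have dropped off the file (notice period over) are removed.
Sync-LrListItems -Name $ListName -Value $valid
Write-Host ("Synchronised {0} username(s) to list '{1}'." -f $valid.Count, $ListName)
```

Run it from a scheduled task under a service account whose API token is scoped to list administration only; the script never needs case or alarm permissions.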
Lists are very important in any SIEM deployment. They can contain items of interest such as hostnames, usernames, IP addresses and so on. You can use lists in your dashboard filters, searches, reports and correlation rules.
2. Adding EDR Search Results to a Case
A SIEM integrated with an Endpoint Detection and Response (EDR) tool provides powerful automation opportunities.
For example, a correlation rule firing on the SIEM can automatically trigger an Indicator of Compromise (IOC) search on the EDR. The flow could start with a conviction from a malware sandbox, which in turn triggers the EDR search. The search can look for a known-bad file hash, process hash or network connection across all endpoints.
If any matches are found, the results, such as hostnames, can be automatically added to a case in LogRhythm. This means that when an analyst picks up the case, it will already have the relevant information.
A note can be added to a case with this LogRhythm.Tools cmdlet:
Add-LrNoteToCase
Example usage of this cmdlet is:
Add-LrNoteToCase -Id <caseID> -Text <Hostnames extracted from EDR search results> -PassThru
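The note text is where the value is: an analyst picking up the case wants one line per host, earliest sighting first, not a raw dump of EDR JSON. The following is an added example, not code from the original post or from LogRhythm.Tools. The EDR search itself is outside this page, so $edrResults is a constructed stand-in for whatever your EDR returns; its property names, the case ID and the IOC value are all hypothetical:

```powershell
# Added example, not from LogRhythm.Tools or the original post.
# Assumptions: LogRhythm.Tools is installed and configured and the case already
# exists. $edrResults is constructed sample data standing in for the EDR search
# output; its property names, the case ID and the IOC are hypothetical.
Import-Module LogRhythm.Tools

$CaseId  = 1234   # hypothetical LogRhythm case ID
$IocHash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'   # placeholder IOC (SHA-256 of an empty file)

# Constructed sample EDR hits: one record per sighting of the IOC.
$edrResults = @(
    [pscustomobject]@{ Hostname = 'WKSTN-0042'; User = 'jsmith';  FirstSeen = '2021-03-01T09:12:00Z'; Path = 'C:\Users\jsmith\AppData\Local\Temp\update.exe' }
    [pscustomobject]@{ Hostname = 'WKSTN-0042'; User = 'jsmith';  FirstSeen = '2021-03-01T09:15:00Z'; Path = 'C:\Users\jsmith\Downloads\update.exe' }
    [pscustomobject]@{ Hostname = 'SRV-FILE01'; User = 'svc_bkp'; FirstSeen = '2021-03-01T10:02:00Z'; Path = 'D:\shares\tmp\update.exe' }
)

function New-EdrSummaryNote {
    param(
        [Parameter(Mandatory)] [string]   $Ioc,
        [Parameter(Mandatory)] [object[]] $Hits,
        [int] $MaxHosts = 50
    )
    # Collapse sightings to one row per host, keeping the earliest sighting,
    # then order by first-seen so the likely patient zero is at the top.
    $hosts = $Hits | Group-Object Hostname | ForEach-Object {
        $first = $_.Group | Sort-Object FirstSeen | Select-Object -First 1
        [pscustomobject]@{
            Hostname  = $_.Name
            Hits      = $_.Count
            FirstSeen = $first.FirstSeen
            User      = $first.User
            Path      = $first.Path
        }
    } | Sort-Object FirstSeen

    $lines = @("EDR IOC search (automated)", "IOC: $Ioc", "Hosts matched: $($hosts.Count)", "")
    $lines += $hosts | Select-Object -First $MaxHosts | ForEach-Object {
        "{0}  hits={1}  first={2}  user={3}  path={4}" -f $_.Hostname, $_.Hits, $_.FirstSeen, $_.User, $_.Path
    }
    # Cap the note so a wide outbreak does not produce an unreadable case entry.
    if ($hosts.Count -gt $MaxHosts) {
        $lines += "... $($hosts.Count - $MaxHosts) more host(s) omitted; see the EDR console."
    }
    return ($lines -join "`n")
}

if (-not $edrResults) {
    Write-Host "No EDR matches for $IocHash; nothing added to case $CaseId."
    return
}

$note = New-EdrSummaryNote -Ioc $IocHash -Hits $edrResults
Add-LrNoteToCase -Id $CaseId -Text $note -PassThru

# The matched hosts can also feed a list for correlation rules (list name hypothetical):
# $edrResults.Hostname | Sort-Object -Unique | ForEach-Object { Add-LrListItem -Name 'ioc_hosts' -Value $_ }
```

Treat the EDR output as untrusted input when building the note: the path and user fields above come straight from endpoints and can be attacker-controlled, which is why they are formatted into fixed columns rather than interpolated into anything that is later evaluated.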
3. Matching Log Sources to an Asset List
Another common SIEM administration task is making sure that every asset that requires monitoring is actually being monitored. This kind of (boring) administration work diverts a security analyst's valuable time away from detecting threats.
So we should automate such tasks as much as possible. Luckily LogRhythm.Tools can help, with this cmdlet:
Get-LrLogSources
Retrieving a formatted list of log sources with LogRhythm.Tools takes only the two lines below. With some processing, that list can then be compared with an asset list to identify which assets still require onboarding:
$cmdOutput = Get-LrLogSources
$cmdOutput | Format-Table | Out-String | Write-Host
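The "some processing" is the part worth showing: reduce the log sources to the set of hosts that are sending logs, reduce the asset inventory to the set of hosts that should be, and diff the two. The following is an added example, not code from the original post or from LogRhythm.Tools. It assumes each object returned by Get-LrLogSources exposes the collecting host under $_.host.name and its status under $_.recordStatus (property names are an assumption; confirm them with Get-LrLogSources | Get-Member), and the asset CSV path and columns are hypothetical:

```powershell
# Added example, not from LogRhythm.Tools or the original post.
# Assumptions: LogRhythm.Tools is installed and configured; Get-LrLogSources
# returns objects with $_.host.name and $_.recordStatus (verify with
# Get-LrLogSources | Get-Member); the asset CSV path and its columns
# Hostname,Owner,Tier are hypothetical.
Import-Module LogRhythm.Tools

$AssetCsv = 'C:\folder\assets.csv'   # hypothetical path; columns: Hostname,Owner,Tier

# Hosts that have at least one active log source registered in LogRhythm.
$monitored = @(Get-LrLogSources |
    Where-Object { $_.recordStatus -eq 'Active' } |
    ForEach-Object { $_.host.name } |
    Where-Object { $_ } |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Sort-Object -Unique)

# Hosts the asset inventory says must be monitored.
$assets   = @(Import-Csv -Path $AssetCsv)
$expected = @($assets.Hostname |
    Where-Object { $_ } |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Sort-Object -Unique)

# Compare-Object refuses an empty reference set, and an empty inventory or an
# empty API result almost certainly means a broken feed rather than a clean diff.
if ($expected.Count -eq 0) { Write-Error "Asset list $AssetCsv is empty; aborting."; exit 1 }
if ($monitored.Count -eq 0) { Write-Error "Get-LrLogSources returned no active sources; aborting."; exit 1 }

# '<=' is only in the asset list (needs onboarding); '=>' is only in
# LogRhythm (a source nobody owns, or a stale asset list).
$diff    = Compare-Object -ReferenceObject $expected -DifferenceObject $monitored
$missing = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
$orphans = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)

# Report the gaps with owner and tier so the onboarding queue is prioritised.
$assets |
    Where-Object { $missing -contains $_.Hostname.Trim().ToLowerInvariant() } |
    Sort-Object Tier, Hostname |
    Format-Table Hostname, Owner, Tier -AutoSize

Write-Host ("{0} asset(s) without an active log source; {1} log-source host(s) not in the asset list." -f $missing.Count, $orphans.Count)
if ($orphans.Count -gt 0) { Write-Host ("Unowned sources: {0}" -f ($orphans -join ', ')) }
```

Both directions of the diff matter: assets with no log source are the obvious visibility gap, but log sources that no asset record claims are often decommissioned hosts that were never removed, or systems that were stood up outside the inventory process.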
This article has shown some basic usage examples for LogRhythm.Tools. Each example obviously needs more scripting work to become a finished integration, but LogRhythm.Tools significantly shortens that development time by removing the need to interface directly with the LogRhythm API.
Conclusion
An integrated and automated security architecture is something all organisations should strive towards. LogRhythm.Tools is one tool to help you along this journey.