LogRhythm.Tools is a PowerShell module for interacting with LogRhythm APIs. The module is a powerful addition to a LogRhythm analyst's toolbox, and can be used interactively within PowerShell or as a framework for developing SmartResponse plugins - without requiring an understanding of LogRhythm's API layer.

LogRhythm Components:

• Admin (Agents, Entities, Hosts, Identities, lists, Locations, LogSources, Networks, Users)
• AI Engine Drilldown for Alarms
• Cases (Evidence, Metrics, Playbooks, Tags)
• Search (LR version 7.5 required)
• Alarms (LR version 7.7 required)
• LogRhythm Echo

Third Party Integrations:

LogRhythm.Tools supports API access to various third party vendors. Access to these services requires authorization keys provided by the third party and is not granted as a part of the LogRhythm.Tools module.

• Microsoft Active Directory
• Microsoft Graph API
• Microsoft Defender API
• Mimecast
• MACVendors
• Proofpoint
• Recorded Future
• Shodan
• Urlscan
• Virus Total

Each command included in the LogRhythm.Tools module is deigned to be modular and built to leverage the power of the PowerShell pipeline. The output of one LRT command can be sent for processing as input to the another command. And that output can be sent to yet another command. The result is a complex command chain or pipeline that is composed of a series of simple commands.

Operating Systems

• Windows 7
• Windows 8.1
• Windows 10
• Windows Server 2008r2
• Windows Server 2012
• Windows Server 2012r2
• Windows Server 2019

Software

• Windows Management Framework 5.1
• Windows .Net Framework 4.5.2

Permissions

• Ability to download resources from Github.com
• Ability to extract archive files from zip
• User level privileges to run PowerShell
• User level privileges to install PowerShell modules

Credentials

Required

• LogRhythm API Key

Optional

• Microsoft Azure App Registration
• Recorded Future API Key
• Shodan API Key
• Urlscan API Key
• VirusTotal API Key

NOTE: For specific Cmdlet requirements reference the section Cmdlet Version Requirements

• Download and extract the LogRhythm.Tools release package
• Run Setup.ps1 on a host that meets LogRhythm.Tools system requirements
• Follow the directions presented through the interactive installer
  • To apply configuration changes re-run the Setup.ps1
• Once installation has been complete follow these steps to test basic functionality
  • Open powershell.exe
  • Enter Import-Module LogRhythm.Tools
    • Verify no errors were returned during module import
  • Execute LogRhythm.Tools Cmdlet(s)
    • Get-LrLists
    • Get-LrEntities
    • Get-LrUsers

For additional examples on how to leverage LogRhythm.Tools check out the Examples section.

Contributions are welcome. Please review the Contributing guide and the Code Style guide.

• Invoke-RfSync: Allow Entity to be specified for established and managed lists.
• New-LrList: Removed defect where UseContext was supplied on all requests.
• ConvertTo-Base64: Expanded to support additional encoding types.
• ConvertFrom-Base64: Expanded to support additional encoding types.
• Lrt.Config.Input.json: Added descriptor to the SSL Certification policy section.

• All Cmdlets: Reduced code complexity for Windows PowerShell and PowerShell Core Invoke-RestMethod calls.
• All Cmdlets: Implement PowerShell cmdlet standard for -PassThru switch paramater for any cmdlet that applies a add/delete/update operation.
• All LogRhythm API Cmdlets: Reduce configuration management complexity by converting AdminBaseUrl, CaseBaseUrl, AieBaseUrl, SearchBaseUrl, AlarmBaseUrl into BaseUrl.
• Invoke-PIEUrlDNSLookup: Removed error output when no DNS results are found.
• Get-PIEURLsFromHTML: Updated URL scrape method to review each HTML Tag. Now able to detect baseStriker URLs.
• Remove-LrTag: Removed unneccisary JSON Body from cmdlet.
• Get-LrAieDrilldown: Changed data type from Systems.Collection.Generic.Dictionary[string,string] to System.Object for Summary Fields.
• Get-LrAieDrilldown: Added Log Count, AIERuleID, and AIEDrilldownRetryCount to returned data results.
• Show-LrLocations: Removed this cmdlet from LogRhythm.Tools. This cmdlet was a stop-gap to provide location data in pre-7.5 Deployments.
• Get-LrThreatIntelligence: Retrieve the associated Threat Providers and Categories from the Threat Intelligence API.
• Get-LrCases: Fix defect that would prevent return of exact case matches to not return if the submitted request did not include a metrics summary.
• Get-InputApiUrl: Update the working logic of the Get-InputApiUrl to support LogRhythm Cloud operating over port 443 in place of the pre-configured 8501.
• Initial release for LogRhythm Alarms API: Get-LrAlarm, Get-LrAlarmComment, Get-LrAlarmEvents, Get-LrAlarms, Get-LrAlarmSummary, Get-LrAlarmHistory, Test-LrAlarmStatus, Update-LrAlarm
• Get-LrIdentities: Updated -exact to function for Name and Identifier property fields.
• Get-LrtAzUserManager: Updated Error handler for Get-LrtAzUserManager cmdlet.
• Invoke-LrSearchExample: Example to serve as a reference to perform searches for Hostname (Origin/Impacted) OR IP Address (Origin/Impacted) over a given time frame with a maximum of 30,000 logs returned.
• Proxy Support: Enables all Invoke-RestMethod/HTTP requests to go through a configured Proxy.
• Add-LrIdentity: Added support for TrueIdentity data element Title.

A great place to start is reviewing all of the lists that are available to us through our API access. It's important to note that our access is defined and controlled by LogRhythm's RBAC policies.

listType        : GeneralValue
status           : Active
name            : LRT : Hash : Recently Quarantined Files
shortDescription : List of file hashes populated in response to Anti-Virus quarantine actions.
longDescription  :  This list is leveraged to identify any additional Information System that may have activity corresponding with the identified file hash.
useContext       : {Hash}
autoImportOption : @{enabled=False; usePatterns=False; replaceExisting=False}
importFileName   :
id               : 2001
guid             : BC952970-2AF3-46B7-BB1F-4282102EB1FE
dateCreated      : 2020-06-11T16:47:13.823Z
dateUpdated      : 2020-06-11T16:47:14.677Z
revisitDate      : 2030-06-11T10:47:14.677Z
readAccess       : PublicRestrictedAdmin
writeAccess      : PublicRestrictedAdmin
restrictedRead   : False
entityName       : Primary Site
entryCount       : 12
needToNotify     : False
doesExpire       : False
owner            : 1

 
listType         : GeneralValue
status            : Active
name             : LRT : Domain : ConfLo : Blacklisted Dns Name
shortDescription : List of URLs that have a low level of confidence associated with Blacklisted DNS names.
longDescription  :  This list is leveraged to identify Information Systems that may have activity with suspicious domain names.
useContext       : {URL}
autoImportOption : @{enabled=False; usePatterns=False; replaceExisting=False}
importFileName   :
id               : 2019
guid             : 7328F064-6E70-45E8-8881-B9917F15C9D3
dateCreated      : 2020-06-12T14:23:01.853Z
dateUpdated      : 2020-06-12T14:23:02.743Z
revisitDate      : 2030-06-12T08:23:02.743Z
readAccess       : PublicRestrictedAdmin
writeAccess      : PublicRestrictedAdmin
restrictedRead   : False
entityName       : Primary Site
entryCount       : 12
needToNotify     : False
doesExpire       : False
owner            : 1

The list LRT : Domain : ConfLo : Blacklisted Dns Name appears interesting and we want to review only the list values populated on the list. For this we'll make use of the Get-LrListItems cmdlet where we can reference our target list by its name, LRT : Domain : ConfLo : Blacklisted Dns Name or by its GUID 7328F064-6E70-45E8-8881-B9917F15C9D3. This is thanks to the implementation design of the LogRhythm Tools cmdlets.

www.plxipr.com
imagescmeraclub.com
tutorialsalk.info
buildingmsu.ac.th
www.haecaklaw.com
bolizarsspos.com
logrhythm.com
boilersadfurnaces.com
appum.com
avacarvisual.com.br
amle-sun.eu
icst.na.its.ac.id

Reviewing the results from our Blacklisted Dns Name's it looks like a mistake has been introduced with the logrhythm.com entry. This example will showcase how to remove a specific value from this list. With this method we will change from referencing the list from the name property and instead reference the list by its GUID.

listType         : GeneralValue
status           : Active
name             : LRT : Domain : ConfLo : Blacklisted Dns Name
shortDescription : List of URLs that have a low level of confidence associated with Blacklisted DNS names.
longDescription  : This list is leveraged to identify Information Systems that may have activity with suspicious domain names.
useContext       : {URL}
autoImportOption : @{enabled=False; usePatterns=False; replaceExisting=False}
importFileName   :
id               : 2025
guid             : 7328F064-6E70-45E8-8881-B9917F15C9D3
dateCreated      : 2020-06-12T14:23:04.917Z
dateUpdated      : 2020-06-22T20:32:09.853Z
revisitDate      : 2030-06-22T14:32:09.857Z
readAccess       : PublicRestrictedAdmin
writeAccess      : PublicRestrictedAdmin
restrictedRead   : False
entityName       : Primary Site
entryCount       : 11
needToNotify     : False
doesExpire       : False
owner            : 1
listItemsCount   : 0

To validate we can check our list's results to verify the removal.

www.plxipr.com
imagescmeraclub.com
tutorialsalk.info
buildingmsu.ac.th
www.haecaklaw.com
bolizarsspos.com
boilersadfurnaces.com
appum.com
avacarvisual.com.br
amle-sun.eu
icst.na.its.ac.id

Lets say we want to carry out some maintenance and clear out all the results from our Blacklisted Dns Name list. For this example we'll utiize Powershell's pipeline processing and two LogRhythm Tools cmdlets. The first cmdlet is from our earlier retrieving list items example that will be paired with the removing an item example.

listType         : GeneralValue
status           : Active
name             : LRT : Domain : ConfLo : Blacklisted Dns Name
shortDescription : List of URLs that have a low level of confidence associated with Blacklisted DNS names.
longDescription  : This list is leveraged to identify Information Systems that may have activity with suspicious domain names.
useContext       : {URL}
autoImportOption : @{enabled=False; usePatterns=False; replaceExisting=False}
importFileName   :
id               : 2025
guid             : 7328F064-6E70-45E8-8881-B9917F15C9D3
dateCreated      : 2020-06-12T14:23:04.917Z
dateUpdated      : 2020-06-22T20:39:56.247Z
revisitDate      : 2030-06-22T14:39:56.247Z
readAccess       : PublicRestrictedAdmin
writeAccess      : PublicRestrictedAdmin
restrictedRead   : False
entityName       : Primary Site
entryCount       : 0
needToNotify     : False
doesExpire       : False
owner            : 1
listItemsCount   : 0

This example begins to show some of the flexibility and capability of the LogRhythm Tools PowerShell module. The results show we successfully cleared out the number of entries contained in our target list through a single line of code with two cmdlets. The same method we've applied for removing items from LogRhythm Lists can also be applied to adding items to lists.

LogRhythm.Tools was developed and has undergone testing leveraging LogRhythm SIEM versions 7.4.X and 7.5.X. Validate the SIEM version with the Minimum Version specification below prior to submitting Cmdlet issues.