6 Steps to Using the LogRhythm API

This article will show you how to use the LogRhythm API. It is important to understand what the API can do and how you can use it. This will help you gain better value from your SIEM deployment.

A Practical Use Case for the LogRhythm API

To showcase use of the API, let’s walk through a use case by provisioning a user Identity within LogRhythm. This will allow you to tie logs that contain different logins to the same user. This is known as the TrueIdentity feature.

To achieve this, I will first show you how to connect to the LogRhythm API using Postman. We will then do some basic test requests. Finally, we will create a custom Python script which will write Identities via the LogRhythm API. Here is a little background information before we get started.

What is an API?

In computer programming, an application programming interface (API) is a defined set of methods by which software components communicate. This simplifies programming by abstracting away the implementation and exposing only the actions the developer needs.

What is a SIEM API?

A SIEM API will allow you to administer a SIEM platform. This is powerful because it allows you to automate tasks with scripting. Some use cases for a SIEM API are:

  • Add and remove user identities as employees join or leave the company
  • Automatically update a list of privileged users
  • Create a case when an Alarm is raised
  • Integrate the SIEM with an external application (for example, write EDR search results to a case)

Ultimately, the API can be your friend in automating tasks and therefore increasing the efficiency of your security operations.

What is Postman?

Postman is a software testing tool for APIs which makes it easy to develop API-based integrations. In this article we will use Postman to test interactions with the LogRhythm API. We will also use Postman to generate code snippets which we will use in our custom script.

A Step-By-Step Guide to Get Started with the LogRhythm API

Step 1: Set Up Postman

Download and install Postman here. After installing Postman for the first time, you will see a screen that looks like this:

Figure 1: Postman welcome screen

We can test the LogRhythm API using Requests. Under Start Something New, select Create New > HTTP Request. Give it a name (for example “API Test”), then click Create Collection, call this “LogRhythm,” and click Save.

Lastly, click the gear icon in the top right of Postman and click Settings. Within the Settings dialog, turn SSL Certificate Verification to “OFF.”

Step 2: Create an API Access Token in LogRhythm

Now that Postman is installed, we need to create an access token within LogRhythm. To do this, open the LogRhythm Client Console, navigate to the Deployment Manager > Third-Party Applications tab > Add a New Application.

Figure 2: Creating an access token

Name it appropriately and click Apply. Next, click Generate Token. Note the token's expiry date: once the token expires, your script will stop working!

Step 3: Configure Access Token in Postman

Now we shall save this access token within Postman. This will authorize Postman to make API requests to LogRhythm.

In your Postman workspace, click on the Authorization tab and choose Bearer Token as the type. Paste your token into the token field:

Figure 3: Configure the LogRhythm access token in Postman

Step 4: Test Postman

Now we shall test if Postman can correctly connect to the LogRhythm API. In the Enter Request URL field, enter this string:

https://<IP of your Platform Manager>:8501/lr-admin-api/lists/

If this works, you will see a Status: 200 OK, along with a JSON output which contains details of the lists configured within LogRhythm.

Step 5: Write a Test Identity

Now we will use Postman to write a test identity to LogRhythm using the API.

Click the + icon toward the top of Postman to start a new tab. In the Method dropdown, select POST and in the URL field enter this:

https://<IP of your Platform Manager>:8501/lr-admin-api/identities/bulk/?entityID=1

Then click Body and select the Raw radio button. In the field below, paste this text and click Send:

{
  "friendlyName": "John Doe",
  "accounts": [
    {
      "nameFirst": "John",
      "nameLast": "Doe",
      "vendorUniqueKey": "[email protected]",
      "identifiers": [
        {
          "identifierType": "Login",
          "value": "jdoe"
        }
      ]
    }
  ]
}

If all goes well, you should see Status: 201 Created in the lower right, and the bottom pane will display an identityID value:

Figure 4: An example of a successful POST

You can also verify that your test identity appears within the LogRhythm Web Console if you open Administration > TrueIdentity then filter for your new identity:

Figure 5: LogRhythm TrueIdentity

Step 6: Customize the Request

Now that we have a working Request, we can use Postman to generate our Python code.

In Postman, click the Code link on the far right-hand side of the screen and select Python Requests:

Figure 6: Python code for the API request

We can now use this as the starting point for creating a custom script which will interact with the LogRhythm API.

As an example, you could write a script to read a list of usernames from a text file and write them as identities using the following pseudocode:

Open a text file of usernames
For each username in the file:
    Format a JSON object as the payload (similar to the sample code)
    Use the sample code to post the request

A sample Python script which performs this task is available on GitHub here.
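The pseudocode above, worked through as an added example that is neither the post's code nor the GitHub script it links to. It uses the standard-library urllib instead of the requests snippet Postman generates, reads "login,first,last" lines (rather than bare usernames) so that nameFirst and nameLast can be filled in, and verifies the Platform Manager's certificate against a CA bundle rather than turning verification off as in the Step 1 Postman setting; PLATFORM_MANAGER, ENTITY_ID, CA_BUNDLE and the example.com domain are assumed placeholders.

```python
import json
import ssl
import urllib.request

# Assumed values, not from the original post: adjust to your deployment.
PLATFORM_MANAGER = "platform-manager.example.internal"
ENTITY_ID = 1
CA_BUNDLE = "/etc/ssl/certs/logrhythm-pm-ca.pem"  # CA that issued the PM's certificate


def parse_user_lines(text):
    """Parse 'login,first,last' lines; skip blanks, '#' comments and repeated logins."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        login, first, last = (p.strip() for p in line.split(",", 2))  # raises on short lines
        users.setdefault(login, (login, first, last))  # first occurrence of a login wins
    return list(users.values())


def build_identity(login, first, last, domain="example.com"):
    """Build one identity in the same shape as the Step 5 Postman body."""
    return {
        "friendlyName": f"{first} {last}",
        "accounts": [{
            "nameFirst": first, "nameLast": last,
            "vendorUniqueKey": f"{login}@{domain}",  # constructed unique key
            "identifiers": [{"identifierType": "Login", "value": login}],
        }],
    }


def build_request(identity, token):
    """Return the (unsent) POST to /lr-admin-api/identities/bulk/ carrying the bearer token."""
    url = f"https://{PLATFORM_MANAGER}:8501/lr-admin-api/identities/bulk/?entityID={ENTITY_ID}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps(identity).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(request, ca_bundle=CA_BUNDLE):
    """Send the request, verifying the server certificate against ca_bundle; return (status, body)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def provision_from_file(path, token):
    """POST one identity per file line; return {login: (status, response body)}."""
    with open(path, encoding="utf-8") as fh:
        users = parse_user_lines(fh.read())
    return {login: send(build_request(build_identity(login, first, last), token))
            for login, first, last in users}
```

A 201 status for a login in the returned dictionary corresponds to the "201 Created" result seen in Postman in Step 5.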

LogRhythm API Documentation

The LogRhythm API documentation is a resource which will help you to identify the available API functions and their requirements.

The API documentation is available here:

https://<IP of your Platform Manager>:8505/lr-admin-api/docs

Further documentation can be found on the LogRhythm Docs site.

Congratulations, you have now added an identity to LogRhythm SIEM using the API! There are many other use cases for the API. Try experimenting further to explore more automation possibilities within your environment.


*** This is a Security Bloggers Network syndicated blog from LogRhythm authored by Kelsey Gast. Read the original post at: https://logrhythm.com/6-steps-to-using-the-logrhythm-api/