The LogRhythm AIE Cache Drilldown API is a REST API that communicates over HTTPS and exchanges JSON. Its routes and methods provide drill-down details about AI Engine (AIE) alarms. The LogRhythm AIE Drill Down API includes the following endpoints:

  • Get Drill-Down Logs and Summary. This endpoint returns the drill-down logs per rule block for the alarm Id of a specific AIE alarm that fired. The metadata for each rule block includes the rule block Id, the number of logs the AI Engine identified as triggering the rule block, the number of logs for that rule block stored in the Data Indexer (DX), the Summary Field type, and a summary computed over that Summary Field type. This endpoint is used for alarm notifications.

  • Get Drill-Down Summary. This endpoint returns drill-down summary information per rule block for the alarm Id of a specific AIE alarm that fired. The Summary Field type and the aggregate counts for that Summary Field type are returned.

The AIE Drilldown Cache supports a maximum daily alarm rate of 10,000 alarms. If your deployment processes more than 10,000 alarms per day, AIE Drilldown Cache performance, and overall deployment performance, can degrade. For XMs and single-node Linux clusters, the maximum alarm rate is 5,000 alarms per day. You can check your alarm rate in the Client Console's Deployment Monitor.
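As an added example (not code from LogRhythm or this page), the script below post-processes a drill-down response and checks the documented alarm-rate ceiling. The JSON field names (`alarmId`, `ruleBlocks`, `ruleBlockId`, `aieCount`, `dxCount`, `summaryFieldType`, `summary`) are an assumed shape for illustration, not the product's documented schema, and the sample alarm timestamps are constructed; the caller is expected to fetch the real JSON from the deployment's endpoint with its own credentials. The checks it performs are the two a practitioner wants from the text: rule blocks whose DX count is below the AIE count (drill-down data is incomplete, so the summary under-represents the alarm) and whether the peak daily alarm count stays under 10,000 (or 5,000 for XMs and single-node Linux clusters).

```python
"""Added example for the LogRhythm AIE drill-down text. The JSON shape and
the sample data below are ASSUMED/CONSTRUCTED for illustration only."""
import json
from collections import Counter
from datetime import datetime, timezone

# Ceilings stated in the text: 10,000 alarms/day in general, 5,000 for
# XMs and single-node Linux clusters.
MAX_ALARMS_PER_DAY = {"standard": 10_000, "xm_or_single_node": 5_000}

# Constructed sample response in an ASSUMED shape: one entry per rule block.
SAMPLE_DRILLDOWN = json.dumps({
    "alarmId": 123456,
    "ruleBlocks": [
        {"ruleBlockId": 1, "aieCount": 20, "dxCount": 20,
         "summaryFieldType": "Origin Host",
         "summary": {"host-a": 12, "host-b": 8}},
        {"ruleBlockId": 2, "aieCount": 35, "dxCount": 11,
         "summaryFieldType": "Login",
         "summary": {"svc_backup": 11}},
    ],
})

# Constructed alarm timestamps (ISO 8601): 6,000 on one day, 100 the next.
SAMPLE_ALARM_TIMES = (["2024-03-01T08:00:00+00:00"] * 6_000
                      + ["2024-03-02T08:00:00+00:00"] * 100)


def parse_drilldown(raw):
    """Parse the assumed response shape; returns (alarm_id, rule_blocks)."""
    doc = json.loads(raw)
    blocks = []
    for rb in doc["ruleBlocks"]:
        blocks.append({
            "ruleBlockId": int(rb["ruleBlockId"]),
            "aieCount": int(rb["aieCount"]),        # logs AIE saw trigger the block
            "dxCount": int(rb["dxCount"]),          # logs actually stored in the DX
            "summaryFieldType": rb["summaryFieldType"],
            "summary": {k: int(v) for k, v in rb["summary"].items()},
        })
    return int(doc["alarmId"]), blocks


def incomplete_rule_blocks(blocks):
    """Rule block Ids whose DX count is below the AIE count: not every log that
    fired the block is indexed, so the drill-down summary is incomplete."""
    return [b["ruleBlockId"] for b in blocks if b["dxCount"] < b["aieCount"]]


def top_summary_values(block, n=3):
    """Most frequent values of the block's Summary Field (e.g. top hosts)."""
    return Counter(block["summary"]).most_common(n)


def peak_daily_alarm_rate(alarm_times):
    """Highest number of alarms seen in any single UTC day."""
    per_day = Counter(
        datetime.fromisoformat(t).astimezone(timezone.utc).date()
        for t in alarm_times
    )
    return max(per_day.values()) if per_day else 0


def rate_within_limit(peak, deployment="standard"):
    """True if the peak daily rate is at or under the documented ceiling."""
    return peak <= MAX_ALARMS_PER_DAY[deployment]


def report(raw, alarm_times, deployment="standard"):
    """Combine both checks into one dict for an alarm-notification pipeline."""
    alarm_id, blocks = parse_drilldown(raw)
    peak = peak_daily_alarm_rate(alarm_times)
    return {
        "alarmId": alarm_id,
        "incompleteRuleBlocks": incomplete_rule_blocks(blocks),
        "topValues": {b["ruleBlockId"]: top_summary_values(b, 1) for b in blocks},
        "peakDailyAlarms": peak,
        "withinLimit": rate_within_limit(peak, deployment),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_DRILLDOWN, SAMPLE_ALARM_TIMES,
                            "xm_or_single_node"), indent=2))
```

In the constructed sample, rule block 2 has 35 AIE-triggering logs but only 11 in the DX, so it is flagged as incomplete, and a 6,000-alarm day passes the 10,000 ceiling but exceeds the 5,000 XM/single-node ceiling; in a real deployment, compare the peak reported here with the rate shown in the Client Console's Deployment Monitor.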