CCF Deployment Guide – Use the CCF SmartResponse Plugin
Introduction
This section describes the CCF V2 SmartResponse Plugin, the plugin’s available actions, and how to configure the plugin. The plugin creates Cases for compliance-related data in LR-Console and adds framework and control details to them.
Prerequisites
- This SmartResponse Plugin is compatible with LogRhythm Enterprise 7.3.5 and later.
- To use this plugin, you must be running PowerShell v3.0 or later. To determine your PowerShell version, open PowerShell and enter $PSVersionTable.PSVersion at the prompt. If necessary, install a newer version from the Microsoft Download Center.
- The PowerShell execution policy on the host running the SmartResponse Plugin must allow the execution of scripts. Set the execution policy to either RemoteSigned or Unrestricted; RemoteSigned is the less permissive of the two and is preferred, because it still requires downloaded scripts to be signed.
Import the Plugin
To import a SmartResponse Plugin:
- Log in to the Client Console as a Global Administrator.
- On the main toolbar, click Deployment Manager.
- On the Tools menu, click Administration, and then click SmartResponse Plugin Manager.
The SmartResponse Plugin Manager window appears.
- On the Actions menu, click Import.
- Locate and select the SmartResponse Plugin (.lpi file) that you want to import, and then click Open.
If you are prompted to accept the terms of the Sample Code License Agreement, read and accept the terms, and then click OK.
The plugin loads in the SmartResponse Plugin Manager, and the associated actions are now available in the Actions tab of LogRhythm AI Engine Rules and Web Console Inspector.
For more information about SmartResponse actions or manual execution from the Client Console, see the application Help in the LogRhythm Client Console or Web Console.
Create the Configuration File
The CCF V2 SmartResponse Plugin includes a configuration file with fixed-value parameters that store information, such as your Case API key, that does not change frequently and is required for all other plugin actions. This allows you to perform multiple plugin actions without having to enter the same credentials for each one.
You must execute the Create CCF V2 Configuration File action before using the plugin’s other actions and rerun it whenever the fixed-value parameters change.
Run the Plugin from the Web Console
- Log in to the LogRhythm Web Console, and then click Dashboards.
- In the lower-right corner of the screen, click the Logs tab.
- Click a log entry, and then click the gear symbol that appears in any column.
The Inspector panel appears at the right side of the screen.
- Scroll to the Smart Response section of the Inspector panel.
- From the Plugin menu, select CCF V2.
- From the Action menu, select Create CCF V2 Configuration File.
For more information on other plugin actions, see Deploy SmartResponse Plugin Actions. Configure the following parameters:
Name | Type | Details | Required |
Case API Server | String | IP address of the system set up for Case Management (the host that serves the Case API). | Yes |
Case API Port | Integer | Port used to access the Case API. The default value is 8501. | Yes |
List of Collaborators (Display Name) | String | Display names of users who can be added to the Case as collaborators, separated by semicolons. | Yes |
Case API Key | String | Case API key used for API authentication. For more information, see Generate the LogRhythm Case API Key. | Yes |
- From the Execute menu, select whether to run this plugin from the Platform Manager or from a designated Agent. The configuration file, including the Case API key, is written on the host you select here, so restrict access to that host and run the plugin’s other actions from the same host.
- Click Run.
The SmartResponse Plugin results open in a new tab.
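Before running the Create CCF V2 Configuration File action, it is worth confirming on the executing host (Platform Manager or Agent) that the prerequisites above are met and that the four fixed-value parameters actually work, because a bad value is otherwise only discovered when a later action fails. The following preflight script is an added example and is not part of the CCF V2 plugin or LogRhythm’s own code. It assumes (not stated on this page) that the Case API is reached over HTTPS at https://<Case API Server>:<Case API Port>/lr-case-api/ with the key sent as a Bearer token, and that the /cases and /persons paths and their query parameters behave as in the LogRhythm Case API reference; verify both against the reference for your version.

```powershell
# Added example (not the plugin's code): preflight for the CCF V2 SmartResponse Plugin.
# Checks the page's prerequisites (PowerShell 3.0+, execution policy) and the four
# fixed-value parameters of the Create CCF V2 Configuration File action.
# ASSUMPTIONS: HTTPS Case API at https://<server>:<port>/lr-case-api with Bearer auth;
# the /cases?count=1 and /persons?name= calls are taken from the LogRhythm Case API
# as the author understands it - verify against your version's API reference.
param(
    [Parameter(Mandatory)] [string] $CaseApiServer,
    [int]    $CaseApiPort = 8501,
    [Parameter(Mandatory)] [string] $CaseApiKey,
    [string] $Collaborators = '',           # semicolon-separated display names
    [switch] $SkipCertificateCheck          # only for the default self-signed certificate
)

$ErrorActionPreference = 'Stop'
$failures = @()

# 1. PowerShell version: the plugin requires 3.0 or later.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    $failures += "PowerShell $($PSVersionTable.PSVersion) found; 3.0 or later is required."
}

# 2. Execution policy must allow scripts. RemoteSigned is the less permissive of the
#    two values the guide allows; Unrestricted also works but is not recommended.
$policy = Get-ExecutionPolicy
if ($policy -notin @('RemoteSigned', 'Unrestricted')) {
    $failures += "Execution policy is '$policy'; run: Set-ExecutionPolicy RemoteSigned -Scope LocalMachine"
}

# 3. TCP reachability of the Case API port (default 8501) from this host.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($CaseApiServer, $CaseApiPort) }
catch { $failures += "Cannot reach ${CaseApiServer}:${CaseApiPort}: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 4. API key validity: one authenticated GET. A 401 means the key is wrong or has been
#    regenerated (generating a new key invalidates the previous one).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$base = "https://${CaseApiServer}:${CaseApiPort}/lr-case-api"
$rest = @{ Headers = @{ Authorization = "Bearer $CaseApiKey" }; ContentType = 'application/json' }
if ($SkipCertificateCheck) {
    if ($PSVersionTable.PSVersion.Major -ge 6) { $rest.SkipCertificateCheck = $true }
    else { [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } }
}
try   { $null = Invoke-RestMethod -Uri "$base/cases?count=1" @rest }
catch { $failures += "Case API rejected the request: $($_.Exception.Message)" }

# 5. Each collaborator display name must resolve to a LogRhythm person, or the plugin
#    cannot add it to the Case. (Resolution through /persons is an assumption.)
foreach ($name in ($Collaborators -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    try {
        $match = Invoke-RestMethod -Uri "$base/persons?name=$([uri]::EscapeDataString($name))" @rest |
                 Where-Object { $_.name -eq $name }
        if (-not $match) { $failures += "Collaborator '$name' was not found." }
    } catch {
        $failures += "Lookup of collaborator '$name' failed: $($_.Exception.Message)"
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Preflight passed; run the Create CCF V2 Configuration File action on this host."
```

Run it on the host you will select from the Execute menu, supplying the key interactively (for example from a prompt) rather than on the command line, so it does not land in the PowerShell history. Use -SkipCertificateCheck only while the Platform Manager still presents its default self-signed certificate; once a trusted certificate is installed, drop the switch so a wrong host cannot impersonate the Case API.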
Deploy SmartResponse Plugin Actions
Each SmartResponse Plugin has one or more actions. This plugin contains the following actions:
- Add to Existing Case
- Create Case
- Create CCF V2 Configuration File
Add to Existing Case
Description
This action adds a compliance framework and control details to an existing Case.
Use Case
In response to an alarm that may affect an organization’s compliance, an analyst runs this action to add a required compliance framework to a LogRhythm Case that includes the alarm details.
Parameters
This action expects the following parameters to be configured in the Actions tab of an Alarm.
Name | Type | Details | Required |
Alarm ID | Integer | The ID of the Alarm whose details are sent to the Case. | No |
Alarm Rule Name | String | Name of the Alarm whose details are sent to the Case. | No |
Origin-Host Name | String | Origin-Host being added to the Case. | No |
Impacted Host Name | String | Impacted Host being added to the Case. | No |
Override List of Collaborators (Display Name) | String | Display names of users who can be added to the Case as collaborators, separated by semicolons. | No |
Notes
- The existing Case is located by searching for a Case name in the following format:
<AIE Rule name><Keyfield from AIE JSON file><Keyfield value>
- All impacted compliance frameworks and control families are added as tags in the Case, and the corresponding framework controls are added to the Case as note evidence.
- The details of the triggered alarm (if an Alarm ID is entered) are added to the Case as evidence.
Create Case
Description
This action creates a Case and populates it with specified data.
Use Case
To meet compliance requirements, an analyst creates a Case populated with evidence tailored to the required compliance framework.
Parameters
This action expects the following parameters to be configured in the Actions tab of an Alarm.
Name | Type | Details | Required |
Alarm ID | Integer | The ID of the Alarm whose details are sent to the Case. | No |
Alarm Rule Name | String | Name of the Alarm whose details are sent to the Case. | No |
Origin-Host Name | String | Origin-Host being added to the Case. | No |
Impacted Host Name | String | Impacted Host being added to the Case. | No |
Add Playbook Switch | String | Yes/No value indicating whether to add a Playbook in Case. The default value is No. If this value is set to Yes, the Playbook mapped to an AIE Rule is added to the Case. | No |
Override List of Collaborators (Display Name) | String | Display names of users who can be added to the Case as collaborators, separated by semicolons. | No |
Notes
- The name of the newly created Case uses the following format:
<AIE Rule name><Keyfield from AIE JSON file><Keyfield value>
- The created Case includes all impacted compliance frameworks and control families as tags, and the corresponding framework controls are added to the Case as note evidence.
- The details of the triggered alarm (if an Alarm ID is entered) are added to the Case as evidence.
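Both Create Case and Add to Existing Case identify the Case by the name format <AIE Rule name><Keyfield from AIE JSON file><Keyfield value> and are expected to leave framework and control-family tags plus note evidence on it. The script below is an added verification step, not the plugin’s own code or anything LogRhythm ships: after an action has run, it looks the Case up by that name and reports whether the expected tags, note evidence and collaborators are present. It assumes (not stated on this page) the same HTTPS Case API at /lr-case-api with Bearer authentication, a free-text search through /cases?text=, a per-Case /cases/{id}/evidence listing, and Case objects with name, number, id, tags[].text and collaborators[].name fields; treat those as assumptions to verify against your Case API reference.

```powershell
# Added example (not the plugin's code): confirm the result of Create Case /
# Add to Existing Case through the Case API.
# ASSUMPTIONS: HTTPS Case API at https://<server>:<port>/lr-case-api with Bearer auth;
# GET /cases?text= (free-text search), GET /cases/{id}/evidence, and the Case fields
# name, number, id, tags[].text, collaborators[].name are taken from the LogRhythm
# Case API as the author understands it - verify against your version's reference.
param(
    [Parameter(Mandatory)] [string]   $CaseApiServer,
    [int]                             $CaseApiPort = 8501,
    [Parameter(Mandatory)] [string]   $CaseApiKey,
    [Parameter(Mandatory)] [string]   $CaseName,          # <AIE Rule name><Keyfield><Keyfield value>
    [string[]]                        $ExpectedTags = @() # framework / control-family tag names
)

$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$base = "https://${CaseApiServer}:${CaseApiPort}/lr-case-api"
$rest = @{ Headers = @{ Authorization = "Bearer $CaseApiKey" }; ContentType = 'application/json' }

# The search is a free-text match, so filter down to the exact name the action uses;
# more than one hit means the action may have appended to the wrong Case.
$cases = @(Invoke-RestMethod -Uri "$base/cases?text=$([uri]::EscapeDataString($CaseName))" @rest |
           Where-Object { $_.name -eq $CaseName })
if ($cases.Count -ne 1) {
    Write-Warning "Expected exactly one Case named '$CaseName', found $($cases.Count)."
    exit 1
}
$case = $cases[0]

# Tags: impacted frameworks and control families should all be present.
$tags    = @($case.tags | ForEach-Object { $_.text })
$missing = @($ExpectedTags | Where-Object { $_ -notin $tags })
if ($missing.Count -gt 0) {
    Write-Warning "Case $($case.number) is missing tags: $($missing -join ', ')"
}

# Note evidence: the framework controls are written as notes; alarm details (when an
# Alarm ID was supplied) appear as separate evidence entries.
$evidence = @(Invoke-RestMethod -Uri "$base/cases/$($case.id)/evidence" @rest)
$notes    = @($evidence | Where-Object { $_.type -eq 'note' })
if ($notes.Count -eq 0) {
    Write-Warning "Case $($case.number) has no note evidence; framework controls were not added."
}

# Summary object for the operator (or for a scheduled check that compares runs).
[pscustomobject]@{
    CaseNumber    = $case.number
    Tags          = $tags
    MissingTags   = $missing
    NoteEvidence  = $notes.Count
    OtherEvidence = $evidence.Count - $notes.Count
    Collaborators = @($case.collaborators | ForEach-Object { $_.name })
}
```

Run it with the same Case API key the configuration file uses, so the check sees exactly what the plugin can see; a Case that is visible to an administrator but not to the key’s service account would otherwise pass here and still fail inside the action.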
Create CCF V2 Configuration File
You must execute this action before using the plugin’s other available actions and rerun it whenever the fixed-value parameters change, including after the Case API key is regenerated. For more information, see Create the Configuration File.
Generate the LogRhythm Case API Key
- Log in to the LogRhythm Client Console.
- Click Deployment Manager, and then click the People tab.
- Right-click the user for whom you want to generate the API token, and then click Service Account Properties.
The Service Account Properties dialog box appears.
- Copy the API Key and paste it into the Case API Key field of the Create CCF V2 Configuration File action.
The API key remains valid until a new one is generated for that user; generating a new key invalidates the previous one, so rerun the Create CCF V2 Configuration File action afterward. Treat the key as a credential: anyone holding it can read and modify Cases as that user.