
LogRhythm Echo API

Echo hosts a REST API that can be used to list, inspect, and run use cases without the Echo web interface. The endpoints can be called from the command line (for example, with curl) or from a scripting language such as PowerShell. The examples below use Echo's listener on port 33333; replace localhost with the Echo host name when calling it from another machine.

List all use cases

API: https://localhost:33333/api/usecases

Results:

{
    "num_results": 2,
    "objects": [
        {
            "dateupdated": "2018-06-15T21:43:50.501Z",
            "description": "This use case demonstrates LogRhythm's Privileged User Monitoring and UEBA capabilities to detect a rogue user (Carl Wilson) attempting to hide their activity via a temporary account (Steven Jacobs) and proceeding to exfiltrate financial data.\n\nVertical: Finance\nTechnology: FIM, UEBA\n\nRequired AIE Rules: Finance Account Anomaly: Privilege Escalation (UC1a_AIERule.airx)\nFinance Account Anomaly: Suspicious File Access (UC1b_AIERule.airx)\nFinance Account Anomaly: Temporary Account Usage (UC1c_AIERule.airx)\nFinance Account Compromise: Corroborated Anomalies (UC1d_AIERule.airx)\n\nRequired General Value List: Sensitive Files List (UC1_8_SensitiveFilesList.txt)",
            "enabled": null,
            "id": 1,
            "logs": 15,
            "pcaps": 0,
            "timedelay": 10,
            "title": "UEBA - Finance Data"
        },
        {
            "dateupdated": "2017-11-14T17:35:11.555Z",
            "description": "Rogue user Beth Nickels finds a sensitive file (Executive Salaries.doc) and proceeds to attach the document to an email in Outlook and sends it to a Gmail account. \n\nVertical: Finance, General\nTechnology: FIM, NetMon\n\nRequired AIE Rule: Suspicious: Sensitive Data Exfiltration (UC8_AIERule.airx) \n\nRequired General Value List: Sensitive Files List (UC1_8_SensitiveFilesList.txt)",
            "enabled": null,
            "id": 8,
            "logs": 1,
            "pcaps": 1,
            "timedelay": 0,
            "title": "FIM - Sensitive Data Exfiltration"
        }
    ],
    "page": 1,
    "total_pages": 1
}

View a specific use case

API: https://localhost:33333/api/usecase/<use case id>

Results:

{
    "dateupdated": "2017-11-14T17:35:11.555Z",
    "description": "Rogue user Beth Nickels finds a sensitive file (Executive Salaries.doc) and proceeds to attach the document to an email in Outlook and sends it to a Gmail account. \n\nVertical: Finance, General\nTechnology: FIM, NetMon\n\nRequired AIE Rule: Suspicious: Sensitive Data Exfiltration (UC8_AIERule.airx) \n\nRequired General Value List: Sensitive Files List (UC1_8_SensitiveFilesList.txt)",
    "enabled": null,
    "id": 8,
    "logs": [
        {
            "description": "Realtime FIM alert of Beth Nickels using Outlook to read Executive Salaries.doc",
            "id": 12,
            "log": "REALTIME FILEMON EVENT=READ OBJECT=C:\\Sensitive\\Executive Salaries.doc USER=SANDBOX\\beth.nickels PROCESS=outlook.exe OFFSET=0 LENGTH=65536 SIZE=11971 DETAILS=lastaccess=9/6/2016 11:08:26 PM lastwrite=4/17/2015 10:20:40 AM create=9/10/2013 12:22:04 PM usersid=S-1-5-21-4140510078-396723217-1023477983-6166 pid=5852",
            "message": "Realtime FIM alert of Beth Nickels using Outlook to read Executive Salaries.doc",
            "msg_src_id": 3,
            "msg_src_name": "LogRhythm File Monitor (Windows)",
            "owner_id": 8,
            "timestamp": null
        }
    ],
    "pcaps": [
        {
            "byte_size": 48136,
            "description": "Replaying network traffic connecting to Gmail via SMTP",
            "filename": "6f8ab13a-9d2e-47a2-a7fd-6e307867a609.pcap",
            "id": 16,
            "message": "Replaying network traffic connecting to Gmail via SMTP",
            "owner_id": 8
        }
    ],
    "timedelay": 0,
    "title": "FIM - Sensitive Data Exfiltration"
}

Run a use case

API: https://localhost:33333/api/execute/<use case id>

Results:

SUCCESS
Number of logs sent to SIEM: 1/1
Number of PCAPs sent to Network Monitor: 1/1
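The three calls above (list, view, execute) driven from one small client, as an added example; this is not LogRhythm's code, and it relies on assumptions the page does not state outright: that all three endpoints answer GET (the page's own PowerShell script uses Invoke-WebRequest's default GET for execute), that the list and view responses are JSON shaped like the samples, that execute returns the SUCCESS report as plain text, and that the listing accepts a ?page=N query parameter matching the page and total_pages fields it returns. The transport is injectable, so the module runs offline against constructed responses modelled on the samples; against a real host, swap in make_fetcher with the Echo host's exported certificate as cafile so certificate validation stays on rather than being disabled process-wide.

```python
"""Small client for the Echo REST API (added example, not LogRhythm's code)."""
import json
import re
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

BASE_URL = "https://localhost:33333"  # Echo's listener as shown in the page's URLs

# The HTTP transport is a plain callable so the logic below can be exercised
# without an Echo host present.
Fetcher = Callable[[str], str]


def make_fetcher(cafile: Optional[str] = None, timeout: float = 30.0) -> Fetcher:
    """Build a GET transport. Echo's certificate is usually not trusted by the
    client; export it once and pass its path as cafile so only that certificate
    is accepted, instead of turning validation off for the whole process."""
    ctx = ssl.create_default_context(cafile=cafile)

    def fetch(url: str) -> str:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8")

    return fetch


# Descriptions embed the AIE rule files (.airx) and general value lists (.txt)
# that must be imported into the SIEM before the use case can produce alarms.
ARTIFACT_RE = re.compile(r"\(([^()]+\.(?:airx|txt))\)")
# Lines of the execute report, e.g. "Number of logs sent to SIEM: 1/1".
COUNT_RE = re.compile(r"Number of (?P<what>logs|PCAPs) sent to [^:]+:\s*(?P<sent>\d+)/(?P<total>\d+)")


def required_artifacts(description: str) -> List[str]:
    """Return the .airx and .txt file names a use case description says it needs."""
    return ARTIFACT_RE.findall(description)


def list_use_cases(fetch: Fetcher, base_url: str = BASE_URL) -> List[Dict]:
    """GET /api/usecases and collect the 'objects' array across all pages."""
    objects: List[Dict] = []
    page = 1
    while True:
        data = json.loads(fetch(f"{base_url}/api/usecases?page={page}"))  # ?page= is assumed
        objects.extend(data["objects"])
        if page >= int(data.get("total_pages", 1)):
            return objects
        page += 1


def get_use_case(fetch: Fetcher, use_case_id: int, base_url: str = BASE_URL) -> Dict:
    """GET /api/usecase/<id>; int() keeps a caller-supplied id from altering the path."""
    return json.loads(fetch(f"{base_url}/api/usecase/{int(use_case_id)}"))


def parse_execute_result(text: str) -> Dict:
    """Turn the execute report into status, per-kind (sent, total) counts and a
    'complete' flag that is true only when every log and PCAP was delivered.
    Any first line other than SUCCESS is treated as a failure (assumption)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    status = lines[0] if lines else ""
    counts = {m.group("what").lower(): (int(m.group("sent")), int(m.group("total")))
              for m in COUNT_RE.finditer(text)}
    complete = status == "SUCCESS" and bool(counts) and all(s == t for s, t in counts.values())
    return {"status": status, "counts": counts, "complete": complete}


def run_use_case(fetch: Fetcher, use_case_id: int, base_url: str = BASE_URL) -> Dict:
    """GET /api/execute/<id> and parse the report."""
    return parse_execute_result(fetch(f"{base_url}/api/execute/{int(use_case_id)}"))


def run_matching(fetch: Fetcher, title_pattern: str, base_url: str = BASE_URL) -> Dict[int, Dict]:
    """Run every use case whose title matches the regex; returns {id: parsed report}."""
    return {uc["id"]: run_use_case(fetch, uc["id"], base_url)
            for uc in list_use_cases(fetch, base_url)
            if re.search(title_pattern, uc["title"], re.IGNORECASE)}


# Constructed responses modelled on the samples shown above, not captured from a live host.
SAMPLE_USE_CASES = [
    {"id": 1, "title": "UEBA - Finance Data", "enabled": None, "logs": 15, "pcaps": 0, "timedelay": 10,
     "description": "Required AIE Rules: Finance Account Anomaly: Privilege Escalation (UC1a_AIERule.airx)\n"
                    "Finance Account Anomaly: Suspicious File Access (UC1b_AIERule.airx)\n\n"
                    "Required General Value List: Sensitive Files List (UC1_8_SensitiveFilesList.txt)"},
    {"id": 8, "title": "FIM - Sensitive Data Exfiltration", "enabled": None, "logs": 1, "pcaps": 1, "timedelay": 0,
     "description": "Rogue user Beth Nickels finds a sensitive file (Executive Salaries.doc)\n\n"
                    "Required AIE Rule: Suspicious: Sensitive Data Exfiltration (UC8_AIERule.airx)\n\n"
                    "Required General Value List: Sensitive Files List (UC1_8_SensitiveFilesList.txt)"},
]
SAMPLE_LIST = json.dumps({"num_results": 2, "objects": SAMPLE_USE_CASES, "page": 1, "total_pages": 1})
SAMPLE_EXECUTE = "SUCCESS\n\nNumber of logs sent to SIEM: 1/1\nNumber of PCAPs sent to Network Monitor: 1/1\n"


def offline_fetcher(url: str) -> str:
    """Stand-in transport that serves the constructed responses."""
    if "/api/usecases" in url:
        return SAMPLE_LIST
    if "/api/execute/" in url:
        return SAMPLE_EXECUTE
    raise ValueError(f"no constructed response for {url}")


if __name__ == "__main__":
    fetch = offline_fetcher  # use make_fetcher(cafile="echo.pem") against a real host
    for uc in list_use_cases(fetch):
        print(uc["id"], uc["title"], "needs", required_artifacts(uc["description"]))
    for uc_id, report in run_matching(fetch, r"^FIM").items():
        print(uc_id, report["status"], report["counts"], "complete" if report["complete"] else "INCOMPLETE")
```

Checking the parsed counts rather than just the SUCCESS line matters when Echo is used to validate detections: a run reporting 0/1 PCAPs still says SUCCESS on its first line, and a script that only looks at the HTTP status would mark the replay as done while Network Monitor never saw the traffic.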

Sample PowerShell Script to Run Use Cases

The following example PowerShell script runs use cases 1, 8, and 9 on the host ECHOBASE. The TrustAllCertsPolicy class it registers makes .NET accept any server certificate for the remainder of the PowerShell session, which is acceptable against a lab Echo host whose certificate the client does not trust, but it should not be left in scripts that also talk to other HTTPS endpoints. On PowerShell 7 the same effect is available per call with Invoke-WebRequest -SkipCertificateCheck, and the cleaner alternative on either version is to import the Echo host's certificate into the client's trusted store so validation stays enabled.

Write-Output 'Running ECHO use cases...'

# Accept any server certificate for the rest of this PowerShell process.
# Lab use only: this also disables validation for every other HTTPS call the
# session makes. On PowerShell 7 remove this block and add -SkipCertificateCheck
# to Invoke-WebRequest instead, or import the Echo certificate as trusted.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(ServicePoint s,
                                      X509Certificate c,
                                      WebRequest r, int p) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$echoHost = 'ECHOBASE'
$useCases = 1, 8, 9

foreach ($id in $useCases) {
    # Invoke-WebRequest throws on a non-2xx status, so a failed call stops the script
    # rather than silently moving on to the next use case.
    $response = Invoke-WebRequest -Uri "https://$($echoHost):33333/api/execute/$id" -UseBasicParsing
    # The body is the SUCCESS line followed by the logs/PCAPs delivery counts;
    # print it per use case so partial deliveries (e.g. 0/1 PCAPs) are visible.
    Write-Output "Use case $id -> $($response.Content -replace '\s+', ' ')"
}

Write-Output 'Done running ECHO use cases.'
