Manage LogRhythm Echo Use Cases
From the Echo user interface, users can perform all management functions for an Echo use case, including creating, importing, exporting, modifying, deleting, and running use cases. To view the inventory of use cases and their associated logs and PCAPs, click Use Cases.
Create or Modify Use Cases
1. To modify a use case, click the Edit Use Case icon for the use case. Skip to step 3.
2. To create a use case, click New Use Case.
3. Enter a title and description for your use case, and then select one of the Log Message Dates fields.
The Description field can contain URLs to external information pertaining to the use case. The link opens in a new browser tab.
The message date and time for logs in the use case is specified as either:
- Use collection time (now). Use the current time for each log. This is the default setting.
- Delay. Build a delay between logs, going backward a set number of seconds, minutes, or hours from the specified time.
Note that this is not a real-world delay—Echo timestamps each log going back in time from when the use case runs based on the delay but sends all the logs to the Data Processor instantly and simultaneously. For example, if there are 10 logs in the use case and the delay is set to 30 seconds, then the logs are backdated starting at 5 minutes ago (10 logs * 30s between logs = 300s or 5 minutes) and then every 30 seconds up until when the use case started to run.
Regardless of the log message date setting, all logs in a use case are sent immediately and at the same time to the Data Processor.
The delay accounts for Echo logs with more than one raw log in them (separated by <echo> tags). For example, if you have two logs in your use case but one of them has 10 logs in it (using <echo> to delineate them), then the delay would be applied the same to all 11 logs, not just the two.
On the Create/Modify Log page, you can set a custom message date and time that overrides the date and time specified here.
Use Case Hosts
Echo can include Known Hosts with use cases. These Known Hosts can then appear in the Origin Host/Impacted Host fields of logs in the use case and get resolved to Known Hosts in LogRhythm when they are processed. This builds more authentic and compelling use cases by using real hosts within a deployment rather than unidentified (unresolved) hosts.
To view, create, modify, or delete Known Hosts associated with a use case, click the Manage Hosts icon for the use case.
1. To modify a host, click the Edit Host icon for the host. Skip to step 3.
2. To create a host, click New Host.
3. Edit the Host Name, IP Address, Operating System, and Description fields as necessary.
Use Case Logs
To view, create, modify, delete, or duplicate logs associated with a use case, click the Manage Logs icon for the use case.
1. To modify a log, click the Edit Log icon for the log. Skip to step 3.
2. To create a log, click New Log.
3. Edit the Description, Replay Message, Log Source Type, and Log fields as necessary.
   The Log field contains the raw log that will be sent to the Data Processor. The text can be a single raw log of the specified type or multiple raw logs of the specified type separated by the <echo> tag. The <echo> tag is not an HTML tag and does not need a closing </echo> tag—a single <echo> between each raw log is sufficient.
4. (Optional) To specify a custom log message date, select the Custom Log Message Date check box and enter a date and time in the text field. By default, a log’s message date and time is set when the use case is run, as specified in Create or Modify Use Cases. However, when a custom log message date is specified, it overrides the date and time specified at the use case level.
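The delay backdating described under Create or Modify Use Cases, the <echo> splitting of the Log field, and the per-log Custom Log Message Date override are worked through below as an added illustration in Python; this is not Echo's own code, and the dict-based use case model, the RUN_TIME constant and the delay-in-seconds parameter are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed model (not from the page): each use-case log is a dict with a "log"
# field holding raw text (possibly several raw logs separated by <echo>) and an
# optional "custom_date" set via the Custom Log Message Date check box.
ECHO_TAG = re.compile(r"<echo>", re.IGNORECASE)
RUN_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed run time

# Constructed sample: two use-case logs; the first expands to 10 raw logs (11 total).
SAMPLE_LOGS = [
    {"log": "<echo>".join(f"raw log {i}" for i in range(10))},
    {"log": "standalone raw log"},
]

def split_raw_logs(log_field):
    """Split a Log field on the <echo> separator (no closing tag), dropping blanks."""
    return [p.strip() for p in ECHO_TAG.split(log_field) if p.strip()]

def expand_use_case(logs):
    """Flatten the use case into (custom_date, raw_log) pairs, one per raw log."""
    return [(e.get("custom_date"), raw) for e in logs for raw in split_raw_logs(e["log"])]

def schedule_use_case(logs, delay_seconds=0, now=RUN_TIME):
    """Assign a message date to every raw log using the rules in this section:
    delay 0 = collection time (every raw log gets `now`); delay N = the first raw
    log is backdated total*N seconds and each later one N seconds less, so the
    last lands N seconds before `now`; a per-log custom date overrides either.
    The dates are only stamps: all logs are still sent at once."""
    expanded = expand_use_case(logs)
    total = len(expanded)
    scheduled = []
    for i, (custom, raw) in enumerate(expanded):
        if custom is not None:
            stamp = custom
        else:
            stamp = now - timedelta(seconds=(total - i) * delay_seconds)
        scheduled.append((stamp, raw))
    return scheduled

if __name__ == "__main__":
    for stamp, raw in schedule_use_case(SAMPLE_LOGS, delay_seconds=30):
        print(stamp.isoformat(), raw)
```

With the sample above and a 30-second delay, the first of the 11 raw logs is stamped 5.5 minutes before the run time and the last 30 seconds before it, matching the 10-log, 5-minute worked example in the section.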
LLX File Browser
Users can open and view the contents of LogRhythm Log Export (.llx) files. Users can also import selected logs directly from the .llx files into their use cases.
1. To browse the contents of LLX files, click LLX File Browser. The Log Export File Browser page appears.
2. Click Choose LLX File, and then select the file whose logs you want to view or import into a use case.
3. Select one or more logs, and then click Add to Use Case to import the selected logs into the current use case. Once the logs have been imported, they can be edited as needed.
Use Case PCAPs
To view, create, or delete PCAPs associated with a use case, click the Manage PCAPs icon for the use case.
1. To create a PCAP, click New PCAP.
2. Edit the Description and Replay Message fields as necessary, and then select a PCAP file to import.
Export Use Cases
Use cases and their associated logs, hosts, and PCAPs can be exported to a file that can be shared with other Echo users.
1. Click Use Cases. The Manage Use Cases page appears.
2. Select one or more use cases, and then click Export on the batch operations menu.
Import Use Cases
1. To import use case files from other Echo deployments, click Import Use Case. The Import Use Case page appears.
2. Select a use case file to import.
3. Edit the Title, Description, and Log Message Dates fields as necessary, and then click Save.