LogRhythm Intelligence Sync Service

The LogRhythm Intelligence Sync Service is a standalone service that establishes bi-directional enrichment between LogRhythm SIEM alarms and Exabeam New-Scale cases. This service automatically correlates New-Scale Cases to LogRhythm SIEM Alarms via the Vendor Message ID and enriches LogRhythm SIEM alarms with real-time case updates through comments and Risk-Based Priority (RBP) synchronization.

The LogRhythm Intelligence Sync Service is available in LogRhythm SIEM version 7.25.0 and later.

Configuration Manager Setup

Before the LogRhythm Intelligence Sync Service can sync LogRhythm Alarms with Exabeam Cases, you must create an API connection between the Web Console and New-Scale.

Create an API Key in New-Scale

To create an API key in the New-Scale platform:

  1. Click the Settings gear in the lower-right corner of the screen.
    The Main Menu screen opens.

  2. In the Developer section, click on API keys.

  3. Click + New Keys.
    The API Keys dialog box opens.

  4. Enter the following details:

    1. Key Name: Give a unique identifying name to the key.

    2. Permissions: Open the Permissions drop-down and select Threat Center.

  5. Click Create to generate the API key.

  6. Copy the Key ID and Key Secret to a secure location, as they will be needed for the next section.

Set Up the Web Console Configuration Manager

To add the API key to the Configuration Manager settings:

  1. Open the LogRhythm Configuration Manager.

  2. Select the All tab on the left.

  3. Locate the LR Intelligence fields and enter the following information:

    • LR Intelligence API Base URL: Enter the New-Scale API base URL to which the API connection is made. To find your API base URL, refer to the Exabeam API Gateways topic.

    • LR Intelligence Client ID: Enter the Key ID that was generated in the previous section.

    • LR Intelligence Client Secret: Enter the Key Secret that was generated in the previous section.

  4. Select the Web Services tab on the left-hand side of the Configuration Manager.

  5. Locate the LogRhythm Intelligence Sync Service fields and enter the following information:

    • Sync Interval: Enter a value, in minutes, to determine how frequently the Sync Service operates. By default, this value is 10 minutes. It can range anywhere from 5 minutes to 1440 minutes (24 hours).

    • Case Comment Fields: Click any of the provided fields to determine which Exabeam Case fields are included in the LogRhythm Alarm comments.

    • Include Nova Summary: Select True or False to determine whether the Exabeam Nova Case Summary (alertDescription field) is included as a separate LogRhythm Alarm comment.

    • Log Level: Select a level to determine the amount of information logged to the lr-intelligence-sync.log file:

      • Error - displays only error messages.

      • Warning - displays warning and error messages.

      • Info - displays information messages, warning messages, and error messages.

      • Debug - displays extremely detailed logs showing all data.

  6. Click Save.
    The API connection settings are successfully saved.

Use the LogRhythm Intelligence Sync Service

Once the LogRhythm Intelligence Sync Service is configured and your New-Scale API credentials have been updated in the Configuration Manager, the LogRhythm Web Console automatically syncs with New-Scale and updates LogRhythm Alarms with information from Exabeam Cases, using the Vendor Message ID field to match the two.


When the link is initially made, a “Case Snapshot” is added to the LogRhythm Alarm to indicate that the sync has been made. Each time an analyst updates any of the following information on a Case in New-Scale, those changes are reflected in the LogRhythm Web Console whenever the Sync Service runs (configured using the Sync Interval field in the Web Console Options):

  • Risk score

  • Status

  • Assignee

  • Notes

The complete New-Scale Case history can be viewed directly from the LogRhythm Alarm in the Web Console. Any updates to the New-Scale Case’s Risk score also update the LogRhythm Alarm’s Risk-Based Priority (RBP).

At this time, changes made to LogRhythm Alarms do not yet sync to New-Scale Cases.