The LogRhythm Intelligence Sync Service is a standalone service that establishes bi-directional enrichment between LogRhythm SIEM alarms and Exabeam New-Scale cases. This service automatically correlates New-Scale Cases to LogRhythm SIEM Alarms via the Vendor Message ID and enriches LogRhythm SIEM alarms with real-time case updates through comments and Risk-Based Priority (RBP) synchronization.
The LogRhythm Intelligence Sync Service is available in LogRhythm SIEM version 7.25.0 and later.
Configuration Manager Setup
To configure the LogRhythm Intelligence Sync Service to sync LogRhythm Alarms with Exabeam Cases, you must first create an API connection between the Web Console and New-Scale.
Create an API Key in New-Scale
To create an API key in the New-Scale platform:
- Click the Settings gear in the lower-right corner of the screen. The Main Menu screen opens.
- In the Developer section, click API keys.
- Click + New Keys. The API Keys dialog box opens.
- Enter the following details:
  - Key Name: Give the key a unique identifying name.
  - Permissions: Open the Permissions drop-down and select Threat Center.
- Click Create to generate the API key.
- Copy the Key ID and Key Secret to a secure location; they are needed in the next section.
Set Up the Web Console Configuration Manager
To add the API key to the Configuration Manager settings:
- Open the LogRhythm Configuration Manager.
- Select the All tab on the left.
- Locate the LR Intelligence fields and enter the following information:

| Field | Description |
|---|---|
| LR Intelligence API Base URL | Enter the New-Scale API base URL to which the API connection is made. To find your API base URL, refer to the Exabeam API Gateways topic. |
| LR Intelligence Client ID | Enter the Key ID that was generated in the previous section. |
| LR Intelligence Client Secret | Enter the Key Secret that was generated in the previous section. |

- Select the Web Services tab on the left-hand side of the Configuration Manager.
- Locate the LogRhythm Intelligence Sync Service fields and enter the following information:

| Field | Description |
|---|---|
| Sync Interval | Enter a value, in minutes, that determines how frequently the Sync Service runs. The default is 10 minutes; the value can range from 5 minutes to 1440 minutes (24 hours). |
| Case Comment Fields | Click any of the provided fields to choose which Exabeam Case fields are included in the LogRhythm Alarm comments. |
| Include Nova Summary | Select True or False to determine whether the Exabeam Nova Case Summary (alertDescription field) is included as a separate LogRhythm Alarm comment. |
| Log Level | Select a level to determine the amount of information logged to the lr-intelligence-sync.log file. |

- Click Save.

The API connection settings are successfully saved.
Use the LogRhythm Intelligence Sync Service
Once the LogRhythm Intelligence Sync Service is configured and your New-Scale API credentials have been entered in the Configuration Manager, the LogRhythm Web Console automatically syncs with New-Scale and updates LogRhythm Alarms with information from Exabeam Cases, using the Vendor Message ID field to match an alarm to its case.
When the link is initially made, a “Case Snapshot” is added to the LogRhythm Alarm to indicate that the sync has been made. Each time an analyst updates any of the following information on a Case in New-Scale, those changes are reflected in the LogRhythm Web Console whenever the Sync Service runs (configured using the Sync Interval field in the Web Console Options):
- Risk score
- Status
- Assignee
- Notes
The complete New-Scale Case history can be viewed directly from the LogRhythm Alarm in the Web Console. Any updates to the New-Scale Case’s Risk score also update the LogRhythm Alarm’s Risk-Based Priority (RBP).
At this time, changes made to LogRhythm Alarms do not yet sync to New-Scale Cases.
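The following is an added illustrative model of the one-way sync behaviour described in this section (Vendor Message ID correlation, the initial Case Snapshot, change comments, the optional Nova Summary comment, and RBP following the case risk score), plus a check on the documented Sync Interval range. It is not LogRhythm or Exabeam code; the case key names other than vendorMessageId and alertDescription, and the direct risk-score-to-RBP mapping, are assumptions, and the sample alarms and case are constructed.

```python
# Illustrative model of the sync behaviour described above; not LogRhythm or Exabeam code.
# Case field names other than vendorMessageId/alertDescription are assumed for this demo.
from dataclasses import dataclass, field

SYNC_INTERVAL_MIN, SYNC_INTERVAL_MAX = 5, 1440   # allowed Sync Interval range, minutes

def is_valid_sync_interval(minutes: int) -> bool:
    """Configuration check mirroring the documented 5..1440 minute bound."""
    return SYNC_INTERVAL_MIN <= minutes <= SYNC_INTERVAL_MAX

@dataclass
class Alarm:
    vendor_message_id: str
    rbp: int                                      # Risk-Based Priority
    comments: list = field(default_factory=list)
    last_seen: dict = field(default_factory=dict) # case fields at the previous sync run

# Case fields whose changes are mirrored into alarm comments (assumed key names)
TRACKED_FIELDS = ("riskScore", "status", "assignee", "notes")

def sync_once(alarms, cases, comment_fields=TRACKED_FIELDS, include_nova_summary=True):
    """One Sync Service run: correlate on Vendor Message ID, comment, update RBP.
    Returns the Vendor Message IDs of alarms that matched a case."""
    by_id = {a.vendor_message_id: a for a in alarms}
    matched = []
    for case in cases:
        alarm = by_id.get(case["vendorMessageId"])
        if alarm is None:
            continue                              # no alarm with this ID; nothing to enrich
        if not alarm.last_seen:                   # first link: add the Case Snapshot
            snapshot = ", ".join(f"{k}={case.get(k)}" for k in comment_fields)
            alarm.comments.append(f"Case Snapshot: {snapshot}")
            if include_nova_summary and case.get("alertDescription"):
                alarm.comments.append(f"Nova Summary: {case['alertDescription']}")
        else:                                     # later runs: comment only on changes
            changes = {k: case.get(k) for k in comment_fields
                       if case.get(k) != alarm.last_seen.get(k)}
            if changes:
                alarm.comments.append("Case Update: " +
                                      ", ".join(f"{k}={v}" for k, v in changes.items()))
        alarm.rbp = int(case["riskScore"])        # case risk score drives RBP (direct mapping assumed)
        alarm.last_seen = {k: case.get(k) for k in comment_fields}
        matched.append(alarm.vendor_message_id)
    return matched

# Constructed sample data
SAMPLE_ALARMS = [Alarm("VMID-1001", rbp=40), Alarm("VMID-2002", rbp=60)]
SAMPLE_CASE = {"vendorMessageId": "VMID-1001", "riskScore": 85, "status": "Open",
               "assignee": "analyst1", "notes": "", "alertDescription": "Unusual login burst"}

if __name__ == "__main__":
    print(sync_once(SAMPLE_ALARMS, [SAMPLE_CASE]), SAMPLE_ALARMS[0])
```

Running the model twice with an unchanged case adds no second comment, which is the behaviour to expect from a correctly working sync: only the first link and subsequent analyst changes produce alarm comments.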