LogRhythm REST API User Guide 7.14.0 RevA


REST API

September 29, 2023


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by copyright
and possible non-disclosure agreements. The Software described in this Guide is furnished under the End User License
Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of the Software. This Software
may be used or copied only in accordance with the Agreement. No part of this Guide may be reproduced or transmitted
in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other
than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of
any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of
merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect,
incidental, consequential, or other damages alleged in connection with the furnishing or use of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may be
trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm
385 Interlocken Crescent, Suite 1050
Broomfield, CO 80021
(303) 413-8745
www.logrhythm.com

Phone
Support (7am - 6pm, Monday-Friday)
Toll Free in North America
(MT) +1-866-255-0862
Direct Dial in the Americas
(MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents
Security (p. 4)
Postman and the LogRhythm API (p. 4)
Register Third-Party Applications to Use the API (p. 5)
Disable Third-Party Applications for the API (p. 6)
Administration API (p. 7)
  Administration API Endpoints (p. 8)
AI Engine Cache Drilldown API (p. 9)
  AI Engine Cache Drilldown API Endpoints (p. 10)
Alarm API (p. 11)
  Alarm API Endpoints (p. 12)
Case API (p. 13)
  Set Up the Case API (p. 14)
  Case API Endpoints (p. 15)
Metrics API (p. 16)
  Metrics API Endpoints (p. 17)
Search API (p. 18)
  Search API Endpoints (p. 19)

LogRhythm, Inc. | Contents 3


REST API

This section provides information on LogRhythm's suite of REST APIs.

LogRhythm's REST APIs communicate over HTTPS and use JSON. The available routes and methods are used for a
variety of administration, investigative, and search functions. To configure third-party applications to communicate
with the REST API, see Register Third-Party Applications to Use the API. To remove access, see Disable Third-Party
Applications for the API.
LogRhythm currently offers the following REST APIs:
• Administration API
• AI Engine Cache Drilldown API
• Alarm API
• Case API
• Metrics API
• Search API

Security
The Admin API uses a number of standard protocols to ensure the security and integrity of solutions built using the API.
• All communication is encrypted using HTTPS. Supported versions of TLS are 1.1 and 1.2.
• By default, self-signed certificates and keys are generated at the time of installation. You can provide your own
certificates and keys by modifying the service configuration files (.env files). For more information, see
the LogRhythm Software Installation Guide, available at https://docs.logrhythm.com/deploy/7.14.0/.
• Services are stateless and require a valid API token to be sent with every request. There is no login process and
no session is maintained.
• API tokens are JSON web tokens that are generated through the Client Console and are associated with an API
account.
• To revoke API access for a particular token, you can disable the API account associated with it or delete the
token that was generated for it. This immediately causes any API requests using that token to be rejected.
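The security properties listed above (HTTPS with verified certificates, a stateless JSON web token on every request, tokens that expire after the configured number of days) translate directly into how a client should be written. The following Python client is an added example, not code from LogRhythm or this guide. It assumes the token is presented as an HTTP Bearer credential (the guide does not name the header), it constructs an unsigned sample JWT purely to exercise the claim decoding, and it pins TLS to 1.2 even though the guide also lists 1.1 as supported. The client never verifies the token signature (only the server can); it reads the exp claim so that an expired token is caught before a request is sent, and it verifies the server certificate against a CA bundle instead of disabling verification for the default self-signed certificate.

```python
import base64
import json
import ssl
import time
import urllib.request
from typing import Any, Dict, Optional


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token (header.payload.signature) for demonstration only.
# It is not a LogRhythm token and its signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "api-account-example",
                        "iat": 1700000000,
                        "exp": 1700000000 + 30 * 86400}).encode()),
    "placeholder-signature",
])


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a JWT without verifying its signature.
    The client only inspects expiry; signature validation is the server's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds remaining on the token's exp claim (negative once expired)."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    return claims["exp"] - now


def auth_headers(token: str) -> Dict[str, str]:
    # Assumption: the API accepts the token as an HTTP Bearer credential.
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def ssl_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that verifies the server certificate. Point ca_bundle at the CA
    that signed the service certificate (or the exported self-signed certificate)
    rather than turning verification off."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def api_get(base_url: str, route: str, token: str,
            ca_bundle: Optional[str] = None) -> Any:
    """Send one authenticated GET. Every request carries the token; no session exists."""
    if seconds_until_expiry(token) <= 0:
        raise RuntimeError("token expired; regenerate it in the Client Console")
    req = urllib.request.Request(base_url.rstrip("/") + route,
                                 headers=auth_headers(token))
    with urllib.request.urlopen(req, context=ssl_context(ca_bundle), timeout=30) as resp:
        return json.load(resp)
```

Because the token is the only credential and is shown once at generation time, keep it out of source control and pass it to the client from a secret store or environment variable; the exp check above tells you when the token the Client Console issued is about to lapse so it can be rotated before integrations start receiving rejections.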

Postman and the LogRhythm API


Postman is an API Development environment that makes it easy to develop against RESTful APIs in any common
programming language. You can use it to save parameters and set environmental variables. You can also use it to build
and save collections of requests. The LogRhythm Community offers a help guide to get you started with Postman and
the suite of LogRhythm’s RESTful APIs.


Register Third-Party Applications to Use the API


Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
1. Log in to the Client Console as a Global Administrator.
2. On the main toolbar, click Deployment Manager.
3. Click the Third Party Applications tab.
4. Right-click the blank area of the grid, and then click New.
The Third Party Application Properties dialog box appears.
5. Type an Application Name and Description. The Application Name must be unique.
6. Click OK.
The application is saved.
7. Right-click the newly created application, and then click Properties.
8. (Optional) Change the number of days you want the token to be valid.
9. Click Generate Token.
The Credentials dialog box appears.
10. Enter the password for the user, and then click OK. A Client ID, Client Secret, and token are generated for the
application.
11. Copy the token and use as needed.

You will not be able to get back to this screen to copy the token. It appears only one time and, for
security purposes, is not stored. If you do not copy and save the token, you will have to regenerate it
later.


Disable Third-Party Applications for the API


You must be logged in as a Global Administrator to take this action.
1. Log in to the Client Console as a Global Administrator.
2. On the main toolbar, click Deployment Manager.
3. Click the Third Party Applications tab.
4. Right-click the application you want to disable, and then click Properties.
The Third Party Application Properties dialog box appears.
5. Clear the Enabled check box, and then click OK.
The application is disabled, and all tokens related to that app are revoked and invalidated immediately.

You may need to click the refresh button for the Enabled column to update.

6. (Optional) To re-enable the application, double-click it, select the Enabled check box, and click OK.


Administration API
The LogRhythm Client Console's Admin API is a REST API that communicates over HTTPS and uses JSON. The API’s
available routes and methods are used primarily for performing administrative functions in the Client Console, such as
modifying lists, creating entities, adding people to notification groups, and searching identities. All API actions are
performed on behalf of an API Account that is identified by the API key passed in with each request.
To see the current list of methods and endpoints, including request and response samples, go to Administration API
Endpoints.

The Admin API does not adhere to the customized, elevated privileges for Restricted Administrators that are
granted on the Management Permissions tab of the User Profile Manager. Only standard Restricted
Administrator permissions are granted through the API. For more information, see the User Profile Manager
topic in the SIEM Help.

The Log Level for the Admin API is configured in the Configuration Manager.


Administration API Endpoints


(Open API documentation is only available to view online)


AI Engine Cache Drilldown API


The LogRhythm AIE Cache Drilldown API is a REST API that communicates over HTTPS and uses JSON. The API’s available
routes and methods are used to provide details about alarms. The LogRhythm AIE Drill Down API includes the following
endpoints:
• Get Drill-Down Logs and Summary. This endpoint returns drill-down logs per rule block for a specific alarm ID
associated with an AIE alarm that fired. The metadata for each rule block includes the rule block ID, the number of
logs triggered for the rule block as identified by the AI Engine, the number of logs for the rule block stored in the
Data Indexer (DX), the Summary Field type, and a summary based on the Summary Field type. This endpoint is used
for alarm notifications.
• Get Drill-Down Summary. This endpoint returns drill-down summary information per rule block for a specific
alarm ID associated with an AIE alarm that fired. The Summary Field type and the aggregate counts for the
Summary Field type are displayed.
AIE Drilldown Cache supports a maximum daily alarm rate of 10,000 alarms. If your deployment processes more than
10,000 alarms per day, AIE Drilldown Cache performance, as well as overall deployment performance, could be
degraded. For XMs and single node Linux clusters, the maximum alarm rate should be 5,000. You can check your alarm
rate in the Client Console's Deployment Monitor.


AI Engine Cache Drilldown API Endpoints


(Open API documentation is only available to view online)


Alarm API
The LogRhythm Client Console's Alarm API is a REST API that communicates over HTTPS and uses JSON. The API’s
available routes and methods are used primarily for retrieving Alarm Details and performing actions on alarms based on
Alarm ID.
All API actions are performed on behalf of an API Account that is identified by the API key passed in with each request.
The LogRhythm Alarm API includes the following endpoints:
• Get Alarm by Alarm ID
• Add Alarm Comment
• Update Alarm Status and RBP
• Get Alarm History
• Get Alarms
• Get Alarm Summary
• Get Alarm Events
For more information on methods and endpoints, including request and response samples, go to Alarm API Endpoints.
The Log Level for the Alarm API is configured in the Configuration Manager.
To utilize the API, users must generate a token in the Client Console. For more information, see Register Third-Party
Applications to Use the API.

While LogRhythm provides the API and usage instructions and supports the API's continued health,
LogRhythm is not responsible for the support or configuration of third-party tools and applications designed
to interact with our APIs.
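The Alarm API section above lists endpoints for reading an alarm, adding a comment, and updating its status and RBP, and the Disable Third-Party Applications section states that a disabled application's tokens are rejected immediately. The client below is an added example, not LogRhythm's code; the route prefix, the body field names (alarmComment, alarmStatus, rBP), the status value "Working" and the host name are hypothetical placeholders to be replaced with the values in the Alarm API Endpoints reference for your version. The transport is injected so the example runs offline against a recording stand-in, and a 401 is mapped to a distinct error so an integration can tell a revoked or expired token apart from other failures.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

# Transport signature: send(method, url, headers, json_body_or_None) -> (status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Tuple[int, Any]]

# Hypothetical route prefix for illustration; take the real routes from the endpoint reference.
ALARM_ROUTE = "/lr-alarm-api/alarms"


class AlarmClient:
    def __init__(self, base_url: str, token: str, send: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.send = send

    def _headers(self) -> Dict[str, str]:
        # Assumption: the token is presented as an HTTP Bearer credential on every request.
        return {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}

    def _call(self, method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Any:
        status, payload = self.send(method, self.base_url + path, self._headers(), body)
        if status == 401:
            # Stateless token auth: a 401 on a previously working token means the API
            # account was disabled or the token was deleted or expired. Regenerate it.
            raise PermissionError("token rejected; regenerate it in the Client Console")
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {payload}")
        return payload

    @staticmethod
    def _check_id(alarm_id: int) -> int:
        if not isinstance(alarm_id, int) or alarm_id <= 0:
            raise ValueError("alarm_id must be a positive integer")
        return alarm_id

    def get_alarm(self, alarm_id: int) -> Any:
        return self._call("GET", f"{ALARM_ROUTE}/{self._check_id(alarm_id)}")

    def add_comment(self, alarm_id: int, comment: str) -> Any:
        # Hypothetical body field name.
        return self._call("POST", f"{ALARM_ROUTE}/{self._check_id(alarm_id)}/comment",
                          {"alarmComment": comment})

    def update_status(self, alarm_id: int, status: str, rbp: Optional[int] = None) -> Any:
        # RBP (risk-based priority) is a 0-100 score; reject anything else client-side.
        if rbp is not None and not 0 <= rbp <= 100:
            raise ValueError("rbp must be between 0 and 100")
        body: Dict[str, Any] = {"alarmStatus": status}  # hypothetical field names
        if rbp is not None:
            body["rBP"] = rbp
        return self._call("PATCH", f"{ALARM_ROUTE}/{self._check_id(alarm_id)}", body)


class RecordingTransport:
    """Offline stand-in for HTTPS: records each request and replays canned responses."""
    def __init__(self, responses: List[Tuple[int, Any]]) -> None:
        self.responses = list(responses)
        self.calls: List[Tuple[str, str, Optional[Dict[str, Any]]]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[Dict[str, Any]]) -> Tuple[int, Any]:
        assert headers["Authorization"].startswith("Bearer ")
        self.calls.append((method, url, body))
        return self.responses.pop(0)


def token_still_valid(client: AlarmClient, alarm_id: int) -> bool:
    """Probe whether the token is still accepted (False once the app is disabled)."""
    try:
        client.get_alarm(alarm_id)
        return True
    except PermissionError:
        return False


def triage_alarm(client: AlarmClient, alarm_id: int, note: str) -> Dict[str, Any]:
    """Read an alarm, leave a comment, and move it to a working status with RBP 60."""
    alarm = client.get_alarm(alarm_id)
    client.add_comment(alarm_id, note)
    client.update_status(alarm_id, "Working", rbp=60)
    return {"alarm": alarm, "requests": 3}


if __name__ == "__main__":
    # Constructed responses standing in for the Platform Manager.
    fake = RecordingTransport([(200, {"alarmId": 42, "alarmStatus": "New"}), (200, {}), (200, {})])
    client = AlarmClient("https://pm.example.invalid:8501", "token-from-client-console", fake)
    print(triage_alarm(client, 42, "investigating"))
```

Swapping RecordingTransport for a real HTTPS sender (one built on the verified TLS context from the Security section, for instance) is the only change needed to run this against a deployment; the PermissionError path is what an integration should alert on, since after an application is disabled every request fails the same way.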


Alarm API Endpoints


(Open API documentation is only available to view online)


Case API
The LogRhythm Web Console’s Case API is a REST API that communicates over HTTPS and uses JSON. The API’s
available routes and methods are used primarily for pushing information into LogRhythm, such as synchronizing tickets
from a bug tracking system with LogRhythm Cases.
All API actions are performed on behalf of an API Account that is identified by the API key passed in with each request.
To see the current list of the Web Console's Case APIs, including request and response samples for Case API, go to Case
API Endpoints.


Set Up the Case API


If the Web Console is not installed on the same machine as the Client Console, the CaseAPIURL property must be edited
to reflect the URL of the Web Console. This allows central LogRhythm Administration to know the location of the Case
API and API authorization. If the Web Console is installed on the same machine as the Client Console, you do not need to
update the Case API URL. You can go straight to the process to create an API Account for your integration. The process
for doing so is described in the second set of instructions below.
To update the Case API URL:
1. Log in to the Client Console as a Global Administrator.
2. Click Deployment Manager and then the Platform Manager tab.
3. On the Platform Manager tab, click Properties.
4. In the Platform Manager Properties dialog box, click Advanced. The Alarming and Reporting Services Advanced
Properties dialog box appears.
5. In the CaseAPIURL row, click in the Value cell and type the URL of the machine on which the Web Console is
installed (for example: https://10.1.1.192).
6. Click OK to save the changes. The Platform Manager Properties dialog box appears.
7. Click OK to close the Platform Manager Properties dialog box.

For instructions on generating a token for the Case API, see Register Third-Party Applications to Use
the API.


Case API Endpoints


(Open API documentation is only available to view online)


Metrics API
The LogRhythm Client Console's Metrics API is a REST API that communicates over HTTPS and uses JSON. The API’s
available routes and methods are used primarily for retrieving log volume for a time period provided by the user.
To see the current list of methods and endpoints, including request and response samples, go to Metrics API Endpoints.
To utilize the API, users must generate a token in the Client Console. For more information, see Register Third-Party
Applications to Use the API.
The Log Level for the Metrics API is configured in the Configuration Manager.

While LogRhythm provides the API and usage instructions and supports the API's continued health,
LogRhythm is not responsible for the support or configuration of third-party tools and applications designed
to interact with our APIs.


Metrics API Endpoints


(Open API documentation is only available to view online)


Search API
The LogRhythm Web Console's Search API is a REST API that communicates over HTTPS and uses JSON. The API’s
available routes and methods are used primarily for searching the Web Indexer for logs and events. Users can submit a
search request and interface with the data directly, allowing for integration with third-party applications and
custom applications designed for specific business needs.
All API actions are performed on behalf of an API Account that is identified by the API key passed in with each request.
To see the current list of the Web Console's Search APIs, including request and response samples for the Search API, go
to Search API Endpoints.
To utilize the API, users must:
• Have a working Web Console installation, as the API uses Web Indexer to return results.
• Generate a token in the Client Console. For more information, see Register Third-Party Applications to Use the
API.

While LogRhythm provides the API and usage instructions and supports the API's continued health,
LogRhythm is not responsible for the support or configuration of third-party tools and applications designed
to interact with our APIs.


Search API Endpoints


(Open API documentation is only available to view online)
