
CRAWL WALK RUN SOAR

LogRhythm SOAR Ecosystem


November 2021

© 2021 LogRhythm Inc. WWW.LOGRHYTHM.COM PAGE 1 OF 47


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected
by copyright and possible non-disclosure agreements. The Software described in this Guide is furnished
under the End User License Agreement or the applicable Terms and Conditions (“Agreement”) which
governs the use of the Software. This Software may be used or copied only in accordance with the
Agreement. No part of this Guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording for any purpose other than what is
permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes
no warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the
implied warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be
liable for any direct, indirect, incidental, consequential, or other damages alleged in connection with the
furnishing or use of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com



Contents
1. About LogRhythm
2. Building Your SOC on a Strong Foundation
3. LogRhythm SOAR Ecosystem



1. About LogRhythm
LogRhythm is the world leader in NextGen SIEM, empowering organizations on six continents to
successfully reduce risk by rapidly detecting, responding to and neutralizing damaging cyberthreats. The
LogRhythm platform combines user and entity behavior analytics (UEBA), network traffic and behaviour
analytics (NTBA) and security automation & orchestration (SAO) in a single end-to-end solution.
LogRhythm’s Threat Lifecycle Management (TLM) workflow serves as the foundation for the AI-enabled
security operations center (SOC), helping customers measurably secure their cloud, physical and virtual
infrastructures for both IT and OT environments. Built for security professionals by security professionals,
the LogRhythm platform has won many accolades, including being positioned as a Leader in Gartner’s SIEM
Magic Quadrant.

• NextGen-SIEM
• User and Entity Behavior Analytics (UEBA)
• Network Traffic and Behavioral Analytics (NTBA)
• Security Automation and Orchestration (SAO)
• Compliance
• SOC Enablement
• Security Analytics
• Threat Detection
• Cloud Security
• Network Forensics
• Log Management
• File Integrity Monitoring

At LogRhythm, we believe in empowering a culture of success — for you and for your business. Our
platform is designed by security professionals who understand how complicated your job is. This laser
focus on security translates into targeted innovation that gives your team solutions that help reduce the
challenges and complexities your team faces every day.

In our world, threats don’t stop, and they’re constantly changing. Our LogRhythm Labs team continually
provides research and relevant content updates that help to protect your organization from the latest-
breaking threat.

From R&D to customer success, we see ourselves as a partner in your fight against cyberthreats. It’s one
of our core values as a company.

2. Building Your SOC on a Strong Foundation
To protect your organization from risk, your team must be able to detect and respond to a threat early in
the Cyber Attack Lifecycle. To do this successfully, you must shorten your Mean Time-to-Detect™
(MTTD™) and Mean Time-to-Respond™ (MTTR™) to a cyber threat.

Threat Lifecycle Management is the fundamental workflow of an effective security operations center
(SOC). This series of aligned SecOps capabilities and processes gives your team holistic visibility of your
IT and OT environments so you can quickly detect, mitigate, and recover from a security incident.
LogRhythm delivers Threat Lifecycle Management by bringing together traditionally disparate
capabilities into one unified platform. With LogRhythm, your team has a single UI where they can
evaluate alarms, investigate threats, and respond to incidents.

NextGen SIEM
Our NextGen SIEM solution operates as your team’s central nervous system to alert on threats and enact
countermeasures — all in real time. With LogRhythm, your team will detect and respond to threats
measurably faster.

User and Entity Behavioral Analytics (UEBA)


User and entity behavioral analytics play a critical role in giving your team visibility into user behavior.
LogRhythm UEBA uses advanced machine learning to perform profiling and anomaly detection so your
team can easily identify insider threats, privilege abuse, compromised accounts, and more.

Network Traffic & Behavioral Analytics (NTBA)


With NTBA, your team can detect, analyze, and prioritize network-based threats and automate actions to
stop an attack on your network.

Security Automation & Orchestration (SAO)


Whether you have a team of one or a team of twenty, LogRhythm accelerates threat qualification,
investigation, and response to make your team more efficient and effective so you can do more with the
resources you already have.

Compliance
LogRhythm helps you address unique compliance challenges with preconfigured compliance automation
modules that address regulatory frameworks such as GDPR, SOX, PCI-DSS, HIPAA, and many more.



Organisations that strive to seek reductions in MTTD and MTTR must optimize the end-to-end threat
detection and response lifecycle. At each stage of the process, and in between, inefficiencies can exist that
can dramatically impede an organisation’s overall effectiveness. However, organisations that can optimize
the effectiveness of their security operations processes across each stage can realize profound
improvements in MTTD and MTTR.



3. LogRhythm SOAR Ecosystem

Each entry below gives the vendor / actions, a description, and (where the original provided one) a use case.

SRP - Add Item to List
Description: This action will add an item—typically a parsed metadata value—to a file. You can then
configure a LogRhythm List to auto-import that item.
Use Case: A LogRhythm List containing privileged users is created to assist in privileged user monitoring.
To automatically maintain this list, an alarm is created to trigger when accounts are added to the Domain
Administrators group in Active Directory. When this occurs with a legitimate user, an analyst can use the
SmartResponse Plugin to approve adding the new user to the LogRhythm List.

SRP - Account Log Off User
Description: This action queries a system for all RDP sessions and then removes a specified user’s session.
Use Case: An account is logging in from some blacklisted location and security personnel want to end the
connection before investigating further.

SRP - Anue - Apply Dynamic Filter
Description: This plugin works together with the Anue Net Tool Optimizer™ (NTO) and your security tools —
forensic recorders, analyzers, IPS/IDS, data loss prevention tools — to protect your network.
Use Case: Budget and storage constraints do not allow an organization to store full packet capture data on
a 24x7 basis. Security operations creates an AI Engine rule to monitor for suspicious activity on a highly
sensitive host. When that activity is identified, the Anue SmartResponse forwards a few hours of SPAN data
containing all traffic to or from the host to a packet capture appliance for the SOC team to analyze.

SRP - Cisco AMP Threat Grid
Description: This plugin contains the following actions:
• Add File to File List
• Create Cisco AMP V1 Configuration File
• Display File Lists
• Get Computers by a User's Activities
• Get Events in a Computer's User Trajectory
• Get Infected Computers list
• Get Latest Events
• Get Vulnerabilities
• Isolate Computer
• Stop Isolation on Computer

SRP - Cisco ISE Quarantine Host
Description: This SmartResponse Plugin allows an analyst to quarantine a host via Cisco ISE based on IP,
MAC Address, or Session ID.

SRP - Disable Local Windows Account
Description: This SmartResponse Plugin allows an analyst to disable a local Windows user on a remote
machine.

SRP - Extra Context
Description: This action queries a .csv data source to return contextual data on any value you define. Any
type of data can be entered, as long as it exists in the data source. The result can help reveal additional
information on a value that would not otherwise be captured in the SIEM.
Use Case: A user accesses many potentially sensitive files, but this user’s role is unclear, as it is not
defined within Active Directory. Because you have this user’s user name, you access an HR spreadsheet that
provides information about the user’s employee status and role to gain further insight into whether the
user’s activity is legitimate.

SRP - HaveIBeenPwned
Description: This action queries HaveIBeenPwned.com to determine whether a given email address or user
account name is associated with any breached websites.
Use Case: In the course of investigating a user credential compromise, it is determined that the user used
the same password internally as on external websites. A quick lookup determines the source of the
credential compromise and the extent of the user’s compromise.

SRP - Infoblox - Add Item to Policy
Description: This action adds an FQDN or client IP address to the Infoblox Response Policy Zone.
Use Case:
• It is determined that an external host is hosting malicious files or acting as a command and control
server for malware. The domain name is added to a Response Policy Zone so that internal clients are unable
to perform DNS lookups of that domain.
• An internal client is believed to be infected with malware. If isolating it from the network is a manual
process, this action adds the IP address to a Response Policy Zone so that no DNS queries from this client
return IP addresses.

SRP - Kill Process
Description: This SmartResponse Plugin allows for the remote termination of a Windows Process.

SRP - NeXpose Scan
Description: This action opens an HTTPS connection to the Nexpose web console on the port specified by the
user—the default port is 3780—and launches an existing site-listing vulnerability scan.
Use Case: After you have pushed out the latest security patches to all the hosts in your environment and
the patches are applied, this plugin kicks off a vulnerability scan to verify that the patched hosts are
secure.

SRP - Palo Alto Networks
Description: This action creates a new IP Address object and adds it to an existing Address Group on the
PAN firewall.
Use Case: An external host is attacking the network. This plugin, when attached to an AI Engine Rule or
run manually, adds the IP address of the external host to a PAN firewall rule and prevents further attacks.

SRP - Service Management (Start, Stop, Disable)
Description: This action first checks to see if the target service is running—if it is running, the service
is stopped. The service is then disabled. This action is run with user-supplied credentials.
Use Case: With whitelisting of processes implemented, a non-whitelisted service enters a running state. An
alarm triggers upon the process starting and this action is applied to the alarm, automatically killing
the non-whitelisted process.

SRP - VirusTotal
Description: The VirusTotal plugin submits a file or URL to VirusTotal (www.virustotal.com) for analysis.
The returned information includes:
• Detection information from multiple scan engines
• The date of the first scan/submission
• The positive detection ratio
• VirusTotal’s permanent link for the scan report, which can contain additional submission type-specific
scan results and other information

SRP - Cisco Stealthwatch
Description: Determine the proper Stealthwatch Domain ID numbers for use in a “Top” Stealthwatch query.
Each SmartResponse Plugin can have one or more actions. This plugin contains the following actions:
• Get Domains Map
• Get Host Groups Map
• Top Applications
• Top Conversations
• Top Hosts
• Top Peers
• Top Ports
• Top Services
Use Case: This action queries the Stealthwatch API for all Domain ID numbers that exist on the Stealthwatch
deployment, returning a list of all Domain ID numbers. A Domain ID number is a required parameter for all
plugin actions, with the exception of Get Domains Map and Get Host Groups Map.

SRP - Freq.py
Description: This action calculates the entropy of the target string using the “English, lower-case”
frequency table provided by Freq.py. This action is recommended for strings that contain only lower-case
characters. This plugin has two action types:
• Contextual. Executed on-demand by an end user from the LogRhythm Web Console.
• Automatic/Remediation. Executed as the result of an Alarm action (ARM or AI Engine).
Use Case: Determine the entropy of a file name, URL, account name, or other string encountered during an
investigation.
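The kind of scoring the Freq.py action performs, shown as an added Python example that is neither Freq.py's own code nor LogRhythm's plugin: it builds a letter-pair frequency table from a short constructed English sample (an assumption standing in for Freq.py's much larger "English, lower-case" table), scores a target string by the mean smoothed transition probability of its letter pairs, and also reports Shannon entropy per character. English-like strings score high on the frequency scale and low on entropy; random-looking account names or machine-generated domain labels do the opposite, which is the signal an analyst wants when running this action on a name found during an investigation.

```python
"""Frequency-table and entropy scoring of strings, in the spirit of Freq.py.

Added example; a simplified re-implementation, not Freq.py or the plugin.
"""
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Constructed sample (assumption): Freq.py ships a far larger "English,
# lower-case" table; this short text only stands in for it.
ENGLISH_SAMPLE = (
    "the quick brown fox jumps over the lazy dog and then runs away into "
    "the forest where the other animals are sleeping under the old trees "
    "security operations teams review alarms investigate hosts and respond "
    "to incidents using network traffic analysis and endpoint telemetry "
    "domain names such as mail login portal update secure account service"
)


def build_pair_table(text):
    """Count adjacent letter pairs inside each word of a lowercase sample."""
    counts = Counter()
    for word in text.lower().split():
        letters = "".join(c for c in word if c in ALPHABET)
        for a, b in zip(letters, letters[1:]):
            counts[(a, b)] += 1
    return counts


def pair_probability(table, a, b):
    """P(b follows a), with add-one smoothing so unseen pairs score low, not zero."""
    row_total = sum(n for (first, _), n in table.items() if first == a)
    return (table[(a, b)] + 1) / (row_total + len(ALPHABET))


def frequency_score(table, target):
    """Mean transition probability of the target's letter pairs.

    Higher means more English-like. Non-letters are dropped, matching the
    recommendation to use the action on lower-case strings only.
    """
    letters = "".join(c for c in target.lower() if c in ALPHABET)
    pairs = list(zip(letters, letters[1:]))
    if not pairs:
        return 0.0
    return sum(pair_probability(table, a, b) for a, b in pairs) / len(pairs)


def shannon_entropy(target):
    """Bits of entropy per character; high values flag random-looking strings."""
    if not target:
        return 0.0
    counts = Counter(target)
    n = len(target)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


PAIR_TABLE = build_pair_table(ENGLISH_SAMPLE)

if __name__ == "__main__":
    for s in ("the", "secure", "xqzkpv"):
        print(f"{s:10} freq={frequency_score(PAIR_TABLE, s):.3f} "
              f"entropy={shannon_entropy(s):.2f}")
```

Pair probabilities rather than single-letter frequencies are used because they separate "looks pronounceable" from "uses common letters": a string built from common letters in an impossible order still scores low. With a table this small, treat the scores as a ranking aid, not a threshold.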
SRP - Cisco Umbrella Investigate (OpenDNS)
Description: This action queries the OpenDNS API to return contextual data about a domain name or IP
address. Data returned contains information such as associated IP addresses and domain names, content
categorization, and whether the item has been classified as malicious. This action can add the returned
information to a LogRhythm Alarm in the form of a comment. This ensures that the data will be available for
future investigations, if necessary.
Use Case: An internal host is communicating with an unknown external host. Using this plugin, an analyst
determines if the external host is malicious and finds associated IP addresses and domains to assist with
the investigation.

SRP - Endpoint Lockdown
Description: This action performs the following operations on the target host:
• All network interfaces are disabled
• Any logged on user(s) are force-logged out
• System is locked
Use Case: An IT/SOC team receives a “Malware” or “System Compromised” alarm from LogRhythm SIEM. As an
alarm remediation action, the team can quickly and easily isolate the compromised system until further
mitigation actions can be undertaken.

SRP - Cisco ASA : SSH
Description: The Cisco ASA : SSH SmartResponse plugin connects to a Cisco ASA Firewall via SSH, then adds
the target IP address to the specified security group.
Use Case: A particular IP address on the local network exhibits abnormal network activity. Prior to
investigating the system in detail, a system administrator quickly adds the host’s IP address to a
quarantined security group in Cisco ASA to block some or all network traffic.

SRP - CyberARK Response Manager
Actions:
• Account History
• Disable/Enable User
• Force Credential Change
• Raise/Lower Account Security Policy

SRP - Cb Response
Description: This plugin adds Cb Response integration to the LogRhythm SIEM. Available Cb Response
functions include host isolation, process termination, list all processes on a remote host, dump memory of
a remote host, delete file on a remote host, and download file from remote host. A Cb Response API key is
required for all plugin actions (available from the Cb Response interface).

SRP - EnCase Endpoint Security
Description: This plugin integrates EnCase Endpoint Security incident response and automation actions with
LogRhythm SIEM. An analyst can perform forensic/incident response actions from LogRhythm, such as capturing
a memory snapshot of a target host.

Case Automation: Add alarm & context to case
SRP Action: “Add to Existing Case”
1. Ensure the customer is on LR 7.3.3+
2. Find the Tag Id of the Case-SRP tag; create a new Case Tag if it doesn’t exist
3. Search for an existing case:
   a. Last updated within the past CaseSearchDays days (default 3)
   b. Status is CaseSearchStatus (default 1=Open or 3=Incident)
   c. Contains Alarm Evidence with the same Alarm Name
   d. If you’ve defined any “group-by” Field1, Field2, Field3:
      i. Has the Case-SRP Tag
      ii. Has an Evidence Note that says [SRP-Case] Created Case (Fields 107.189.1.138)
4. If it finds a case:
   a. Adds this Alarm as evidence
   b. Adds an evidence note [SRP-Case] Added Alarm 5118 Case (Fields 107.189.1.138)
   c. Ensures the Owner is a collaborator (but will not actually change the case owner)
   d. Ensures the SRP-Case tag is on the case
5. If it doesn’t find a case, creates one:
   a. Sets case name to {Alarm Name} ({Group-by fields values})
   b. Sets case priority to Priority (default 3)
   c. Adds Owner as a collaborator & makes them the case owner
   d. Adds this alarm as evidence
   e. Adds an evidence note [SRP-Case] Created Case (Fields 107.189.1.138)
   f. Adds the SRP-Case tag
6. Saves the Case Id
   a. OutputPath\{AlarmId}\Case.txt
7. Saves a handy log file
   a. OutputPath\SRP-Case.log
8. Outputs the Case Details
   a. [SRP-Case] Added alarm to existing Case. Number: '30', Name: 'AIE: Network Anomaly: Threat List
      Suspicious IP (107.189.1.138)'

SRP Action: “Create Case” does everything above except steps 3 & 4 (and there are no group-by fields).
You’ll get a new case for every alarm.
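The search-then-add-or-create logic of the “Add to Existing Case” and “Create Case” actions, as an added Python example that is not the plugin’s own code: the real plugin talks to the LogRhythm Case API, whereas here an in-memory list of Case objects stands in for it, and the Alarm and Case classes, the demo() walk-through, its timestamps, the analyst names and the 10.0.0.5 field value are all constructed. It applies the CaseSearchDays, CaseSearchStatus, Alarm Name and group-by note checks in the order given above, adds evidence to a matching case without changing its owner, creates a case otherwise, and with search_existing=False reproduces the “Create Case” behaviour of one new case per alarm.

```python
"""Case Automation: add an alarm to an existing case, or create one.

Added example (not the plugin's own code). An in-memory list of Case
objects stands in for the LogRhythm Case API; timestamps, analyst names
and the 10.0.0.5 field value in demo() are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CASE_SRP_TAG = "Case-SRP"
STATUS_OPEN, STATUS_INCIDENT = 1, 3   # CaseSearchStatus default: 1=Open or 3=Incident


@dataclass
class Alarm:
    alarm_id: int
    name: str
    fields: dict          # group-by values, e.g. {"Field1": "107.189.1.138"}


@dataclass
class Case:
    number: int
    name: str
    status: int
    priority: int
    owner: str
    last_updated: datetime
    alarm_evidence: list = field(default_factory=list)   # (alarm_id, alarm_name)
    notes: list = field(default_factory=list)
    tags: set = field(default_factory=set)
    collaborators: set = field(default_factory=set)


def fields_label(alarm, group_by):
    """Group-by field values joined as they appear in the evidence notes."""
    return " ".join(str(alarm.fields[f]) for f in group_by)


def find_existing_case(cases, alarm, group_by, now, search_days, statuses):
    """Step 3: age, status, alarm-name and (with group-by fields) tag + note checks."""
    cutoff = now - timedelta(days=search_days)
    created_note = f"[SRP-Case] Created Case (Fields {fields_label(alarm, group_by)})"
    for case in cases:
        if case.last_updated < cutoff or case.status not in statuses:
            continue
        if not any(name == alarm.name for _, name in case.alarm_evidence):
            continue
        if group_by and (CASE_SRP_TAG not in case.tags or created_note not in case.notes):
            continue
        return case
    return None


def add_alarm_to_case(cases, alarm, owner, now, group_by=(), priority=3,
                      search_days=3, statuses=(STATUS_OPEN, STATUS_INCIDENT),
                      search_existing=True):
    """'Add to Existing Case'; search_existing=False is the 'Create Case' action.

    Returns (case, created).
    """
    label = fields_label(alarm, group_by)
    case = None
    if search_existing:
        case = find_existing_case(cases, alarm, group_by, now, search_days, statuses)
    if case is not None:                                   # step 4
        case.alarm_evidence.append((alarm.alarm_id, alarm.name))
        case.notes.append(f"[SRP-Case] Added Alarm {alarm.alarm_id} Case (Fields {label})")
        case.collaborators.add(owner)                      # collaborator only; owner unchanged
        case.tags.add(CASE_SRP_TAG)
        case.last_updated = now
        return case, False
    case = Case(number=len(cases) + 1,                     # step 5
                name=f"{alarm.name} ({label})" if label else alarm.name,
                status=STATUS_OPEN, priority=priority, owner=owner, last_updated=now)
    case.collaborators.add(owner)
    case.alarm_evidence.append((alarm.alarm_id, alarm.name))
    case.notes.append(f"[SRP-Case] Created Case (Fields {label})")
    case.tags.add(CASE_SRP_TAG)
    cases.append(case)
    return case, True


def case_details(case, created):
    """Step 8 output line (the wording of the 'created' branch is an assumption)."""
    verb = "Created new" if created else "Added alarm to existing"
    return f"[SRP-Case] {verb} Case. Number: '{case.number}', Name: '{case.name}'"


def demo():
    """Constructed walk-through: repeat alarm, other group-by value, stale case, forced create."""
    now = datetime(2021, 11, 1, 12, 0)
    name = "AIE: Network Anomaly: Threat List Suspicious IP"
    group_by = ("Field1",)
    cases = []

    def alarm(aid, ip):
        return Alarm(aid, name, {"Field1": ip})

    first, c1 = add_alarm_to_case(cases, alarm(5117, "107.189.1.138"), "analyst-a", now, group_by)
    second, c2 = add_alarm_to_case(cases, alarm(5118, "107.189.1.138"), "analyst-b",
                                   now + timedelta(hours=1), group_by)
    third, c3 = add_alarm_to_case(cases, alarm(5119, "10.0.0.5"), "analyst-a",
                                  now + timedelta(hours=2), group_by)
    fourth, c4 = add_alarm_to_case(cases, alarm(5120, "107.189.1.138"), "analyst-a",
                                   now + timedelta(days=5), group_by)        # older than 3 days
    fifth, c5 = add_alarm_to_case(cases, alarm(5121, "107.189.1.138"), "analyst-a",
                                  now + timedelta(days=5, hours=1), group_by,
                                  search_existing=False)                    # 'Create Case'
    return {
        "created": (c1, c2, c3, c4, c5),
        "numbers": (first.number, second.number, third.number, fourth.number, fifth.number),
        "first_name": first.name,
        "first_owner": first.owner,
        "first_collaborators": sorted(first.collaborators),
        "first_evidence": [aid for aid, _ in first.alarm_evidence],
        "last_note": first.notes[-1],
        "details": case_details(second, c2),
        "case_count": len(cases),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo shows why the group-by note check matters: two alarms with the same name but different Field1 values land in separate cases, while a repeat of the same value joins the open case, and a repeat arriving after CaseSearchDays opens a fresh one instead of reviving a stale case.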

SRP - Cb Defense
Cb Defense REST API Actions:
• Device Status - Query the sensor/device status of a target host
Cb Defense Live Response API Actions:
• Delete File - Delete specified file/directory on target host
• Directory List - Display directory contents/information for directory on target host
• Dump Memory - Perform full memory dump of target host, writing dump file to specified output file
• Get File - Copy file from target host to plugin execution host
• Kill Process - Kill specified process on target host
• Process List - List all active processes (and associated information) on target host

SRP - Update List
Description: This action adds an item or comma-separated list of items to a list. Comma-separated lists
are added as separate entities.
Use Case: In the course of a matched Alarm Rule criteria, an analyst performs a quick lookup for a list.
Items are checked for existence and are then added to a list.

SRP (name not given) - Sysmon install script
Description: This script is designed to function as a LogRhythm SmartResponse to carry out a silent install
of the Microsoft Sysinternals Sysmon agent on a domain-joined Windows endpoint. The intended use for this
script is to enable the collection of additional workstation data as a result of an AIE rule that warrants
further host activity investigation. This has been used as a troubleshooting aid to track down and isolate
anomalies that occur on workstations by enabling advanced logging capabilities based on observed events on
the endpoint.

SRP - Tenable.io
Description: This action creates and launches a scan against a given host for a specified scan and scanner
type.
Use Case: In the course of a matched Alarm Rule criteria, an analyst creates and launches a vulnerability
scan and then verifies its details via a provided link.

SRP - Invoke-Okta
Description: With the ever-increasing need for organizations to centrally manage multiple accounts across
various cloud and on-premise infrastructures, Okta is one of the solutions that help make this process as
seamless as possible for IT, Security, and global employees. This is a key component to LogRhythm’s vision
of embracing the Zero Trust security model, and will help the organization expand services between
on-premise and the cloud in as seamless a way as possible. While integrating applications and visualizing
this data within the SIEM is a great first step, we want to take this further, and fully automate Identity
Access Management (IAM) with the SIEM at the center.

SRP - Mimecast
Description: This SmartResponse Plugin implements a number of actions on the Mimecast platform that an
analyst or threat hunter may find useful when responding to an incident. Each action allows for commenting
these updates or including an Alarm ID so that they can be audited and/or revoked during post mortem
activities.
Actions:
• Block a Domain from a URL
• Block an explicit URL
• Block a specific Email Address
• Block a Sender Domain

SRP - SailPoint IdentityIQ SIEM Plugin
Actions:
• Disable or delete a single account on an Identity cube
• Disable or delete all accounts in an Identity cube
• Remove a single entitlement from a single application account on an Identity cube
• Remove all entitlements from a single application account on an Identity cube
• Remove all entitlements from all accounts on an Identity cube
• Reset a password on a single application account
  o IMPORTANT: Currently only works for Active Directory type applications - if other application types
    are desired, the current solution is to specify a 'workflow', and code implementation specific logic
    into the workflow for applications not currently supported by the plugin
• Reset a password on all application accounts
  o IMPORTANT: Currently only works for Active Directory type applications (same 'workflow' solution as
    above for other application types)
• Initiate an application specific manager certification for an Identity
• Initiate a manager certification for the Identity that correlates to the application/native identity
  combination specified
• Remove all users from a specified group, and make that group non-requestable in the IdentityIQ LCM
  access request process
• Disable or delete ALL accounts on the specified application
  o USE WITH CAUTION
• Initiate an entitlement owner certification for the provided group

SRP - Beyond Trust
Description: This action creates and launches a scan against a specified host.
Use Case: After matching Alarm Rule criteria, an analyst creates and launches a vulnerability scan against
a target host.

SRP - SecureAuth IdP
Description: This SmartResponse Plugin implements a few key actions within SecureAuth IdP via their
Management REST API. These actions can pull additional context from SecureAuth, or interact with the API
to impact authentication behavior.
Actions:
• Pull Account History
• Add User to Group
• Change a Directory Property
• Reset Password

SRP - AD Account Management
Description: This action disables an AD user account.
Use Case: AD Account Management plugin detects, enables, unlocks, or forces a password reset for Active
Directory (AD) user accounts, and also displays information for any user account, including the user’s
full name, group membership, and more.

SRP - Nmap
Description: Nmap is a free and open source utility for network discovery and security auditing. This
SmartResponse plugin integrates Nmap with LogRhythm SIEM, allowing users to execute Nmap queries
"on-demand" via the LogRhythm Web Console, or as automatic remediation actions triggered by a LogRhythm
SIEM Alarm. Several commonly used Nmap queries are included in the plugin as pre-defined actions, as well
as a "custom" action that can be configured using any of the available Nmap options.

SRP - Cylance
Description: This action uses information such as host name or IP address to return information about
that host, including previous scan results. Each SmartResponse Plugin has one or more actions. This plugin
contains the following actions:
• Display Host Status
• Quarantine Global File
Use Case: In the course of a matched Alarm Rule criteria, an analyst checks the details of a given host,
including previous scan results and last logged-on user.

SRP - FortiGate
Description: FortiGate plugin uses FortiGate’s RESTful API to view group information and add IP addresses
or domains to a group.
Use Case: While investigating an alarm, an analyst determines that a compromised public website is hosting
malware that has infected several corporate systems. The analyst uses this plugin action to block traffic
to the domain, preventing further infection.

SRP - Slack
Description: Slack Integration SmartResponse plugin sends an automated message containing the details of a
triggered alarm to a Slack channel, which analysts can use for further investigation, analysis, or actions.
Use Case: When an alarm triggers, an analyst receives its detailed information in a Slack message,
facilitating quick response measures.

SRP - Pushover
Description: Pushover SmartResponse Plugin uses Pushover’s API to send push notifications containing alarm
details to supported devices.
Use Case: A high-priority alarm fires, and the plugin automatically alerts one or more analysts via push
notification. The notification contains enough detail that an analyst can immediately determine the
appropriate level of urgency needed for response.

SRP - AzureAD
Description: AzureAD SmartResponse Plugin contains the following actions:
• Disable Azure AD Account
• Display Azure AD Account Info
• Enable Azure AD Account
• Reset Password for Azure AD Account

SRP - Shodan
Description: Supports the following actions:
• API Info
  o Returns the current API usage and remaining queries available
• Host Info
  o Returns the host information based on Shodan observations.
  o Enumerates all services.
  o Inspects SSL certificates and notates expired, self-signed, and Let's Encrypt observations.
• Request Scan
  o Submits a scan request for a given target host to Shodan.
• Scan Status
  o Returns the status of a given scan request based on Scan ID.

SRP - Palo Alto Wildfire
Description: Palo Alto Wildfire SmartResponse plugin sends a file's SHA256 to the Wildfire API service and
returns the file's status. Optionally, the plugin supports sending the results directly to a LogRhythm case
via the Case API.

SRP - Netskope
Description: Netskope SmartResponse Plugin uses Netskope’s REST API to add URLs, files, or SHA-256 hashes
to the application blacklist in Netskope, and maintains a local copy in the LogRhythm List Manager. This
plugin contains the following actions:
• Blacklist URL or File

SRP - SentinelOne
Description: This plugin integrates with SentinelOne to perform actions like initiating a scan, listing
host processes and applications, querying host status and hash reputation information, and blacklisting by
hash.

SRP - Office365
Description: Office365 SmartResponse Plugin uses Microsoft’s Office 365 API to allow users to display email
message text, attachment information, and hyperlink details in the LogRhythm Console. This plugin contains
the following actions:
• Display Message Text
• Get Attachments
• Get Links

SRP - ServiceNow
Description: This plugin contains the following actions:
• Create ServiceNow Incident
• Get ServiceNow Incident
• Close ServiceNow Incident
• ServiceNow Incident: Add Comment
• ServiceNow Incident: Add Work Note
• ServiceNow Incident to LogRhythm Case
• LogRhythm Case to ServiceNow Incident
• ServiceNow Table Query

SRP - Cisco Umbrella (OpenDNS)
Description: Cisco Umbrella SmartResponse Plugin uses the Cisco Umbrella API to perform actions in the
LogRhythm Console, such as blocking domains from your network or determining whether an IP address has
been flagged as potentially malicious. This plugin contains the following actions:
• Block Domain or URL
• Enrich Alarm IP or Domain Name
• Query IP or Domain Name
• ThreatGrid Query

SRP - CyberArk
Description: CyberArk SmartResponse Plugin performs a variety of actions in the CyberArk Response Manager
platform, including viewing account history details, forcing credential changes, and raising or lowering
account security privileges. This plugin contains the following actions:
• Account History
• Disable User
• Enable User
• Force Credential Change
• Lower Account Security Policy
• Raise Account Security Policy


1. SRP - Forescout Forescout SmartResponse
Plugin accesses the ForeScout
CounterACT visibility platform
through an API to display host
information in the LogRhythm
Console.
This plugin contains the
following action:

• Display Host Info

1. SRP - 365 Security Microsoft Office 365 Security &


and Compliance Compliance controller. This
plugin was designed to enable
initiation of content searches
and content removal.

Supports the following actions:

• Search
o Initiates a Content
Search based on
the following
criteria
Sender
Recipient
Subject
Attachment
Name
• Purge
o Initiates a Content
SoftDelete based
on a previously
completed search
• Search & Purge
o Combines the
functionality of
actions Search
and Purge

© 2021 LogRhythm Inc. WWW.LOGRHYTHM.COM PAGE 28 OF 48


1. SRP - Checkpoint Checkpoint R80
R80 SmartResponse Plugin adds
hosts, IP addresses, or IP
ranges to groups in Check
Point.
This plugin contains the
following actions:
• Add Existing Host to
Group
• Add IP/IP Range to
Group

1. SRP - Load User Load User


Profile Profile SmartResponse
Plugin loads a user profile in
Windows System Monitor
Agent so that the service can
be upgraded remotely.
This plugin contains the
following actions:
• LoadUserProfile

1. SRP - List List Management


Management SmartResponse Plugin looks
up a list by name or ID, checks
if an item exists, adds or
removes items, and searches
lists for specific items.
This plugin contains the
following actions:
• Add Item To List
• Look Up Item
• Remove Item from List

© 2021 LogRhythm Inc. WWW.LOGRHYTHM.COM PAGE 29 OF 48


1. Juniper SRX smart response plugin
Add an IP to a block list

1. SRP - JIRA
JIRA SmartResponse Plugin creates a new Jira issue or updates an existing, open issue with Alarm details.
This plugin contains the following actions:
• Create-Issue
• Update-NonClosed Issue

1. SRP - FortiGate Blackhole & Block
This FortiGate plugin uses plink scripting to blackhole IP or add IP addresses to lists in a FortiGate. Tested with 5.6.x / 6.x FortiOS releases.

1. SRP - Alarm Management
The Alarm Management SmartResponse Plugin closes an Alarm using the Alarm ID, with the option of adding comments before closing.
This plugin contains the following actions:
• Auto Close Alarm

1. SRP - Twilio
Twilio SmartResponse Plugin uses Twilio’s admin API to send SMS messages containing LogRhythm Alarm details.
This plugin contains the following actions:
• Send SMS

1. SRP - PagerDuty
PagerDuty SmartResponse Plugin uses PagerDuty’s API to create incidents, list on-call users, and run response plays on a specified incident.
This plugin contains the following actions:
• Create Incident
• List On-Call
• Run Response Play

1. SRP - LogRhythm NetMon
LogRhythm NetMon SmartResponse Plugin creates a case using PCAP (packet capture) files from NetMon for use in analysis or investigations.
This plugin contains the following actions:
• Create Case with NetMon Metadata
1. SRP - Aruba ClearPass
Smart Response for Aruba ClearPass to add a quarantine attribute to endpoints with various inputs. This SmartResponse supports the following actions:
• Add/remove "quarantine=true" attribute to endpoint given an IP address
• Add/remove "quarantine=true" attribute to endpoint given a MAC address
• Add/remove "quarantine=true" attribute to endpoint(s) associated with a username

1. SRP - Meraki V2
Meraki SmartResponse Plugin uses Meraki’s API to run a series of administrative actions, including blocking or unblocking hosts, enabling or disabling switch ports, setting host policy, and displaying host information.
Updates to version 2 include saving configuration file values in .xml format and the ability to run actions using a client ID or IP address.
This plugin contains the following actions:
• Block Host
• Create Meraki Configuration File
• Disable Switch Port
• Display Host Information
• Display Network List
• Enable Switch Port
• Set Host Policy
• Unblock Host

1. SRP - VirusTotal V2
VirusTotal SmartResponse Plugin V2 uses the VirusTotal API to scan domains, file hashes, IP addresses, and URLs for malicious content and generate reports to help guide follow-up actions.
This plugin contains the following actions:
• Create VirusTotal Configuration File
• Get Domain Report
• Get File Hash Report
• Get IP Report
• Get URL Report
1. SRP - pxGrid
pxGrid SmartResponse Plugin performs several actions within Cisco pxGrid (Platform Exchange Grid), including applying or clearing host policies and retrieving host, user, and policy information.
This plugin contains the following actions:
• Apply/Clear Host Policy
• Create pxGrid Configuration File
• Get Host Information
• Get User Information
• List All Policies

1. SRP - Demisto V1
Demisto SmartResponse Plugin creates an incident in Demisto and populates it with Alarm data from LogRhythm.
This plugin contains the following actions:
• Create Demisto Configuration File
• Create New Incident

1. SRP - MISP V1
MISP SmartResponse Plugin uses the MISP (Malware Information Sharing Platform) API to send indicators of compromise (IoCs) to MISP as events and retrieve detailed information about an IoC.
This plugin contains the following actions:
• Create MISP Configuration File
• Get Contextual Information for IoC
• Send IoC Details

1. SRP - Azure V1
Azure SmartResponse Plugin performs several functions within Microsoft Azure, including blocking IP addresses, dismissing security alerts, retrieving Resource details, and administering VMs (virtual machines).
This plugin contains the following actions:
• Azure Configuration
• Block IP
• Deallocate VM
• Delete NSG Rule
• Dismiss Security Alert
• Get Resource Details
• Restart VM
• Snapshot VM
• Start VM
• Stop VM

1. SRP - CB Defense V1
CB Defense SmartResponse Plugin performs a number of actions within Carbon Black’s CB Defense platform, including copying or deleting files, obtaining directory or process lists, and dumping memory.
This plugin contains the following actions:
• Change Device Status
• Create CB Defense Configuration File
• Delete File
• Device Status
• Directory List
• Dump Memory
• Get File
• Kill Process
• Process List
1. SRP - Carbon Black Defense
This plugin contains the following actions:
• Change Device Status
• Create CB Defense Configuration File
• Create Policy
• Delete Device
• Delete File
• Device Status
• Directory List
• Dump Memory
• Get File
• Kill Process
• Process List
• Quarantine Device

1. SRP - Carbon Black ThreatHunter
This plugin contains the following actions:
• Create CB ThreatHunter Configuration File
• Create Policy
• Delete File
• Device Status
• Directory List
• Dump Memory
• Get File
• Kill Process
• Process List
• Quarantine Device

1. SRP - Carbon Black LiveOps
This plugin contains the following actions:
• Create CB LiveOps Configuration File
• Create Policy
• Delete File
• Device Status
• Directory List
• Dump Memory
• Get File
• Kill Process
• Process List
• Quarantine Device

1. SRP-Symantec EndPoint Protection REST API
SmartResponse plugin for integration with Symantec Endpoint Protection Manager REST API
Requirements:
• SEPM Server IP/Name
• Admin user username and password
Actions:
• Request Active Scan for Target Computer
• Request Active Scan for Target Computer
• Request EOC Scan for Target Computer (Requires ATP)
• Get requested Command Status using system generated ID
• Cancel requested Command using system generated ID
1. SRP - The Hive V1 (The HIVE)
The Hive SmartResponse plugin uses TheHive’s REST API to create alerts and cases in TheHive using LogRhythm Alarm details and indicators of compromise (IoCs).
This plugin contains the following actions:
• Create The Hive Alert with IoC
• Create The Hive Case from LR
• Create The Hive Configuration File
1. SRP - Windows Incident response and investigation v1
This SRP is intended to execute incident response and investigation actions for Windows. This version only supports executing the command locally from the SM.
Future planned improvements:
1. Remote command execution
2. Better logging of SRP output (it is understood that LR sometimes will not keep the whole output)
1. SRP - Cisco Firepower
Cisco Firepower SmartResponse plugin performs a number of actions in the Cisco Firepower security suite, including blocking a host, adding a host to a group, and retrieving detailed information about a host.
This plugin contains the following actions:
• Add Host to Group
• Block Host
• Create Cisco Firepower Configuration File
• Get Host Information

1. SRP - Swimlane V1
This plugin contains the following actions:
• Create New Incident
• Create Swimlane Application Fields
• Create Swimlane Configuration File

1. SRP - Google Cloud Platform
This plugin contains the following actions:
• Create GCP Configuration File
• Get Resource Details
• Stop VM

1. SRP - SailPoint V2
SailPoint plugin contains the following actions:
• Application Certification (Group)
• Application Certification (Owner)
• Certification for Identity Account
• Certification for Identity Accounts
• Create SailPoint Configuration File
• Disable/Delete Application Accounts
• Disable/Delete Identity Account
• Disable/Delete Identity Accounts
• Identity Password Reset
• Identity Password Reset (All Applications)
• Remove Entitlement from All Identities (Application)
• Remove Identity Entitlement
• Remove Identity Entitlements (Account)
• Remove Identity Entitlements (All Accounts)

1. SRP - G Suite
This plugin contains the following actions:
• Create G Suite Configuration File
• Disable User
• Get User Information
• Permanently Delete Mail
• Reset Password
• Trash Mail

1. SRP - SANS ISC
SANS ISC SmartResponse Plugin retrieves information from the SANS Internet Storm Center (ISC) based on a host's IP address or port number.
This plugin contains the following actions:
• Get IP Information
• Get Port Information

1. SRP - AWS EC2
This plugin contains the following actions:
• Block IP
• Create AWS EC2 Configuration File
• Get EC2 Instance Details
• Remove EC2 Instance
• Restart EC2 Instance
• SnapShot EC2 Instance
• Start EC2 Instance
• Stop EC2 Instance

1. SRP - LogRhythm Case Management
The LogRhythm Case Management SmartResponse plugin performs several functions with the LogRhythm Case API to run a variety of Case-related actions, including adding Playbooks and collaborators and creating or finding cases.
This plugin contains the following actions:
• Add Alarm Summary to Case
• Add Collaborators to Case
• Add Playbook
• Add Tags to Case
• Add Threat Intelligence to a Case
• Add to Existing Case
• Create a New Case
• Create Case Configuration File
• Update Earliest Evidence Timestamp
1. SRP - Windows Update
The Windows Update SmartResponse Plugin displays available updates in Windows and allows users to select which updates to install.
This plugin contains the following actions:
• Get Available Updates
• Install Updates

1. SRP - Crowdstrike
The Crowdstrike SmartResponse plugin uses your CrowdStrike Client ID and Secret ID to gather information about specified hosts, terminate processes, and add specified hosts to an Indicators of Compromise (IOC) list.
This plugin contains the following actions:
• Add Domain to IOC
• Add File Hash to IOC
• Add IP to IOC
• Create CrowdStrike Configuration File
• Display Host Details
• Get Detection Info
• Isolate Host
• Terminate Process
1. SRP - Pushbullet
Pushbullet is a service that allows mobile/tablet devices and browsers (Chrome/Firefox) to receive real-time notifications - https://www.pushbullet.com
This SmartResponse allows pushing a note to the Pushbullet REST API. The note will go to all devices configured in Pushbullet.
Sign-up is free, requires no upfront credit card details, and you also get a number of free credits to start with.
For setup you will need the API key from the 'Settings > Account > Access Tokens' section under your Pushbullet account.
The zip file includes the SmartResponse .LPI file for import into LR along with the action.xml file and PowerShell script, in case you'd like to review the code or adapt it for your needs.
Notes:
• Tested with PowerShell v5
• This SRP should only be run on the Platform Manager
1. SRP - Carbon Black Defense
This plugin contains the following actions:
• Change Device Status
• Create CB Defense Configuration File
• Create Policy
• Delete Device
• Delete File
• Device Status
• Directory List
• Dump Memory
• Get File
• Kill Process
• Process List
• Quarantine Device

1. SRP - Carbon Black ThreatHunter
This plugin contains the following actions:
• Create CB ThreatHunter Configuration File
• Create Policy
• Delete File
• Device Status
• Directory List
• Dump Memory
• Get File
• Kill Process
• Process List
• Quarantine Device

1. SRP - Carbon Black LiveOps
This plugin contains the following actions:
• Create CB LiveOps Configuration File
• Delete File
• Device Status
• Directory List
• Dump Memory
• Get File
• Kill Process
• Process List

1. SRP - Mimecast
This plugin contains the following actions:
• Blacklist a Domain from URL
• Blacklist Domain
• Blacklist Sender
• Block URL
• Create Mimecast V1 Configuration File
• Get Group Members Information
• Get Profile Information

1. SRP - Siemplify
This plugin contains the following actions:
• Create Siemplify Configuration File
• Create Siemplify Case
• Close Siemplify Case
• Raise Incident

1. SRP - Zscaler
The Zscaler SmartResponse plugin performs several actions including blacklisting a URL, getting policy information, and adding a URL category. It contains the following actions:
• Add URL Category
• Blacklist URL
• Create Zscaler V1 Configuration file
• Get Policy Information
• Get URL Category
• Remove URL From BlackList

1. SRP - Cisco SecureX
This plugin contains the following actions:
• Create Case
• Create Cisco SecureX V1 Configuration File
• Create Incident
• View Incident(s)
1. SRP - GPO
This plugin contains the following actions:
• Create GPO Configuration File
• Get GPO Information
• Data Masking for GUID

1. SRP – Sophos Central
This plugin contains the following actions:
• Add Item
• Add URL in Web Control Policy
• Block Item
• Create Sophos Central V1 Configuration file
• List Endpoints
• Start Scan on Endpoint

1. SRP - SCCM
This Plugin has two actions.
1. Get SCCM Updates - To view all the software/updates available in the software center.
2. Install SCCM Updates - To install all the software/updates available in the software center.

1. SRP – Pulse Secure
This plugin contains the following actions:
• Create Pulse Secure V1 Configuration file
• Block Endpoint
• Get active session
• Quarantine Endpoint
• Send Alarm
• Terminate User Session
1. SRP – Carbon Black Cloud V1
• Create Carbon Black Cloud V1 Configuration File
• Add IOC to Watchlist
• Add Process to Approved List
• Add Process to Banned List
• Apply Policy to device
• Create Policy
• Delete Device
• Delete File
• Device Status
• Directory List
• Dismiss Alert
• Dump Memory
• Enriched Events Search
• Execute a custom Script
• Get Binary Metadata
• Get File
• Kill Process
• Process List
• Process Search GUID
• Quarantine Device
• Remove IOC from watchlist
• Unquarantined Device

1. SRP – Sophos Central Expansion Pack
• Isolation of an endpoint by hostname or IPv4
• Endpoint scan by associated user
• Endpoint scan by IPv4

1. SRP - Cortex XDR
• Allow List Files
• Block List Files
• Create Cortex XDR V1 Configuration File
• Get Alerts
• Get Endpoint Policy
• Get Extra Incident Data
• Isolate Endpoint
• Quarantine File
• Restore File
• Unisolate Endpoint
• Update Incident