APIs - The Basics - FINAL

The document provides an overview of APIs, specifically focusing on LogRhythm APIs, their functionalities, and tools for integration. It covers the basics of APIs, authentication methods, available LogRhythm APIs, and examples of how to leverage them for various use cases. Additionally, it highlights resources for further learning and community support related to LogRhythm APIs.

APIs: The Basics

Anna Podoplelova & Matt Willems

August 2019

Agenda

Introduction

What Are APIs?

What Tools to Use

How to Authenticate

What LogRhythm APIs are Available?

What Can These APIs Do?

©LogRhythm 2019. All rights reserved. 2



Speakers

Matt Willems, Technical Product Manager, SOAR

Anna Podoplelova, Software Engineer, SOAR


Audience Question

Do you know what an API is?

Have you used an API?


What are APIs?

• API - Application Programming Interface
  - How a service/application exposes functionality to other services/applications

• REST API - Representational State Transfer
  - An architectural style for APIs
  - Like a language – sets expectations of how to communicate


What are APIs – An Example

• There are lots of great public APIs out there – like NASA’s!
• One of their most popular ones: Astronomy Picture of the Day 🤓

    GET https://api.nasa.gov/planetary/apod?api_key=DEMO_KEY


What are APIs – An Example


“APIs First” Approach at LogRhythm

    POST /cases/:id/evidence/note

    { "text": "Add note…" }

• Design philosophy of APIs first
• APIs are how you interface with our application (even if you don’t realize it)
• We use our APIs internally - they need to be powerful, versatile, and stable


How Can I Leverage APIs?

• Write scripts to interact with LogRhythm APIs
• Programmatically integrate LogRhythm with other applications


APIs Available in LogRhythm

- Manage LogRhythm deployment

- Get details about alarms

- Build LogRhythm deployment

- Get case and playbook details, manage playbooks

- Get network session details, manage NetMon


Working with LogRhythm APIs - Tools


• Postman and other API development tools
• Save parameters and set environment variables
• Build and save collections of requests


Working with LogRhythm APIs - Languages

• Python
  - Most popular language for security automation

• PowerShell
  - Already available on Platform Manager and System Monitor hosts
  - Built-in methods for working with REST APIs
    > Invoke-RestMethod

Python example from the slide (the list URL, request body and headers are elided there):

    import requests

    url = "https://10.6.0.107:8501/lr-admin-api/lists/..."
    payload = {..."listType": "IP", "name": "TestList"}}]}
    headers = {...}

    # verify=False turns off TLS certificate checking; outside a lab, pass the
    # path of the Platform Manager's CA bundle instead (verify="/path/to/ca.pem")
    response = requests.request("POST", url, data=payload, headers=headers,
                                verify=False)
    print(response.text)

PowerShell example from the slide:

    function Get-CaseId
    {
        param(
            [string] [Parameter(Mandatory=$true)] $OutputPath,
            [long] [Parameter(Mandatory=$true)] $AlarmId
        )
        # Case id for an alarm is cached on disk as <OutputPath>\<AlarmId>\Case.txt
        $path = [io.path]::combine($OutputPath, $AlarmId, "Case.txt")
        if (test-path $path)
        {
            return (gc $path)
        } else {
            return $null
        }
    }
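The slide's Python snippet sends a token-bearing request with certificate checking disabled. The block below is an added example, not code from the deck or from LogRhythm, that does the same POST with the standard library only, so that it runs without the requests package: the base URL must be HTTPS, the Platform Manager's certificate is verified against a CA bundle, and the token is read from the environment rather than from source. The Bearer authorization scheme, the CA bundle path and the `/lr-admin-api/lists` path (the slide elides it) are assumptions.

```python
import json
import os
import ssl
import urllib.request
from urllib.parse import urlparse

# Illustrative values: the host is the one on the slide, the CA bundle path is an
# assumption, and the token comes from the LR_API_TOKEN environment variable.
BASE_URL = "https://10.6.0.107:8501"
CA_BUNDLE = "/etc/ssl/certs/logrhythm-pm.pem"   # assumed location of the PM's CA certificate


def is_https_url(url: str) -> bool:
    """True only for an https:// URL with a host part."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def build_base_url(url: str) -> str:
    """Accept only HTTPS so the API token never travels in clear text."""
    if not is_https_url(url):
        raise ValueError(f"refusing non-HTTPS base URL: {url!r}")
    return url.rstrip("/")


def build_headers(token: str) -> dict:
    """Authorization header for a LogRhythm API token (Bearer scheme assumed)."""
    if not token or not token.strip():
        raise ValueError("empty API token")
    return {"Authorization": f"Bearer {token.strip()}",
            "Content-Type": "application/json"}


def build_list_payload(name: str, list_type: str = "IP") -> dict:
    """Request body using the two fields the slide shows (listType, name)."""
    if not name.strip():
        raise ValueError("list name is required")
    return {"name": name, "listType": list_type}


def create_list(base_url: str, token: str, name: str, list_type: str = "IP",
                ca_bundle: str = CA_BUNDLE) -> dict:
    """POST the list to lr-admin-api, verifying the PM certificate against ca_bundle."""
    url = f"{build_base_url(base_url)}/lr-admin-api/lists"   # path assumed; the slide elides it
    body = json.dumps(build_list_payload(name, list_type)).encode("utf-8")
    req = urllib.request.Request(url, data=body, headers=build_headers(token), method="POST")
    ctx = ssl.create_default_context(cafile=ca_bundle)        # replaces verify=False
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(create_list(BASE_URL, os.environ["LR_API_TOKEN"], "TestList"))
```

The helpers are kept separate from the network call so the URL, header and payload logic can be unit-tested without a Platform Manager in reach.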


Working with LogRhythm APIs - Getting a Token


Working with LogRhythm APIs - Documentation

Where to get help


• Documentation
  - ReDoc hosted at
    https://<PM-IP>:8501/lr-case-api/docs
    https://<PM-IP>:8501/lr-admin-api/docs
• Community Site
• Community Slack
  - API channel

NetMon API
https://<netmon-ip>
Go to NetMon Help -> Appendices -> Web API

• Get session information, general appliance information, capture configurations, download PCAPs and reconstructed file attachments
• Everything you can do from the UI!
• Use cases:
  - “I need to retrieve PCAP when a certain type of traffic is observed.”

REQUEST:
    POST https://{{Host}}/api/pcap/actions/download

REQUEST BODY:
    {
      "sessions": ["..."]
    }

RESPONSE:
    Zip file containing PCAPs
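The PCAP download call returns a zip archive, and an automation that writes its members to disk should treat the archive as untrusted input. The block below is an added example (not code from the deck or from LogRhythm): it builds the request body from the slide, then unpacks a constructed stand-in archive, keeping only entries that are `.pcap` files with a capture-file magic number and whose names cannot escape the destination directory. The session id is a placeholder and the archive contents are constructed for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Magic numbers of libpcap (both byte orders) and pcapng capture files.
PCAP_MAGIC = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x0a\x0d\x0d\x0a")


def build_download_request(session_ids) -> dict:
    """Body for POST https://{{Host}}/api/pcap/actions/download, as on the slide."""
    ids = [s for s in session_ids if s]
    if not ids:
        raise ValueError("at least one NetMon session id is required")
    return {"sessions": ids}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive NetMon returns; not real capture data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("session-1.pcap", PCAP_MAGIC[0] + b"\x00" * 20)
        z.writestr("session-2.pcap", PCAP_MAGIC[0] + b"\x00" * 20)
        z.writestr("notes.txt", b"not a capture")                 # wrong type: skipped
        z.writestr("../outside.pcap", PCAP_MAGIC[0] + b"\x00")    # escapes dest dir: skipped
        z.writestr("bogus.pcap", b"MZ\x90\x00")                   # wrong magic: skipped
    return buf.getvalue()


def safe_pcap_members(data: bytes):
    """Yield (file name, content) for archive entries that pass the checks above."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            p = PurePosixPath(info.filename)
            if info.is_dir() or p.is_absolute() or ".." in p.parts:
                continue                      # directory, absolute path or traversal
            if p.suffix.lower() != ".pcap":
                continue
            content = z.read(info)
            if not content.startswith(PCAP_MAGIC):
                continue                      # extension says pcap, bytes do not
            yield p.name, content


def extract_pcaps(data: bytes, dest: Path) -> list:
    """Write vetted captures into dest (flat) and return the names written."""
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    for name, content in safe_pcap_members(data):
        (dest / name).write_bytes(content)
        written.append(name)
    return written


def demo() -> list:
    """Run the flow on the constructed archive inside a fresh temporary directory."""
    return extract_pcaps(build_sample_zip(), Path(tempfile.mkdtemp()))


if __name__ == "__main__":
    print(build_download_request(["<session-id placeholder>"]))
    print(demo())
```

Only the base name of each entry is used when writing, so even a name that passes the path checks cannot create subdirectories under the destination.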

LRDeploy API (8.0.0+)

• Install and upgrade LogRhythm components

• Use cases:
  - Coming soon!


Cache Drilldown API
Documentation on Community (see Resources slide)

• Get aggregate data or raw logs that triggered an AIE rule
• Use cases:
  - “This AIE alarm may represent an incident - I’d like to pull all the drilldown results associated with it.”

REQUEST:
    GET https://{{Host}}:8501/lr-drilldown-cache-api/drilldown/{{AlarmID}}

RESPONSE BODY:
    {
      "Data": {
        "DrillDownResults": {
          "AlarmID": 5177,
          "AIERuleID": 1000000008,
          "AIERuleName": "Network Anomaly: Suspicious IP",
          "Status": 4,
          "LastDxTimeStamp": "0001-01-01T00:00:00",
          "RuleBlocks": [ ... ],
          "DateInserted": "2018-05-12T16:25:12.167",
          "AlarmGuid": "...",
          "EventID": 2324750,
          "AIEMsgXml": "...",
          "NormalMessageDate": "2018-05-12T16:25:04.71",
          "WebConsoleId": "...",
          "Priority": 81
        },
        "DrillDownSummary": null
      }
    }
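The use case on this slide is pulling the drilldown results for an alarm and deciding whether it deserves attention. The block below is an added example, not code from the deck or from LogRhythm, that reduces a response body shaped like the one above to the fields an analyst triages on. It handles the two edge cases visible in the sample: `DrillDownSummary` can be null, and `LastDxTimeStamp` can hold `0001-01-01T00:00:00`, which this example treats as "not set". The sample body is constructed from the slide's fields (GUIDs and XML are placeholders, the RuleBlocks entries are empty because the slide elides them), and the priority threshold is an assumption.

```python
from datetime import datetime
from typing import Optional

# Constructed response body mirroring the slide; placeholders where the slide elides values.
SAMPLE_BODY = {
    "Data": {
        "DrillDownResults": {
            "AlarmID": 5177,
            "AIERuleID": 1000000008,
            "AIERuleName": "Network Anomaly: Suspicious IP",
            "Status": 4,
            "LastDxTimeStamp": "0001-01-01T00:00:00",
            "RuleBlocks": [{}, {}],          # contents elided on the slide
            "DateInserted": "2018-05-12T16:25:12.167",
            "AlarmGuid": "00000000-0000-0000-0000-000000000000",   # placeholder
            "EventID": 2324750,
            "AIEMsgXml": "<placeholder/>",
            "NormalMessageDate": "2018-05-12T16:25:04.71",
            "WebConsoleId": "placeholder",
            "Priority": 81,
        },
        "DrillDownSummary": None,
    }
}

UNSET_TIMESTAMP = "0001-01-01T00:00:00"   # interpreted here as "no drilldown has run yet"


def parse_timestamp(value: Optional[str]) -> Optional[datetime]:
    """Parse the API's timestamps; fractional seconds vary in length (.71, .167)."""
    if not value or value == UNSET_TIMESTAMP:
        return None
    base, _, frac = value.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int(frac.ljust(6, "0")[:6]))
    return dt


def summarize_drilldown(body: dict) -> dict:
    """Reduce a drilldown response to the fields used for triage."""
    data = body.get("Data") or {}
    results = data.get("DrillDownResults") or {}
    if "AlarmID" not in results:
        raise ValueError("response carries no DrillDownResults")
    return {
        "alarm_id": results["AlarmID"],
        "rule_id": results.get("AIERuleID"),
        "rule_name": results.get("AIERuleName"),
        "priority": results.get("Priority"),
        "inserted": parse_timestamp(results.get("DateInserted")),
        "last_drilldown": parse_timestamp(results.get("LastDxTimeStamp")),
        "rule_block_count": len(results.get("RuleBlocks") or []),
        "has_summary": data.get("DrillDownSummary") is not None,
    }


def needs_attention(summary: dict, threshold: int = 80) -> bool:
    """Assumed triage rule: alarms at or above the priority threshold are worked first."""
    return (summary.get("priority") or 0) >= threshold


if __name__ == "__main__":
    s = summarize_drilldown(SAMPLE_BODY)
    print(s, needs_attention(s))
```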
Administration API (7.4.0+)
https://<PM-IP>:8501/lr-admin-api/docs

• List management
• User management
• Entity management
• TrueIdentity management
• Use cases:
  - “I need to create a batch of users since we’re onboarding lots of new employees.”
  - “I need to create a Host record in a specific Entity.”

REQUEST:
    POST https://{{Host}}:8501/lr-admin-api/hosts

RESPONSE BODY:
    {
      "id": 0,
      "entity": {
        "id": 1,
        "name": "Primary Site"
      },
      "name": "Test Host",
      "riskLevel": "Medium-Medium",
      "threatLevel": "Medium-Medium",
      "recordStatusName": "New",
      "hostZone": "Internal",
      "location": {
        "id": 17813,
        "name": "Boulder"
      },
      "os": "Windows",
      "useEventlogCredentials": false,
      "osType": "Windows"
    }
Case Management API (7.3.1+)
https://<PM-IP>:8501/lr-case-api/docs

• Create, edit, and filter cases
• Add evidence to cases
• Playbook and procedures management
• Use cases:
  - “I want to create custom metrics around case management usage.”
  - “I want to see how many cases we have with a ‘phishing’ tag to decide whether our employees need more training around phishing.”

REQUEST:
    GET https://{{Host}}:8501/lr-case-api/cases?tagNumber=2

RESPONSE BODY:
    [
      {
        "id": "51228EF1-75EA-4D6A-99E2-64B719AFFE12",
        "number": 791,
        "name": "Phishing Email",
        "owner": {
          "name": "LogRhythm Analyst", ...
        },
        ...
        "tags": [
          {
            "number": 2,
            "text": "phishing"
          }
        ]
      },
      { ... }
    ]
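Both use cases on this slide are metrics over the case list: how many cases carry a given tag, and custom counts around case usage. The block below is an added example, not code from the deck or from LogRhythm, that builds the query URL from the slide and computes those metrics over records shaped like the response above. The case records are constructed (the first mirrors the slide; the other ids, names and tag numbers are placeholders), and the case-insensitive tag match and the "unassigned" label for cases without an owner are this example's own choices.

```python
from collections import Counter
from typing import Optional
from urllib.parse import urlencode

# Constructed case records shaped like the slide's response; ids after the first are placeholders.
SAMPLE_CASES = [
    {"id": "51228EF1-75EA-4D6A-99E2-64B719AFFE12", "number": 791, "name": "Phishing Email",
     "owner": {"name": "LogRhythm Analyst"},
     "tags": [{"number": 2, "text": "phishing"}]},
    {"id": "00000000-0000-0000-0000-000000000002", "number": 792, "name": "Suspicious Login",
     "owner": {"name": "LogRhythm Analyst"},
     "tags": [{"number": 5, "text": "credential-abuse"}]},
    {"id": "00000000-0000-0000-0000-000000000003", "number": 793, "name": "Reported Email",
     "owner": {"name": "Second Analyst"},
     "tags": [{"number": 2, "text": "Phishing"}, {"number": 7, "text": "user-reported"}]},
    {"id": "00000000-0000-0000-0000-000000000004", "number": 794, "name": "Untagged",
     "owner": None, "tags": []},
]


def cases_url(host: str, tag_number: Optional[int] = None) -> str:
    """URL for the case query on the slide; tagNumber is the filter the slide uses."""
    base = f"https://{host}:8501/lr-case-api/cases"
    if tag_number is None:
        return base
    return f"{base}?{urlencode({'tagNumber': tag_number})}"


def has_tag(case: dict, text: str) -> bool:
    """Case-insensitive tag match that tolerates a missing or null tags field."""
    wanted = text.lower()
    return any((t.get("text") or "").lower() == wanted for t in case.get("tags") or [])


def cases_with_tag(cases, text: str) -> list:
    """Cases carrying the tag, in the order the API returned them."""
    return [c for c in cases if has_tag(c, text)]


def tag_counts(cases) -> Counter:
    """How many cases carry each tag (tags compared case-insensitively)."""
    return Counter((t.get("text") or "").lower()
                   for c in cases for t in c.get("tags") or [])


def owner_counts(cases) -> Counter:
    """Open-case load per owner; cases without an owner are counted as 'unassigned'."""
    return Counter((c.get("owner") or {}).get("name", "unassigned") for c in cases)


if __name__ == "__main__":
    print(cases_url("<PM-IP>", 2))
    print([c["number"] for c in cases_with_tag(SAMPLE_CASES, "phishing")])
    print(tag_counts(SAMPLE_CASES), owner_counts(SAMPLE_CASES))
```

Filtering server-side with `tagNumber` is cheaper than pulling every case, but the client-side helpers are still useful when tag text is the only thing an analyst knows, or when the same records feed several metrics.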

API Roadmap

- Search for log data

- Execute SmartResponse actions and get results

- Query alarms and details, set status, add comments

What other APIs would help you? How would you use them?


Additional Resources

Related Sessions

• Deep Dive Labs – Tuesday & Thursday
  - LogRhythm APIs 101
  - Building SmartResponse Plugins
• Threat Hunting Automation Using LogRhythm – Thursday

Key Resources

• Getting Started with the LogRhythm REST APIs using Postman [Link]
• AIE Drilldown API Documentation [Link]
• LogRhythm Community Slack [Link]
• Postman [Link]

Want help implementing what you just saw? Ask your Customer Success Manager about our Co-Pilot Services.



More Resources on the LogRhythm Community

Dedicated RhythmWorld Section with all presentation content

The LogRhythm Community also includes discussions with other users and LogRhythm experts, documentation, software downloads, shareable resources — SmartResponse plugins, dashboards, playbooks, DPA rules, and more!



The next Deep Dives
will start at:

1:45pm & 2:30pm
