All communication from the SIEM (Security Information and Event Management) to Orchestrator (On-Premise and Azure) is performed via a webhook: the SIEM calls an API endpoint implemented within the Orchestrator. LogRhythm connects to this endpoint through a feature called SmartResponse.

SmartResponse allows the creation of a plugin containing a PowerShell script that accepts parameters passed from a triggered alarm. SafeTitan provides this plugin, but you need to install it in your LogRhythm instance and associate it with the alarms you have set up.

For SmartResponse to communicate with Orchestrator, it needs the full URL of the endpoint, which must be configured as a system environment variable named SMART_RESPONSE_URI. Note that the Azure form of this URL contains your API key, so treat the variable as a secret and limit who can log on to the LogRhythm server. The variable is added as follows:

  1. Depending on whether you are using the On-Premise or Azure Orchestrator, the URL value for the environment variable has different formats:

    • For the On-Premise setup, the URL format is:

      {Orchestrator Site Path}/api/SIEM/logrhythm/smartresponse. For example, http://localhost:5555/api/SIEM/logrhythm/smartresponse.

    • If you are using Azure Orchestrator, the URL format is: {api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}

  2. To add the SmartResponse plugin to LogRhythm, take the ARPlugin***.lpi file that was provided by SafeTitan and place it on the same server as the LogRhythm installation.

  3. Open the LogRhythm desktop client and select Deployment Manager from the toolbar.

  4. From the menu bar, select Tools > Administration > SmartResponse Plugin Manager.

  5. In the window that opens, select Actions > Import. Then select the ARPlugin.lpi file that you copied to the server, and select Open. This will install the plugin to LogRhythm.

    Once the plugin has been installed, it can be associated with both new and existing alarms.

  6. To associate SmartResponse with an alarm, open the LogRhythm desktop client, select Deployment Manager, and then select the AI Engine tab, which lists all the Alarm Rules that have been created.

  7. Double-click the Alarm Rule you want to associate with SmartResponse, and in the window that opens, select the Actions tab.

  8. From the Set Action dropdown menu, select the SmartResponse plugin. The parameters list appears.

    Most of these parameters are auto-populated; only one needs to be set manually.

  9. Select the User parameter, set its Type to Alarm Field and its Value to User (Impacted) Identity.

  10. Once completed, select Save Action > OK. You will be asked to restart the AI Engine Servers to apply the changes. This can be done by selecting Restart AI Engine Servers at the top of the AI Engine tab.

  11. Repeat these steps for each alarm you want to associate with the SmartResponse plugin.
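The following PowerShell script is an added example for step 1 above; it is not SafeTitan's plugin or LogRhythm's own code. It validates the SMART_RESPONSE_URI value against the URL formats described above (endpoint path, the orchid and orgId query parameters of the Azure form, and whether https is used), stores it as a Machine-scope system environment variable, reads it back, and checks that the Orchestrator host and port are reachable. The URL assigned to $uri is a placeholder assumption; the Test-SmartResponseUri function name is ours.

```powershell
# Added example, not SafeTitan's or LogRhythm's own code. Run in an elevated
# PowerShell session on the LogRhythm server (writing a Machine-scope variable
# needs local administrator rights). The URL is a placeholder assumption:
# substitute your own Orchestrator site path or the Azure URL from the portal.
$uri = 'http://localhost:5555/api/SIEM/logrhythm/smartresponse'

Add-Type -AssemblyName System.Web   # HttpUtility, needed on Windows PowerShell 5.1

function Test-SmartResponseUri {
    param([Parameter(Mandatory)][string]$Uri)

    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) {
        throw "SMART_RESPONSE_URI is not an absolute URL: $Uri"
    }
    # Both URL forms end in the SmartResponse endpoint path.
    if ($parsed.AbsolutePath -ne '/api/SIEM/logrhythm/smartresponse') {
        throw "Unexpected path '$($parsed.AbsolutePath)'; expected /api/SIEM/logrhythm/smartresponse"
    }
    if ($parsed.Query) {
        # Azure form: orchid and orgId (and the API key) travel in the query string.
        $q = [System.Web.HttpUtility]::ParseQueryString($parsed.Query)
        foreach ($name in 'orchid', 'orgId') {
            if (-not $q[$name]) { throw "Azure URL is missing the '$name' query parameter" }
        }
        if ($parsed.Scheme -ne 'https') {
            Write-Warning 'The Azure URL embeds an API key; use https so it is not sent in clear text.'
        }
    }
    elseif ($parsed.Scheme -ne 'https' -and -not $parsed.IsLoopback) {
        Write-Warning "Alarm data will be sent over plain http to $($parsed.Host)."
    }
    return $parsed
}

$parsed = Test-SmartResponseUri -Uri $uri

# Machine scope makes the variable visible to the account that runs the plugin.
[Environment]::SetEnvironmentVariable('SMART_RESPONSE_URI', $uri, [System.EnvironmentVariableTarget]::Machine)

# Read it back from the registry-backed Machine scope; the running session's own
# environment block is not refreshed, and neither is any service already running.
$stored = [Environment]::GetEnvironmentVariable('SMART_RESPONSE_URI', [System.EnvironmentVariableTarget]::Machine)
if ($stored -ne $uri) { throw 'SMART_RESPONSE_URI was not stored as expected' }

# Confirm the Orchestrator port answers before wiring alarms to the plugin.
$tcp = Test-NetConnection -ComputerName $parsed.Host -Port $parsed.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Cannot reach $($parsed.Host):$($parsed.Port); check the Orchestrator site path and firewall."
}
else {
    Write-Host "SMART_RESPONSE_URI set; $($parsed.Host):$($parsed.Port) is reachable."
}
```

Because a process inherits its environment block when it starts, any LogRhythm service that was already running when the variable was set will not see it until that service is restarted. A Machine-scope variable is also readable by every local user of the server, which is why the Azure URL with its embedded API key should only be configured on a host where logon is restricted to administrators.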