RW 2019 Hands-On Lab
Lab: LogRhythm API Lab
Lab Summary
Objective: This lab will guide you through connecting to the LogRhythm API, performing some test
requests and finally creating a script to interface with the LogRhythm API. This is achieved through the
following steps:
1. Install Postman
2. Postman Setup
3. Setup LogRhythm for API Access
4. Test Requests in Postman
5. Generate a Python code sample using Postman
6. Create a custom Python script using the code sample
Estimated Time: 30 minutes
Target: Integrator or Administrator
Scenario: You wish to automate the process of adding items to lists. The lab covers LogRhythm's
Admin API and the use of Postman and Python for querying and updating list items.
What is an API
In computer programming, an application programming interface (API) is a set of clearly defined
methods of communication among various software components. This simplifies programming by
abstracting the underlying implementation and only exposing objects or actions the developer needs.
A good API makes it easier to develop a computer program by providing all the building blocks which are
then put together by the programmer.
What does the LogRhythm API do
The LogRhythm API facilitates programmatic administration of the LogRhythm platform and automation
of certain tasks.
Some examples are:
- Add an item to a list
- Create a case
- Change the status of a case to declare an Incident
- Add a playbook to a case
This lab will guide you through the creation of a script which will add an item to a list using the
LogRhythm API.
LogRhythm API Lab 1
What is Postman
- Postman is an API testing tool that sends requests to an API directly and makes it easy to develop
API-based integrations in any common programming language.
- We will use Postman in this lab to test interactions with the LogRhythm API and to generate code
samples to use in our custom scripts.
- Because Postman talks to the LogRhythm API directly, it must be installed on a host which has network
connectivity to the LogRhythm Platform Manager on TCP port 8501 (the HTTPS port the Admin API listens on).
A note on scripting languages
The term scripting language generally refers to a high-level, general-purpose programming language used to
automate tasks. The examples in this lab use Python, but many other scripting languages can be used for the
same purpose; for example, many LogRhythm integrations are written in PowerShell.
Lab Instructions
Getting Started
Established Environment
- LogRhythm 7.4 (preferably not production)
- Postman
- Python with the Requests module
System Requirements
Windows Credentials: localhost/administrator, logrhythm!1
LogRhythm Console Credentials: LogRhythmAdmin, logrhythm!1
Task 1 – Setup LogRhythm for API Access
With Postman installed, we need to configure LogRhythm to accept API requests. To do this:
Open the LogRhythm Client Console, navigate to the Deployment Manager, and the Third-Party
Applications tab.
Add a new application. Name it and add a description so that it’s clear what that integration will be used
for. For example, if we wanted an integration into our inventory management system, you might call the
application Inventory Management and add a description so that others will know what the integration
is intended to do. Be descriptive!
After writing the Name and Description, click Apply. After a few moments, you should see the Client ID
and Client Secret appear. If they do not, click OK, click the refresh icon at the top of the Deployment
Manager window (below File), and then reopen the Third-Party Application Properties.
Now we can create an API token. You can configure how long the token will live before it expires; keep
the lifetime as short as the integration allows. Next, click Generate Token. You will need to tie the token to
a LogRhythm user, so enter the username and password of the account you would like the token to act as.
In this lab use the username LogRhythmAdmin and the password logrhythm!1. Copy the token so it is available
to paste into Postman. Treat the token like a password: until it expires, anyone who holds it can call the
API with the rights of the user it is tied to.
Task 2 – Set up Postman
After running Postman for the first time you will see a screen that looks like this:
We can test LogRhythm API calls using Requests. Select Request and then provide a Request name; for this
lab call it API Test. Postman allows you to save requests into collections, so click Create Collection and
call the collection LogRhythm.
To complete, click Save to LogRhythm.
Lastly, click the spanner icon in the top right of Postman and then click Settings. Within the
Settings dialog, turn SSL Certificate Verification to OFF. This is needed in the lab only because the
Platform Manager presents a self-signed certificate. In a production deployment, import the Platform
Manager certificate (or its issuing CA) into Postman's CA Certificates setting instead of disabling
verification; with verification off, the bearer token is sent to whichever host answers on port 8501.
Task 3 – Configure Bearer Token in Postman
In your Postman workspace, in the tab we just created, in the Authorization section, choose type as
‘Bearer Token’. Paste your token into the token field.
Task 4 – Navigate the LogRhythm API Documentation
Next, we will review the LogRhythm API documentation to identify the correct Request syntax. Open
Chrome web browser on your lab XM and browse to: http://localhost:8505/lr-admin-api/docs
This will display the LogRhythm API documentation. It is generated from the deployment itself, which
means the documentation shown always matches the API version running on your Platform Manager. TIP:
Bookmark this page for future reference!
Click on Lists > Get List Details. This will display the documentation for the Get List Details Request. This
will show relevant Request and Response parameters, along with a Response sample in the right-hand
column.
To copy the Request URI (Uniform Resource Identifier), in the right-hand column, click the down arrow
next to GET /lists/.
Select and copy the URI string as shown above.
Task 5 – Test a GET Request in Postman
Open Postman and paste the copied URI into the Request URL field. Ensure that the Request Type is GET
and that the Bearer Token has been entered in the Authorization tab > Bearer Token (described in Task 3
above), then click Send.
This should return a JSON formatted output which contains details of all Lists currently configured in
LogRhythm, including the List type, status, date created, permissions and number of entries (not the
entries themselves):
Task 6 – Test a POST Request in Postman (Creating a List)
In this step we will use the API to create a list. This requires additional parameters to be sent with the
Request, such as the list name and type. There are a few ways to supply these in Postman; for this lab we
will send them as a JSON body.
In Postman, click the + arrow along the top to create a new Request tab.
Change the Request type to POST, and enter the URL as https://localhost:8501/lr-admin-api/lists/.
Ensure Authorization is set to Bearer Token. Select the Body tab, then the raw radio button, and then
choose JSON (application/json) from the final drop down.
Paste the following JSON in the field below:
{
    "listType": "IP",
    "name": "TestList",
    "autoImportOption": {
        "enabled": false,
        "usePatterns": false,
        "replaceExisting": false
    },
    "readAccess": "PublicAll",
    "writeAccess": "PublicGlobalAdmin",
    "restrictedRead": false,
    "entityName": "Global Entity",
    "needToNotify": false,
    "doesExpire": false,
    "owner": 0
}
The Postman Request should now look like this:
Click Send and the Response should be presented at the bottom of the screen, as above. Keep this tab
open in Postman as you will need some values from this output.
To confirm the Request has worked, open the LogRhythm Client Console > Deployment Manager and
navigate to the List Manager. Filter the Name column on TestList and confirm that your new list has
been created:
Task 7 – Test another POST Request in Postman (Adding an Item to a List)
Now we will use the API to add an item to our list. In Postman, click the + arrow along the top to create a
new Request tab.
Change the Request type to POST, and enter the URL as https://localhost:8501/lr-admin-api/lists/<guid>/items/
(the GUID for your new list was returned in the previous step's output).
Ensure Authorization is set to Bearer Token.
Select the Body tab, then the raw radio button, and select JSON (application/json) as before.
Paste the following JSON in the field below, replacing the listId and guid placeholders with the values
returned by the previous query:
{
    "items": [
        {
            "displayValue": "1.1.1.1",
            "expirationDate": null,
            "isExpired": false,
            "isListItem": false,
            "isPattern": false,
            "listItemDataType": "IP",
            "listItemType": "IP",
            "value": "1.1.1.1",
            "valueAsListReference": {
                "listId": <List ID from previous step output>,
                "guid": "<GUID from previous step output>",
                "listType": "IP",
                "name": "TestList"
            }
        }
    ]
}
(Note that the syntax for this request body is documented in the API documentation under the Add
Items to List method.)
Click Send, and again the result should be shown in the output window below:
Task 8 – Use Postman to generate a Python code sample
Now that we have a working Request, we can use Postman to generate a code sample. For this step, you
will need the Python interpreter installed together with the Python Requests library.
In Postman, while still in the tab for your Request, click the Code link (just underneath the Send
button).
In the dropdown, select Python Requests and click Copy to Clipboard:
Paste the code into your code editor of choice. On this lab VM we will use Notepad++, which is found on
the taskbar. Save it as a .py file (remember to change the Save as type to Python in Notepad++).
Note that you need to add verify=False as a keyword argument to the requests.request(...) call (line 20
in the screenshot below). This is the script equivalent of turning SSL Certificate Verification off in
Postman and is acceptable only against the lab Platform Manager; outside the lab, point verify at a PEM
file containing the Platform Manager certificate or its issuing CA instead.
To run the script, right-click the file you saved, choose Edit with IDLE, and then select Run > Run
Module in the IDLE window.
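The Postman-generated sample hard-codes one token and one list GUID. The script below is an added example, not code from the lab or from LogRhythm, that turns Tasks 5 to 8 into a reusable tool: it reads the token from an environment variable, looks the list up by name with GET /lists/, creates it with the Task 6 body if it is missing, validates the input as IP addresses, and posts them with the Task 7 body. It assumes the endpoint paths used in the lab, that list objects returned by the API carry id, guid, listType and name fields (as the Task 6 output does), and that the Requests library is installed; the environment variable names LR_API_TOKEN, LR_CA_BUNDLE and LR_ADMIN_API are this example's own choice.

```python
"""Add IP addresses to a LogRhythm list through the Admin API (added example, not lab code).

    set LR_API_TOKEN=<token generated in Task 1>
    set LR_CA_BUNDLE=C:/certs/platform-manager.pem    (or "false", lab only)
    python add_to_list.py TestList 1.1.1.1 8.8.8.8
"""
import ipaddress
import json
import os
import sys

# Admin API base URL used throughout the lab (Platform Manager, TCP 8501). Name is our own.
LR_ADMIN_API = os.environ.get("LR_ADMIN_API", "https://localhost:8501/lr-admin-api")


def auth_headers(token):
    """Every call carries the bearer token from Task 1 and a JSON content type."""
    return {"Authorization": "Bearer " + token, "Content-Type": "application/json"}


def parse_verify(setting):
    """Map LR_CA_BUNDLE to the requests 'verify' argument.

    "true" -> system trust store; "false" -> no verification (lab only: the token can be
    intercepted); anything else -> path to a PEM file holding the PM certificate or its CA.
    """
    lowered = setting.strip().lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    return setting.strip()


def validate_ips(values):
    """Reject anything that is not a literal IPv4/IPv6 address before it reaches the list."""
    return [str(ipaddress.ip_address(value)) for value in values]  # ValueError on bad input


def list_create_payload(name, list_type="IP", entity="Global Entity"):
    """Body for POST /lists/, the same shape as the JSON used in Task 6."""
    return {
        "listType": list_type, "name": name,
        "autoImportOption": {"enabled": False, "usePatterns": False, "replaceExisting": False},
        "readAccess": "PublicAll", "writeAccess": "PublicGlobalAdmin", "restrictedRead": False,
        "entityName": entity, "needToNotify": False, "doesExpire": False, "owner": 0,
    }


def list_items_payload(values, target):
    """Body for POST /lists/{guid}/items/ as in Task 7. `target` is the list object returned
    by GET /lists/ or POST /lists/ (assumed to carry id, guid, listType and name)."""
    reference = {"listId": target["id"], "guid": target["guid"],
                 "listType": target["listType"], "name": target["name"]}
    return {"items": [{
        "displayValue": value, "expirationDate": None, "isExpired": False,
        "isListItem": False, "isPattern": False,
        "listItemDataType": target["listType"], "listItemType": target["listType"],
        "value": value, "valueAsListReference": dict(reference),
    } for value in values]}


def find_list(lists, name, list_type="IP"):
    """Locate a list by name and type in a GET /lists/ response (a JSON array of list objects)."""
    for entry in lists:
        if entry.get("name") == name and entry.get("listType") == list_type:
            return entry
    return None


def lr_request(method, path, token, verify, body=None, timeout=30):
    """One Admin API call; raises on any non-2xx status so failures are not silently ignored."""
    import requests  # third-party; imported here so the pure helpers above work without it
    response = requests.request(method, LR_ADMIN_API + path, headers=auth_headers(token),
                                data=json.dumps(body) if body is not None else None,
                                verify=verify, timeout=timeout)
    response.raise_for_status()
    return response.json()


def add_ips_to_list(name, values, token, verify=True):
    """GET the lists, create `name` if absent, then POST the validated IPs to it."""
    values = validate_ips(values)
    target = find_list(lr_request("GET", "/lists/", token, verify), name)
    if target is None:
        target = lr_request("POST", "/lists/", token, verify, list_create_payload(name))
    return lr_request("POST", "/lists/%s/items/" % target["guid"], token, verify,
                      list_items_payload(values, target))


def main(argv):
    if len(argv) < 3:
        print("usage: add_to_list.py <list name> <ip> [<ip> ...]", file=sys.stderr)
        return 2
    token = os.environ.get("LR_API_TOKEN")  # never hard-code the token in the script
    if not token:
        print("LR_API_TOKEN is not set", file=sys.stderr)
        return 2
    verify = parse_verify(os.environ.get("LR_CA_BUNDLE", "true"))
    print(json.dumps(add_ips_to_list(argv[1], argv[2:], token, verify), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the lab VM, set LR_CA_BUNDLE=false to mirror the Postman setting; elsewhere, export the Platform Manager certificate to a PEM file and point LR_CA_BUNDLE at it so the token is only ever sent to the real Platform Manager. The validate_ips step stops a typo or an injected string from being written into a list that AIE rules match against.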
Verify in the LogRhythm Client Console that your new value has been added to your list:
Congratulations, you have now programmatically added an item to a List in LogRhythm using the
LogRhythm API. There are many applications for this function, including automatically adding Indicators
of Compromise harvested from an internal control such as a malware sandbox. An AIE rule can then be
used to alert whenever a log matches an entry on the list.
There are countless other applications for the LogRhythm API; this lab demonstrates the general
workflow to follow when designing an API integration.
Completing the Lab
You are Finished When…
You should be able to generate a bearer token and use it to connect to the LogRhythm REST API via Postman.
You should understand how to reach the API documentation and how to use Postman to produce a Python script
that automates updating a list of IP addresses.
Get CPE Credit
Once you have completed all steps in the lab, ask for a proctor to verify your work and register for the CPE credit.
Additional Resources
https://community.logrhythm.com/t5/SIEM-Best-Practice-Articles/Getting-Started-with-the-LogRhythm-REST-APIs-using-Postman/ta-p/59306