LogRhythm Axon
The LogRhythm Axon connector enables seamless integration with Swimlane Turbine, facilitating automated case management and activity tracking for enhanced security operations.

LogRhythm Axon is a security analytics and case management solution that enables organizations to streamline their threat detection and response efforts. This connector allows Swimlane Turbine users to integrate with LogRhythm Axon, providing the ability to create, update, and manage cases and activities directly within the Swimlane platform. By leveraging this integration, users can automate case management workflows, enhance incident response, and maintain a centralized view of security operations, all without the need for coding.

The Swimlane LogRhythm Axon SIEM connector integrates with Swimlane to do case management (create, update, retrieve and search for cases).

## Prerequisites

To effectively utilize the LogRhythm Axon connector within Swimlane Turbine, ensure you have the following prerequisites:

- API key authentication
  - URL: the endpoint URL for the LogRhythm Axon API
  - API key: a valid API key provided by LogRhythm Axon for authentication

## Capabilities

The Swimlane LogRhythm Axon SIEM connector has the following capabilities:

- Create a case
- Create an activity
- Change status for multiple cases
- Search for cases in a tenant using a string
- Retrieve activity entries
- Retrieve all the cases for a tenant
- Retrieve all cases for tenant
- Retrieve an activity by ID for a tenant
- Update an activity description
- Update an activity
- Update a case

## API keys

Analysts are able to manage API keys from their profile, authorizing third-party software to connect with Axon.

To manage API keys:

1. From the dashboard, in the upper right corner, click the user menu icon.
2. Click My Account. The My Account page appears.
3. Click the API Keys tab. A list of the user's API keys appears.

### Add new API key

To add a new API key:

1. From the API Keys tab, click + Add New API Key in the top right corner. The Add New API Key pop-up appears.
2. Enter a descriptive, unique API key name for this new API key.
3. Click Generate Key. The Copy API Key pop-up appears.
4. Click the copy icon to copy the generated API key. Save the key in a secure location for your records; generated API keys cannot be retrieved once this window is closed.
5. Click the Copy and Close button. The pop-up closes and the new API key is added to the list.

### Authorization

To authorize an Axon API request, you must use an Axon API key in the Authorization header of your request. For instructions on how to get an Axon API key, see API keys. The Authorization header should not have a prefix (no `Bearer` or similar scheme in front of the key). For example:

```
Authorization: abcd-1234-efghijk-567-lmno-8910pqr
```

## Notes

- Axon Case API documentation: https://docs.logrhythm.com/axon/docs/axon-case-management-api-endpoints

## Configurations

### LogRhythm Axon API key authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Authorization | API key | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP proxy | A proxy to route requests through | string | Optional |

## Actions

### Change status for multiple cases

Updates the status and severity of, and adds comments to, multiple cases in LogRhythm Axon, requiring tenantId, status, severity, and comment.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/cases`

Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | Parameters for the Change status for multiple cases action |
| status | string | Optional | Status value |
| severity | string | Optional | Parameter for Change status for multiple cases |
| ownerId | string | Optional | Unique identifier |
| description | string | Optional | Parameter for Change status for multiple cases |
| comment | string | Optional | Parameter for Change status for multiple cases |
| caseIds | string | Optional | Unique identifier |

Input example:

```json
{
  "json_body": {
    "status": "new",
    "severity": "critical",
    "ownerId": "de4e",
    "description": "description",
    "comment": "comment",
    "caseIds": "dew234"
  },
  "path_parameters": {"tenantId": "lrcxc"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
    "requestId": "string",
    "error": {"status": 0, "message": "string", "validationFailures": []},
    "status": "OK"
  }
}
```

### Create a case

Create a new case in LogRhythm Axon with the specified tenant ID, name, status, and severity.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/cases`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | Parameters for the Create a case action |
| ownerUserId | string | Optional | Unique identifier |
| name | string | Optional | Name of the resource |
| description | string | Optional | Parameter for Create a case |
| incident | boolean | Optional | Unique identifier |
| valid | boolean | Optional | Unique identifier |
| status | string | Optional | Status value |
| severity | string | Optional | Parameter for Create a case |
| observationName | string | Optional | Name of the resource |
| collaborators | array | Optional | Parameter for Create a case |
| collaborators.collaboratorId | string | Required | Unique identifier |

Input example:

```json
{
  "json_body": {
    "ownerUserId": "123456789",
    "name": "Phishing from Sweden",
    "description": "Possible phishing attempt from Sweden",
    "incident": true,
    "valid": true,
    "status": "In progress",
    "severity": "Critical",
    "observationName": "string",
    "collaborators": [{"collaboratorId": "11223344"}]
  },
  "path_parameters": {"tenantId": "8zcdjvs-csleiyhr9nxq-pg6mymsdr"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| tenantId | string | Unique identifier |
| createdOn | string | Output field createdOn |
| updatedOn | string | Output field updatedOn |
| ownerUserId | string | Unique identifier |
| number | number | Output field number |
| name | string | Name of the resource |
| description | string | Output field description |
| incident | boolean | Unique identifier |
| valid | boolean | Unique identifier |
| status | string | Status value |
| severity | string | Output field severity |
| observationName | string | Name of the resource |
| createdBy | string | Output field createdBy |
| updatedBy | string | Output field updatedBy |
| firstLogDate | string | Date value |
| lastLogDate | string | Date value |
| collaborators | array | Output field collaborators |
| collaborators.tenantId | string | Unique identifier |
| collaborators.id | string | Unique identifier |
| collaborators.createdOn | string | Output field collaborators.createdOn |
| collaborators.updatedOn | string | Output field collaborators.updatedOn |
| collaborators.caseId | string | Unique identifier |

Output example:

```json
{
  "id": "12345678-1234-1234-1234-123456789abc",
  "tenantId": "string",
  "createdOn": "string",
  "updatedOn": "string",
  "ownerUserId": "string",
  "number": 123,
  "name": "Example Name",
  "description": "string",
  "incident": true,
  "valid": true,
  "status": "Active",
  "severity": "string",
  "observationName": "Example Name",
  "createdBy": "string",
  "updatedBy": "string"
}
```

### Create an activity

Generates a new activity in LogRhythm Axon linked to a specific case, requiring tenantId, caseId, description, and type.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/activities`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | tenantId |
| caseId | string | Optional | Unique identifier |
| description | string | Optional | Parameter for Create an activity |
| queryFilter | string | Optional | Parameter for Create an activity |
| type | string | Optional | Type of the resource |
| logs | array | Optional | Parameter for Create an activity |
| logs.logId | string | Required | Unique identifier |
| attachments | array | Optional | Parameter for Create an activity |
| attachments.name | string | Required | Name of the resource |
| attachments.location | string | Required | Parameter for Create an activity |

Input example:

```json
{
  "json_body": {
    "caseId": "123456789",
    "description": "Details of the event",
    "queryFilter": "Details of the event",
    "type": "comment | log | attachment",
    "logs": [{"logId": "123456789"}],
    "attachments": [{"name": "file name", "location": "file location"}]
  },
  "path_parameters": {"tenantId": "8zcdjvs-csleiyhr9nxq-pg6mymsdr"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| tenantId | string | Unique identifier |
| createdOn | string | Output field createdOn |
| updatedOn | string | Output field updatedOn |
| activityId | string | Unique identifier |
| comment | string | Output field comment |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "8zcdjvs-csleiyhr9nxq-pg6mymsdr",
    "tenantId": "string",
    "createdOn": "2023-12-26T05:41:41.544Z",
    "updatedOn": "2023-12-26T05:41:41.544Z",
    "activityId": "123456789",
    "comment": "Details of the event"
  }
}
```

### Retrieve activity entries

Retrieve all activity entries associated with a given case and tenant in LogRhythm Axon, requiring caseId and tenantId as path parameters.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/activities/byCaseId/{{caseId}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseId | string | Required | Parameters for the Retrieve activity entries action |
| path_parameters.tenantId | string | Required | Parameters for the Retrieve activity entries action |
| parameters.afterId | string | Optional | Parameters for the Retrieve activity entries action |
| parameters.limit | number | Optional | Parameters for the Retrieve activity entries action |
| parameters.sort | string | Optional | Parameters for the Retrieve activity entries action |

Input example:

```json
{
  "parameters": {
    "afterId": "0f54a194-d75a-4a60-8c68-d4b8e66c971c",
    "limit": 10,
    "sort": "asc"
  },
  "path_parameters": {"caseId": "ders", "tenantId": "lrcxc"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |
| paginationInfo | object | Output field paginationInfo |
| paginationInfo.totalCount | number | Count value |
| paginationInfo.nextPage | string | Output field paginationInfo.nextPage |
| content | array | Response content |
| content.tenantId | string | Unique identifier |
| content.id | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.caseId | string | Unique identifier |
| content.description | string | Response content |
| content.queryFilter | string | Response content |

Output example (cut off in the source):

```json
{
  "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
  "requestId": "string",
  "error": {"status": 123, "message": "string", "validationFailures": [{}]},
  "status": "Active",
  "paginationInfo": {"totalCount": 123, "nextPage": "string"},
  "content": [{"tenantId": "string", "id": "12345678-1234-1234-1234-123456789abc", "createdOn": "string", "updatedOn": "string", "caseId": "string", "description": "string", "queryFilter": "string", "type": "string", "createdBy": "string", "updatedBy": "string", "firstLogDate": "stri
```

### Retrieve all the cases for a tenant

Retrieve all cases associated with a specified tenant ID in LogRhythm Axon, requiring the tenantId as a path parameter.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/cases`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | The identifier of the tenant |
| parameters.afterId | string | Optional | Parameters for the Retrieve all the cases for a tenant action |
| parameters.limit | string | Optional | Parameters for the Retrieve all the cases for a tenant action |
| parameters.sort | string | Optional | Parameters for the Retrieve all the cases for a tenant action |

Input example:

```json
{
  "parameters": {
    "afterId": "0f54a194-d75a-4a60-8c68-d4b8e66c971c",
    "limit": "10",
    "sort": "field asc"
  },
  "path_parameters": {"tenantId": "8zcdjvs-csleiyhr9nxq-pg6mymsdr"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |
| paginationInfo | object | Output field paginationInfo |
| paginationInfo.totalCount | number | Count value |
| paginationInfo.nextPage | string | Output field paginationInfo.nextPage |
| content | array | Response content |
| content.tenantId | string | Unique identifier |
| content.id | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.ownerUserId | string | Unique identifier |
| content.number | number | Response content |
| content.name | string | Name of the resource |

Output example (cut off in the source):

```json
{
  "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
  "requestId": "string",
  "error": {"status": 123, "message": "string", "validationFailures": [{}]},
  "status": "Active",
  "paginationInfo": {"totalCount": 123, "nextPage": "string"},
  "content": [{"tenantId": "string", "id": "12345678-1234-1234-1234-123456789abc", "createdOn": "string", "updatedOn": "string", "ownerUserId": "string", "number": 123, "name": "Example Name", "description": "string", "incident": true, "valid": true, "status": "Active", "severity": "st
```

### Retrieve an activity by ID for a tenant

Retrieve details of a specific activity by its ID for a given tenant in LogRhythm Axon, requiring both 'id' and 'tenantId'.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/activities/{{id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | The identifier of the tenant |
| path_parameters.id | string | Required | The system identifier for this object |

Input example:

```json
{
  "path_parameters": {"tenantId": "8zcdjvs-csleiyhr9nxq-pg6mymsdr", "id": "qo0kzv3omjlq75a"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |
| content | object | Response content |
| content.tenantId | string | Unique identifier |
| content.id | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.caseId | string | Unique identifier |
| content.description | string | Response content |
| content.queryFilter | string | Response content |
| content.type | string | Type of the resource |
| content.createdBy | string | Response content |
| content.updatedBy | string | Response content |

Output example (cut off in the source):

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
    "requestId": "string",
    "error": {"status": 0, "message": "string", "validationFailures": []},
    "status": "OK",
    "content": {"tenantId": "string", "id": "gtk-6p8cqbqaowsl2-2yqcm-uzewxmtfz", "createdOn": "2023-12-27T05:41:31.122Z", "updatedOn": "2023-12-27T05:41:31.122Z", "caseId": "123456789", "description": "Details of the event", "queryFilter": "Details of the event", "type": "comm
```

### Retrieve all cases for tenant

Retrieves all cases for a specified tenant in LogRhythm Axon, with options to filter by severity or status.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/cases/byStatusAndPriorityAndOwnerPattern`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | Parameters for the Retrieve all cases for tenant action |
| parameters.afterId | string | Optional | Parameters for the Retrieve all cases for tenant action |
| parameters.limit | number | Optional | Parameters for the Retrieve all cases for tenant action |
| parameters.ownerEmail | string | Optional | Parameters for the Retrieve all cases for tenant action |
| parameters.severity | string | Optional | Parameters for the Retrieve all cases for tenant action |
| parameters.sort | string | Optional | Parameters for the Retrieve all cases for tenant action |
| parameters.status | string | Optional | Parameters for the Retrieve all cases for tenant action |

Input example:

```json
{
  "parameters": {
    "afterId": "0f54a194-d75a-4a60-8c68-d4b8e66c971c",
    "limit": 10,
    "ownerEmail": "%road runn%",
    "severity": "crit",
    "sort": "field asc",
    "status": "clo"
  },
  "path_parameters": {"tenantId": "lrcxc"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| requestId | string | Unique identifier |
| paginationInfo | object | Output field paginationInfo |
| paginationInfo.nextPage | string | Output field paginationInfo.nextPage |
| content | array | Response content |
| content.tenantId | string | Unique identifier |
| content.id | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.ownerUserId | string | Unique identifier |
| content.number | number | Response content |
| content.name | string | Name of the resource |
| content.description | string | Response content |
| content.incident | boolean | Unique identifier |
| content.valid | boolean | Unique identifier |
| content.status | string | Status value |
| content.severity | string | Response content |
| content.createdBy | string | Response content |
| content.updatedBy | string | Response content |
| content.createdByEmail | string | Response content |
| content.updatedByEmail | string | Response content |
| content.observationName | string | Name of the resource |
| content.observation | string | Response content |
| content.firstLogDate | string | Response content |

Output example:

```json
{
  "requestId": "string",
  "paginationInfo": {"nextPage": "string"},
  "content": [
    {
      "tenantId": "string",
      "id": "12345678-1234-1234-1234-123456789abc",
      "createdOn": "string",
      "updatedOn": "string",
      "ownerUserId": "string",
      "number": 123,
      "name": "Example Name",
      "description": "string",
      "incident": true,
      "valid": true,
      "status": "Active",
      "severity": "string",
      "createdBy": "string",
      "updatedBy": "string",
      "createdByEmail": "string"
    }
  ]
}
```

### Search for cases in a tenant using a string

Performs a search for cases within a specified tenant in LogRhythm Axon using the given search criteria.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/cases/search`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | Parameters for the Search for cases in a tenant using a string action |
| parameters.afterId | string | Optional | Parameters for the Search for cases in a tenant using a string action |
| parameters.caseStatus | string | Optional | Parameters for the Search for cases in a tenant using a string action |
| parameters.searchCriteria | string | Required | Parameters for the Search for cases in a tenant using a string action |
| parameters.limit | string | Optional | Parameters for the Search for cases in a tenant using a string action |
| parameters.sort | string | Optional | Parameters for the Search for cases in a tenant using a string action |

Input example:

```json
{
  "parameters": {
    "afterId": "0f54a194-d75a-4a60-8c68-d4b8e66c971c",
    "caseStatus": "open or all",
    "searchCriteria": "%feb%",
    "limit": 10,
    "sort": "field asc"
  },
  "path_parameters": {"tenantId": "8zcdjvs-csleiyhr9nxq-pg6mymsdr"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |
| paginationInfo | object | Output field paginationInfo |
| paginationInfo.totalCount | number | Count value |
| paginationInfo.nextPage | string | Output field paginationInfo.nextPage |
| content | array | Response content |
| content.tenantId | string | Unique identifier |
| content.id | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.ownerUserId | string | Unique identifier |
| content.number | number | Response content |
| content.name | string | Name of the resource |

Output example (cut off in the source):

```json
{
  "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
  "requestId": "string",
  "error": {"status": 123, "message": "string", "validationFailures": [{}]},
  "status": "Active",
  "paginationInfo": {"totalCount": 123, "nextPage": "string"},
  "content": [{"tenantId": "string", "id": "12345678-1234-1234-1234-123456789abc", "createdOn": "string", "updatedOn": "string", "ownerUserId": "string", "number": 123, "name": "Example Name", "description": "string", "incident": true, "valid": true, "status": "Active", "severity": "st
```

### Update an activity

Updates an activity in LogRhythm Axon using specific IDs and details such as caseId, description, and type.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/activities/{{id}}`

Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | The identifier of the tenant |
| path_parameters.id | string | Required | The system identifier for this object |
| caseId | string | Optional | Unique identifier |
| description | string | Optional | Parameter for Update an activity |
| queryFilter | string | Optional | Parameter for Update an activity |
| type | string | Optional | Type of the resource |
| logs | array | Optional | Parameter for Update an activity |
| logs.logId | string | Required | Unique identifier |
| attachments | array | Optional | Parameter for Update an activity |
| attachments.name | string | Required | Name of the resource |
| attachments.location | string | Required | Parameter for Update an activity |

Input example:

```json
{
  "json_body": {
    "caseId": "123456789",
    "description": "Details of the event",
    "queryFilter": "Details of the event",
    "type": "comment | log | attachment",
    "logs": [{"logId": "123456789"}],
    "attachments": [{"name": "file name", "location": "file location"}]
  },
  "path_parameters": {"tenantId": "8zcdjvs-csleiyhr9nxq-pg6mymsdr", "id": "qo0kzv3omjlq75a"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |
| content | object | Response content |
| content.id | string | Unique identifier |
| content.tenantId | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.caseId | string | Unique identifier |
| content.description | string | Response content |
| content.queryFilter | string | Response content |
| content.type | string | Type of the resource |
| content.createdBy | string | Response content |
| content.updatedBy | string | Response content |

Output example (cut off in the source):

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
    "requestId": "string",
    "error": {"status": 0, "message": "string", "validationFailures": []},
    "status": "OK",
    "content": {"id": "-hviox", "tenantId": "string", "createdOn": "2023-12-27T06:02:43.005Z", "updatedOn": "2023-12-27T06:02:43.005Z", "caseId": "123456789", "description": "Details of the event", "queryFilter": "Details of the event", "type": "comment | log | attachment", "c
```

### Update an activity description

Updates the description of an activity in LogRhythm Axon using the specified 'id' and 'tenantId'.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/activities/{{id}}`

Method: PATCH

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantId | string | Required | Parameters for the Update an activity description action |
| path_parameters.id | string | Required | Parameters for the Update an activity description action |

Input example:

```json
{
  "path_parameters": {"tenantId": "8zcdjvs-csleiyhr9nxq-pg6mymsdr", "id": "123456789"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |
| content | object | Response content |
| content.id | string | Unique identifier |
| content.tenantId | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.caseId | string | Unique identifier |
| content.description | string | Response content |
| content.queryFilter | string | Response content |
| content.type | string | Type of the resource |
| content.createdBy | string | Response content |
| content.updatedBy | string | Response content |

Output example (cut off in the source):

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
    "requestId": "string",
    "error": {"status": 0, "message": "string", "validationFailures": []},
    "status": "OK",
    "content": {"id": "xxs1jzd", "tenantId": "string", "createdOn": "2023-12-27T06:55:29.980Z", "updatedOn": "2023-12-27T06:55:29.980Z", "caseId": "123456789", "description": "Details of the event", "queryFilter": "Details of the event", "type": "comment | log | attachment", "c
```

### Update a case

Updates a specific case in LogRhythm Axon by ID and tenantId, allowing changes to name, status, severity, and creator.

Endpoint URL: `/case-management-svc/v1/tenants/{{tenantId}}/cases/{{id}}`

Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the Update a case action |
| path_parameters.tenantId | string | Required | Parameters for the Update a case action |
| ownerUserId | string | Optional | Unique identifier |
| name | string | Optional | Name of the resource |
| description | string | Optional | Parameter for Update a case |
| incident | boolean | Optional | Unique identifier |
| valid | boolean | Optional | Unique identifier |
| status | string | Optional | Status value |
| severity | string | Optional | Parameter for Update a case |
| createdBy | string | Optional | Parameter for Update a case |
| observationName | string | Optional | Name of the resource |
| collaborators | array | Optional | Parameter for Update a case |
| collaborators.collaboratorId | string | Optional | Unique identifier |

Input example:

```json
{
  "json_body": {
    "ownerUserId": "123456789",
    "name": "Phishing from Sweden",
    "description": "Possible phishing attempt from Sweden",
    "incident": true,
    "valid": true,
    "status": "In progress",
    "severity": "Critical",
    "createdBy": "a913a019-3d35-44cb-b444-5abc993b4195",
    "observationName": "string",
    "collaborators": [{"collaboratorId": "11223344"}]
  },
  "path_parameters": {"id": "515c5526-4ddd-4de1-bc5c-950052320bc4", "tenantId": "lrcxc"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| computed | object | Output field computed |
| computed.additionalProp1 | object | Output field computed.additionalProp1 |
| computed.additionalProp2 | object | Output field computed.additionalProp2 |
| computed.additionalProp3 | object | Output field computed.additionalProp3 |
| requestId | string | Unique identifier |
| error | object | Error message if any |
| error.status | number | Status value |
| error.message | string | Response message |
| error.validationFailures | array | Unique identifier |
| error.validationFailures.field | string | Unique identifier |
| error.validationFailures.message | string | Unique identifier |
| status | string | Status value |
| content | object | Response content |
| content.tenantId | string | Unique identifier |
| content.id | string | Unique identifier |
| content.createdOn | string | Response content |
| content.updatedOn | string | Response content |
| content.ownerUserId | string | Unique identifier |
| content.number | number | Response content |
| content.name | string | Name of the resource |
| content.description | string | Response content |
| content.incident | boolean | Unique identifier |
| content.valid | boolean | Unique identifier |

Output example (cut off in the source):

```json
{
  "computed": {"additionalProp1": {}, "additionalProp2": {}, "additionalProp3": {}},
  "requestId": "string",
  "error": {"status": 123, "message": "string", "validationFailures": [{}]},
  "status": "Active",
  "content": {"tenantId": "string", "id": "12345678-1234-1234-1234-123456789abc", "createdOn": "string", "updatedOn": "string", "ownerUserId": "string", "number": 123, "name": "Example Name", "description": "string", "incident": true, "valid": true, "status": "Active", "severity": "string", "observationName": "Example Name", "createdBy": "strin
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 5428 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | frame-ancestors 'self'; |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Permissions-Policy | HTTP response header Permissions-Policy | camera=(), microphone=(), geolocation=(), encrypted-media=(), payment=(), usb=() |
| Referrer-Policy | HTTP response header Referrer-Policy | same-origin |
| Server | Information about the software used by the origin server | istio-envoy |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | HTTP response header X-DNS-Prefetch-Control | off |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Envoy-Upstream-Service-Time | HTTP response header X-Envoy-Upstream-Service-Time | 58 |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
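The following is an added example, not Swimlane's connector code or LogRhythm's SDK, showing how the actions above map onto plain HTTPS calls: the bare API key in the Authorization header, percent-encoded path parameters, the Verify SSL toggle, and an afterId/limit walk over the paginated case list. The `fetch` hook, the assumption that afterId is the id of the last record returned, and all sample values are this example's own, not documented by the page.

```python
"""Small client for the LogRhythm Axon case-management endpoints on this page.
Added example: paths and the prefix-less Authorization header come from the
page; the `fetch` hook, the afterId cursor rule and sample IDs are assumptions."""
import json
import ssl
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

BASE_PATH = "/case-management-svc/v1/tenants"


class AxonCaseClient:
    def __init__(self, base_url, api_key, verify_ssl=True, fetch=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.verify_ssl = verify_ssl
        # fetch(method, url, body_or_None) -> parsed JSON. Defaults to a real
        # HTTPS call; a stub can be injected to exercise the logic offline.
        self.fetch = fetch or self._http_fetch

    def headers(self):
        # Per the page: the raw key goes in Authorization with NO prefix
        # (no "Bearer ", no "ApiKey ").
        return {"Authorization": self.api_key,
                "Accept": "application/json",
                "Content-Type": "application/json"}

    def url(self, tenant_id, suffix, params=None):
        # Path parameters are percent-encoded so a tenant id containing "/"
        # or ".." cannot change which endpoint is hit; None query values drop.
        u = f"{self.base_url}{BASE_PATH}/{quote(tenant_id, safe='')}{suffix}"
        params = {k: v for k, v in (params or {}).items() if v is not None}
        return u + ("?" + urlencode(params) if params else "")

    def _http_fetch(self, method, url, body):
        ctx = ssl.create_default_context()
        if not self.verify_ssl:  # mirrors the connector's "Verify SSL" option
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method, headers=self.headers())
        with urlopen(req, context=ctx, timeout=30) as resp:  # HTTPError on 4xx/5xx
            return json.loads(resp.read() or b"{}")

    # --- actions listed on the page -----------------------------------------
    def create_case(self, tenant_id, name, status, severity, **fields):
        body = {"name": name, "status": status, "severity": severity, **fields}
        return self.fetch("POST", self.url(tenant_id, "/cases"), body)

    def create_activity(self, tenant_id, case_id, description,
                        activity_type="comment", **fields):
        body = {"caseId": case_id, "description": description,
                "type": activity_type, **fields}
        return self.fetch("POST", self.url(tenant_id, "/activities"), body)

    def change_status(self, tenant_id, case_ids, status, severity=None, comment=None):
        # The page documents caseIds as a string in the input example; it is
        # passed through unchanged here.
        body = {"caseIds": case_ids, "status": status,
                "severity": severity, "comment": comment}
        return self.fetch("PUT", self.url(tenant_id, "/cases"),
                          {k: v for k, v in body.items() if v is not None})

    def get_activity(self, tenant_id, activity_id):
        suffix = f"/activities/{quote(activity_id, safe='')}"
        return self.fetch("GET", self.url(tenant_id, suffix), None)

    def search_cases(self, tenant_id, criteria, case_status="all", limit=50):
        params = {"searchCriteria": criteria, "caseStatus": case_status, "limit": limit}
        return self.fetch("GET", self.url(tenant_id, "/cases/search", params), None)

    def iter_cases(self, tenant_id, limit=100):
        """Yield every case, page by page, using afterId as the cursor.
        Assumption: afterId = id of the last record of the previous page (the
        page does not define the cursor); a repeated cursor ends the loop."""
        after_id = None
        while True:
            params = {"afterId": after_id, "limit": limit}
            page = self.fetch("GET", self.url(tenant_id, "/cases", params), None)
            content = page.get("content") or []
            for case in content:
                yield case
            last_id = content[-1].get("id") if content else None
            if len(content) < limit or not last_id or last_id == after_id:
                return
            after_id = last_id
```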