Creating an alarm profile for LogRhythm

  • Release version: Xanadu
  • Updated August 1, 2024

In an alarm profile that you create and name, you specify which alarms you want to pull from the LogRhythm Client Console. You also define how they are mapped to fields on a ServiceNow AI Platform security incident.

    Before you begin

    Role required: sn_si.admin

    About this task

    One alarm profile ingests all alarm types from its configured source out of the box; filter criteria in the profile restrict it to specific alarm types. Through this ServiceNow AI Platform integration, either all configured LogRhythm alarm rules or only those selected in the profile are ingested. You can then filter further, for example to only high-risk alarms, to specify which alarms create security incidents. Before a security incident is created, the individual field values of each filtered alarm are mapped to the corresponding fields on the ServiceNow AI Platform security incident. All of this is configured in an alarm profile within your ServiceNow AI Platform instance.

    Procedure

    1. Navigate to All > LogRhythm Integration.
    2. Select the LogRhythm Alarm Profiles module to display the Alarm Profiles list.
      Figure 1. Alarm Profile: Create an alarm profile
    3. To create a new alarm profile, click New.
      A new alarm profile form is displayed. At the top of the page in the progress bar, Name is selected. This bar tracks your progress during the configuration.
    4. On the form, fill in the fields.
      Table 1. Alarm Profile
      Field | Description
      Name | Name for the alarm profile. Choose a name that identifies the alarm type, such as Unauthorized access (VPN), malware, or phishing.
      Short description | Short text with additional information about the alarm profile, such as the type of alarms or an alarm category. Example: All alarms associated with unauthorized PowerShell and sudo access attempts.
      Source | Source server, selected from the choice list. The list consists of the LogRhythm configurations you have already set up, for example, logrhythm-server-a. See Install the plugin and configure LogRhythm.
      Order | Alarm profile priority. This field determines the order in which alarm profiles are evaluated when two or more alarm profiles share the same triggering conditions.
      Active | Not selected by default. After you complete all alarm profile setup steps and click Finish, you are prompted to select this check box to activate the alarm profile. When the alarm profile is active, it pulls alarms from the LogRhythm Client Console automatically.
    5. Click Continue to save your data and proceed to the Mapping form.

      If the validation is successful, the page reloads and the Mapping form is displayed. You cannot proceed with the configuration until you have successfully validated your connection and credentials.
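The filtering, ordering, and field mapping described under About this task, together with the Order field in Table 1, can be modelled in plain JavaScript, the language of ServiceNow server-side scripts. The following is an added example, not ServiceNow's or LogRhythm's code, and it uses no Glide APIs: the alarm field names, the filter shape (minRisk, status), the severity scale (1 = High, 2 = Medium, 3 = Low) and the rule that the lowest Order value wins when several profiles match are all assumptions for illustration, and the alarms are constructed sample records rather than real LogRhythm output.

```javascript
'use strict';

// Constructed sample alarms in a LogRhythm-like shape. Field names are
// illustrative and not the LogRhythm API schema.
const SAMPLE_ALARMS = [
  { alarmId: 101, alarmRuleName: 'Unauthorized VPN Access', riskBasedPriority: 85,
    status: 'New', alarmDate: '2024-08-01T10:15:00Z', source: 'logrhythm-server-a' },
  { alarmId: 102, alarmRuleName: 'Suspicious PowerShell Execution', riskBasedPriority: 40,
    status: 'New', alarmDate: '2024-08-01T10:20:00Z', source: 'logrhythm-server-a' },
  { alarmId: 103, alarmRuleName: 'Malware Detected', riskBasedPriority: 95,
    status: 'Closed', alarmDate: '2024-08-01T10:25:00Z', source: 'logrhythm-server-a' },
  { alarmId: 104, alarmRuleName: 'Port Scan', riskBasedPriority: 60,
    status: 'New', alarmDate: '2024-08-01T10:30:00Z', source: 'logrhythm-server-b' },
];

// Assumed severity scale for the security incident: 1 = High, 2 = Medium, 3 = Low.
function riskToSeverity(risk) {
  if (risk >= 70) return 1;
  if (risk >= 40) return 2;
  return 3;
}

// Alarm profiles carrying the Table 1 fields plus an illustrative filter and a
// field mapping. A mapping value is either an alarm field name to copy or a
// function that derives the incident field from the alarm.
const PROFILES = [
  { name: 'High-risk alarms', source: 'logrhythm-server-a', order: 100, active: true,
    filter: { minRisk: 70, status: 'New' },
    mapping: { short_description: 'alarmRuleName',
               severity: a => riskToSeverity(a.riskBasedPriority),
               correlation_id: 'alarmId', opened_at: 'alarmDate' } },
  { name: 'All alarms (catch-all)', source: 'logrhythm-server-a', order: 200, active: true,
    filter: { status: 'New' },
    mapping: { short_description: a => `LogRhythm: ${a.alarmRuleName}`,
               severity: a => riskToSeverity(a.riskBasedPriority),
               correlation_id: 'alarmId' } },
  // Not yet activated (the Active check box is cleared until Finish is clicked).
  { name: 'Server B (inactive)', source: 'logrhythm-server-b', order: 100, active: false,
    filter: {}, mapping: { short_description: 'alarmRuleName', correlation_id: 'alarmId' } },
];

// Assumed filter semantics: every present criterion must hold.
function matchesFilter(filter, alarm) {
  if (filter.minRisk !== undefined && alarm.riskBasedPriority < filter.minRisk) return false;
  if (filter.status !== undefined && alarm.status !== filter.status) return false;
  return true;
}

// Pick the profile that creates the incident: it must be active, belong to the
// alarm's source, and accept the alarm; among several, the lowest Order wins.
function selectProfile(profiles, alarm) {
  const candidates = profiles
    .filter(p => p.active && p.source === alarm.source && matchesFilter(p.filter, alarm))
    .sort((a, b) => a.order - b.order);
  return candidates.length ? candidates[0] : null;
}

// Apply the profile's mapping to build the security incident record.
function mapToIncident(profile, alarm) {
  const incident = { alarm_profile: profile.name };
  for (const [siField, spec] of Object.entries(profile.mapping)) {
    incident[siField] = typeof spec === 'function' ? spec(alarm) : alarm[spec];
  }
  return incident;
}

// Run every alarm through the profiles; alarms no active profile accepts are dropped.
function ingest(profiles, alarms) {
  const incidents = [];
  for (const alarm of alarms) {
    const profile = selectProfile(profiles, alarm);
    if (profile) incidents.push(mapToIncident(profile, alarm));
  }
  return incidents;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(ingest(PROFILES, SAMPLE_ALARMS), null, 2));
}
```

Alarm 101 matches both profiles on logrhythm-server-a and is created by the High-risk profile because of its lower Order; alarm 102 falls through to the catch-all; the closed alarm and the alarm from the inactive Server B profile create no incident at all. When you design real profiles, give overlapping profiles explicit, distinct Order values, otherwise which profile's mapping is applied is not under your control.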