LogRhythm Integration GuideContentsIntegration Overview . 1Prerequisites . 1ObserveIT Configuration . 2LogRhythm Configuration . 3Web UI Configuration . 4Creating Alarms. 6Support . 7Version 1.0.0 - January 2019

Integration OverviewThe LogRhythm integration with ObserveIT provides security analysts and investigation teams withpowerful user activity meta-data and smart user behaviour alerts. By correlating this powerful usercontext with the other data sources in your SIEM, a complete picture of a user’s activities emerges,allowing for creation of smarter alerts and quicker threat elimination.The LogRhythm System Monitor agent will be used to forward the events from the ObserveIT SIEMlogs into LogRhythm.PREREQUISITESThe ObserveIT integration is generally available in LogRhythm.Update the LogRhythm Knowledgebase to the latest version to ensure the latest log processingpolicies are installed. ObserveIT (Minimum supported version: 7.4) LogRhythm (Minimum supported version: 7.x)LogRhythm System Monitor installed with ObserveIT Application Server or with ObserveIT SIEM logsavailable remotely.Copyright 2020All rights reserved.Version 1.0.0 - January 20191

ObserveIT ConfigurationTo configure ObserveIT for integration with LogRhythm:1. From the ObserveIT Web Console, in the Configuration tab, select Integrated SIEM in theleft menu. Select the SIEM Log Integration tab.2. Select the logs you want LogRhythm to ingest. The User Activity, Alert, Audit, and InternalEvent logs are supported.3. Enable export to ArcSight format must be checked.4. Enable the file clean-up process to run every hour. This prevents the log file from becomingtoo large by deleting the older events and leaving the newer ones.Copyright 2020All rights reserved.Version 1.0.0 - January 20192

LogRhythm ConfigurationAs detailed above LogRhythm is configured to read the CEF files generated by the ObserveITapplication server.1. To configure this, navigate to LR Console Deployment Manager System Monitor.2. Check the System Monitor agent that is either installed on the ObserveIT or will have accessto the CEF files produced.3. Right-click on the agent and navigate to Add Flat File Log Source (see below screenshot).4. Use the search box to find the ObserveIT Enterprise log source. Highlight this entry and clickOK.5. In the flat file configuration settings, select Basic Configuration tab.6. Change the processing policy to the LogRhythm Default.Copyright 2020All rights reserved.Version 1.0.0 - January 20193

7. Click Flat File Settings and change the file path to the location of where the .CEF files arebeing written to, as configured in the ObserveIT Configuration.8. Click on the ellipses next to the Date Parsing Format and add a new entry with the belowregex: MM \s d \s yy \s h : m : s 9. Wait a few minutes and verify that the last log message is updating (Deployment Manager Log Sources).10. You can also select to Tail Log Sources to ensure that new entries are being parsed.Web UI ConfigurationA basic dashboard has been created to provide visualisation of the ObserveIT data. Download thedashboard file and import to the Web UI. Dashboard.wdlt.zipCopyright 2020All rights reserved.Version 1.0.0 - January 20194

Copyright 2020All rights reserved.Version 1.0.0 - January 20195

Creating AlarmsYou can configure alarms in LogRhythm for ObserveIT alerts.To configure an alarm: In the AI Engine tab, create a new rule, then drag a Log Observed Rule Block onto the mainworking area.Set the primary criteria to look for the Common Event: Error: General Alert Message. In the Log Source Criteria, filter by the ObserveIT Log Source. Group by User and Object.Copyright 2020All rights reserved.Version 1.0.0 - January 20196

Support For help configuring LogRhythm, consult LogRhythm SupportFor help using or configuring the ObserveIT platform, contact the ObserveIT supportorganization can also send an email to [email protected] with questions about this and otherObserveIT integrations.Copyright 2020All rights reserved.Version 1.0.0 - January 20197