Version 1.0.2

• Remove traceback from logs in case of 404 error

Version 1.0.1

• Update auth errors message and handling assertion error
• Add traceback to log file

Version 1.0.0

v1.0.0

LogRhythm

The new LogRhythm integration empowers users to investigate an observable and determine if it is contained in an event stored in LogRhythm. It provides users with the date and time the observable was seen in the event and the raw event data.

This integration allows you to query IPv4 and IPv6 data types and it returns sightings of an observable from each event.

Implementation Details

This application was developed and tested under Python version 3.9.

Implemented Relay Endpoints

• POST /health
  • Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
  • Authenticates to the underlying external service to check that provided
    credentials are valid and the service is available at the moment
• POST /observe/observables
  • Accepts a list of observables and filters out unsupported ones.
  • Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
  • Makes a series of requests to the underlying external service to query for
    some cyber threat intelligence data on each supported observable.
  • Maps the fetched data into appropriate CTIM entities.
  • Returns a list per each of the following CTIM entities (if any extracted):
    • Sighting

Supported Types of Observables

• ip
• ipv6

CTIM Mapping Specifics

Each response from the LogRhythm API for the supported observables generates the following CTIM entities:

• Sightings are taken from each message in LogRhythm response.

Sightings are based on .Items[]

Used values:

• .TaskId
• .logDate