LogRhythm Integration
Forward database audit events to LogRhythm SIEM for enterprise security analytics. Leverage AI Engine correlation and SmartResponse automation for comprehensive database threat detection.
AI Engine
Advanced correlation rules detect complex database attack patterns across multiple events.
SmartResponse
Automated response actions for database security incidents with playbook integration.
Case Management
Integrated case management for database security incidents with evidence collection.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "logrhythm-prod") |
| provider | select | Yes | logrhythm | SIEM provider - select "LogRhythm" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| api_url | string | Yes | - | LogRhythm API endpoint (e.g., "https://logrhythm.example.com:8501") |
| api_key | password | Yes | - | LogRhythm API key for log ingestion |
2 LogRhythm-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| log_source_type | string | No | Flat File - DB Audit | Log Source Type in LogRhythm |
| entity_id | number | No | - | LogRhythm Entity ID for log source assignment |
| host_id | number | No | - | LogRhythm Host ID for the log source |
| use_syslog | boolean | No | false | Send events via syslog instead of API |
| syslog_host | string | No | - | Syslog collector hostname (if use_syslog is true) |
| syslog_port | number | No | 514 | Syslog collector port |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
Setup Instructions
Create API Key
Create an API key in LogRhythm with log ingestion permissions.
```text
# Create API Key in LogRhythm:
# 1. Log in to LogRhythm Web Console
# 2. Navigate to Admin → API Management
# 3. Click "Create API Key"
# 4. Configure the following:
#    - Name: DB Audit Integration
#    - Permissions: Log Ingestion, Case Management
#    - Expiration: Set appropriate expiration
# 5. Copy the generated API key

# LogRhythm API URL format:
# https://<platform-manager>:8501/lr-admin-api

# Required permissions:
# - logs.write    - Log ingestion
# - cases.write   - Case creation (optional)
# - entities.read - Entity lookup
```
Create Log Source
Create a log source in LogRhythm Deployment Manager for DB Audit events.
```text
# Create Log Source in LogRhythm Deployment Manager:
# 1. Open Deployment Manager
# 2. Navigate to Log Sources → New Log Source
# 3. Configure:
#    - Name: DB Audit
#    - Log Source Type: Flat File - DB Audit (custom)
#    - Collection Method: API
#    - Entity: Select your database entity
# 4. Configure Message Processing Engine (MPE) rules

# Custom Log Source Type creation:
# 1. Tools → Knowledge → Log Source Type Manager
# 2. New Log Source Type
# 3. Name: Flat File - DB Audit
# 4. Set parsing rules (see MPE configuration below)
```
Configure MPE Rules
Create Message Processing Engine rules to parse DB Audit events.
```text
// LogRhythm MPE (Message Processing Engine) Rules
// Create in Knowledge → MPE Rules

// Rule 1: DB Audit Event
Rule Name: DB Audit - Database Event
Log Source Type: Flat File - DB Audit
Base Rule Regex:
^\{"timestamp":"(?<timestamp>[^"]+)","event_type":"(?<eventtype>[^"]+)","severity":"(?<severity>[^"]+)",.*"database":"(?<database>[^"]+)".*"user":"(?<user>[^"]+)".*"client_ip":"(?<clientip>[^"]+)".*"type":"(?<action>[^"]+)".*"object":"(?<object>[^"]+)".*"rows_affected":(?<count>\d+).*\}$
Field Mappings:
  - timestamp → Log Date
  - eventtype → Classification
  - severity  → Priority
  - database  → Object
  - user      → Login
  - clientip  → Source IP
  - action    → Command
  - object    → Object Name
  - count     → Quantity

// Rule 2: Authentication Failure
Rule Name: DB Audit - Auth Failure
Log Source Type: Flat File - DB Audit
Base Rule Regex:
^\{"timestamp":"(?<timestamp>[^"]+)","event_type":"auth_failure".*"user":"(?<user>[^"]+)".*"client_ip":"(?<clientip>[^"]+)".*\}$
Classification: Authentication Failure
```
Note: MPE rules enable proper field extraction for AI Engine correlation. The base rule regexes above only match a single-line, compact JSON serialization (no spaces after colons, no line breaks) with the keys in the order shown in the Event Format section; a pretty-printed event will not match. Also check the field mappings against the filters you build on top of them: the mappings above send event_type to Classification and the action type to Command, while the AI Engine rule and sample queries below filter on Classification:SELECT, so align one with the other before relying on those filters.
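To check the two base rule regexes before loading them into the MPE rule tester, here is an added dry-run harness (example code, not from the DB Audit project or LogRhythm) that applies them to the page's sample event and to a constructed auth_failure event; JavaScript uses the same `(?<name>...)` named-group syntax as the LogRhythm regexes.

```javascript
// Added example (not code from the DB Audit project or LogRhythm): dry-run the two MPE
// base rule regexes from this page against sample events before loading them into the
// MPE rule tester. JavaScript uses the same (?<name>...) named-group syntax.

const RULES = {
  "DB Audit - Database Event":
    /^\{"timestamp":"(?<timestamp>[^"]+)","event_type":"(?<eventtype>[^"]+)","severity":"(?<severity>[^"]+)",.*"database":"(?<database>[^"]+)".*"user":"(?<user>[^"]+)".*"client_ip":"(?<clientip>[^"]+)".*"type":"(?<action>[^"]+)".*"object":"(?<object>[^"]+)".*"rows_affected":(?<count>\d+).*\}$/,
  "DB Audit - Auth Failure":
    /^\{"timestamp":"(?<timestamp>[^"]+)","event_type":"auth_failure".*"user":"(?<user>[^"]+)".*"client_ip":"(?<clientip>[^"]+)".*\}$/,
};

// Sample audit event copied from the Event Format section of this page.
const AUDIT_EVENT = {
  timestamp: "2024-01-15T10:30:45.123Z", event_type: "audit_event", severity: "warning",
  source: { database: "production-postgres", db_type: "postgresql", host: "db.example.com" },
  actor: { user: "app_user", client_ip: "10.0.1.50", application: "backend-api" },
  action: { type: "SELECT", object: "customers", schema: "public",
            statement: "SELECT * FROM customers WHERE...", rows_affected: 1500 },
  classification: { contains_pii: true, data_types: ["email", "phone"] },
};

// Constructed auth_failure event; the page shows no sample of this type.
const AUTH_FAILURE_EVENT = {
  timestamp: "2024-01-15T10:31:02.004Z", event_type: "auth_failure", severity: "warning",
  source: { database: "production-postgres", db_type: "postgresql", host: "db.example.com" },
  actor: { user: "app_user", client_ip: "10.0.1.50", application: "psql" },
};

// Try the rules in the order listed (the first base rule that matches wins, as with
// sorted MPE rules) and return the rule name plus its named captures, or null.
function matchRule(line) {
  for (const [rule, re] of Object.entries(RULES)) {
    const m = re.exec(line);
    if (m) return { rule, fields: { ...m.groups } };
  }
  return null;
}

// MPE matches one log line at a time, so the forwarder must emit compact JSON:
// the same event pretty-printed (spaces after colons, newlines) matches no rule.
console.log(matchRule(JSON.stringify(AUDIT_EVENT)));          // Database Event, count "1500"
console.log(matchRule(JSON.stringify(AUDIT_EVENT, null, 2))); // null
console.log(matchRule(JSON.stringify(AUTH_FAILURE_EVENT)));   // Auth Failure, user "app_user"
```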
Configure in DB Audit
Add the LogRhythm integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select LogRhythm as the provider
- Enter your API URL and API key
- Configure log source settings
- Select event types to forward
- Test the connection and save
Create AI Engine Rules (Optional)
Create AI Engine rules to detect suspicious database activity patterns.
```text
// LogRhythm AI Engine Rule
// AI Engine → Rules → New Rule
Rule Name: DB Audit - Suspicious Data Exfiltration
Description: Detects queries returning large amounts of sensitive data

// Rule Block 1: Large Data Access
Type: Log Count
Log Source Type: Flat File - DB Audit
Filter:
  - Classification: SELECT
  - Quantity > 10000
  - Object contains "pii" OR Object contains "customer"
Count Threshold: 1
Time Window: 5 minutes
Group By: Login, Source IP

// Rule Block 2: Same user, multiple databases
Type: Unique Values
Log Source Type: Flat File - DB Audit
Filter:
  - Classification: SELECT
  - Quantity > 1000
Unique Field: Object
Threshold: 3
Time Window: 15 minutes
Group By: Login

// Response Actions
Primary:
  - Create Case (Priority: High)
  - Notify SOC Team
  - Add to Threat List
Secondary (SmartResponse):
  - Block IP at Firewall
  - Disable Active Directory Account
```
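To sanity-check the thresholds and windows of the two rule blocks before building them in AI Engine, here is an added replay of their logic over a constructed stream of parsed events (example code, not LogRhythm's AI Engine); it assumes the MPE field names from the mapping above and reads "Threshold: 3" as at least 3 distinct objects.

```javascript
// Added example (not LogRhythm's AI Engine): replay the two rule blocks of the
// "Suspicious Data Exfiltration" rule above over already-parsed DB Audit events, so the
// thresholds and windows can be sanity-checked before the rule is built in AI Engine.
// Events are constructed here and carry the MPE field names (Login, Source IP, Object,
// Quantity); "Threshold: 3" is taken to mean at least 3 distinct objects (assumption).

const MIN = 60 * 1000;

// Rule Block 1: a single SELECT of more than 10000 rows from a "pii"/"customer" object,
// reported per Login + Source IP.
function largeDataAccess(events, thresholdRows = 10000) {
  return events
    .filter(e => e.classification === "SELECT" && e.quantity > thresholdRows &&
                 /pii|customer/i.test(e.object))
    .map(e => ({ login: e.login, sourceIp: e.sourceIp, object: e.object, at: e.at }));
}

// Rule Block 2: the same Login reading more than 1000 rows from at least `threshold`
// distinct objects inside a sliding 15-minute window.
function multiObjectAccess(events, { minRows = 1000, threshold = 3, windowMs = 15 * MIN } = {}) {
  const hits = [];
  const recentByLogin = new Map();
  for (const e of [...events].sort((a, b) => a.at - b.at)) {
    if (e.classification !== "SELECT" || e.quantity <= minRows) continue;
    // keep only this login's qualifying events that fall inside the window ending at e
    const recent = (recentByLogin.get(e.login) ?? []).filter(h => e.at - h.at <= windowMs);
    recent.push(e);
    recentByLogin.set(e.login, recent);
    const objects = [...new Set(recent.map(h => h.object))];
    if (objects.length >= threshold) hits.push({ login: e.login, objects, at: e.at });
  }
  return hits;
}

// Constructed event stream: app_user sweeps three tables in 9 minutes, etl_svc does one bulk read.
const T0 = Date.parse("2024-01-15T10:00:00Z");
const EVENTS = [
  { at: T0,            login: "app_user", sourceIp: "10.0.1.50", classification: "SELECT", object: "customers", quantity: 1500 },
  { at: T0 + 4 * MIN,  login: "app_user", sourceIp: "10.0.1.50", classification: "SELECT", object: "orders",    quantity: 2200 },
  { at: T0 + 9 * MIN,  login: "app_user", sourceIp: "10.0.1.50", classification: "SELECT", object: "pii_ssn",   quantity: 12000 },
  { at: T0 + 30 * MIN, login: "etl_svc",  sourceIp: "10.0.2.7",  classification: "SELECT", object: "customers", quantity: 50000 },
  { at: T0 + 31 * MIN, login: "etl_svc",  sourceIp: "10.0.2.7",  classification: "INSERT", object: "staging",   quantity: 50000 },
];

console.log(largeDataAccess(EVENTS));   // two hits: app_user/pii_ssn and etl_svc/customers
console.log(multiObjectAccess(EVENTS)); // one hit: app_user with customers, orders, pii_ssn
```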
Event Format
Events are sent to LogRhythm in JSON format for parsing by MPE rules.
```json
{
  "timestamp": "2024-01-15T10:30:45.123Z",
  "event_type": "audit_event",
  "severity": "warning",
  "source": {
    "database": "production-postgres",
    "db_type": "postgresql",
    "host": "db.example.com"
  },
  "actor": {
    "user": "app_user",
    "client_ip": "10.0.1.50",
    "application": "backend-api"
  },
  "action": {
    "type": "SELECT",
    "object": "customers",
    "schema": "public",
    "statement": "SELECT * FROM customers WHERE...",
    "rows_affected": 1500
  },
  "classification": {
    "contains_pii": true,
    "data_types": ["email", "phone"]
  }
}
```
Sample LogRhythm Queries
Use these queries to search and analyze DB Audit events in LogRhythm.
```text
// LogRhythm Log Search Queries

// All DB Audit events
Log Source Type:"Flat File - DB Audit"

// Filter by severity
Log Source Type:"Flat File - DB Audit" AND Priority:High

// Large data access
Log Source Type:"Flat File - DB Audit"
  AND Classification:SELECT
  AND Quantity:[10000 TO *]

// Specific user activity
Log Source Type:"Flat File - DB Audit"
  AND Login:app_user

// Failed authentication attempts
Log Source Type:"Flat File - DB Audit"
  AND Classification:"Authentication Failure"
  | GROUP BY "Source IP"
  | COUNT > 5

// PII access pattern
Log Source Type:"Flat File - DB Audit"
  AND (Object:*customer* OR Object:*user* OR Object:*pii*)
  AND Quantity:[1000 TO *]

// Cross-entity correlation
(Log Source Type:"Flat File - DB Audit" AND "Source IP":10.0.1.50)
  OR (Log Source Type:"MS Windows Event Logging" AND "Source IP":10.0.1.50)
```
Sample Case Template
Use case templates for standardized incident response workflows.
```text
// LogRhythm Case Template for DB Audit Alerts
// Case Management → Templates → New Template
Template Name: Database Security Incident
Priority: High
Due Date: +24 hours
Tags:
  - database-security
  - data-access
  - potential-exfiltration

Playbook Tasks:
1. Initial Assessment
   - Review triggering events in Log Timeline
   - Identify affected database and data types
   - Determine user identity and access context
2. Scope Analysis
   - Query related events from same source IP
   - Check for additional database access
   - Review endpoint activity for user
3. Containment
   - Evaluate need for account suspension
   - Consider database access revocation
   - Document containment actions
4. Evidence Collection
   - Export relevant logs
   - Capture database query history
   - Document data potentially accessed
5. Resolution
   - Implement long-term access controls
   - Update monitoring rules
   - Close case with findings
```
Troubleshooting
API authentication failed
Verify the API key is correct and not expired. Check that the API key has log ingestion permissions.
Events not parsing correctly
Verify MPE rules match the event JSON structure. Check the MPE rule tester in the Knowledge Manager.
Log source not receiving events
Verify the log source is enabled and assigned to the correct System Monitor Agent. Check the Log Source Status in Deployment Manager.
Syslog events not arriving
Verify network connectivity to the syslog collector. Check firewall rules for UDP/TCP port 514.