AI-powered security analytics and automated threat response
LogRhythm provides next-generation SIEM capabilities with AI-powered security analytics and automated threat response. TYCHON Quantum Readiness integrates with LogRhythm through custom log source configuration and message processing rules.
Next-Gen SIEM: AI-driven threat detection, automated response workflows, compliance reporting, and integrated SOAR capabilities.
Configure LogRhythm to collect and parse TYCHON Quantum Readiness output
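<?xml version="1.0" encoding="UTF-8"?>
<!--
  LogRhythm MPE rules for TYCHON Quantum Readiness events.

  Changes from the previous revision of this listing:
    * The root element was "<LogRhythm MPE Rule>" (a tag name cannot contain
      spaces) and did not match its closing tag; it is now <LogRhythm>.
    * Both regexes used greedy ".*" before their captures, so cipher_name and
      security_level captured only a single trailing character (e.g. "w" from
      "low"). The quantifiers are now lazy and the captures word-bounded.
    * The certificate rule declared the Object field twice (a literal and an
      xpath); the second declaration is commented out, see below.

  Validate both patterns against a captured sample event before deploying
  (Deployment Manager -> Rules -> Message Processing Engine -> test).
-->
<LogRhythm>
<rule name="TYCHON Certificate Event" group="Custom">
<!--
  Matches the syslog line produced by `logger -t TYCHON` (see the scanner
  commands on this page). datetime is 1 to 3 whitespace-separated tokens so
  ISO 8601 ("2024-01-01T02:00:00Z"), "2024-01-01 02:00:00" and BSD
  "Jan  1 02:00:00" headers all parse; the lazy {0,2}? lets the
  "<hostname> TYCHON:" anchor decide where the timestamp ends. logger may
  append "[pid]" to the tag, hence the optional (?:\[\d+\]).
-->
<pattern>
<![CDATA[
^(?<datetime>\S+(?:\s+\S+){0,2}?)\s+(?<hostname>\S+)\s+TYCHON(?:\[\d+\])?:\s+(?<event_data>.+)$
]]>
</pattern>
<!-- Field Mappings -->
<field name="Classification" value="Information" />
<field name="CommonEvent" value="Certificate Discovery" />
<field name="Process" value="TYCHON Scanner" />
<!-- Object is the literal "SSL Certificate"; the analytics rule and the
     dashboard queries on this page filter on that exact value. -->
<field name="Object" value="SSL Certificate" />
<!-- NOTE(review): event_data is a regex capture holding the scanner's JSON
     document, not an XML node; confirm that the parser applies this path to
     JSON before relying on Subject being populated. -->
<field name="Subject" xpath="/event_data/certificate/subject/common_name" />
<!-- Disabled: this re-declared Object with the target address, which
     conflicted with the literal above and would have broken the
     Object = "SSL Certificate" filter in the analytics rule. The address
     stays in the raw message and the dashboard query reads it via
     JSON_VALUE(NormalizedMessage, '$.target_host.address').
<field name="Object" xpath="/event_data/target_host/address" />
-->
<field name="VendorMessageID" value="1001" />
<field name="Priority" value="Medium" />
</rule>
<rule name="TYCHON Cipher Analysis" group="Custom">
<!--
  cipher_name: first word-bounded token after "cipher" that looks like a suite
  name (an upper-case letter followed by upper-case letters, digits, "_" or
  "-", e.g. TLS_AES_128_GCM_SHA256 or ECDHE-RSA-AES128-GCM-SHA256).
  security_level: first lower-case word after "security_level" (low, medium or
  high per the conditions below). Lazy quantifiers keep the captures at the
  full value; confirm against a sample that no other upper-case token sits
  between the "cipher" key and the suite name in the scanner's output.
-->
<pattern>
<![CDATA[
TYCHON.*?cipher.*?\b(?<cipher_name>[A-Z][A-Z0-9_-]+)\b.*?security_level.*?\b(?<security_level>[a-z]+)\b
]]>
</pattern>
<field name="Classification" value="Security" />
<field name="CommonEvent" value="Cipher Analysis" />
<field name="Process" value="TYCHON Scanner" />
<!-- NOTE(review): Object is the literal text "Cipher Suite". The dashboard
     queries on this page alias Object AS CipherSuite and group by it, which
     only yields one row per suite if Object carries the captured cipher_name;
     confirm the intended mapping with the parser syntax in use. -->
<field name="Object" value="Cipher Suite" />
<field name="VendorMessageID" value="1002" />
<!-- Dynamic priority based on security level. A "low" suite is escalated to
     Priority High / Classification "Security Violation", which is what the
     "TYCHON Weak Cipher Detection" analytics rule filters on. -->
<condition field="security_level" operator="equals" value="low">
<field name="Priority" value="High" />
<field name="Classification" value="Security Violation" />
</condition>
<condition field="security_level" operator="equals" value="medium">
<field name="Priority" value="Medium" />
</condition>
<condition field="security_level" operator="equals" value="high">
<field name="Priority" value="Low" />
</condition>
</rule>
</LogRhythm>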
# Configure Windows Event Log forwarding to LogRhythm
# Writes scan results to the Windows Event Log; the LogRhythm System Monitor
# agent then collects them like any other Windows log source. This path stays
# on-host, so nothing crosses the network in the clear.
.\certscanner-windows-amd64.exe -host production-hosts.txt -cipherscan `
-outputformat eventlog `
-tags "logrhythm,production,siem"
# Alternative: Direct syslog to LogRhythm
# CAUTION: port 514 is plain syslog (unencrypted, unauthenticated). Every line
# names a host together with its certificate details and any weak-cipher
# finding, which is reconnaissance data for anyone on the path, and a spoofed
# sender can inject events that the analytics rules on this page act on.
# Prefer the Event Log path above, or relay through a local forwarder that
# speaks TLS (6514); check whether the scanner's -syslog option itself supports TLS.
.\certscanner-windows-amd64.exe -host production-hosts.txt -cipherscan `
-outputformat flatndjson `
-syslog "logrhythm-collector.company.com:514" `
-tags "logrhythm,production"
# CEF format for LogRhythm
# Writes CEF to a named pipe. A pipe server (the collector) must already have
# the pipe open; without one the open presumably fails - verify the scanner's
# behaviour before scheduling this form.
.\certscanner-windows-amd64.exe -host production-hosts.txt -cipherscan `
-outputformat cef `
-output "\\.\pipe\logrhythm-cef" `
-tags "logrhythm,cef"
# Scheduled scanning with LogRhythm integration
# Daily 02:00 local scan (memory + filesystem) that ships flatndjson to the
# LogRhythm collector over syslog. The task runs in the context of the user
# who registers it. NOTE(review): -scanmemory/-scanfilesystem presumably need
# elevated rights, and 'logrhythm-collector:514' is plain, unauthenticated
# syslog (see the caution on the direct-syslog example above) - confirm both
# before rolling this out fleet-wide.
$scannerArguments = "-mode local -scanmemory -scanfilesystem -outputformat flatndjson -syslog 'logrhythm-collector:514' -tags 'logrhythm,scheduled'"
$taskAction = New-ScheduledTaskAction -Execute "C:\Tools\certscanner.exe" -Argument $scannerArguments
$dailyTrigger = New-ScheduledTaskTrigger -Daily -At 2:00AM
$registration = @{
    TaskName = "TYCHON LogRhythm Integration"
    Action   = $taskAction
    Trigger  = $dailyTrigger
}
Register-ScheduledTask @registration
# Configure rsyslog to forward to LogRhythm
# Add to /etc/rsyslog.conf:
# *.* @logrhythm-collector.company.com:514
# NOTE: a single "@" is UDP and "@@" is TCP; both are plaintext. For TLS on
# 6514 the omfwd action needs a netstream driver (gtls/ossl) and the
# collector's CA configured - see the rsyslog documentation. Also check
# $MaxMessageSize: a flatndjson line carrying a full certificate chain can
# exceed the default (8 KiB) and oversized messages may be truncated rather
# than rejected, leaving unparseable fragments in LogRhythm.
# Scanner with syslog integration
# Each output line becomes one syslog message tagged TYCHON (facility local0),
# which is what the MPE pattern on this page anchors on. This relies on the
# scanner emitting exactly one event per line, which flatndjson is meant to do.
./certscanner-linux-x64 -host production-hosts.txt -cipherscan \
-outputformat flatndjson \
-output /dev/stdout | \
logger -t TYCHON -p local0.info
# Direct file output for LogRhythm collection
# One timestamped file per run under /var/log/tychon, picked up by the System
# Monitor's file log source (see "Direct log file monitoring" below). Files
# accumulate, so rotate or prune them, and keep the directory readable only by
# root and the collector account: the contents map hosts to their weak crypto.
./certscanner-linux-x64 -host production-hosts.txt -cipherscan \
-outputformat tychon \
-output "/var/log/tychon/scan-$(date +%Y%m%d_%H%M%S).json" \
-tags "logrhythm,production"
# CEF format output for LogRhythm
# Writes CEF events to a single fixed file. Whether the scanner appends or
# truncates on each run is not shown here - verify before relying on the file
# as an audit trail, and apply the same directory permissions as above.
./certscanner-linux-x64 -host production-hosts.txt -cipherscan \
-outputformat cef \
-output /var/log/tychon/logrhythm-cef.log \
-tags "logrhythm,cef"
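# Scheduled scanning with automatic forwarding
# Installs the daily 02:00 local scan as a system cron job in /etc/cron.d.
# Why not `echo "..." | crontab -` as before:
#   1. `crontab -` REPLACES the invoking user's entire crontab with stdin, so
#      every existing job of that user was silently dropped.
#   2. The entry carried a "root" user field, which only /etc/crontab and
#      /etc/cron.d understand; in a per-user crontab "root" is parsed as the
#      command, so the job would have failed every night.
# A cron.d file keeps the user field, leaves other crontabs alone and is easy
# to remove. cron.d files must be root-owned, not group/world-writable, and end
# with a newline (the heredoc guarantees the latter).
# NOTE: `logger -f` sends the file one line per syslog message. If the "tychon"
# format is a pretty-printed multi-line document, each message is a fragment
# that the MPE patterns cannot match - use flatndjson for syslog delivery, as
# the other examples on this page do.
sudo tee /etc/cron.d/tychon-logrhythm >/dev/null <<'EOF'
0 2 * * * root /opt/tychon/certscanner -mode local -scanmemory -scanfilesystem -outputformat tychon -output /var/log/tychon/local-scan.json -tags 'logrhythm,scheduled' && logger -t TYCHON -f /var/log/tychon/local-scan.json
EOF
sudo chmod 0644 /etc/cron.d/tychon-logrhythm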
# Configure syslog forwarding to LogRhythm (Intel Macs)
# Each output line becomes one syslog message tagged TYCHON, which the MPE
# pattern on this page anchors on. No -p is given, so logger's default
# facility/priority applies (user.notice on BSD logger), unlike the Linux
# example that sends local0.info - keep one convention so the collector's
# facility filters match both platforms.
./certscanner-darwin-amd64 -host production-hosts.txt -cipherscan \
-outputformat flatndjson \
-output /dev/stdout | \
logger -t TYCHON
# File-based collection for LogRhythm (Apple Silicon)
# One timestamped file per run; rotate or prune, and restrict /var/log/tychon
# to root and the collector account since the files list hosts with weak crypto.
./certscanner-darwin-arm64 -host production-hosts.txt -cipherscan \
-outputformat tychon \
-output "/var/log/tychon/scan-$(date +%Y%m%d_%H%M%S).json" \
-tags "logrhythm,production"
# CEF format for LogRhythm integration
# Single fixed output file; whether successive runs append or overwrite is not
# shown here - verify before using the file as an audit trail.
./certscanner-darwin-arm64 -host production-hosts.txt -cipherscan \
-outputformat cef \
-output /var/log/tychon/logrhythm-cef.log \
-tags "logrhythm,cef"
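# Create launchd plist for scheduled scanning
# The plist has to exist before launchctl can load it (this step previously
# only loaded it). It mirrors the Linux cron job on this page: a daily 02:00
# local scan whose result file is handed to logger. Adjust the scanner path to
# the darwin build installed on the host. launchd refuses a LaunchDaemon that
# is not owned by root:wheel with mode 0644, hence the chown/chmod.
# NOTE: logger -f sends the file line by line; use an output format that emits
# one event per line (flatndjson) if the MPE patterns are expected to match.
sudo tee /Library/LaunchDaemons/com.tychon.logrhythm.plist >/dev/null <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.tychon.logrhythm</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/opt/tychon/certscanner -mode local -scanmemory -scanfilesystem -outputformat tychon -output /var/log/tychon/local-scan.json -tags 'logrhythm,scheduled' &amp;&amp; logger -t TYCHON -f /var/log/tychon/local-scan.json</string>
  </array>
  <key>StartCalendarInterval</key>
  <dict>
    <key>Hour</key>
    <integer>2</integer>
    <key>Minute</key>
    <integer>0</integer>
  </dict>
  <key>StandardErrorPath</key>
  <string>/var/log/tychon/launchd-error.log</string>
</dict>
</plist>
EOF
sudo chown root:wheel /Library/LaunchDaemons/com.tychon.logrhythm.plist
sudo chmod 0644 /Library/LaunchDaemons/com.tychon.logrhythm.plist
sudo launchctl load /Library/LaunchDaemons/com.tychon.logrhythm.plist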
Create advanced analytics rules for crypto security events and certificate management
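<rule name="TYCHON Certificate Expiring Soon" enabled="true">
<description>Detects certificates expiring within 30 days, including ones already expired</description>
<baseRule>
<filter>
<and>
<!-- All three fields are set by the "TYCHON Certificate Event" MPE rule. -->
<condition field="CommonEvent" operator="equals" value="Certificate Discovery"/>
<condition field="Process" operator="equals" value="TYCHON Scanner"/>
<condition field="Object" operator="equals" value="SSL Certificate"/>
</and>
</filter>
</baseRule>
<!-- Custom logic for expiration date checking.
     Wrapped in CDATA: the script contains "<=" and "&&", which are not legal
     as bare element text and made the previous listing malformed XML. -->
<customCode>
<![CDATA[
// Parse the certificate expiration date from the raw message.
// LogMessage.Message is expected to hold the scanner's JSON document. When the
// event arrived over syslog it may still carry the "<date> <host> TYCHON:"
// prefix that the MPE pattern captures as event_data, so anything before the
// first "{" is dropped before parsing. A parse failure or a missing/invalid
// not_after returns false: a malformed (or forged) event must never abort the
// rule or raise an alarm.
var certData;
try {
    var raw = String(LogMessage.Message);
    var jsonStart = raw.indexOf('{');
    certData = JSON.parse(jsonStart > 0 ? raw.substring(jsonStart) : raw);
} catch (e) {
    return false;
}
if (!certData || !certData.certificate || !certData.certificate.not_after) {
    return false;
}
var expirationDate = new Date(certData.certificate.not_after);
if (isNaN(expirationDate.getTime())) {
    return false;
}
var msPerDay = 1000 * 60 * 60 * 24;
var daysUntilExpiration = (expirationDate - new Date()) / msPerDay;
// Alarm on anything inside the 30-day window. Certificates that have already
// expired (<= 0 days) are included on purpose: no other rule on this page
// covers them, and the dashboard query only labels them EXPIRED.
return daysUntilExpiration <= 30;
]]>
</customCode>
<actions>
<alarm priority="High" summary="Certificate Expiring Soon">
<field name="AlarmRuleGroup" value="Certificate Management"/>
<field name="AlarmStatus" value="New"/>
</alarm>
<notification type="email" recipients="security-team@company.com"/>
<!-- SECURITY: this fires automation straight from log content. If events
     reach the collector over plain UDP/TCP syslog (port 514, as in the
     scanner examples on this page) the input is neither authenticated nor
     integrity-protected, so a forged TYCHON line can start a renewal for any
     certificate it names. Deliver over TLS or file collection, or require
     analyst approval inside the CertificateRenewal workflow before it acts. -->
<response action="AutoResponse" workflow="CertificateRenewal"/>
</actions>
</rule>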
<rule name="TYCHON Weak Cipher Detection" enabled="true">
<description>Identifies weak or non-PQC ready cipher suites</description>
<baseRule>
<filter>
<and>
<condition field="CommonEvent" operator="equals" value="Cipher Analysis"/>
<condition field="Process" operator="equals" value="TYCHON Scanner"/>
<!-- Priority "High" and Classification "Security Violation" are both set by
     the "TYCHON Cipher Analysis" MPE rule only when security_level is "low",
     so this disjunction selects exactly the low-security events. -->
<or>
<condition field="Priority" operator="equals" value="High"/>
<condition field="Classification" operator="equals" value="Security Violation"/>
</or>
</and>
</filter>
</baseRule>
<!-- Advanced pattern matching for cipher analysis -->
<!-- NOTE(review): the AI Engine model and its "Message.cipher.*" source paths
     are given schematically; confirm the field-path syntax and that the
     model exists in the deployment before enabling this block. -->
<advancedIntelligence>
<aiEngine enabled="true">
<model name="CryptoSecurityModel">
<parameters>
<parameter name="algorithm_type" source="Object"/>
<parameter name="key_length" source="Message.cipher.key_length"/>
<parameter name="security_level" source="Message.cipher.intel.security_level"/>
<parameter name="pqc_ready" source="Message.cipher.intel.pqc_ready"/>
</parameters>
</model>
</aiEngine>
</advancedIntelligence>
<!-- Fires when >= 3 matching events share OriginHost and Object within one
     hour. Object is the literal "Cipher Suite" per the MPE rule on this page,
     so this effectively counts weak-cipher events per host, not per suite. -->
<aggregation>
<groupBy fields="OriginHost, Object"/>
<timeWindow value="1" unit="hours"/>
<threshold count="3" operator="greaterThanOrEqual"/>
</aggregation>
<actions>
<alarm priority="High" summary="Multiple Weak Ciphers Detected">
<field name="AlarmRuleGroup" value="Crypto Security"/>
<field name="ThreatLevel" value="High"/>
</alarm>
<!-- NOTE(review): the alarm is High but the case is opened as Medium; align
     the two or document why they differ. -->
<case priority="Medium" category="Security Incident"/>
<!-- SECURITY: the playbook is triggered by parsed log content. If events
     arrive over plain syslog (514) a forged TYCHON line can drive it; deliver
     over TLS or file collection, or gate the playbook on analyst approval. -->
<response action="SOAR" playbook="WeakCipherResponse"/>
</actions>
</rule>
Direct log file monitoring by LogRhythm System Monitor
# Configure scanner for file output
# Single fixed file name: each run writes over (or appends to, depending on the
# scanner) the previous result; use the timestamped variant shown earlier for
# an audit trail. Restrict /var/log/tychon to root and the System Monitor
# service account - the file enumerates hosts together with their weak crypto.
./certscanner -mode local -outputformat tychon \
-output /var/log/tychon/scan.json
# LogRhythm monitors /var/log/tychon/*.json
# Log Source Type: Custom TYCHON Scanner
# NOTE(review): the deployment steps at the end of this page call the log
# source type "TYCHON ACDI Scanner"; use one name consistently. Also, if the
# file log source reads line by line, the "tychon" format presumably needs to
# be one event per line for the MPE patterns to match - verify with a sample.
Real-time syslog forwarding to LogRhythm (prefer TLS on 6514 where the collector supports it; plain 514 is unencrypted and unauthenticated)
# Scanner outputs to syslog
# One flatndjson line per event, each becoming one syslog message tagged
# TYCHON (the MPE pattern's anchor). No -p is given, so logger's default
# facility applies; the Linux example earlier sends local0.info - pick one
# convention so the collector's facility filters match.
./certscanner -host targets.txt -outputformat flatndjson \
-output /dev/stdout | logger -t TYCHON
# Syslog forwards to LogRhythm collector
# Protocol: UDP/TCP 514 or TLS 6514
# Use TLS 6514 wherever possible: 514 carries these per-host findings in the
# clear and accepts spoofed senders, and the analytics rules on this page
# trigger automated responses from whatever arrives.
Common Event Format for structured security events
# Scanner outputs CEF format
./certscanner -host targets.txt -outputformat cef \
-output /var/log/tychon/cef-events.log
# LogRhythm parses CEF automatically
# Enhanced field mapping and correlation
# NOTE(review): automatic CEF parsing presumes a CEF-aware log source type.
# The custom MPE rules on this page anchor on the "TYCHON:" syslog tag and
# JSON field names, so they presumably do not apply to CEF lines; confirm
# which parser handles this source, since the analytics rules filter on the
# CommonEvent/Process/Object values those MPE rules set.
Direct API integration for real-time event ingestion
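# Custom integration via LogRhythm REST API
# Posts a whole scan result file in one request.
#   * The endpoint path is taken from the original example; confirm it against
#     the API version of your deployment before scripting against it.
#   * --fail makes curl exit non-zero on an HTTP error instead of printing the
#     error body and returning 0, so a rejected ingest is not mistaken for
#     success by a calling script.
#   * LR_TOKEN is asserted up front; an unset token would otherwise send
#     "Bearer " and fail with a less obvious 401.
#   * The token is still passed on the command line and is visible in the
#     process list for the duration of the call; on shared hosts put the
#     header line in a 0600 file and use `-H @/path/to/file` instead.
: "${LR_TOKEN:?LR_TOKEN must be set (LogRhythm API bearer token)}"
curl -sS --fail -X POST "https://logrhythm.company.com/lr-admin-api/logs" \
  -H "Authorization: Bearer $LR_TOKEN" \
  -H "Content-Type: application/json" \
  -d @tychon-scan-results.json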
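-- TYCHON Certificate Inventory Dashboard Query
-- One row per Certificate Discovery event from the last 7 days, with a status
-- derived from the certificate's not_after timestamp.
-- Notes:
--   * Subject is mapped by the MPE rule to certificate.subject.common_name, so
--     it is the subject CN, not the issuer; the column is now named SubjectCN
--     (dashboard widgets that referenced "Issuer" need updating).
--   * Object is set by the MPE rule to the literal "SSL Certificate"; it is
--     kept as CertificateName for compatibility but does not identify the
--     certificate - use SubjectCN/HostIP for that.
--   * not_after is parsed once via CROSS APPLY and with TRY_CAST, so a single
--     malformed value no longer fails the whole query; such rows show as
--     CertificateStatus = 'UNKNOWN'. If the scanner emits a timezone suffix
--     (e.g. a trailing 'Z'), cast to DATETIMEOFFSET instead of DATETIME.
--   * Ordering uses the parsed datetime rather than the raw string, so
--     non-ISO timestamp formats still sort chronologically.
SELECT
  lm.LogDate,
  lm.OriginHost,
  lm.Object AS CertificateName,
  lm.Subject AS SubjectCN,
  CASE
    WHEN x.NotAfter IS NULL THEN 'UNKNOWN'
    WHEN DATEDIFF(day, GETDATE(), x.NotAfter) <= 0 THEN 'EXPIRED'
    WHEN DATEDIFF(day, GETDATE(), x.NotAfter) <= 30 THEN 'EXPIRING_SOON'
    ELSE 'VALID'
  END AS CertificateStatus,
  JSON_VALUE(lm.NormalizedMessage, '$.certificate.not_after') AS ExpirationDate,
  JSON_VALUE(lm.NormalizedMessage, '$.target_host.address') AS HostIP
FROM LogMessage AS lm
CROSS APPLY (
  SELECT TRY_CAST(JSON_VALUE(lm.NormalizedMessage, '$.certificate.not_after') AS DATETIME) AS NotAfter
) AS x
WHERE
  lm.CommonEvent = 'Certificate Discovery'
  AND lm.Process = 'TYCHON Scanner'
  AND lm.LogDate >= DATEADD(day, -7, GETDATE())
ORDER BY x.NotAfter ASC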
-- Non-PQC-ready cipher suites observed in the last 30 days, most used first.
-- NOTE(review): Object is populated by the MPE rule; on this page it is the
-- literal "Cipher Suite", so rows collapse per host unless the mapping
-- carries the captured cipher_name. pqc_ready is compared as the string
-- 'false' because JSON_VALUE returns JSON booleans as text.
SELECT
  lm.OriginHost,
  lm.Object AS CipherSuite,
  ci.PQCReady,
  ci.SecurityLevel,
  COUNT(*) AS UsageCount
FROM LogMessage AS lm
CROSS APPLY (
  SELECT
    JSON_VALUE(lm.NormalizedMessage, '$.cipher.intel.pqc_ready') AS PQCReady,
    JSON_VALUE(lm.NormalizedMessage, '$.cipher.intel.security_level') AS SecurityLevel
) AS ci
WHERE
  lm.CommonEvent = 'Cipher Analysis'
  AND lm.Process = 'TYCHON Scanner'
  AND lm.LogDate >= DATEADD(day, -30, GETDATE())
  AND ci.PQCReady = 'false'
GROUP BY lm.OriginHost, lm.Object, ci.PQCReady, ci.SecurityLevel
ORDER BY UsageCount DESC
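-- Distribution of cipher security levels across hosts over the last 7 days.
-- Fix: the previous filter was JSON_VALUE(NormalizedMessage, '$.cipher') IS NOT
-- NULL. JSON_VALUE returns scalars only and yields NULL for an object or array
-- (lax mode), and the '$.cipher.intel.*' paths used throughout this page mean
-- cipher is a nested object, so the filter excluded every row. JSON_QUERY is
-- the object-aware test. Events without a security_level are still counted
-- and appear as a NULL bucket so parsing gaps stay visible.
SELECT
  ci.SecurityLevel,
  COUNT(DISTINCT lm.OriginHost) AS HostCount,
  COUNT(*) AS TotalInstances,
  CAST(COUNT(*) * 100.0 / SUM(COUNT(*)) OVER () AS DECIMAL(5,2)) AS Percentage
FROM LogMessage AS lm
CROSS APPLY (
  SELECT JSON_VALUE(lm.NormalizedMessage, '$.cipher.intel.security_level') AS SecurityLevel
) AS ci
WHERE
  lm.CommonEvent = 'Cipher Analysis'
  AND lm.Process = 'TYCHON Scanner'
  AND lm.LogDate >= DATEADD(day, -7, GETDATE())
  AND JSON_QUERY(lm.NormalizedMessage, '$.cipher') IS NOT NULL
GROUP BY ci.SecurityLevel
ORDER BY TotalInstances DESC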
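# PowerShell SmartResponse: TYCHON Follow-up Scan
#
# Invoked by a LogRhythm alarm. Runs a targeted TYCHON scan of the alarming
# host, attaches the result to the alarm's case and posts a Slack summary.
#
# Inputs (supplied by the SmartResponse action mapping):
#   AlarmID       - LogRhythm alarm identifier; used in file names and the
#                   Case API path.
#   HostIP        - host to rescan; used as a scanner argument and in the
#                   evidence file name.
#   SecurityEvent - free-text event description; currently informational only
#                   (not used by the script).
# Environment:
#   LR_API_TOKEN      - bearer token for the Case API (required).
#   SLACK_WEBHOOK_URL - optional; the Slack post is skipped when unset.
#
# SECURITY: AlarmID and HostIP originate from alarm data, which is ultimately
# derived from log content (and on a plain-syslog path, from whatever reached
# the collector). The previous version interpolated them into a string and ran
# it through Invoke-Expression, so a host value such as
#   1.2.3.4" ; <anything> ; "
# executed attacker-chosen PowerShell, and a value containing "..\" escaped
# the evidence directory. Both inputs are now validated and the scanner is
# invoked with discrete arguments.
param(
    [Parameter(Mandatory=$true)]
    [string]$AlarmID,
    [Parameter(Mandatory=$true)]
    [string]$HostIP,
    [Parameter(Mandatory=$true)]
    [string]$SecurityEvent
)

# --- Input validation ------------------------------------------------------
# AlarmID: digits only (it lands in a file name and a URL path segment).
if ($AlarmID -notmatch '^\d+$') {
    throw "Invalid AlarmID '$AlarmID': expected a numeric identifier"
}
# HostIP: an IPv4/IPv6 literal or a DNS hostname. Anything else (spaces,
# quotes, path separators, "..") is rejected rather than used anywhere.
$parsedIp = $null
$isIp = [System.Net.IPAddress]::TryParse($HostIP, [ref]$parsedIp)
$isHostname = $HostIP -match '^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
if (-not ($isIp -or $isHostname)) {
    throw "Invalid HostIP '$HostIP': expected an IP address or hostname"
}
if ([string]::IsNullOrEmpty($env:LR_API_TOKEN)) {
    throw 'LR_API_TOKEN is not set; cannot update the LogRhythm case'
}

# Evidence location. NOTE(review): C:\temp is writable by any local user; on a
# shared responder host use a dedicated directory with restrictive ACLs.
$evidenceDir = 'C:\temp'
# ':' (IPv6 literals) is not valid in Windows file names.
$safeHost = $HostIP -replace ':', '_'
$outputPath = Join-Path $evidenceDir "incident-${AlarmID}-${safeHost}.json"

# Initialize LogRhythm Case API connection
$headers = @{
    'Authorization' = "Bearer $env:LR_API_TOKEN"
    'Content-Type'  = 'application/json'
}

try {
    # Trigger additional TYCHON scan for detailed analysis. Arguments are
    # passed as an array to the call operator, so each value is exactly one
    # argv element - no shell re-parsing, no Invoke-Expression.
    $scannerArgs = @(
        '-host', $HostIP,
        '-cipherscan',
        '-outputformat', 'tychon',
        '-output', $outputPath,
        '-tags', "incident-response,alarm-${AlarmID}"
    )
    Write-Host "Executing TYCHON follow-up scan: C:\Tools\certscanner.exe $($scannerArgs -join ' ')"
    & 'C:\Tools\certscanner.exe' @scannerArgs
    # NOTE(review): any non-zero exit is treated as failure; confirm the
    # scanner does not use a non-zero code to signal "findings present".
    if ($LASTEXITCODE -ne 0) {
        throw "certscanner exited with code $LASTEXITCODE"
    }

    # Read scan results. -Raw hands ConvertFrom-Json a single string; piping
    # Get-Content line by line breaks on pretty-printed JSON.
    $scanResults = Get-Content -LiteralPath $outputPath -Raw -ErrorAction Stop | ConvertFrom-Json
    $findingsCount = @($scanResults).Count

    # Update LogRhythm case with scan results
    $caseUpdate = @{
        'evidence' = @{
            'type'           = 'file'
            'name'           = "TYCHON Follow-up Scan - $HostIP"
            'description'    = "Detailed crypto asset analysis triggered by alarm $AlarmID"
            'file_path'      = $outputPath
            'scan_timestamp' = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ss')
            'host_ip'        = $HostIP
            'findings_count' = $findingsCount
        }
    } | ConvertTo-Json -Depth 10
    # NOTE(review): endpoint path kept from the original action; confirm it
    # against the Case API version of the deployment.
    $caseApiUrl = "https://logrhythm.company.com/lr-case-api/cases/alarm/$AlarmID/evidence"
    Invoke-RestMethod -Uri $caseApiUrl -Method POST -Headers $headers -Body $caseUpdate | Out-Null

    # Send notification to security team. Best-effort and optional: a missing
    # webhook or a Slack outage must not turn a successful scan + case update
    # into a failed action (previously an unset SLACK_WEBHOOK_URL did exactly
    # that).
    $slackWebhook = $env:SLACK_WEBHOOK_URL
    if (-not [string]::IsNullOrEmpty($slackWebhook)) {
        $slackMessage = @{
            'text' = "🔍 TYCHON follow-up scan completed for alarm $AlarmID on host $HostIP"
            'attachments' = @(@{
                'color' = 'good'
                'fields' = @(
                    @{ 'title' = 'Host'; 'value' = $HostIP; 'short' = $true },
                    @{ 'title' = 'Alarm ID'; 'value' = $AlarmID; 'short' = $true },
                    @{ 'title' = 'Findings'; 'value' = $findingsCount; 'short' = $true },
                    @{ 'title' = 'Scan Time'; 'value' = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss'); 'short' = $true }
                )
            })
        } | ConvertTo-Json -Depth 10
        try {
            Invoke-RestMethod -Uri $slackWebhook -Method POST -Body $slackMessage -ContentType 'application/json' | Out-Null
        } catch {
            Write-Warning "Slack notification failed: $($_.Exception.Message)"
        }
    } else {
        Write-Warning 'SLACK_WEBHOOK_URL is not set; skipping Slack notification'
    }
    Write-Host "SmartResponse action completed successfully for alarm $AlarmID"
} catch {
    Write-Error "SmartResponse action failed: $($_.Exception.Message)"
    # Log failure to LogRhythm
    $errorLog = @{
        'message'   = "TYCHON SmartResponse failed for alarm $AlarmID"
        'error'     = $_.Exception.Message
        'host'      = $HostIP
        'timestamp' = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ss')
    } | ConvertTo-Json
    # Send to LogRhythm via syslog or API. Write-EventLog needs the source
    # registered once by an administrator:
    #   New-EventLog -LogName Application -Source "TYCHON SmartResponse"
    # Guard it so a missing source does not mask the original failure.
    try {
        Write-EventLog -LogName Application -Source "TYCHON SmartResponse" -EventID 1001 -Message $errorLog -EntryType Error
    } catch {
        Write-Warning "Could not write to the Application event log: $($_.Exception.Message)"
    }
    # Non-zero exit so LogRhythm records the action as failed rather than
    # silently succeeded.
    exit 1
}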
Set up custom MPE rules for TYCHON event parsing
# Access LogRhythm Deployment Manager
# Navigate to Rules → Message Processing Engine
# Import TYCHON-ACDI-Scan-Engine.xml MPE rules
# Test pattern matching with sample events
Configure System Monitors to collect TYCHON scanner output
# Deployment Manager → Host Manager → System Monitor
# New Log Source → Select collection method (Syslog/File/API)
# Set Log Source Type: TYCHON ACDI Scanner
# Apply Message Processing Policy
Deploy custom analytics rules for crypto security events
# Advanced Intelligence → Analytics Rules → New Rule
# Import certificate expiration and weak cipher rules
# Configure AI Engine parameters for enhanced detection
# Set thresholds and aggregation windows
Set up automated response workflows and SmartResponse actions
# SOAR → SmartResponse → New Action
# Upload PowerShell playbooks for automated responses
# Configure case management workflows
# Test notification and remediation actions
Configure TYCHON scanners with LogRhythm integration
# Configure scanners to output in LogRhythm-compatible format
# Feed file read by the System Monitor file log source configured in step 2.
# Same fixed-name caveat as the local example above: successive runs write the
# same path, so confirm the scanner's append/overwrite behaviour, rotate the
# file, and keep /var/log/tychon readable only by root and the collector
# account - it lists hosts together with their weak crypto.
./certscanner -host targets.txt -outputformat tychon \
-output /var/log/tychon/logrhythm-feed.json \
-tags "logrhythm,production"
Test event ingestion, rule triggering, and automated responses
# Run test scan and verify events in LogRhythm
# No -output is given, so the result presumably goes to stdout; pipe it to
# logger (or write it into the monitored directory) so it actually reaches
# the collector via whichever collection method was configured above.
./certscanner -host test-host.com -cipherscan -outputformat tychon
# Check Log Sources → Log Analysis for parsed events
# Verify custom fields are populated correctly
# Test analytics rules with synthetic data
# Include negative tests: a TYCHON-tagged line with malformed JSON, a missing
# not_after, or an unexpected security_level must neither trigger an alarm nor
# start the AutoResponse/SOAR workflows the analytics rules wire up.