System Settings
System Settings is the admin configuration hub for all RhythmX integrations and services. It is organized into three tabs: Integrations, DX Clusters, and LDAP & Auth.
Integrations
The Integrations tab configures how RhythmX connects to LogRhythm and external services.
LogRhythm SIEM Integration

Configure the connection to your LogRhythm platform for case synchronization and API access.
| Field | Description |
|---|---|
| LogRhythm Server IP | IP address or hostname of your LogRhythm server |
| LogRhythm JWT Token | Bearer token for the LogRhythm Case API. Obtain this from LogRhythm Admin > API Tokens |
Use Test Connection to verify connectivity before saving.
LogRhythm SQL Server (Alarms)

Connection to the LogRhythm alarm database for alarm retrieval, actor-based grouping, risk scoring, and MITRE ATT&CK mapping.
| Field | Description |
|---|---|
| SQL Server Host | IP address or hostname of the LogRhythm SQL Server |
| Port | SQL Server port (default: 1433) |
| Username | SQL Server login username |
| Password | SQL Server login password |
| Database | Database containing the Alarm tables (e.g., LogRhythm_Alarms) |
| Retention Days | How long to cache alarms locally (1–365 days) |
| Poll Interval (seconds) | Sync frequency (60–3600 seconds) |
Use Test Connection to validate credentials, View Status to check the current sync state, and Save Configuration to apply changes.
Syslog Forwarding

Configure syslog forwarding to send RhythmX detections to external SIEM systems or log collectors.
| Field | Description |
|---|---|
| Syslog Server Host | IP address or hostname of the destination syslog server |
| Port | Syslog port (default: 514) |
| Protocol | Transport protocol — TCP or UDP |
| Source Hostname | Identifier for RhythmX in syslog messages |
| Poll Interval (seconds) | How frequently to forward new detections |
AI/ML Services

Configure AI-powered threat triage and analysis capabilities.
Data Privacy
AI features are entirely opt-in. No data is sent to any external AI service until you configure an API key here. Without a key, all processing remains fully on-premises.
| Field | Description |
|---|---|
| API Key | OpenAI API key for AI-powered threat analysis |
| Azure OpenAI Configuration | Optional toggle to use Azure-hosted OpenAI instead of direct OpenAI |
DX Clusters

Configure the Data Indexer (DX) cluster connection for Hunt Mode. This determines which Elasticsearch cluster RhythmX queries when performing threat hunting and log searches.
Primary DX Cluster
The primary cluster is typically the local LogRhythm Data Indexer.
| Field | Description |
|---|---|
| Cluster Name | Display name for this cluster |
| Host / IP | DX Elasticsearch IP address |
| Port | HTTP API port (default: 9200) |
Use Test Connection to verify Elasticsearch connectivity and Save Primary Cluster to apply.
Remote DX Clusters
For multi-site deployments, additional remote DX clusters can be configured to enable cross-site threat hunting from a single RhythmX instance.
LDAP & Auth

Configure LDAP user synchronization and Active Directory authentication.
LDAP User Sync Configuration
Syncs users from your LDAP directory to the local RhythmX database for entity enrichment and risk scoring.
| Field | Description |
|---|---|
| LDAP Server Address | Hostname or IP of the LDAP server (e.g., ldap.company.local) |
| Service Account Username | LDAP bind account (e.g., DOMAIN\ldap_service) |
| Service Account Password | Password for the LDAP bind account |
| Base Distinguished Name | LDAP search base (e.g., DC=company,DC=local) |
AD Authentication Configuration
Enables LDAP/AD-based authentication for RhythmX user login. When enabled, users authenticate with their domain credentials instead of local accounts. The domain and credentials are extracted from the service account configured above.
Jira Integration
Configure the Jira integration to push incidents as tickets. See Jira & ServiceNow Integration for the full integration guide.
| Field | Description |
|---|---|
| Jira URL | Your Jira instance URL (e.g., https://yourcompany.atlassian.net) |
| Email | Jira account email for API authentication |
| API Token | Jira API token (generated from Atlassian account settings) |
| Project Key | The Jira project where tickets will be created |
| Issue Type | Ticket type (default: Task) |
| Enabled | Toggle the Jira integration on or off |
Use Test Connection to verify credentials before enabling.
ServiceNow Integration
Configure the ServiceNow integration to push incidents as tickets. See Jira & ServiceNow Integration for the full integration guide.
| Field | Description |
|---|---|
| Instance | Your ServiceNow instance (e.g., yourcompany.service-now.com) |
| Username | ServiceNow account username |
| Password | ServiceNow account password |
| Assignment Group | Default group for ticket assignment |
| Enabled | Toggle the ServiceNow integration on or off |
Use Test Connection to verify credentials before enabling.
API Key Management
Manage API keys for the External Feed API. Keys provide read-only access to all incidents and cases across all entities. See Integration Admin for the full API key lifecycle reference.
Incident Syslog Export
Configure syslog export to forward incident and case events to an external SIEM or log collector.
| Field | Description |
|---|---|
| Syslog Host | Destination syslog server hostname or IP |
| Port | Syslog port (default: 514) |
| Protocol | Transport protocol — TCP or UDP |
| Facility | Syslog facility code (default: 17 / local1) |
| Enabled | Toggle syslog export on or off |
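The following is an added example (not RhythmX code) that serves both the Syslog Forwarding section above and this Incident Syslog Export section: it builds the RFC 5424 line a collector would receive under the default facility 17 / local1, delivers it over the configured TCP or UDP transport, and parses the PRI back out so you can confirm on the receiving SIEM that events land under the expected facility and severity. The source hostname, application name, severity and event text are assumptions for illustration.

```python
import socket
from datetime import datetime, timezone

# Constructed values that mirror the page's syslog fields; hostname, app name,
# severity and event text are assumptions, not values emitted by RhythmX.
FACILITY_LOCAL1 = 17   # the page's default Facility (17 / local1)
SEVERITY_NOTICE = 5    # RFC 5424 severity used here for detection events (assumption)

def build_pri(facility: int, severity: int) -> int:
    """RFC 5424 PRI = facility * 8 + severity, with both ranges validated."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def build_message(source_hostname: str, app_name: str, msg: str,
                  facility: int = FACILITY_LOCAL1, severity: int = SEVERITY_NOTICE,
                  timestamp=None) -> str:
    """Format one RFC 5424 line as the collector receives it; PROCID, MSGID and
    STRUCTURED-DATA are left as NILVALUE ('-')."""
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{build_pri(facility, severity)}>1 {ts} {source_hostname} {app_name} - - - {msg}"

def parse_pri(line: str) -> tuple:
    """Recover (facility, severity) from a received line to check the collector's filing."""
    end = line.find(">")
    if not line.startswith("<") or end < 2 or end > 4:
        raise ValueError("missing or malformed PRI header")
    pri = int(line[1:end])
    return pri // 8, pri % 8

def send_message(line: str, host: str, port: int = 514, protocol: str = "UDP") -> None:
    """Deliver one line using the configured Protocol: TCP with newline framing, UDP as a datagram."""
    data = line.encode("utf-8")
    if protocol.upper() == "TCP":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")
    elif protocol.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        raise ValueError("Protocol must be TCP or UDP")

def sample_line() -> str:
    """Deterministic constructed example (fixed timestamp) of an exported detection."""
    return build_message("rhythmx01", "RhythmX", "detection=Suspicious logon entity=host42 risk=85",
                         timestamp=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(sample_line())
    print(parse_pri(sample_line()))   # (17, 5): facility local1, severity notice
```

Point `send_message` at a test collector and compare the facility the collector reports against the Facility configured here; a mismatch usually means the collector is re-tagging on ingest rather than RhythmX sending the wrong PRI.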