How to Make Your SIEM Speak

Your security teams can be responsible for managing a number of logs, so how do you make malicious behavior and alerts stand out? Using LogRhythm’s SmartResponse™, you can make your SIEM speak to you and audibly alert to a threat.

In the LogRhythm security operations center (SOC), we’re all about finding new ways to be notified of alarms, and we’re constantly building integrations to help our customers improve their security automation and orchestration (SAO).

So, we decided to look into some simple audible alarms. You, in fact, have the ability to talk through remote systems using PowerShell. However, it’s a bit more complicated than the “say” command that is available on the Mac OS X.

Creating a Say Command in PowerShell

The first step is to recreate a rudimentary version of “say” in PowerShell. This function is only a few lines of code and I’ve placed it in a Gist, so that you can download and run it quickly.

Click images to expand

Figure 1: Say Function Running the Audible Command LogRhythm in PowerShell

Figure 1: Say Function Running the Audible Command “LogRhythm” in PowerShell

 
function say {

    param( [string]$comment = $_ )

    [Reflection.Assembly]::LoadWithPartialName('System.Speech') | Out-Null

    $object = New-Object System.Speech.Synthesis.SpeechSynthesizer

    $object.SelectVoiceByHints('Female')

    $object.Speak("$comment")

Figure 2: Say Function Running the Audible Command LogRhythm in PowerShell

Figure 2: Say Function Running the Audible Command “LogRhythm” in PowerShell

When the alarm fires, make sure that you have your volume up! Or, better yet, configure a SmartResponse action to run a say command on the system that just committed the security violation.

Making the Affected System Speak

Figure 3: SmartResponse Runs Say Function on the System that Committed a Security Violation

Figure 3: SmartResponse Runs Say Function on the System that Committed a Security Violation

If you do put this SmartResponse capability into use, there is a bit of a caveat. You will need to string the sentences together using hyphens, “like-this-for-example.” When you run the script directly, regular sentences work fine. However, when tied in with SmartResponse, the script will only say the first word of the phrase unless you hyphenate or otherwise connect all of the words.

This SmartResponse capability has proven useful for alarms that require the use of other tools to investigate, such as physical security breaches and malware outbreak events.

Figure 4: The SIEM Speaks and Alerts to a Physical Security Breach

Figure 4: The SIEM Speaks and Alerts to a Physical Security Breach

This SmartResponse application is very simple, and it can only sometimes annoy those in the immediate vicinity of the SOC. However, it is able to easily and effectively alert your security team to a breach, allowing for an improved response time.