SMS Alerting Via SmartResponse

The Problem

Security analysts can’t always dedicate their time to monitoring the security operations center (SOC), nor do they always check the alerts that they receive via email, due to various reasons. Also, some alerts are simply more important than other alerts—important enough that you want to know about them right away and be notified in the most effective way possible, even when out of the office and disconnected from email. However, most people always have their phone with them and often have different alarms configured, depending on the type of message received (email, text, social media, etc.).

The Solution

SMS alert SmartResponse™!

This can be done multiple ways—one of which is to register a free Twilio account and use their API to send text messages via PowerShell. You can download the script at the link here.

Figure 1: Twilio Script

Click images to expand

The available script parameters are below:

-from_number : Defines the number to send the SMS from
-to_numbe : Defines the number that SMS messages should be sent to
-account_sid : Twilio Account SID
-auth_token : Twilio Authentication Token
-message : The SMS message text to send to the desired phone number

This SmartResponse allows SOC analysts to configure a separate alarm sound for SMS messages from the defined phone number, ensuring that they are adequately notified of a significant event. We did something similar when I worked for an IT consulting firm, and everyone had loud ring tones set for their on-call shift alerts, such as this:

Figure 2: LogRhythm SMS Alert Ring Tone

The SmartResponse itself has one action associated. However, you can configure this with different messages for each AI Engine rule. You just need to have a Twilio Phone Number, User ID, and Authentication Token—all of which you can get for free. The paid service just removes their “sent from free account” messages. I also left the message field completely open, so you can add whatever content you would like to the message text and customize per alarm.

Figure 3: Initiate SmartResponse

When the SmartResponse is launched, a notification is written to stdout, letting the SOC team know that the SMS alert was sent successfully.

Figure 4: Stdout Notification

There is potentially a lot more that can be done here. One of the reasons I went with Twilio was because you can also receive text messages at this number. So, it may be possible to send a response back and perform actions via text message response. (Potentially—I haven’t really looked into it yet.)

The Value

So, in setting this up, you can ensure that your security operations personnel and on-call IT staff are always able to be notified of significant alerts within your environment, enabling them to be reached easily when away from a computer and disconnected from an email.