Using the Internet of Things and SmartResponse to Receive SIEM Alarms

Wouldn’t it be great if you could be notified of SIEM alarms through the Internet of Things (IoT)? Well, now you can!

Introducing the Philips Hue SmartResponse and PowerShell script.

Imagine that your analysts are busy working on other things, and may not have the SIEM alarms page up at the moment. Then, the entire room goes red. Time to check the SIEM and see what just went down!

What is a SmartResponse?

SmartResponse™ uniquely enables automated incident response. SmartResponse plug-ins allow alarms that trigger in LogRhythm to launch actions—adding malicious hostnames to a blacklist, quarantining infected machines, removing users from an Active Directory group, or nearly anything that can be scripted. This has usually been done through PowerShell.

However, the SmartResponse framework allows for any language or program to be used, so long as it can be installed on the system that contains the LogRhythm Alarming and Response Manager (ARM) service.

The Philips Hue

For those of you who are unfamiliar, the Philips Hue is a “personal wireless lighting system” that allows users to control and change the color of household lights from their mobile device.

Philips Hue SmartResponse and PowerShell Script

The Philips Hue SmartResponse is very simple. Essentially, whenever an alarm fires, you can change the shade of all of the lights in a room or trigger a single light change if desired. You just need to ensure that the host you fire the SmartResponse from can talk to the Philips Hue Hub.

Figure 1: SmartResponse Integration with Philips Hue Changes the Light in the Room from White to Red


AI Engine (AIE) is a fully integrated component of the LogRhythm platform. Its wizard-based drag-and-drop GUI can be used for creating and customizing even complex rules, such as a rule that sets a specific color to correspond with a threatening alarm.

Figure 2: AI Engine Rule Wizard Helps Create and Customize a Rule that Changes Light Color to Red When an Alarm is Triggered


When the SmartResponse runs, a confirmation is also displayed within the LogRhythm platform, notifying the team of the SmartResponse plug-in execution and changing the light(s). (Assuming they didn’t already notice all of the lights in the vicinity change…)

Figure 3: A Confirmation is Displayed within LogRhythm, Accompanying the Light Change When the SmartResponse Runs


Using a PowerShell Script to Configure the Hue Hub

Given that most environments will not allow you to connect a mobile device to the corporate network in order to configure the Hue Hub for the first time, you’ll need another way to do this.

So, in addition to the SmartResponse, I’ve included a PowerShell script that allows you to interact with the hub, discover lights, and more. This enables SOC analysts to control the lights while connected to the same network as the hub, without the need to install unapproved applications or permit insecure devices on the corporate network. See the PowerShell script below:

.INSTALL
PoSHue is required - download it here or install it via command line
    https://github.com/lwsrbrts/PoSHue
    PS C:\> Install-Module -Name PoSHue

.CONFIGURE
Import the module and obtain an API key from the HUE Hub.
Push the button on the top of the hub and then run the following command:
    PS C:\> Invoke-Hue -hueIPaddress 10.10.10.10 -generateAPIkey

.SYNOPSIS
Prepare HUE authentication and groups for use
PS C:\> Invoke-Hue -generateAPIkey

.SYNOPSIS
Gather information on lights and rooms
PS C:\> Invoke-Hue -lightInfo -hueIPaddress <ip> -hueAPIkey <key>

.SYNOPSIS
Interact with the lights

First, turn the light on:
    PS C:\> Invoke-Hue -hueIPaddress <ip> -hueAPIkey <key> -room -on

Then, change colors as desired:
    PS C:\> Invoke-Hue -lightInfo -hueIPaddress <ip> -hueAPIkey <key> -red

The first step is pulling an API key. Just hit the pairing button on the hub and run “Invoke-Hue” with the “-generateAPIkey” flag.

Figure 4: Generating an API key


The script will automatically find the Hue Hub, obtain an API key, and store the returned key in a variable in the current session. Make sure to document this key for later use. You may also choose to add the key to the script directly, if you don’t want to supply it every time you change the lights.

Remember that storing the key inside the script has security implications: whoever can read the script can control the lights. Once you’re connected, you can obtain a listing of the lights and rooms by using the “-lightInfo” switch.

Figure 5: The PowerShell Script Connects to the Hue Hub and Obtains a List of Available Lights


Then, you’re ready to start controlling the lights via the “-room” and “-light” switches.

Figure 6: The PowerShell Script Turns Office Lights On


There are various color options configured. I normally default to “red” for AI Engine alarms that are of significant concern.

Figure 7: The Color Option “Red” is Used for Alarms that are of Significant Concern
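As an added example (not the script from the post, and not the PoSHue module’s API), here is a minimal SmartResponse-style action that turns a whole room red by calling the Hue bridge’s REST API directly with Invoke-RestMethod. It assumes, for illustration, that the API key was saved once with Export-Clixml (DPAPI-protected) by the same account the ARM service runs as, and that a group named “Office” exists on the bridge.

```powershell
# Added example, not the post's script: SmartResponse-style action that sets a
# Hue room to an alarm colour via the bridge REST API (PUT /groups/<id>/action).
# Assumed: $KeyFile was written by the ARM service account on this host with
#   Read-Host -AsSecureString | Export-Clixml <KeyFile>
# so the key is never embedded in the script itself.
param(
    [Parameter(Mandatory)][string]$HueIPAddress,
    [string]$KeyFile = "$env:ProgramData\LogRhythm\hue-apikey.xml",  # assumed path
    [string]$Room = 'Office',                                         # assumed group name
    [ValidateSet('red','orange','green','white')][string]$Color = 'red',
    [string]$AlarmName = 'unknown'   # e.g. an alarm field the ARM passes as an argument
)

# Load the DPAPI-protected key and convert the SecureString back to plain text in memory.
$secure = Import-Clixml -Path $KeyFile
$apiKey = [System.Net.NetworkCredential]::new('', $secure).Password

# Hue colour model: hue 0..65535 around the colour wheel, sat/bri 0..254 (values approximate).
$palette = @{
    red    = @{ hue = 0;     sat = 254; bri = 254 }
    orange = @{ hue = 6000;  sat = 254; bri = 254 }
    green  = @{ hue = 25500; sat = 254; bri = 254 }
    white  = @{ hue = 0;     sat = 0;   bri = 254 }
}

$base = "http://$HueIPAddress/api/$apiKey"

# GET /groups returns an object keyed by group id; resolve the room name to its id.
$groups  = Invoke-RestMethod -Uri "$base/groups" -Method Get
$groupId = $groups.PSObject.Properties |
    Where-Object { $_.Value.name -eq $Room } |
    Select-Object -First 1 -ExpandProperty Name
if (-not $groupId) { throw "Room '$Room' not found on bridge $HueIPAddress" }

# One PUT changes every light in the room; 'alert = select' adds a single flash.
$state  = $palette[$Color] + @{ on = $true; alert = 'select' }
$body   = $state | ConvertTo-Json -Compress
$result = Invoke-RestMethod -Uri "$base/groups/$groupId/action" -Method Put `
          -Body $body -ContentType 'application/json'

# The bridge answers with an array of success/error objects; raise errors so the
# ARM records a failed SmartResponse instead of a silent no-op.
$failed = $result | Where-Object { $_.PSObject.Properties.Name -contains 'error' }
if ($failed) { throw ($failed.error.description -join '; ') }
Write-Output "Hue SmartResponse: room '$Room' set to $Color for alarm '$AlarmName'"
```

Because Import-Clixml protects the key with DPAPI for the user who exported it, the file has to be created on the ARM host under the service account, which is also what keeps the key out of the script and out of the SmartResponse plug-in package.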


Figure 8: The PowerShell Script Turns Office Lights Off


I’m looking to add more options and include patterns, such as pulse / disco mode. So, if you have ideas, don’t be afraid to leave a comment!

“Your Personal Wireless Lighting System.” Philips Hue. Web. Accessed 21 June 2017.
