Wouldn’t it be great if you could be notified of SIEM alarms through the Internet of Things (IoT)? Well, now you can!
Introducing the Philips Hue SmartResponse™ and PowerShell script.
Imagine that your analysts are busy working on other things, and may not have the SIEM alarms page up at the moment. Then, the entire room goes red. Time to check the SIEM and see what just went down!
What is a SmartResponse?
SmartResponse uniquely enables automated incident response. SmartResponse plug-ins allow alarms that trigger in LogRhythm to launch actions—adding malicious hostnames to a blacklist, quarantining infected machines, removing users from an Active Directory Group, or nearly anything that can be scripted. This has usually been done through PowerShell.
However, the SmartResponse framework allows for any language or program to be used, so long as it can be installed on the system that contains the LogRhythm Alarming and Response Manager (ARM) service.
The Philips Hue
For those of you who are unfamiliar, the Philips Hue is a “personal wireless lighting system” that allows users to control and change the color of household lights from their mobile device.
Philips Hue SmartResponse and PowerShell Script
The Philips Hue SmartResponse is very simple. Essentially, whenever an alarm fires, you can change the shade of all of the lights in a room or trigger a single light change if desired. You just need to ensure that the host you fire the SmartResponse from can talk to the Philips Hue Hub.
Figure 1: SmartResponse Integration with Philips Hue Changes the Light in the Room from White to Red
AI Engine (AIE) is a fully integrated component of the LogRhythm platform. Its wizard-based drag-and-drop GUI can be used for creating and customizing even complex rules, such as a rule that sets a specific color to correspond with a threatening alarm.
Figure 2: AI Engine Rule Wizard Helps Create and Customize a Rule that Changes Light Color to Red When an Alarm is Triggered
When the SmartResponse runs, a confirmation is also displayed within the LogRhythm platform, notifying the team of the SmartResponse plug-in execution and changing the light(s). (Assuming they didn’t already notice all of the lights in the vicinity change…)
Figure 3: A Confirmation is Displayed within LogRhythm, Accompanying the Light Change When the SmartResponse Runs
Using a PowerShell Script to Configure the Hue Hub
Given that most environments will not allow you to connect a mobile device to the corporate network in order to configure the Hue Hub for the first time, you’ll need another way to do this.
So, in addition to the SmartResponse, I’ve included a PowerShell script that allows you to interact with the hub, discover lights, and more. This enables SOC analysts to control the lights while connected to the same network as the hub, without the need to install unapproved applications or permit insecure devices on the corporate network. See the PowerShell script below:
The first step is pulling an API key. Just hit the pairing button on the hub and run “Invoke-Hue” with the “-generateAPIkey” flag.
Figure 4: Generating an API key
The script will automatically find the Hue Hub, obtain an API key, and set the returned key as a variable in the current session. Make sure to document this key for later usage. You may also choose to add this key to the script directly, if you don’t want to include it every time that you want to change the lights.
Be mindful of the security implications of storing your key within the script. Once you’re connected, you can obtain a listing of the lights and rooms by using the “-lightInfo” switch.
Figure 5: The PowerShell Script Connects to the Hue Hub and Obtains a List of Available Lights
Then, you’re ready to start controlling the lights via the “-room” and “-light” switches.
Figure 6: The PowerShell Script Turns Office Lights On
There are various color options configured. I normally default to “red” for AI Engine alarms that are of significant concern.
Figure 8: The PowerShell Script Turns Office Lights Off
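As an added example (not the author’s Invoke-Hue script or the SmartResponse plug-in itself), the following PowerShell sketch walks through the same three steps against the Hue bridge’s local REST API: pairing for an API key, listing lights, and setting a light or room to a color. The bridge address, the device-type label, and the color table are assumptions for the demo.

```powershell
# Added example, not the post's Invoke-Hue script. Assumes the bridge IP is already
# known (e.g. from https://discovery.meethue.com) and the analyst host can reach it.
$BridgeIp = '192.0.2.10'   # placeholder; replace with your bridge address

function New-HueApiKey {
    # Press the physical link button on the bridge first, then call this within ~30 s.
    param([string]$DeviceType = 'logrhythm-smartresponse#soc')   # assumed label
    $body = @{ devicetype = $DeviceType } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Uri "http://$BridgeIp/api" -Body $body -ContentType 'application/json'
    if ($resp[0].error) {
        # Error type 101 means the link button was not pressed; report whatever the bridge said
        throw "Bridge refused pairing: $($resp[0].error.description)"
    }
    # Treat the returned username as a secret: it grants full control of the lights.
    return $resp[0].success.username
}

function Get-HueLights {
    param([Parameter(Mandatory)][string]$ApiKey)
    $lights = Invoke-RestMethod -Uri "http://$BridgeIp/api/$ApiKey/lights"
    # The bridge returns one object keyed by light id; flatten it for display
    foreach ($id in $lights.PSObject.Properties.Name) {
        [pscustomobject]@{ Id = $id; Name = $lights.$id.name; On = $lights.$id.state.on }
    }
}

function Set-HueColor {
    # Sets one light (/lights/<id>/state) or a whole room, i.e. a group (/groups/<id>/action).
    param(
        [Parameter(Mandatory)][string]$ApiKey,
        [string]$Light, [string]$Room,
        [ValidateSet('red','green','blue','white')][string]$Color = 'red'
    )
    # Hue runs 0-65535 around the color wheel, sat 0-254; small assumed palette for the demo
    $palette = @{ red = 0; green = 21845; blue = 43690; white = 0 }
    $sat = if ($Color -eq 'white') { 0 } else { 254 }
    $state = @{ on = $true; bri = 254; hue = $palette[$Color]; sat = $sat }
    if ($Room) { $uri = "http://$BridgeIp/api/$ApiKey/groups/$Room/action" }
    else       { $uri = "http://$BridgeIp/api/$ApiKey/lights/$Light/state" }
    Invoke-RestMethod -Method Put -Uri $uri -Body ($state | ConvertTo-Json -Compress) -ContentType 'application/json'
}

# Typical flow from the post: pair once, record the key, then react to an alarm
# $key = New-HueApiKey
# Get-HueLights -ApiKey $key
# Set-HueColor -ApiKey $key -Room 1 -Color red
```

Passing the key as a parameter rather than hard-coding it keeps the secret out of the script file; the SmartResponse can supply it from a protected configuration value at run time.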
I’m looking to add more options and include patterns, such as pulse / disco mode. So, if you have ideas, don’t be afraid to leave a comment!