Question

Ingesting Twilio SMS into Sec Ops

  • March 6, 2026
  • 3 replies
  • 56 views

dtoresi

Looking for help on how to configure a feed via webhook or other means in Sec Ops for Twilio SMS. I could only find a configuration for Twilio Audit or Twilio Authy. Has anyone ever done this?

3 replies

Eoved
  • Bronze 2
  • March 7, 2026

Hello,

There isn’t a prebuilt integration for this at the moment, but there are a few good ways to approach it. One option is to export the logs via API and forward them to SecOps using tools like BindPlane or Functions.

With a combination of these tools and some basic API scripts, we should be able to store the logs and send them to Google SecOps without much trouble.


hzmndt
Staff
  • Staff
  • March 8, 2026

@dtoresi 

For SecOps SIEM, we have two default labels for Twilio but without a default parser. For Twilio SMS, are you looking at ingestion label as well? You can create a custom log type like Twilio_SMS if required, document is below, then use auto extraction feature to extract the UDM fields as extracted fields.

https://docs.cloud.google.com/chronicle/docs/event-processing/request-log-type

https://docs.cloud.google.com/chronicle/docs/event-processing/auto-extraction

Twilio Audit: TWILIO_AUDIT
Twilio Authy: TWILIO_AUTHY

 

For SecOps SOAR, we have default integration to send SMS for example: 

https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/twilio#send_sms


gkush
Staff
  • Staff
  • March 9, 2026

SecOps will let you configure a WebHook-based feed for either of the two Twilio log types that have labels out of the box.  The same is probably true (direct WebHook support) if you create the label on your own.

The suggestion of using auto-extraction to UDM is valid if the Twilio output is JSON or XML.  Today, that wouldn’t work for CSV/Syslog/KV pairs.  

 

Something else I would try, once the data comes in, would be going into the AI Labs extensions in your tenant and using the NL Parser Extension feature.  I’ve used it successfully to generate valid parsing definitions for unmapped log data.
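
Added example, not part of any reply in this thread: Twilio delivers SMS webhooks as form-encoded key/value parameters signed with an `X-Twilio-Signature` header, so a small relay can verify that signature and re-emit the event as JSON, the shape auto-extraction is said above to handle. The function names, collector URL, token and sample message are constructed for illustration, and forwarding the JSON line to a SecOps feed is left out because the thread gives no endpoint.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qsl

# Constructed sample values; none of them come from the thread.
SAMPLE_TOKEN = "constructed-test-token"
SAMPLE_URL = "https://collector.example.com/twilio/sms"
SAMPLE_BODY = (
    "MessageSid=SM00000000000000000000000000000000"
    "&From=%2B15550100001&To=%2B15550100002"
    "&Body=hello+world&SmsStatus=received"
)


def twilio_signature(auth_token, url, params):
    """HMAC-SHA1 over the URL plus each parameter name and value, sorted by name, base64-encoded."""
    data = url + "".join(name + params[name] for name in sorted(params))
    digest = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def webhook_to_json(auth_token, url, raw_body, signature_header):
    """Return one JSON log line for a verified webhook, or None if the signature fails."""
    params = dict(parse_qsl(raw_body, keep_blank_values=True))
    expected = twilio_signature(auth_token, url, params)
    supplied = (signature_header or "").encode()
    if not hmac.compare_digest(expected.encode(), supplied):
        return None  # drop unsigned or tampered requests before they reach the SIEM
    return json.dumps(params, sort_keys=True)


if __name__ == "__main__":
    sig = twilio_signature(SAMPLE_TOKEN, SAMPLE_URL, dict(parse_qsl(SAMPLE_BODY)))
    print(webhook_to_json(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_BODY, sig))
```

The URL passed in must be the exact public URL Twilio was configured to call, otherwise valid requests fail verification.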