One of our primary goals when we started LimaCharlie was to make endpoint capability accessible to as many people as we could. We just took another small step towards that goal by creating a wizard that lets you create simple detection & response rules with just a few clicks.
The detection & response wizard allows less technical users, or users new to the platform, to create a wide variety of detection and response rules that can be applied to all endpoints, or subset thereof, at the click of a button.
The wizard enables you to create rules around the following indicators of compromise (IOC).
Executable path suffix (or simply executable name)
The IOC's can then be selected to target specific operating systems. Your detection can be enabled to only run on any combination of Windows, Mac, Linux.
Finally, once your detection rule has been created you can select what you want to do for a response. There are three responses you can choose from and they are as follows.
Kill the process that triggered the detection
Isolate the host (you are still able to communicate with the agent but the machine is unable to communicate across the network)
Send a report of the incident through the output channels
The GUI builder for rules does not stop there. Once you have created your detection and response you can switch over to the Advanced tab and edit the YAML directly. By editing the YAML directly you can make complex additions or chain multiple detection and response sequences together.
We think this new detection & response wizard is great and we hope you do as well. We are going to continue to work at making endpoint capability more accessible and welcome any feedback.