Organizing Detection & Response Rules
Serverless Detection & Response rules are a game changer for most of our customers. Being able to deploy a rule within seconds, have it take effect immediately, and use it to interact with, investigate or mitigate on an endpoint through the LimaCharlie agent will do that to you.

An aspect that is often overlooked initially though is the organization of the rules themselves. This is important for most organizations and it is critical for Managed Security Service Providers that manage multiple other organizations.

Having a clear reference of which rules are running where - and which version of those rules - is critical to smooth operations.

If only you had a solution for this that didn't force you into some sub-par vendor-mandated interface. If only you could use Git (or your favorite source code repository), since after all it's the perfect system for tracking configuration through time and versions.

Organizing Detections

Enter the LimaCharlie Python API. This API lets you get specific feeds of live data from your agents, query your LimaCharlie configuration, change it, send tasks to agents, and so on.

New to the Python API is the Sync functionality. It is available as a pure API, but we'll discuss the command line portion here since it is easier to explain.

This tool allows you to download your current LimaCharlie Detection & Response rules configuration to a config file, and to do the reverse by pushing the rules into your organization.

What makes this particularly useful is the ability to structure your configuration files with an "include" statement, which lets you create a hierarchy of rules and combine them in whatever way you see fit.

Let's see a quick example:

LCConf (the default config file name)

version: 1
include:
  - subsets/secondary.yml
rules:
  VirusTotal:
    detect:
      event: CODE_IDENTITY
      metadata_rules:
        length of: true
        op: is greater than
        path: /
        value: 0
      op: lookup
      path: event/HASH
      resource: lcr://api/vt
    respond:
      - action: report
        name: virustotal

subsets/secondary.yml

version: 1
rules:
  win-suspicious-exec-name:
    detect:
      op: external
      resource: lcr://detection/win-suspicious-exec-name
      name: win-suspicious-exec-name
    respond:
      - action: report
        name: win-suspicious-exec-name
      - action: task
        command: history_dump

The top file defines a single D&R rule named "VirusTotal", but it also includes a file in the "subsets" directory called "secondary.yml". This secondary file contains a detection called "win-suspicious-exec-name". So if you do a "push" using Sync, those files will get combined and put into effect in your organization.

The configuration files are YAML. Since the files get combined at push time, you can maintain them in a repository independently and tweak them as a team.

How exactly do you fetch the config and push the rules? Doesn't get any easier:

Download the configs locally:

python -m limacharlie.Sync ORGANIZATION-ID fetch

Push the local config to the cloud:

python -m limacharlie.Sync ORGANIZATION-ID push

The sync tool also supports arguments like --dry-run and --force. For a full description see the documentation here.
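A fetch followed by a push is, in effect, a reconciliation between what the organization currently runs and what the repository says it should run. The added example below (not the Sync tool's own code, and not a description of what its --dry-run or --force flags do internally) computes that plan from two constructed rule sets: `REMOTE` stands in for the rules a fetch would return, `LOCAL` for the merged local config about to be pushed. Refusing to apply a plan that deletes rules unless the caller opts in is a policy chosen for this example.

```python
"""Plan what a push would change, before touching the organization.

Added example, not SDK code. REMOTE and LOCAL are constructed rule sets;
"legacy-rule" is a made-up rule name that exists only in the org.
"""
import json

REMOTE = {  # constructed: what `fetch` returned from the org
    "VirusTotal": {
        "detect": {"event": "CODE_IDENTITY", "op": "lookup",
                   "path": "event/HASH", "resource": "lcr://api/vt"},
        "respond": [{"action": "report", "name": "virustotal"}],
    },
    "legacy-rule": {
        "detect": {"event": "NEW_PROCESS", "op": "is", "path": "event/FILE_PATH",
                   "value": "C:\\old\\tool.exe"},
        "respond": [{"action": "report", "name": "legacy"}],
    },
}

LOCAL = {  # constructed: the merged repository config (LCConf + includes)
    "VirusTotal": {
        "detect": {"event": "CODE_IDENTITY",
                   "metadata_rules": {"length of": True, "op": "is greater than",
                                      "path": "/", "value": 0},
                   "op": "lookup", "path": "event/HASH", "resource": "lcr://api/vt"},
        "respond": [{"action": "report", "name": "virustotal"}],
    },
    "win-suspicious-exec-name": {
        "detect": {"op": "external",
                   "resource": "lcr://detection/win-suspicious-exec-name",
                   "name": "win-suspicious-exec-name"},
        "respond": [{"action": "report", "name": "win-suspicious-exec-name"},
                    {"action": "task", "command": "history_dump"}],
    },
}


def canonical(rule):
    """Order-independent serialization so key ordering differences are not 'changes'."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":"))


def plan(remote, local):
    """Classify every rule name as add / update / remove / unchanged (lists sorted)."""
    p = {"add": [], "update": [], "remove": [], "unchanged": []}
    for name in sorted(set(remote) | set(local)):
        if name not in remote:
            p["add"].append(name)
        elif name not in local:
            p["remove"].append(name)
        elif canonical(remote[name]) != canonical(local[name]):
            p["update"].append(name)
        else:
            p["unchanged"].append(name)
    return p


def apply_plan(remote, local, allow_remove=False):
    """Return the rule set the org would hold after the push.

    Deleting a detection silently is the riskiest outcome of a sync, so this
    example's policy is to refuse removals unless explicitly allowed.
    """
    p = plan(remote, local)
    if p["remove"] and not allow_remove:
        raise RuntimeError(f"push would remove rules {p['remove']}; confirm explicitly")
    return {name: local[name] for name in local}


if __name__ == "__main__":
    for kind, names in plan(REMOTE, LOCAL).items():
        for name in names:
            print(f"{kind:9s} {name}")
```

Run the plan as part of code review on the repository, and treat a non-empty "remove" list as something a human signs off on; an update on a rule that nobody touched in the commit is a sign that the organization was edited outside the repository and the fetch/push loop has drifted.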