LimaCharlie is launching Replay: a new capability that lets organizations hunt retroactively through stored telemetry and build Continuous Integration (CI) / Continuous Delivery (CD) into their detection systems.
At its heart, Replay lets you retroactively apply Detection & Response (D&R) rules to LimaCharlie telemetry from any point in time during the last year, or from whenever the telemetry storage feature, Insight, was turned on, whichever is more recent.
This lets you search historical telemetry for specific indicators of compromise (IOCs) and run complete D&R rules, including those that use threat feeds, APIs or other operators, against it.
Replay is currently available through the LimaCharlie CLI and REST API with a web interface coming soon.
An example of how Replay can add value:
An attacker is found, and the technique believed to be in common use is dropping unsigned executables in System32 that make outbound network connections to port 443. The following rule captures that behaviour:
detect:
  event: NETWORK_SUMMARY
  op: and
  rules:
    - op: is windows
    - op: is
      path: event/PROCESS/FILE_IS_SIGNED
      value: 0
    - op: contains
      path: event/PROCESS/FILE_PATH
      value: system32
      case sensitive: false
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/IS_OUTGOING
      value: 1
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/DESTINATION/PORT
      value: 443
respond:
  - action: report
    name: sys32-outbound-unsigned
To run that rule (saved as rule.yaml) against the last seven days (604800 seconds) of telemetry from every sensor in the organization, you would run the following:
limacharlie-replay --entire-org --last-seconds 604800 --rule-content ./rule.yaml
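To make the retroactive evaluation concrete, here is an added example (not LimaCharlie's rule engine, CLI or storage format) that reimplements just the operators the rule above uses (and, is, contains, is windows), applies the rule to a handful of constructed NETWORK_SUMMARY records with the same one-week window as the command above, and returns a report per match. The record layout (a routing block with sensor ID, platform and event time next to the event body), the sensor IDs, file paths and timestamps are all constructed for the example, and the treatment of list-valued paths (any element satisfies an operator) is an assumption of this simplified evaluator.

```python
"""Miniature replay of the page's D&R rule over stored NETWORK_SUMMARY events.

Added example, not LimaCharlie's engine or CLI: only the operators used by
the rule above are implemented. Record layout, sensor IDs, paths and
timestamps are constructed for the example.
"""
from typing import Any, Iterator

# The page's rule as the dict a YAML loader would produce from rule.yaml.
RULE: dict = {
    "detect": {
        "event": "NETWORK_SUMMARY",
        "op": "and",
        "rules": [
            {"op": "is windows"},
            {"op": "is", "path": "event/PROCESS/FILE_IS_SIGNED", "value": 0},
            {"op": "contains", "path": "event/PROCESS/FILE_PATH",
             "value": "system32", "case sensitive": False},
            {"op": "is", "path": "event/PROCESS/NETWORK_ACTIVITY/IS_OUTGOING", "value": 1},
            {"op": "is", "path": "event/PROCESS/NETWORK_ACTIVITY/DESTINATION/PORT", "value": 443},
        ],
    },
    "respond": [{"action": "report", "name": "sys32-outbound-unsigned"}],
}

WEEK = 604800          # the --last-seconds value used on the page
NOW = 1_600_000_000    # constructed "current time" anchoring the window


def _conn(is_outgoing: int, port: int) -> dict:
    return {"IS_OUTGOING": is_outgoing, "DESTINATION": {"PORT": port}}


def _record(sid: str, platform: str, age: int, path: str, signed: int, conns: list) -> dict:
    """Constructed stored record: routing metadata plus the event body (assumed layout)."""
    return {
        "routing": {"sid": sid, "platform": platform, "event_type": "NETWORK_SUMMARY",
                    "event_time": NOW - age},
        "event": {"PROCESS": {"FILE_PATH": path, "FILE_IS_SIGNED": signed,
                              "NETWORK_ACTIVITY": conns}},
    }


# Constructed historical telemetry, oldest first.
EVENTS = [
    _record("s-1", "windows", 30 * 86400, r"C:\Windows\System32\upd.exe", 0, [_conn(1, 443)]),   # outside a 1-week window
    _record("s-2", "windows", 3 * 86400, r"C:\Windows\System32\upd.exe", 0, [_conn(1, 443)]),    # true positive
    _record("s-3", "windows", 2 * 86400, r"C:\Windows\System32\sync.exe", 1, [_conn(1, 443)]),   # signed: no match
    _record("s-4", "windows", 2 * 86400, r"C:\Users\bob\AppData\Local\Temp\a.exe", 0, [_conn(1, 443)]),  # not System32
    _record("s-5", "linux", 1 * 86400, "/opt/system32/helper", 0, [_conn(1, 443)]),              # not Windows
    _record("s-6", "windows", 1 * 86400, r"C:\Windows\System32\relay.exe", 0, [_conn(0, 443), _conn(1, 8443)]),  # no single outbound-443 connection
]


def resolve(obj: Any, parts: list[str]) -> Iterator[Any]:
    """Yield every value at a slash-separated path, fanning out through lists.

    NETWORK_ACTIVITY holds one entry per connection, so a path can resolve to
    several values; here an operator is satisfied if any of them matches
    (an assumption of this simplified evaluator).
    """
    if not parts:
        yield obj
    elif isinstance(obj, list):
        for item in obj:
            yield from resolve(item, parts)
    elif isinstance(obj, dict) and parts[0] in obj:
        yield from resolve(obj[parts[0]], parts[1:])


def matches(node: dict, record: dict) -> bool:
    """Evaluate one rule node against one stored record."""
    op = node["op"]
    if op == "and":
        return all(matches(child, record) for child in node["rules"])
    if op == "or":
        return any(matches(child, record) for child in node["rules"])
    if op == "is windows":
        return record["routing"]["platform"] == "windows"
    values = list(resolve(record, node["path"].split("/")))
    if op == "is":
        return any(v == node["value"] for v in values)
    if op == "contains":
        fold = not node.get("case sensitive", True)
        needle = str(node["value"]).lower() if fold else str(node["value"])
        return any(needle in (str(v).lower() if fold else str(v)) for v in values)
    raise ValueError(f"operator not implemented in this example: {op}")


def replay(rule: dict, events: list[dict], last_seconds: int, now: int = NOW) -> list[dict]:
    """Apply the rule to every stored event from the last `last_seconds` and
    return one report per match, the way a Replay run reports detections."""
    detect = rule["detect"]
    since = now - last_seconds
    reports = []
    for rec in events:
        routing = rec["routing"]
        if routing["event_time"] < since or routing["event_type"] != detect["event"]:
            continue
        if matches(detect, rec):
            for action in rule["respond"]:
                if action["action"] == "report":
                    reports.append({"name": action["name"], "sid": routing["sid"],
                                    "event_time": routing["event_time"],
                                    "file_path": rec["event"]["PROCESS"]["FILE_PATH"]})
    return reports


if __name__ == "__main__":
    for report in replay(RULE, EVENTS, WEEK):
        print(report)
```

With the one-week window the run reports s-2 and s-6; widening the window to 60 days pulls in s-1 as well. Note that s-6 fires even though none of its connections is an outbound connection to port 443: the two path conditions are each satisfied by a different element of NETWORK_ACTIVITY, because each operator is evaluated independently. Whether the production engine treats list elements the same way is exactly the kind of question a Replay run over real telemetry answers before the rule goes live.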
Not only does Replay let LimaCharlie users search their historical telemetry for IOCs and build CI/CD into their detection pipelines, it also speeds up rule development: a new rule can be run immediately against historical data to see what it detects and what it misses before it is deployed live.
The team at LimaCharlie is extremely excited about all the possibilities that this new functionality opens up. If you have any questions regarding Replay, or any other capability, please do not hesitate to contact us.