Running Detections Against Historical Data

 

LimaCharlie is launching Replay: a powerful new capability that allows organizations to perform retroactive hunting or build Continuous Delivery (CD) / Continuous Integration (CI) into their detection systems.

At its heart , Replay allows you to retroactively apply Detection & Response (D&R) rules to LimaCharlie traffic from any point in time during the last year or whenever the telemetry storage feature, Insight, was turned on.

This ability enables you to look for specific indicators of compromise (IOC) and run complete D&R rules, including threat feeds, APIs or operators against historical telemetry.

Replay is currently available through the LimaCharlie CLI and REST API with a web interface coming soon.

An example of how Replay can add value:

An attacker is found and it is believed that the common technique used is to drop executables in System32 which perform network connections outbound to port 443. These executables are not signed.

 
detect:
  event: NETWORK_SUMMARY
  op: and
  rules:
    - op: is windows
    - op: is
      path: event/PROCESS/FILE_IS_SIGNED
      value: 0
    - op: contains
      path: event/PROCESS/FILE_PATH
      value: system32
      case sensitive: false
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/IS_OUTGOING
      value: 1
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/DESTINATION/PORT
      value: 443
respond:
- action: report
  name: sys32-outbound-unsigned

And then to launch the query given as an example above you would run the following.

 
limacharlie-replay --entire-org --last-seconds 604800 --rule-content ./rule.yaml

Not only can Replay help LimaCharlie users search their historical telemetry for IOCs and build CD/CI into their detection pipelines, it also speeds up rule creation. New rules can immediately be directed against historical data to test their effectiveness.

The team at LimaCharlie is extremely excited about all the possibilities that this new functionality opens up. If you have any questions regarding Replay - or any other capability - please not hesitate to contact us.

History
 

Christopher Luft

My name is Christopher Luft and I am an artist turned computer scientist turned something else.