We make it very easy to onboard & hit the ground running. Through our marketplace, you can quickly enable Sigma and Soteria rules to start receiving detections.
Sigma Rules
Sigma is an open source project that defines a generic, vendor-neutral signature format for log-based detection rules: a rule written once can be converted into the query language of a given SIEM or, in this case, into D&R rules. The community rule set covers known malicious behaviors and anomalies, including the exploitation of specific Common Vulnerabilities and Exposures (CVEs). The hundreds of rules in the Sigma repository are subscribed to the tenant at no cost.
Sigma is widely used because the community responds quickly to new threats and regularly contributes rules for interesting anomalies. Every 15 minutes we re-process the Sigma rule set in your organization; there is no management required on your side, it just happens.
To enable the Sigma rules, navigate to the Add-ons section and search for Sigma.
Under the Organization dropdown, select the tenant (organization) you want to subscribe to Sigma rules and click Subscribe.
Please note that add-ons are applied on a per-tenant basis. If you have multiple organizations you want to subscribe to Sigma, you will need to subscribe each organization to the add-on separately.
You can also manage add-ons from the Subscriptions menu under Billing.
Tenants that have been subscribed to the add-on are marked with a green check mark in the Organization dropdown.
Please note that some Sigma rules for Windows rely on Windows Event Logs that LimaCharlie does not collect by default. To use those rules, configure automated collection of the relevant Windows Event Logs through the Artifact Collection service; until the logs are collected, the rules that depend on them will never match.
Soteria Rules
Soteria is a US-based MSSP that has been using LimaCharlie for a long time. They have developed a corpus of hundreds of behavioral signatures for Windows, macOS and Linux (a signature here is not a file hash but a rule that describes a behavior, so renaming or recompiling a tool does not evade it). With one click you can apply their rules in a managed way; when Soteria updates the rules for their own customers, you receive those updates in real time as well.
Soteria rules cost $0.50 per endpoint per month once you are on a paid tier. Soteria rules, like all other add-ons, are free for up to two endpoints.
Please note that Soteria does not get access to your data, and you cannot see or edit their rules: LimaCharlie acts as a broker between the two parties.
To enable the Soteria rules, navigate to the Add-ons section and search for Soteria.
Under the Organization dropdown, select the tenant (organization) you want to subscribe to Soteria rules and click Subscribe.
You can also manage add-ons from the Add-ons menu within the organization.
Tenants that have been subscribed to the add-on are marked with a green check mark in the Organization dropdown.
Create your own D&R rules
Every customer is unique and so is every network. We do not believe in a one-size-fits-all approach; instead, we enable you to create your own D&R rules with our rules engine, using the same detect/respond structure that the Sigma and Soteria rules are delivered in. Learn how to write D&R rules by taking the course and visiting our technical documentation.
Infrastructure as Code
To manage tenants and LimaCharlie functionality at scale, you can leverage our Infrastructure as Code functionality.
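As an added example, not taken from this page or from LimaCharlie's own documentation, here is one custom D&R rule of the kind the previous section invites you to write, wrapped in an Infrastructure as Code configuration file so that it can be versioned and pushed to every tenant rather than typed into each one. It serves both the "Create your own D&R rules" and the "Infrastructure as Code" sections. The rule name, the tag name, the regular expression and the `version: 3` / `rules:` / `namespace: general` file layout are my assumptions about the current format; check them against the technical documentation before pushing.

```yaml
# Added example, not LimaCharlie's own code. Assumed IaC layout: version 3,
# one D&R rule under "rules:", placed in the "general" namespace.
version: 3
rules:
  office-spawns-encoded-powershell:      # assumed rule name
    namespace: general
    detect:
      # Behavioral signature: a Microsoft Office process starting
      # powershell.exe with a base64-encoded command. No hash is involved,
      # so a renamed or recompiled payload does not evade it.
      event: NEW_PROCESS
      op: and
      rules:
        - op: is windows
        - op: ends with
          path: event/FILE_PATH
          value: \powershell.exe
          case sensitive: false
        - op: or
          rules:
            - op: ends with
              path: event/PARENT/FILE_PATH
              value: \winword.exe
              case sensitive: false
            - op: ends with
              path: event/PARENT/FILE_PATH
              value: \excel.exe
              case sensitive: false
            - op: ends with
              path: event/PARENT/FILE_PATH
              value: \outlook.exe
              case sensitive: false
        # -EncodedCommand may be abbreviated (-e, -ec, -enc, ...). Instead of
        # listing every spelling, require an "-e..." switch followed by a long
        # base64-looking token. "-ExecutionPolicy Bypass" does not match
        # because "Bypass" is far shorter than 40 characters.
        - op: matches
          path: event/COMMAND_LINE
          re: '(?i)\s-e[a-z]*\s+[a-z0-9+/=]{40,}'
    respond:
      # Raise a detection that appears in the Detections view and on outputs.
      - action: report
        name: office-spawns-encoded-powershell
      # Tag the sensor for 24 hours so other rules, or an analyst, can pivot on it.
      - action: add tag
        tag: suspicious-office-child      # assumed tag name
        ttl: 86400
      # Pull the sensor's recent event history for triage.
      - action: task
        command: history_dump
```

Keeping rules in a file like this, under source control, gives you review history for every detection change and lets the same rule set be applied to each tenant, which is exactly the scale problem Infrastructure as Code is meant to solve. I would apply the file with the `limacharlie configs push` command from the Python SDK; that invocation is from memory rather than from this page, so treat it as an assumption and confirm the exact flags in the Infrastructure as Code documentation.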