A common use case for D&R rules is to use them to compare telemetry against known malicious IPs, domain names or file hashes via threat feeds. With LimaCharlie it is easy to leverage public threat feeds or to create your own.

An example of leveraging a threat feed from LimaCharlie's Add-ons section is as follows.

First select a threat feed. Navigate to the Add-ons section and select Lookups. For this example we are going to choose crimeware-ips from the plethora that are available for free.

Once you have selected the crimeware-ips Add-on, click Subscribe.

Once subscribed it is time to go and write a rule to detect whenever there is a match with an IP in the threat feed. Go to your the main view for your organization and navigate to the D&R Rules view. Click + New Rule and fill in the detection as follows.

op: lookup
resource: lcr://lookup/crimeware-ips

Additional Threat Feed Types


op: lookupevent: CODE_IDENTITY
path: event/HASH
resource: 'lcr://lookup/my-hash-lookup'

Domain Names

op: lookupevent: DNS_REQUEST
path: event/DOMAIN_NAME
resource: 'lcr://lookup/my-dns-lookup'

Did this answer your question?