A common use case for D&R rules is to use them to compare telemetry against known malicious IPs, domain names or file hashes via threat feeds. With LimaCharlie it is easy to leverage public threat feeds or to create your own.

An example of leveraging a threat feed from LimaCharlie's Add-ons section is as follows.

First select a threat feed. Navigate to the Add-ons section and select Lookups. For this example we are going to choose crimeware-ips from the plethora that are available for free.

Once you have selected the crimeware-ips Add-on, click Subscribe.

Once subscribed, it is time to write a rule that fires whenever a connection's IP matches an entry in the threat feed. Go to the main view for your organization and navigate to the D&R Rules view. Click + New Rule and fill in the detection as follows.

event: NETWORK_CONNECTIONS
op: lookup
path: event/NETWORK_ACTIVITY/?/IP_ADDRESS
resource: lcr://lookup/crimeware-ips

Additional Threat Feed Types

Hashes

event: CODE_IDENTITY
op: lookup
path: event/HASH
resource: 'lcr://lookup/my-hash-lookup'

Domain Names

event: DNS_REQUEST
op: lookup
path: event/DOMAIN_NAME
resource: 'lcr://lookup/my-dns-lookup'
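To make the matching behaviour of the three rules above concrete, here is an added example (not LimaCharlie code) of a minimal evaluator that mimics the `op: lookup` semantics: it resolves the rule's `path` against a message, fanning the `?` wildcard out over every element of a list, and reports any resolved value that appears in the referenced lookup. The lookup contents, the sample messages and the message shape (a `routing` block carrying `event_type` next to the `event` body) are constructed here for illustration; a real lookup is fetched by the platform from its `lcr://lookup/<name>` resource.

```python
"""Added example, not LimaCharlie's engine: trace how `op: lookup` rules match.

Lookup contents and sample messages below are constructed for this example.
"""
from typing import Any, Dict, Iterable, List, Tuple

# Constructed stand-ins for the lookup resources named in the rules above.
# Addresses are from TEST-NET ranges; the hash is SHA-256 of an empty file.
LOOKUPS: Dict[str, set] = {
    "lcr://lookup/crimeware-ips": {"203.0.113.7", "198.51.100.23"},
    "lcr://lookup/my-hash-lookup": {
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "lcr://lookup/my-dns-lookup": {"bad.example.net"},
}

# The three detection rules from the page, as Python dicts.
RULES: List[Dict[str, str]] = [
    {"event": "NETWORK_CONNECTIONS", "op": "lookup",
     "path": "event/NETWORK_ACTIVITY/?/IP_ADDRESS",
     "resource": "lcr://lookup/crimeware-ips"},
    {"event": "CODE_IDENTITY", "op": "lookup",
     "path": "event/HASH", "resource": "lcr://lookup/my-hash-lookup"},
    {"event": "DNS_REQUEST", "op": "lookup",
     "path": "event/DOMAIN_NAME", "resource": "lcr://lookup/my-dns-lookup"},
]

# Constructed sample messages: one of each event type, plus a benign DNS request.
SAMPLE_MESSAGES: List[Dict[str, Any]] = [
    {"routing": {"event_type": "NETWORK_CONNECTIONS"},
     "event": {"NETWORK_ACTIVITY": [
         {"IP_ADDRESS": "192.0.2.10", "PORT": 443},      # not in the feed
         {"IP_ADDRESS": "203.0.113.7", "PORT": 4444},    # in the feed
     ]}},
    {"routing": {"event_type": "CODE_IDENTITY"},
     "event": {"FILE_PATH": "C:\\Users\\Public\\tool.exe",
               "HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}},
    {"routing": {"event_type": "DNS_REQUEST"},
     "event": {"DOMAIN_NAME": "bad.example.net"}},
    {"routing": {"event_type": "DNS_REQUEST"},
     "event": {"DOMAIN_NAME": "docs.example.org"}},
]


def resolve_path(obj: Any, parts: List[str]) -> Iterable[Any]:
    """Yield every value reachable by following `parts`; '?' fans out over a list."""
    if not parts:
        yield obj
        return
    head, rest = parts[0], parts[1:]
    if head == "?":
        if isinstance(obj, list):
            for item in obj:
                yield from resolve_path(item, rest)
    elif isinstance(obj, dict) and head in obj:
        yield from resolve_path(obj[head], rest)


def lookup_matches(rule: Dict[str, str], message: Dict[str, Any]) -> List[str]:
    """Return the resolved values of `message` that are present in the rule's lookup."""
    if message.get("routing", {}).get("event_type") != rule["event"]:
        return []  # the rule's `event` filter did not match; nothing to look up
    table = LOOKUPS.get(rule["resource"], set())
    parts = rule["path"].split("/")
    return [v for v in resolve_path(message, parts)
            if isinstance(v, str) and v in table]


def run_rules(messages: List[Dict[str, Any]] = SAMPLE_MESSAGES,
              rules: List[Dict[str, str]] = RULES) -> List[Tuple[str, str, List[str]]]:
    """Evaluate every rule against every message; return (event, resource, hits) per detection."""
    detections = []
    for msg in messages:
        for rule in rules:
            hits = lookup_matches(rule, msg)
            if hits:
                detections.append((rule["event"], rule["resource"], hits))
    return detections


if __name__ == "__main__":
    for event, resource, hits in run_rules():
        print(f"{event}: {hits} matched {resource}")
```

Running the script shows three detections: the second IP in the NETWORK_CONNECTIONS list, the hash, and `bad.example.net`; the benign DNS request produces none. The `?` element in the first rule's path is what makes a single rule cover every entry in `NETWORK_ACTIVITY`, which is why the IP rule can match even when the malicious address is not the first connection in the event.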
