A common use case for D&R rules is to compare telemetry against known malicious IPs, domain names or file hashes supplied by threat feeds. With LimaCharlie you can subscribe to public threat feeds or create your own as Lookups, and a rule matches telemetry against them with the lookup operator.
The following walks through a rule built on a threat feed from LimaCharlie's Add-ons section.
First, select a threat feed. Navigate to the Add-ons section and select Lookups. For this example we will use crimeware-ips, one of the many feeds available for free. Once you have selected the crimeware-ips Add-on, subscribe to it.
Once subscribed, write a rule that fires whenever an IP in the telemetry matches an IP in the threat feed. Go to the main view for your organization, navigate to the D&R Rules view, click + New Rule and fill in the detection: a lookup on the event field that carries the IP address, pointed at the crimeware-ips resource, with a response that reports the match.
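A complete rule for this step, written here as an added example rather than taken from the original page. It assumes the NETWORK_CONNECTIONS event, whose per-connection records sit under event/NETWORK_ACTIVITY (the ? path element walks every entry of that list), and the add-on's lookup resource name lcr://lookup/crimeware-ips; the report name, the tag name and the 24-hour TTL are illustrative choices.

```yaml
# Added example, not the original page's rule. Assumes the NETWORK_CONNECTIONS
# event layout and the lookup resource name lcr://lookup/crimeware-ips.
detect:
  event: NETWORK_CONNECTIONS
  op: lookup
  # '?' iterates over every connection in the NETWORK_ACTIVITY list, so an
  # event carrying several connections is checked once per remote address.
  path: event/NETWORK_ACTIVITY/?/IP_ADDRESS
  resource: 'lcr://lookup/crimeware-ips'
respond:
  # Raise a detection that names the feed so analysts know why it fired.
  - action: report
    name: crimeware-ips-connection
  # Tag the sensor for 24h so follow-up rules and searches can key on it.
  - action: add tag
    tag: crimeware-ip-contact
    ttl: 86400
```

Two caveats when relying on this rule: the lookup is an exact match on the value at the path, so a host that reaches the bad IP through a proxy or NAT will show the proxy's address and not match; and the feed is only as current as the add-on's last refresh, so a hit is a lead to investigate rather than a confirmed compromise.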
Additional Threat Feed Types
The lookup operator works the same way for other indicator types; only the event and the path to the field being matched change. For file hashes, match the HASH field of CODE_IDENTITY events:

```yaml
op: lookup
event: CODE_IDENTITY
path: event/HASH
resource: 'lcr://lookup/<hash-feed>'
```

For domain names, match the DOMAIN_NAME field of DNS_REQUEST events:

```yaml
op: lookup
event: DNS_REQUEST
path: event/DOMAIN_NAME
resource: 'lcr://lookup/<domain-feed>'
```

Replace <hash-feed> and <domain-feed> with the name of the Lookup you subscribed to or created, and make sure a hash feed uses the same hash algorithm that the HASH field carries, otherwise nothing will ever match.