How can I use SnapAttack Community Edition in LimaCharlie?
Ross avatar
Written by Ross
Updated over a week ago

SnapAttack Community Edition includes access to open source intelligence objects and behaviorally-oriented detections developed by SnapAttack threat research team as well as popular community tools, such as Atomic Red Team and Sigma. The ruleset contains high-confidence detections for most platforms that have been verified against true positive data by the SnapAttack’s threat detection team. To learn more about SnapAttack and their Enterprise Edition, visit

To enable SnapAttack Community edition in your LimaCharlie tenant, navigate to the Add-Ons marketplace, search for snapattack-community, choose the organization you want to subscribe, and hit the “Subscribe” button. You can access the SnapAttack Add-On directly via this link:

Once your tenant has been subscribed to the add-on, you will see the detection & response rules populate in the D&R section of the organization. Note that while SnapAttack Community Edition includes hundreds of detection and response rules, LimaCharlie will only import the subset that has been verified by SnapAttack's threat detection team and is deemed to be high-fidelity. Taking this approach will result in less false positives.

Clicking on the rule will make the content of the rule visible (but not editable) in the web app. LC will also expose MITRE ATT&CK and other mapping as tags.

Lastly, users can replay the rule against historical telemetry enabling retroactive threat hunting.

When the detection & response rule is triggered, users can see detections (alerts) appear on the Detection page of the web app.

Did this answer your question?