Detect & Respond
31 articles in this collection
Written by Ross, Amrik Randhawa, and Christopher Luft
Written by Ross, Amrik Randhawa, and Christopher Luft
How does sleeper deployment work with LimaCharlie?
Written by Ross
Updated over a week ago
Updated over a week ago
Do YARA scans apply to files in memory?
Written by Amrik Randhawa
Updated over a week ago
Updated over a week ago
Can I replay the detection logic run on WEL events?
Written by Ross
Updated over a week ago
Updated over a week ago
What is the difference between segregation and isolation in LimaCharlie?
Written by Ross
Updated over a week ago
Updated over a week ago
How does the network isolation feature work in LimaCharlie?
Written by Ross
Updated over a week ago
Updated over a week ago
Detection & Response Rules
Do you have an example of the D&R rule based on Windows Defender data?
Written by Ross
Updated over a week ago
Updated over a week ago
How do I determine which D&R rule (or other actor) triggered a command on an endpoint?
Written by Ross
Updated over a week ago
Updated over a week ago
How can I suppress response actions in LimaCharlie?
Written by Ross
Updated over a week ago
Updated over a week ago
How can I create a D&R rule using a threat feed?
Written by Christopher Luft
Updated over a week ago
Updated over a week ago
How to add a D&R rule to detect a specific domain
Detect DNS events
Written by Amrik Randhawa
Updated over a week ago
Updated over a week ago
Will I get a detection when a specific directory or registry path changes?
Written by Ross
Updated over a week ago
Updated over a week ago
How do I create a detection & response (D&R) rule based on artifacts/logs collected?
Written by Ross
Updated over a week ago
Updated over a week ago
How can I get an alert when my organization is over quota?
Written by Ross
Updated over a week ago
Updated over a week ago
How can I get details around the format for regular expressions used in D&R rules?
Written by Ross
Updated over a week ago
Updated over a week ago
False Positive Rules
How can I create a False Positive (FP) rule?
Written by Ross
Updated over a week ago
Updated over a week ago
Soteria Rules
What are Soteria rules?
Written by Ross
Updated over a week ago
Updated over a week ago
How do I enable Soteria rules?
Written by Ross
Updated over a week ago
Updated over a week ago
What is the difference between Sigma and Soteria rules?
Written by Ross
Updated over a week ago
Updated over a week ago
How do I know what Soteria rules cover?
Written by Ross
Updated over a week ago
Updated over a week ago
Sigma Rules
Why are some Sigma detections classified with a level such as Critical, High, Medium, and Low?
The (optional) Sigma Add-On provides pre-defined detection rules which can include
Written by Amrik Randhawa
Updated over a week ago
Updated over a week ago
What are Sigma rules?
Written by Ross
Updated over a week ago
Updated over a week ago
How do I enable Sigma Rules?
Written by Ross
Updated over a week ago
Updated over a week ago
How can I tell if a detection has come in through a managed Sigma rule?
Written by Ross
Updated over a week ago
Updated over a week ago
How to configure SOC Prime integration in LimaCharlie?
Written by Ross
Updated over a week ago
Updated over a week ago
Threat Feeds
I have my own threat feed - how can I use it?
Written by Ross
Updated over a week ago
Updated over a week ago
How do I create a lookup?
Written by Christopher Luft
Updated over a week ago
Updated over a week ago
How can I fix a problem related to OTX when I get the error "Too many indicators, stopping after 20001"?
Written by Ross
Updated over a week ago
Updated over a week ago
Commands and Executables
What are payloads and how do they work in LimaCharlie?
Written by Ross
Updated over a week ago
Updated over a week ago
How do I run a script or executable on the endpoint?
Written by Ross
Updated over a week ago
Updated over a week ago
Why don't arguments I pass via the run command work properly?
Written by Ross
Updated over a week ago
Updated over a week ago