Detect & Respond
31 articles in this collection
Written by Ross, Amrik Randhawa, and Christopher Luft
How does sleeper deployment work with LimaCharlie? (Written by Ross)
Do YARA scans apply to files in memory? (Written by Amrik Randhawa)
Can I replay the detection logic run on WEL events? (Written by Ross)
What is the difference between segregation and isolation in LimaCharlie? (Written by Ross)
How does the network isolation feature work in LimaCharlie? (Written by Ross)

Detection & Response Rules
Do you have an example of the D&R rule based on Windows Defender data? (Written by Ross)
How do I determine which D&R rule (or other actor) triggered a command on an endpoint? (Written by Ross)
How can I suppress response actions in LimaCharlie? (Written by Ross)
How can I create a D&R rule using a threat feed? (Written by Christopher Luft)
How to add a D&R rule to detect a specific domain (Written by Amrik Randhawa)
    Detect DNS events
Will I get a detection when a specific directory or registry path changes? (Written by Ross)
How do I create a detection & response (D&R) rule based on artifacts/logs collected? (Written by Ross)
How can I get an alert when my organization is over quota? (Written by Ross)
How can I get details around the format for regular expressions used in D&R rules? (Written by Ross)

False Positive Rules
How can I create a False Positive (FP) rule? (Written by Ross)

Soteria Rules
What are Soteria rules? (Written by Ross)
How do I enable Soteria rules? (Written by Ross)
What is the difference between Sigma and Soteria rules? (Written by Ross)
How do I know what Soteria rules cover? (Written by Ross)

Sigma Rules
Why are some Sigma detections classified with a level such as Critical, High, Medium, and Low? (Written by Amrik Randhawa)
    The (optional) Sigma Add-On provides pre-defined detection rules which can include
What are Sigma rules? (Written by Ross)
How do I enable Sigma Rules? (Written by Ross)
How can I tell if a detection has come in through a managed Sigma rule? (Written by Ross)
How to configure SOC Prime integration in LimaCharlie? (Written by Ross)

Threat Feeds
I have my own threat feed - how can I use it? (Written by Ross)
How do I create a lookup? (Written by Christopher Luft)
How can I fix a problem related to OTX when I get the error "Too many indicators, stopping after 20001"? (Written by Ross)

Commands and Executables
What are payloads and how do they work in LimaCharlie? (Written by Ross)
How do I run a script or executable on the endpoint? (Written by Ross)
Why don't arguments I pass via the run command work properly? (Written by Ross)

Integrations
How to use Twilio integration? (Written by Ross)