Open in app

Sign in

Write

Sign in

Scaling your SOC startup with LimaCharlie.io

@mikecybersec
3 min readAug 19, 2022

--

LimaCharlie prsents itself as a ‘Security Infrastructure as a Service’ platform. The platform can connect to multiple sources via ‘sensors’ and then provides scalable access to security tools such as AtomicRedTeam, Velociraptor, VirusTotal etc.

In addition, deployment is easy and pricing is transparent, making it a perfect storm to scale a SOC.

LimaCharlie integrates with many different sources, but a common one being Windows endpoints. It installs via a sensor, and reports telemetry to the console, where you can then apply D&R (Detection & Response) rules as well as collect artefacts for forensics analysis.

Deployment

The following sources are currently supported:

  • Windows (Ingest events such as process events, file system, registry, network, WEL) you can then run YARA rules via the sensor and directly connect to the machine via a shell where you can then respond directly.
  • MacOS and Linux (same as above)
  • Docker (same capabilities as above)
  • VMWare Carbon Black (Ingest EDR events from CB)
  • Office 365 (audit events)
  • Windows Event Logs
  • Microsoft Defender
  • Duo
  • Common Event Format logs (ArcSight CEF logs)
  • Net (Network events)

Deploying the sensor to Windows was super simple, within near real-time of running the one liner PowerShell command to install the sensor (.exe), it was reporting telemetry to the LimaCharlie console.

Detection & Response via LimaCharlie

The rules in LC are split into ‘Detection’ & ‘Response’, the syntax is very similar to Sigma.

A basic rule to detect DNS requests to ‘example.com’, which then generates an alert called “DNS Hit example.com”:

# Detection

event: DNS_REQUEST

op: is

path: event/DOMAIN_NAME

value: example.com

# Response

- action: report

name: DNS Hit example.com

An example view of the D&R interface.

Add-Ons & Marketplace

The real scalability comes in here, LC offers 3 categories of ‘add-ons’:

  • API
  • Services
  • Lookups

Lookups

Essentially an area full of currated IOC and IOA lists that embed directly into the D&R rules.

Services

Multiple services are available, which provide additional capabilities:

  • PCAP
  • Memory dumper
  • Atomic red team
  • Pager Duty
  • SOC Prime
  • Sigma
  • Velociraptor
  • YARA
  • Zeek

It’s free to get started: free tier with 2 max sensors and no charge for add-ons / usage.

Incident Response
Dfir
Blue Team
Cybersecurity

--

--

@mikecybersec
@mikecybersec

Written by @mikecybersec

75 Followers
20 Following

Twitter: @mikecybersec

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams