Add-Ons
  • 22 Mar 2023

LimaCharlie allows you to extend the capability of the platform via various add-ons. These can be enabled via the add-ons marketplace.

Types of Add-Ons

Add-ons fall into three categories, depending on how the add-on augments the LimaCharlie platform.

  • api add-ons are tightly integrated add-ons that enable LimaCharlie's core features.
  • lookup add-ons are lists of values that can be used in detection and response rules to match known threat indicators.
  • service add-ons are cloud services that can perform jobs on behalf of or add new capabilities to an organization.

Subscribing to Add-ons

Add-ons can be found and added to organizations through the add-ons marketplace or by searching from within the Add-ons view in an organization. The description of an add-on may include information about how to use it once it's installed.

The following add-ons enable additional functionality in the web application:

  • atomic-red-team - scan Windows sensors right from their Overview page
  • exfil - enables Exfil Control to configure which events should be collected per platform
  • infrastructure-service - enables Templates in the UI to manage org config in YAML
  • insight - enables retention and browsing of events and detections via Timeline and Detections
  • logging - enables Artifact Collection to configure which paths to collect from
  • replay - adds a component next to D&R rules for testing them against known / historical events
  • responder - sweep sensors right from their Overview page to find preliminary IoCs
  • yara - enables YARA Scanners view to pull in sources of YARA rules and automate scans with them

Creating Add-ons

Users can create their own add-ons and optionally share them in the marketplace. Add-ons are your property, but may be evaluated and approved / dismissed due to quality or performance concerns. If you are not sure, contact us.

You can publish add-ons of your own from within the Published add-ons view when logged in to the web application.

Creating an add-on does not immediately grant the organizations you're a member of access to it. After creating it, you must still subscribe each organization to your add-on.

When making an add-on public, keep the following in mind so that your add-on is understood and has a good chance of adoption:

  • Test it!
  • Make the purpose and usage of the add-on clear for users not aware of the capability.
  • Include a link to more information if possible.
  • Your email address will be included in the add-on description. If you plan on publishing many rules, you may want to create a separate account specifically for the purpose of being an add-on owner.

Got an idea?

Are you interested in creating an add-on or developing another project for LimaCharlie? Check out our Developer Grant Program.

Next Steps

  • Got / need a list of threat indicators? Check out Lookups.
  • Interested in writing a service? Check out the lc-service framework on GitHub.
