LimaCharlie allows you to extend the capability of the platform via various add-ons. These can be enabled via the add-ons marketplace.
Types of Add-Ons
We group add-ons into three categories, depending on the functionality they provide or the way in which they augment the LimaCharlie platform.
- api add-ons are tightly integrated add-ons that enable LimaCharlie's core features
- lookup add-ons are lists of values that can be used in detection and response rules to match known threat indicators.
- service add-ons are cloud services that can perform jobs on behalf of or add new capabilities to an organization.
Subscribing to Add-ons
Add-ons can be found and added to organizations through the add-ons marketplace or by searching from within the Add-ons view in an organization (see below). The description of the add-on may include information about how to use it once it's installed.
The following add-ons enable additional functionality in the web application:
- atomic-red-team: scan Windows sensors right from their Overview page
- exfil: enables Exfil Control to configure which events should be collected per platform
- infrastructure-service: enables Templates in the UI to manage org config in yaml
- insight: enables retention & browsing events and detections via Timeline and Detections
- logging: enables Artifact Collection to configure which paths to collect from
- replay: adds a component next to D&R rules for testing them against known / historical events
- responder: sweep sensors right from their Overview page to find preliminary IoCs
- yara: enables YARA Scanners view to pull in sources of YARA rules and automate scans with them
Creating Add-ons
Users can create their own add-ons and optionally share them in the marketplace. Add-ons are your property, but may be evaluated and approved / dismissed due to quality or performance concerns. If you are not sure, contact us.
You can publish add-ons of your own from within the Published add-ons view when logged in to the web application.
Creating an add-on does not immediately grant the organizations you're a member of access to it. After creating it, you must still subscribe each organization to your add-on.
When making an add-on public, keep these in mind to ensure your add-on is understood and has a good chance at adoption:
- Test it!
- Make the purpose and usage of the add-on clear for users not aware of the capability.
- Include a link to more information if possible.
- Your email address will be included in the add-on description. If you plan on publishing many rules, you may want to create a separate account specifically for the purpose of being an add-on owner.
Are you interested in creating an add-on or developing another project for LimaCharlie? Check out our Developer Grant Program.
Next Steps
- Got / need a list of threat indicators? Check out Lookups.
- Interested in writing a service? Check out the lc-service framework on GitHub.