Contents x
    Add-Ons
    • 22 Mar 2023
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Contents

    Add-Ons

    • Updated on 22 Mar 2023
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Article Summary

    LimaCharlie allows you to extend the capability of the platform via various add-ons. These can be enabled via the add-ons marketplace.

    Types of Add-Ons

    We categorize our add-ons into three different categories, depending on the functionality or method in which the add-on augments the LimaCharlie platform.

    • api add-ons are tightly integrated add-ons that enable LimaCharlie's core features
    • lookup add-ons are lists of values that can be used in detection and response rules to match known threat indicators.
    • service add-ons are cloud services that can perform jobs on behalf of or add new capabilities to an organization.

    Subscribing to Add-ons

    Add-ons can be found and added to organizations through the add-ons marketplace or by searching from within the Add-ons view in an organization (see below). The description of the add-on may include usage information about how to use it once it's installed.

    Untitled.png

    The following add-ons enable additional functionality in the web application:

    • atomic-red-team - scan Windows sensors right from their Overview page
    • exfil - enables Exfil Control to configure which events should be collected per platform
    • infrastructure-service - enable Templates in the UI to manage org config in yaml
    • insight - enables retention & browsing events and detections via Timeline and Detections
    • logging - enables Artifact Collection to configure which paths to collect from
    • replay - adds a component next to D&R rules for testing them against known / historical events
    • responder - sweep sensors right from their Overview page to find preliminary IoCs
    • yara - enables YARA Scanners view to pull in sources of YARA rules and automate scans with them

    Creating Add-ons

    Users can create their own add-ons and optionally share them in the marketplace. Add-ons are your property, but may be evaluated and approved / dismissed due to quality or performance concerns. If you are not sure, contact us.

    You can publish add-ons of your own from within the Published add-ons view when logged in to the web application.

    Creating an add-on does not immediately grant the organizations you're a member of access to it. After creating it, you must still subscribe each organization to your add-on.

    When making an add-on public, keep these in mind to ensure your add-on is understood and has a good chance at adoption:

    • Test it!
    • Make the purpose and usage of the add-on clear for users not aware of the capability.
    • Include a link to more information if possible.
    • Your email address will be included in the add-on description. If you plan on publishing many rules, you may want to create a separate account specifically for the purpose of being an add-on owner.
    Got an idea?

    Are you interested in creating an add-on or developing another project for LimaCharlie? Check out our Developer Grant Program.

    Next Steps

    • Got / need a list of threat indicators? Check out Lookups.
    • Interested in writing a service? Check out the lc-service framework on GitHub.
    Was this article helpful?
    What's Next