Community Rules
  • 28 Jul 2025


The LimaCharlie Endpoint Agent is a cross-platform endpoint Sensor. It is a low-level, lightweight sensor that executes detection and response functionality in real time.

Our Community Rules feature leverages the power of AI to quickly transform a plethora of third-party rules into LimaCharlie syntax so you can make them your own. The process is fast and efficient: Browse thousands of community rules, select one as a starting point, convert it to LimaCharlie syntax with one click, and customize it to your liking.

Accessing the Community Rules

To access the Community Rules:

  1. Log into LimaCharlie

  2. Select an Organization

  3. Click the Automation drop-down on the left panel

  4. Select Rules

  5. Look in the upper right corner of the D&R Rules page for the Add Rule button

  6. Click the Add Rule button

  7. Look in the upper right corner of the rule creation page for the Community Library button

  8. Click the Community Library button

This takes you to the Community Rules search page and gives you access to thousands of third-party detection rules. The library currently contains detection rules written by Anvilogic, Sigma, Panther, and Okta.

Rules are searchable by CVE number, keyword, or pre-defined descriptors (Tags). Searchable tags include attack techniques, MITRE ATT&CK ID codes, and other key rule identifiers.

Loading a Community Rule

Once you find the rule you want to use, import it to the organization by clicking “Load Rule”, and our AI engine will create it using verified LimaCharlie syntax.

This process may take a few seconds, so please be patient.

Once the rule is ready, it will return you to the Add Rule page in LimaCharlie. The Detect and Response sections of the rule will be filled out with LimaCharlie logic that includes explanatory comments. From here you can manage this rule just as you would any other D&R rule.    

Digging Deeper

As these rules are the property of third parties, you may be interested in knowing more about their licensing or source code. This information is accessible through the Community Rules search page. To see these details, click on a rule.

The example below shows what appears when you click Anvilogic’s Potential CVE-2021-44228 - Log4Shell rule.

Under the rule name you will see the options to load the rule, check its source code, and read additional licensing information. There is also a reference section at the bottom left corner of the window providing links related to the rule.




