Community Rules
- Updated on 28 Jul 2025
The LimaCharlie Endpoint Agent is a cross-platform endpoint Sensor. It is a low-level, lightweight sensor which executes detection and response functionality in real time.
Our Community Rules feature leverages the power of AI to quickly transform a plethora of third-party rules into LimaCharlie syntax so you can make them your own. The process is fast and efficient: browse thousands of community rules, select one as a starting point, convert it to LimaCharlie syntax with one click, and customize it to your liking.
Accessing the Community Rules
To access the Community Rules:
1. Log into LimaCharlie
2. Select an Organization
3. Click the Automation drop-down on the left panel
4. Select Rules
5. Look in the upper right corner of the D&R Rules page for the Add Rule button
6. Click the Add Rule button
7. Look in the upper right corner of the rule creation page for the Community Library button
8. Click the Community Library button
This takes you to the Community Rules search page, and gives you access to thousands of third-party detection rules. The library currently contains detection rules written by Anvilogic, Sigma, Panther, and Okta.
Rules are searchable by CVE number, keyword, or pre-defined descriptors (Tags). Searchable tags include attack techniques, MITRE ATT&CK ID codes, and other key rule identifiers.
Loading a Community Rule
Once you find the rule you want to use, import it to the organization by clicking “Load Rule”, and our AI engine will create it using verified LimaCharlie syntax.
This process may take a few seconds, so please be patient.
Once the rule is ready, it will return you to the Add Rule page in LimaCharlie. The Detect and Response sections of the rule will be filled out with LimaCharlie logic that includes explanatory comments. From here you can manage this rule just as you would any other D&R rule.
Digging Deeper
As these rules are the property of third parties, you may be interested in knowing more about their licensing or source code. This information is accessible through the Community Rules search page. To see these details, click on a rule.
The example below shows what appears when you click Anvilogic’s Potential CVE-2021-44228 - Log4Shell rule.
Under the rule name you will see the options to load the rule, check its source code, and read additional licensing information. There is also a reference section at the bottom left corner of the window providing links related to the rule.