Endpoint Protection

Overview

The Endpoint Protection (EPP) management in LimaCharlie enables users to view the status of existing EPP solutions (including Windows Free Defender), manage parameters of the deployment and unify alerting from the deployment at scale. This makes it perfect for teams wanting a unified view of the EPP solution, or service providers looking to offer Managed EPP to their customers at scale.

The only requirement is for the LimaCharlie agent to be deployed and the EPP Extension enabled (free).

Once deployed, EPP can be used natively along with the rest of LimaCharlie’s automation and routing capabilities.

How it Works

LimaCharlie Endpoint Protection integrates with third-party EDR solutions to provide a better view of security operations and extend agent’s capabilities. Currently this extension applies to:

• Microsoft Windows Defender

The LimaCharlie agent communicates with Windows Defender to determine its status, transfer events, and trigger remediation commands. LimaCharlie Endpoint Protection codifies the best practices of collecting events and alerting on detections. When enabled, this extension creates a starter set of rules. In addition to alerting, these rules can be customized to better align with the operational complexity of user’s environments. The LC Endpoint Protection extension provides a reliable and cost efficient way of securing endpoints at scale.

The Endpoint Protection add-on requires agent version 4.33.5 or higher.

Enabling and configuring Endpoint Protection

To enable Endpoint Protection, first ensure LimaCharlie Endpoint Agent version is 4.33.5 and above, update if necessary.

Navigate to the Endpoint Protection extension page in the Add-Ons marketplace. Choose the target Organization and select Subscribe.

Once subscribed, you can see the Endpoint Protection in the list of Extensions.

The Endpoint Protection extension does two things once both sync settings are enabled:

1. Creates an artifact collection rule named defender-log-streaming

   • This rule adds a WEL pattern that collects MS Defender logs, wel://Microsoft-Windows-Windows Defender/Operational:* so that LimaCharlie receives the events the Defender produces.

     Note

     If you already have Defender logs coming in via the Artifact extension, you can uncheck the Sync Extension Config box to avoid duplicating entries.

2. Creates D&R rules

   • Generates several D&R rules that alert on various detections and actions taken by Defender.

3. To apply the Artifact extension configuration and D&R rules, click Apply Configuration.

When the SYNC toggles are on, the collection rules and D&R rules are continuously synchronized with LimaCharlie library of best practices.

Once the extension is enabled, it also extends the Web UI with Endpoint Protection functionality, as described below.

Using the Endpoint Protection extension

Endpoint Protection capabilities are used in three ways.

Verify Protection

Select a Windows Sensor in the organization. In the Sensor Overview, there is a new section, “Endpoint Protection” that shows the current protection status. Verify that Defender is listed as active on the sensor.

Perform Scan

Select a Windows Sensor.

Click on File System. Select the folder, and click on the scan icon  Scan with EPP

Endpoint Protection Commands

Select a Windows Sensor. Open the Sensor Console As you type “epp” you’ll see the available commands. Try epp_status  - it will return the status.

Events required in Exfil config

The EPP solution relies on some new events. They are now defaults, and the extension adds them to existing orgs. In rare case you may need to add them manually to Sensor / Event Collection / Event Collection or your Infra As Code. Here is the list:

EPP_STATUS_REP,EPP_LIST_EXCLUSIONS_REP,EPP_ADD_EXCLUSION_REP,EPP_REM_EXCLUSION_REP,
EPP_LIST_QUARANTINE_REP,EPP_SCAN_REP

Plain text

Copy

For reference, this is a list of Endpoint Protection commands: