EDR Rules
- 26 Jan 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
EDR Rules
- Updated on 26 Jan 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Soteria's EDR ruleset provides coverage across Windows, Linux, and macOS. You can check the dynamic MITRE ATT&CK mapping here:
Data access
Please note that Soteria won’t get access to your data, and you won’t be able to see or edit their rules - LimaCharlie acts as a broker between the two parties.
The following events are utilized by Soteria rules. Please ensure that they are configured within your Organization:
CODE_IDENTITYDNS_REQUESTEXISTING_PROCESSFILE_CREATEFILE_MODIFIEDMODULE_LOADNETWORK_CONNECTIONSNEW_DOCUMENTNEW_NAMED_PIPENEW_PROCESSREGISTRY_WRITEREGISTRY_CREATESENSITIVE_PROCESS_ACCESSTHREAD_INJECTION
This can also be done in the Add-ons Marketplace.
Enabling Soteria's EDR Rules
Soteria's EDR rules can be activated via two means.
Activating via the Web UI
To enable Soteria's EDR ruleset, navigate to the Extensions section of the Add-On Marketplace and search for Soteria. You can also directly select soteria-rules-edr.
Please note: Pricing may reflect when the screenshot was taken, not the actual pricing
Under the Organization dropdown, select a tenant (organization) you want to subscribe to Soteria rules and click Subscribe.
You can also manage add-ons from the Subscriptions menu under Billing.
Organizations that have been subscribed to Soteria's EDR rules will be marked with a green check mark in the Organization dropdown.
Infrastructure as Code
Alternatively, to manage tenants and LimaCharlie functionality at scale, you can leverage our Infrastructure as Code functionality.
Was this article helpful?