EDR Rules
  • 26 Jan 2024
  • 1 Minute to read
  • Contributors
  • Dark
    Light
  This documentation version is deprecated, please click here for the latest version.

EDR Rules

  • Dark
    Light

Article summary

Soteria's EDR ruleset provides coverage across Windows, Linux, and macOS. You can check the dynamic MITRE ATT&CK mapping here:

Data access

Please note that Soteria won’t get access to your data, and you won’t be able to see or edit their rules - LimaCharlie acts as a broker between the two parties.

The following events are utilized by Soteria rules. Please ensure that they are configured within your Organization:

  • CODE_IDENTITY
  • DNS_REQUEST
  • EXISTING_PROCESS
  • FILE_CREATE
  • FILE_MODIFIED
  • MODULE_LOAD
  • NETWORK_CONNECTIONS
  • NEW_DOCUMENT
  • NEW_NAMED_PIPE
  • NEW_PROCESS
  • REGISTRY_WRITE
  • REGISTRY_CREATE
  • SENSITIVE_PROCESS_ACCESS
  • THREAD_INJECTION

This can also be done in the Add-ons Marketplace.

Enabling Soteria's EDR Rules

Soteria's EDR rules can be activated via two means.

Activating via the Web UI

To enable Soteria's EDR ruleset, navigate to the Extensions section of the Add-On Marketplace and search for Soteria. You can also directly select soteria-rules-edr.

image.png

Please note: Pricing may reflect when the screenshot was taken, not the actual pricing

Under the Organization dropdown, select a tenant (organization) you want to subscribe to Soteria rules and click Subscribe.

image.png

You can also manage add-ons from the Subscriptions menu under Billing.

image.png

Organizations that have been subscribed to Soteria's EDR rules will be marked with a green check mark in the Organization dropdown.

Infrastructure as Code

Alternatively, to manage tenants and LimaCharlie functionality at scale, you can leverage our Infrastructure as Code functionality.


Was this article helpful?

What's Next