Contents x
    Configuration
    • 02 Mar 2023
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Contents
      This documentation version is deprecated, please click here for the latest version.

    Configuration

    • Updated on 02 Mar 2023
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    Configs are a YAML representation of an organization's configured features. This includes, but is not limited to, the following:

    • Enabled Add-ons
    • Detection & Response Rules
    • Event / Artifact Collection Rules
    • File / Integrity Monitoring Rules
    • Outputs

    The config makes it easy to reproduce setups across organizations, effectively turning organizations into containers for security environments.

    Example

    Here's a basic config for an organization in LimaCharlie:

    version: 3
resources:
  api:
  - insight
  replicant:
  - infrastructure-service
  - integrity
  - reliable-tasking
  - responder
  - sigma
  - soteria-rules
  - logging
  - yara
integrity:
  linux-key:
    patterns:
    - /home/*/.ssh/*
    tags: []
    platforms:
    - linux
artifact:
  linux-logs:
    is_ignore_cert: false
    is_delete_after: false
    days_retention: 30
    patterns:
    - /var/log/syslog.1
    - /var/log/auth.log.1
    tags: []
    platforms:
    - linux
  windows-logs:
    is_ignore_cert: false
    is_delete_after: false
    days_retention: 30
    patterns:
    - wel://system:*
    - wel://security:*
    - wel://application:*
    tags: []
    platforms:
    - windows

    Applying this would get an org started with some basics:

    • Add-ons that enable incident response (insight, reliable-tasking, responder)
    • Managed detection & response rulesets (sigma, soteria-rules)
    • Services that add sensor capabilities (integrity, logging, yara)
    • Some basic configurations to monitor file integrity of */.ssh on Linux and collect syslog, auth logs, and Windows event logs

    Applying Configs

    Methods

    The web application offers two main modes of syncing:

    • Apply: Add new config and apply changes additively
    • Modify: Edit existing config and apply changes destructively

    Apply mode can be especially useful for applying partial configs from online examples and community solutions. LimaCharlie has a GitHub repository with some starter config templates.

    For finer-grained control of config, or updating configs as part of a CI pipeline, we recommend reading the documentation for infrastructure service.

    Was this article helpful?
    What's Next