May 22nd, 2024
Automating Incident Response Workflows with LimaCharlie
Eric Capuano
Introduction
As a security professional, you know that the ability to swiftly and effectively respond to threats is crucial. In this post, we’ll explore how LimaCharlie, a SecOps Cloud Platform, can help automate comprehensive Incident Response (IR) workflows, including forensic triage acquisition, evidence processing, and forensic timeline generation.
LimaCharlie: A versatile SecOps Cloud Platform
LimaCharlie is a flexible, scalable SecOps Cloud Platform that provides comprehensive enterprise protection with open APIs, centralized telemetry, and automated detection and response capabilities. By integrating various security tools, LimaCharlie reduces the need for multiple vendors and simplifies security operations.
LimaCharlie Extensions for DFIR
As a vendor-neutral provider of security capabilities, LimaCharlie offers several powerful extensions, which can be enabled individually to meet your unique needs. To enhance your DFIR capabilities, we’ll be using the following extensions:
Velociraptor
Velociraptor is an endpoint visibility and collection tool that can be deployed at scale through LimaCharlie. It enables easy artifact collection and incident analysis, allowing users to inspect or collect artifacts with configurable options for specifying artifacts, sensor selectors, and additional arguments. Collected data is ingested into LimaCharlie’s Artifact system, streamlining forensic investigations. Our new extensions benefit greatly from the capabilities of Velociraptor such as its ability to rapidly collect forensic data from compromised endpoints. Learn more about the Velociraptor extension.
Hayabusa
Hayabusa, a fast forensics timeline generator and threat hunting tool for Windows event logs, is integrated within LimaCharlie. It automates the log analysis for forensic timelines and threat detection, providing critical insights into what happened on a system *prior* to EDR sensor installation. Hayabusa's output, compatible with tools like Timesketch, enhances LimaCharlie’s forensic capabilities, allowing for retroactive threat identification and analysis in event logs. Learn more about the Hayabusa extension.
Plaso
Plaso, a Python-based engine, automates the creation of detailed forensic timelines from endpoint artifacts. Integrated into LimaCharlie, it processes evidence and generates timelines for further analysis, facilitating comprehensive timeline generation crucial for understanding the sequence of events during an incident. Learn more about the Plaso extension.
Dumper
The Dumper extension enables memory dumping from a victim endpoint. While less common than disk-based artifact analysis, this extension allows for automatic memory dumping when specific conditions are met or on a manual trigger. Dumper can be easily enabled from the Add-On marketplace (this extension is not included in the IaC below).
The High-Level Process
Deploy the LC EDR agent on the target endpoints
Initiate triage acquisition of compromised endpoints with the Velociraptor extension (can be automated).
Triage acquisitions are automatically processed by Plaso extension (automated).
Acquired EVTX files are automatically processed by Hayabusa extension (automated).
Generated forensic timelines are sent to LC Artifacts storage (automated).
Download the timelines for viewing or automatically send them to Elastic/OpenSearch/Timesketch for analysis.
Replicating the Workflow in Your SecOps Cloud Platform Environment
Easy! To replicate this workflow in your own LimaCharlie environment, simply copy and paste the provided Infrastructure-as-Code (IaC) template into your LimaCharlie Org. This will instantly grant you the capabilities mentioned above.
version: 3
extensions:
- ext-infrastructure
- ext-plaso
- ext-velociraptor
- ext-artifact
- ext-hayabusa
- ext-reliable-tasking
hives:
dr-general:
hayabusa-to-detections:
data:
detect:
event: hayabusa_event
op: and
rules:
- op: is
path: routing/hostname
value: ext-hayabusa
- op: matches
path: event/results/Level
re: (med|high|crit)
respond:
- action: report
name: Hayabusa Detection - {{ .event.results.Level }} - {{ .event.results.message }} - {{ .event.results.Computer }}
usr_mtd:
enabled: true
expiry: 0
tags: []
vr-to-hayabusa:
data:
detect:
op: and
rules:
- op: is
path: routing/log_type
value: velociraptor
- not: true
op: is
path: routing/event_type
value: export_complete
target: artifact_event
respond:
- action: extension request
extension action: generate
extension name: ext-hayabusa
extension request:
artifact_id: '{{ .routing.log_id }}'
min_rule_level: '{{ "informational" }}'
profile: '{{ "timesketch-verbose" }}'
send_to_timeline: true
usr_mtd:
enabled: true
expiry: 0
tags: []
vr-to-plaso:
data:
detect:
op: and
rules:
- op: is
path: routing/log_type
value: velociraptor
- not: true
op: is
path: routing/event_type
value: export_complete
target: artifact_event
respond:
- action: extension request
extension action: generate
extension name: ext-plaso
extension request:
artifact_id: '{{ .routing.log_id }}'
usr_mtd:
enabled: true
expiry: 0
tags: []
wel-to-hayabusa:
data:
detect:
artifact type: wel
event: ingest
op: exists
path: /
target: artifact_event
respond:
- action: extension request
extension action: generate
extension name: ext-hayabusa
extension request:
artifact_id: '{{ .routing.log_id }}'
min_rule_level: '{{ "informational" }}'
profile: '{{ "timesketch-verbose" }}'
send_to_timeline: true
usr_mtd:
enabled: true
expiry: 0
tags: []
To apply the template, follow these steps:
Ensure that `ext-infrastructure` is enabled in your org. This allows use of IaC templates.
Within your org, browse to Organization Settings > Infrastructure As Code
In the “Config” dialog on the “Apply New Config” tab, paste in the IaC template and click “Apply Additive Changes”
Once the template is in your org, initiate the process to collect a triage acquisition from an endpoint with the Velociraptor extension. Follow these steps to initiate the process:
Browse to the ext-velociraptor page nested under “Extensions”.
Fill out the “Collect Artifact” details:
Artifacts: `Windows.KapeFiles.Targets`
Sensor ID: <victim system> (or use Sensor Selector to target many systems)
Arguments: `KapeTriage=Y` to utilize the KapeTriage target list (recommended)
Click “Collect Artifact”.
The rest of the process is automated! You can now view the “Live Feed” or “Timeline” of the following sensors to monitor the progress of the timeline generation process:
ext-velociraptor: Provides feedback on the acquisition process
ext-hayabusa: Provides feedback on EVTX processing; output is sent to this sensor’s timeline as well as uploaded as a CSV Artifact
ext-plaso: Provides feedback on timeline generation; queues jobs and runs them back-to-back for multiple acquisitions
Once the jobs are done, you can download the Plaso and Hayabusa timelines from the Artifacts page and see all Hayabusa-generated detections on the Detections page.
By leveraging LimaCharlie's DFIR extensions and the provided IaC template, security teams can automate incident response workflows, streamline forensic investigations, and gain valuable insights into security incidents.
Want to take it further?
Check out our tutorials to learn how to further utilize tools like BigQuery to analyze output from tools like Velociraptor and Hayabusa. For an even more exciting analysis capability, check out this guide for sending Plaso timelines directly to Timesketch via Output.
To explore LimaCharlie’s SecOps Cloud Platform, try it for free or book a demo with our solutions engineers.