← Back to Blog

Automating Incident Response Workflows with LimaCharlie

Eric Capuano
blog post header image

Introduction

As a security professional, you know that the ability to swiftly and effectively respond to threats is crucial. In this post, we’ll explore how LimaCharlie, a SecOps Cloud Platform, can help automate comprehensive Incident Response (IR) workflows, including forensic triage acquisition, evidence processing, and forensic timeline generation.

LimaCharlie: A versatile SecOps Cloud Platform

LimaCharlie is a flexible, scalable SecOps Cloud Platform that provides comprehensive enterprise protection with open APIs, centralized telemetry, and automated detection and response capabilities. By integrating various security tools, LimaCharlie reduces the need for multiple vendors and simplifies security operations.

LimaCharlie Extensions for DFIR

As a vendor-neutral provider of security capabilities, LimaCharlie offers several powerful extensions, which can be enabled individually to meet your unique needs. To enhance your DFIR capabilities, we’ll be using the following extensions:

Velociraptor

Velociraptor is an endpoint visibility and collection tool that can be deployed at scale through LimaCharlie. It enables easy artifact collection and incident analysis, allowing users to inspect or collect artifacts with configurable options for specifying artifacts, sensor selectors, and additional arguments. Collected data is ingested into LimaCharlie’s Artifact system, streamlining forensic investigations. Our new extensions benefit greatly from the capabilities of Velociraptor such as its ability to rapidly collect forensic data from compromised endpoints. Learn more about the Velociraptor extension.

Hayabusa

Hayabusa, a fast forensics timeline generator and threat hunting tool for Windows event logs, is integrated within LimaCharlie. It automates the log analysis for forensic timelines and threat detection, providing critical insights into what happened on a system *prior* to EDR sensor installation. Hayabusa's output, compatible with tools like Timesketch, enhances LimaCharlie’s forensic capabilities, allowing for retroactive threat identification and analysis in event logs. Learn more about the Hayabusa extension.

Plaso

Plaso, a Python-based engine, automates the creation of detailed forensic timelines from endpoint artifacts. Integrated into LimaCharlie, it processes evidence and generates timelines for further analysis, facilitating comprehensive timeline generation crucial for understanding the sequence of events during an incident. Learn more about the Plaso extension.

Dumper

The Dumper extension enables memory dumping from a victim endpoint. While less common than disk-based artifact analysis, this extension allows for automatic memory dumping when specific conditions are met or on a manual trigger. Dumper can be easily enabled from the Add-On marketplace (this extension is not included in the IaC below).

The High-Level Process

  1. Deploy the LC EDR agent on the target endpoints

  2. Initiate triage acquisition of compromised endpoints with the Velociraptor extension (can be automated).

  3. Triage acquisitions are automatically processed by Plaso extension (automated).

  4. Acquired EVTX files are automatically processed by Hayabusa extension (automated).

  5. Generated forensic timelines are sent to LC Artifacts storage (automated).

  6. Download the timelines for viewing or automatically send them to Elastic/OpenSearch/Timesketch for analysis.

Replicating the Workflow in Your SecOps Cloud Platform Environment

Easy! To replicate this workflow in your own LimaCharlie environment, simply copy and paste the provided Infrastructure-as-Code (IaC) template into your LimaCharlie Org. This will instantly grant you the capabilities mentioned above.

YAML
version: 3
extensions:
    - ext-infrastructure
    - ext-plaso
    - ext-velociraptor
    - ext-artifact
    - ext-hayabusa
    - ext-reliable-tasking
hives:
    dr-general:
        hayabusa-to-detections:
            data:
                detect:
                    event: hayabusa_event
                    op: and
                    rules:
                        - op: is
                          path: routing/hostname
                          value: ext-hayabusa
                        - op: matches
                          path: event/results/Level
                          re: (med|high|crit)
                respond:
                    - action: report
                      name: Hayabusa Detection - {{ .event.results.Level }} - {{ .event.results.message }} - {{ .event.results.Computer }}
            usr_mtd:
                enabled: true
                expiry: 0
                tags: []
        vr-to-hayabusa:
            data:
                detect:
                    op: and
                    rules:
                        - op: is
                          path: routing/log_type
                          value: velociraptor
                        - not: true
                          op: is
                          path: routing/event_type
                          value: export_complete
                    target: artifact_event
                respond:
                    - action: extension request
                      extension action: generate
                      extension name: ext-hayabusa
                      extension request:
                        artifact_id: '{{ .routing.log_id }}'
                        min_rule_level: '{{ "informational" }}'
                        profile: '{{ "timesketch-verbose" }}'
                        send_to_timeline: true
            usr_mtd:
                enabled: true
                expiry: 0
                tags: []
        vr-to-plaso:
            data:
                detect:
                    op: and
                    rules:
                        - op: is
                          path: routing/log_type
                          value: velociraptor
                        - not: true
                          op: is
                          path: routing/event_type
                          value: export_complete
                    target: artifact_event
                respond:
                    - action: extension request
                      extension action: generate
                      extension name: ext-plaso
                      extension request:
                        artifact_id: '{{ .routing.log_id }}'
            usr_mtd:
                enabled: true
                expiry: 0
                tags: []
        wel-to-hayabusa:
            data:
                detect:
                    artifact type: wel
                    event: ingest
                    op: exists
                    path: /
                    target: artifact_event
                respond:
                    - action: extension request
                      extension action: generate
                      extension name: ext-hayabusa
                      extension request:
                        artifact_id: '{{ .routing.log_id }}'
                        min_rule_level: '{{ "informational" }}'
                        profile: '{{ "timesketch-verbose" }}'
                        send_to_timeline: true
            usr_mtd:
                enabled: true
                expiry: 0
                tags: []

To apply the template, follow these steps:

  1. Ensure that `ext-infrastructure` is enabled in your org. This allows use of IaC templates.

  2. Within your org, browse to Organization Settings > Infrastructure As Code

  3. In the “Config” dialog on the “Apply New Config” tab, paste in the IaC template and click “Apply Additive Changes”

Once the template is in your org, initiate the process to collect a triage acquisition from an endpoint with the Velociraptor extension. Follow these steps to initiate the process:

  1. Browse to the ext-velociraptor page nested under “Extensions”.

  2. Fill out the “Collect Artifact” details: a. Artifacts: `Windows.KapeFiles.Targets` b. Sensor ID: <victim system> (or use Sensor Selector to target many systems) c. Arguments: `KapeTriage=Y` to utilize the KapeTriage target list (recommended)

  3. Click “Collect Artifact”.

  4. The rest of the process is automated! You can now view the “Live Feed” or “Timeline” of the following sensors to monitor the progress of the timeline generation process: a. ext-velociraptor: Provides feedback on the acquisition process b. ext-hayabusa: Provides feedback on EVTX processing; output is sent to this sensor’s timeline as well as uploaded as a CSV Artifact c. ext-plaso: Provides feedback on timeline generation; queues jobs and runs them back-to-back for multiple acquisitions

  5. Once the jobs are done, you can download the Plaso and Hayabusa timelines from the Artifacts page and see all Hayabusa-generated detections on the Detections page.

By leveraging LimaCharlie's DFIR extensions and the provided IaC template, security teams can automate incident response workflows, streamline forensic investigations, and gain valuable insights into security incidents.

Want to take it further?

Check out our tutorials to learn how to further utilize tools like BigQuery to analyze output from tools like Velociraptor and Hayabusa. For an even more exciting analysis capability, check out this guide for sending Plaso timelines directly to Timesketch via Output.

To explore LimaCharlie’s SecOps Cloud Platform, try it for free or book a demo with our solutions engineers.