← Back to Blog
July 6th, 2021
Infrastructure as code service
Christopher Luft
LimaCharlie users are able to leverage our infrastructure as code (IaC) approach to quickly create new tenants with complex configurations. This DevOps approach to scale exemplifies how LimaCharlie envisions the future of cybersecurity.
This feature has been so successful that we decided to make it more accessible and have made it available directly in the web application. Inside of any given Organization, under Setup, you will find a menu item labeled Infrastructure Config.
From this view users can edit and update their configuration file directly as it applies to the given organization.
Here you will find the flattened config representing all of the organization's configurable features. You can modify it here, copy it to another organization, or manage it in version control, setting it via API like this demo.
And as most things with LimaCharlie, this is just the beginning. We already have the next steps for what this can be and will be making more announcements shortly. Below you will find an example config for a well developed Organization. Here is a link to the documentation.
YAML
version: 3
resources:
api:
- insight
- net
- vt
lookup:
- alienvault-ip-reputation
replicant:
- reliable-tasking
- replay
- responder
- sigma
- dumper
- infrastructure-service
- pagerduty
- soteria-rules
- cuttingedge
- integrity
- logging
- yara
- exfil
- sensor-cull
- zeek
- lc-net-install
rules:
artifact-rule:
namespace: general
detect:
artifact type: zeek
case sensitive: false
op: lookup
path: query
resource: lcr://lookup/lc-cutting-edge-dns
target: artifact
respond:
- action: report
name: cutting-edge-artifact
broken:
namespace: general
detect:
event: lookup
op: exists
path: /
target: artifact_event
respond:
- action: service request
name: zeek
request:
action: run_on
artifact_id: <<routing/log_id>>
retention: 30
hafnium-cve:
namespace: general
detect:
event: WEL
op: and
rules:
- op: contains
path: event/EVENT/EventData/*
value: System.InvalidCastException
- op: contains
path: event/EVENT/System/*
value: MSExchange Unified Messaging
respond:
- action: report
name: hafnium-cve
scope-test:
namespace: general
detect:
events:
- NETWORK_CONNECTIONS
op: scope
path: event/NETWORK_ACTIVITY/
rule:
op: and
rules:
- op: or
rules:
- op: starts with
path: event/SOURCE/IP_ADDRESS
value: "10."
- op: or
rules:
- not: true
op: starts with
path: event/DESTINATION/IP_ADDRESS
value: "10."
- op: or
rules:
- op: is
path: event/DESTINATION/PORT
value: 445
- op: is
path: event/DESTINATION/PORT
value: 137
respond:
- action: report
name: test-scope
subtest:
namespace: general
detect:
event: _TRACE-TEST
op: exists
path: detect
respond:
- action: report
name: subtest
svc-coreCommsService-ex:
namespace: managed
detect: {}
respond: []
test:
namespace: general
detect:
artifact type: wel
op: and
rules:
- case sensitive: false
op: is
path: Event/System/EventID
value: "4688"
- case sensitive: false
op: matches
path: Event/EventData/NewProcessName
re: .*\\\\powershell(?:_ise)?\.exe$
- case sensitive: false
op: contains
path: Event/EventData/CommandLine
value: $client = New-Object System.Net.Sockets.TCPClient
target: artifact
respond:
- action: report
name: another
test-fail:
namespace: general
detect:
events:
- NETWORK_CONNECTIONSLOL
op: exists
path: /
respond:
- action: service request
name: zeek
request:
action: run_on
artifact_id: <<routing/log_id>>
retention: 30
trace:
namespace: general
detect:
event: NEW_PROCESS
op: contains
path: event/COMMAND_LINE
value: lc_tracer
respond:
- action: report
name: trace-test
- action: add tag
entire_device: true
tag: full_pcap
ttl: 600
vt-domains:
namespace: general
detect:
event: DNS_REQUEST
metadata_rules:
length of: true
op: is greater than
path: /
value: 4
op: lookup
path: event/DOMAIN_NAME
resource: lcr://api/vt
respond:
- action: report
name: vt-bad-domain
vt-hashes:
namespace: general
detect:
event: CODE_IDENTITY
metadata_rules:
length of: true
op: is greater than
path: /
value: 3
op: lookup
path: event/HASH
resource: lcr://api/vt
respond:
- action: report
name: vt-bad-hash
zeek:
namespace: general
detect:
artifact type: pcap
event: ingest
op: exists
path: /
target: artifact_event
respond:
- action: service request
name: zeek
request:
action: run_on
artifact_id: <<routing/log_id>>
retention: 30
outputs:
chronicle:
bucket: lc-demo-chronicle
module: gcs
name: chronicle
secret_key: |
{
"type": "service_account",
"project_id": "lc-customer-data",
"private_key_id": "REDACTED",
"private_key": "REDACTED",
"client_email": "REDACTED",
"client_id": "REDACTED",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "REDACTED"
}
type: event
integrity:
linux-key:
patterns:
- /root/.ssh/authorized_keys
- /home/*/.ssh/*
tags: []
platforms:
- linux
test:
patterns:
- c:\\test.txt
tags: []
platforms:
- windows
exfil:
list:
default-chrome:
events:
- CONNECTED
- DNS_REQUEST
- HISTORY_DUMP_REP
- HTTP_REQUEST
- OS_PACKAGES_REP
- RECEIPT
filters:
tags: []
platforms:
- chrome
default-linux:
events:
- AUTORUN_CHANGE
- CODE_IDENTITY
- CONNECTED
- DIR_FINDHASH_REP
- DIR_LIST_REP
- DNS_REQUEST
- DRIVER_CHANGE
- EXEC_OOB
- EXISTING_PROCESS
- FILE_DEL_REP
- FILE_GET_REP
- FILE_HASH_REP
- FILE_INFO_REP
- FILE_MOV_REP
- FILE_TYPE_ACCESSED
- FIM_HIT
- FIM_LIST_REP
- GET_DOCUMENT_REP
- GET_EXFIL_EVENT_REP
- HIDDEN_MODULE_DETECTED
- HISTORY_DUMP_REP
- LOG_GET_REP
- LOG_LIST_REP
- MEM_FIND_HANDLE_REP
- MEM_FIND_STRING_REP
- MEM_HANDLES_REP
- MEM_MAP_REP
- MEM_READ_REP
- MEM_STRINGS_REP
- MODULE_MEM_DISK_MISMATCH
- NETSTAT_REP
- NETWORK_CONNECTIONS
- NETWORK_SUMMARY
- NEW_DOCUMENT
- NEW_PROCESS
- OS_AUTORUNS_REP
- OS_DRIVERS_REP
- OS_KILL_PROCESS_REP
- OS_PACKAGES_REP
- OS_PROCESSES_REP
- OS_RESUME_REP
- OS_SERVICES_REP
- OS_SUSPEND_REP
- OS_VERSION_REP
- PCAP_LIST_INTERFACES_REP
- POSSIBLE_DOC_EXPLOIT
- RECEIPT
- RECON_BURST
- SELF_TEST_RESULT
- SENSITIVE_PROCESS_ACCESS
- SERVICE_CHANGE
- TERMINATE_PROCESS
- THREAD_INJECTION
- USER_OBSERVED
- VOLUME_MOUNT
- VOLUME_UNMOUNT
- YARA_DETECTION
filters:
tags: []
platforms:
- linux
default-macos:
events:
- NEW_PROCESS
- TERMINATE_PROCESS
- CODE_IDENTITY
- DNS_REQUEST
- HIDDEN_MODULE_DETECTED
- NETWORK_SUMMARY
- FILE_GET_REP
- FILE_DEL_REP
- FILE_MOV_REP
- FILE_HASH_REP
- FILE_INFO_REP
- DIR_LIST_REP
- MEM_MAP_REP
- MEM_READ_REP
- MEM_HANDLES_REP
- MEM_FIND_HANDLE_REP
- MEM_STRINGS_REP
- MEM_FIND_STRING_REP
- OS_SERVICES_REP
- OS_DRIVERS_REP
- OS_KILL_PROCESS_REP
- OS_SUSPEND_REP
- OS_RESUME_REP
- OS_PROCESSES_REP
- OS_AUTORUNS_REP
- EXEC_OOB
- GET_EXFIL_EVENT_REP
- MODULE_MEM_DISK_MISMATCH
- YARA_DETECTION
- SERVICE_CHANGE
- DRIVER_CHANGE
- AUTORUN_CHANGE
- NEW_DOCUMENT
- GET_DOCUMENT_REP
- VOLUME_MOUNT
- VOLUME_UNMOUNT
- RECON_BURST
- POSSIBLE_DOC_EXPLOIT
- HISTORY_DUMP_REP
- USER_OBSERVED
- FILE_TYPE_ACCESSED
- EXISTING_PROCESS
- SELF_TEST_RESULT
- RECEIPT
- OS_VERSION_REP
- CONNECTED
- OS_PACKAGES_REP
- DIR_FINDHASH_REP
- FIM_HIT
- FIM_LIST_REP
- NETSTAT_REP
- THREAD_INJECTION
- SENSITIVE_PROCESS_ACCESS
- LOG_GET_REP
- LOG_LIST_REP
filters:
tags: []
platforms:
- mac
default-windows:
events:
- AUTORUN_CHANGE
- CODE_IDENTITY
- CONNECTED
- DIR_FINDHASH_REP
- DIR_LIST_REP
- DNS_REQUEST
- DRIVER_CHANGE
- EXEC_OOB
- EXISTING_PROCESS
- FILE_DEL_REP
- FILE_GET_REP
- FILE_HASH_REP
- FILE_INFO_REP
- FILE_MOV_REP
- FILE_TYPE_ACCESSED
- FIM_HIT
- FIM_LIST_REP
- GET_DOCUMENT_REP
- GET_EXFIL_EVENT_REP
- HIDDEN_MODULE_DETECTED
- HISTORY_DUMP_REP
- LOG_GET_REP
- LOG_LIST_REP
- MEM_FIND_HANDLE_REP
- MEM_FIND_STRING_REP
- MEM_HANDLES_REP
- MEM_MAP_REP
- MEM_READ_REP
- MEM_STRINGS_REP
- MODULE_MEM_DISK_MISMATCH
- NETSTAT_REP
- NETWORK_CONNECTIONS
- NETWORK_SUMMARY
- NEW_DOCUMENT
- NEW_PROCESS
- OS_AUTORUNS_REP
- OS_DRIVERS_REP
- OS_KILL_PROCESS_REP
- OS_PACKAGES_REP
- OS_PROCESSES_REP
- OS_RESUME_REP
- OS_SERVICES_REP
- OS_SUSPEND_REP
- OS_VERSION_REP
- POSSIBLE_DOC_EXPLOIT
- RECEIPT
- RECON_BURST
- REGISTRY_LIST_REP
- SELF_TEST_RESULT
- SENSITIVE_PROCESS_ACCESS
- SERVICE_CHANGE
- TERMINATE_PROCESS
- THREAD_INJECTION
- USER_OBSERVED
- VOLUME_MOUNT
- VOLUME_UNMOUNT
- WEL
- YARA_DETECTION
filters:
tags: []
platforms:
- windows
artifact:
linux-logs:
is_ignore_cert: false
is_delete_after: false
days_retention: 30
patterns:
- /var/log/syslog.1
- /var/log/auth.log.1
tags: []
platforms:
- linux
windows-logs:
is_ignore_cert: false
is_delete_after: false
days_retention: 30
patterns:
- c:\\windows\\system32\\winevt\\logs\\System.evtx
- c:\\windows\\system32\\winevt\\logs\\Security.evtx
- c:\\windows\\system32\\winevt\\logs\\Application.evtx
- wel://system:*
- wel://security:*
- wel://application:*
tags: []
platforms:
- windows
net-policy:
allow-all-outbound:
expires_on: 0
type: firewall
policy:
bpf_filter: ""
is_allow: true
capture-dns:
expires_on: 0
type: capture
policy:
bpf_filter: udp port 53
days_retention: 7
ingest_dest: https://REDACTED.ingest.limacharlie.io/ingest
ingest_key: REDACTED
dns-telemetry:
expires_on: 0
type: dns-tracking
policy: {}
netflow-telemetry:
expires_on: 0
type: conn-tracking
policy: {}
no-dropbox:
expires_on: 0
type: dns
policy:
domain: dropbox.com
to_cname: www.google.com
with_subdomains: true
org-value:
domain: app.limacharlie.io
otx: ""
pagerduty: ""
shodan: ""
twilio: ""
vt: REDACTED