
Infrastructure as code service


Christopher Luft

Infrastructure as code service

LimaCharlie users are able to leverage our infrastructure as code (IaC) approach to quickly create new tenants with complex configurations. This DevOps approach to scale exemplifies how LimaCharlie envisions the future of cybersecurity.

The feature has been successful enough that we decided to make it more accessible by exposing it directly in the web application. Inside any given Organization, under Setup, you will find a new menu item labeled Infrastructure Config.

From this view you can edit and update the configuration directly as it applies to the current organization.

Here you will find the flattened config representing all of the organization's configurable features. You can modify it here, copy it to another organization, or manage it in version control and apply it via the API, as in this demo. Note that the flattened config can carry credentials — output secrets, ingest keys and third-party API keys, as the example below shows — so treat the exported file as sensitive: keep it out of public repositories, and redact those values or inject them from a secret store before committing it.

As with most things at LimaCharlie, this is just the beginning. We already have the next steps planned for what this can become and will be making more announcements shortly. Below is an example config for a well-developed Organization; it comes from a demo tenant and still contains a few test rules (for example `broken`, `test`, `test-fail` and `subtest`) that you would remove before reusing it. Here is a link to the documentation.

LimaCharlie webapp interface of Infrastructure Config

YAML
# Config schema version (presumably the Infrastructure Config format version — see docs).
version: 3
# Add-ons enabled for this organization: third-party APIs, lookup lists and
# replicant services. Rules further down reference some of these
# (lcr://api/vt, lcr://lookup/lc-cutting-edge-dns, the zeek service), so
# removing an entry here can silently break a rule that depends on it.
resources:
  api:
  - insight
  - net
  - vt
  lookup:
  - alienvault-ip-reputation
  # NOTE(review): artifact-rule below uses lcr://lookup/lc-cutting-edge-dns,
  # which is not listed under lookup; presumably it is provided by the
  # cuttingedge replicant — confirm before copying this config elsewhere.
  replicant:
  - reliable-tasking
  - replay
  - responder
  - sigma
  - dumper
  - infrastructure-service
  - pagerduty
  - soteria-rules
  - cuttingedge
  - integrity
  - logging
  - yara
  - exfil
  - sensor-cull
  - zeek
  - lc-net-install
# Detection & Response rules. Each entry has a `detect` clause (what to match)
# and a `respond` list (what to do on a match). Several entries are clearly
# test/demo rules carried over from the demo tenant (broken, subtest, test,
# test-fail) — remove or rename them before reusing this config in production,
# since every match still produces a report or a service request.
rules:
  # Match zeek artifacts against the cutting-edge DNS lookup list and report hits.
  artifact-rule:
    namespace: general
    detect:
      artifact type: zeek
      case sensitive: false
      op: lookup
      path: query
      resource: lcr://lookup/lc-cutting-edge-dns
      target: artifact
    respond:
    - action: report
      name: cutting-edge-artifact
  # NOTE(review): the name says it all — this looks like a deliberately broken
  # test rule (an `exists` on `/` for a `lookup` artifact event) that kicks off
  # a zeek run on the artifact. Drop it before reusing the config.
  broken:
    namespace: general
    detect:
      event: lookup
      op: exists
      path: /
      target: artifact_event
    respond:
    - action: service request
      name: zeek
      request:
        action: run_on
        artifact_id: <<routing/log_id>>
        retention: 30
  # Windows Event Log indicator for the HAFNIUM / Exchange (ProxyLogon) activity:
  # a System.InvalidCastException raised by the MSExchange Unified Messaging
  # source. Both `contains` checks must hold (op: and). This is a log-based
  # indicator, not proof of compromise — triage the host on a hit.
  hafnium-cve:
    namespace: general
    detect:
      event: WEL
      op: and
      rules:
      - op: contains
        path: event/EVENT/EventData/*
        value: System.InvalidCastException
      - op: contains
        path: event/EVENT/System/*
        value: MSExchange Unified Messaging
    respond:
    - action: report
      name: hafnium-cve
  # Flags SMB (445) / NetBIOS (137) connections from a 10.x source to a
  # destination that is NOT 10.x, i.e. internal -> external SMB, evaluated per
  # entry under event/NETWORK_ACTIVITY/ (op: scope).
  # NOTE(review): "internal" is approximated by a `starts with "10."` prefix
  # test only; 172.16/12 and 192.168/16 destinations would be treated as
  # external and 10.x is matched as a string prefix, not a CIDR. Adjust for the
  # address plan of the org this is copied into.
  scope-test:
    namespace: general
    detect:
      events:
      - NETWORK_CONNECTIONS
      op: scope
      path: event/NETWORK_ACTIVITY/
      rule:
        op: and
        rules:
        - op: or
          rules:
          - op: starts with
            path: event/SOURCE/IP_ADDRESS
            value: "10."
        - op: or
          rules:
          - not: true
            op: starts with
            path: event/DESTINATION/IP_ADDRESS
            value: "10."
        - op: or
          rules:
          - op: is
            path: event/DESTINATION/PORT
            value: 445
          - op: is
            path: event/DESTINATION/PORT
            value: 137
    respond:
    - action: report
      name: test-scope
  # Test rule: reports on the synthetic _TRACE-TEST event when `detect` exists.
  subtest:
    namespace: general
    detect:
      event: _TRACE-TEST
      op: exists
      path: detect
    respond:
    - action: report
      name: subtest
  # Entry in the `managed` namespace with empty detect/respond — presumably a
  # placeholder owned by a service rather than a user-authored rule; leave it
  # to the managing service (confirm before editing or deleting).
  svc-coreCommsService-ex:
    namespace: managed
    detect: {}
    respond: []
  # Security log 4688 (process creation) where the new process is powershell
  # (or powershell_ise) and the command line contains the classic
  # System.Net.Sockets.TCPClient reverse-shell one-liner. Evaluated on
  # collected WEL artifacts (target: artifact), all checks case-insensitive.
  # NOTE(review): the regex is written with doubled backslashes (`\\\\`) like
  # the Windows paths in the artifact section; this config format appears to
  # unescape them before the regex is compiled — verify with a test event,
  # since an over-escaped pattern would silently never match.
  # The rule/report names (`test`, `another`) should be renamed before reuse.
  test:
    namespace: general
    detect:
      artifact type: wel
      op: and
      rules:
      - case sensitive: false
        op: is
        path: Event/System/EventID
        value: "4688"
      - case sensitive: false
        op: matches
        path: Event/EventData/NewProcessName
        re: .*\\\\powershell(?:_ise)?\.exe$
      - case sensitive: false
        op: contains
        path: Event/EventData/CommandLine
        value: $client = New-Object System.Net.Sockets.TCPClient
      target: artifact
    respond:
    - action: report
      name: another
  # NOTE(review): `NETWORK_CONNECTIONSLOL` is not an event name as written, so
  # this rule can never fire — presumably a negative test. Remove before reuse.
  test-fail:
    namespace: general
    detect:
      events:
      - NETWORK_CONNECTIONSLOL
      op: exists
      path: /
    respond:
    - action: service request
      name: zeek
      request:
        action: run_on
        artifact_id: <<routing/log_id>>
        retention: 30
  # When a process is started with `lc_tracer` in its command line, report and
  # tag the whole device `full_pcap` for 600 seconds. The tag is presumably
  # consumed by a tag-keyed capture policy; none is visible in this config
  # (capture-dns below has no tag filter), so confirm what the tag drives.
  trace:
    namespace: general
    detect:
      event: NEW_PROCESS
      op: contains
      path: event/COMMAND_LINE
      value: lc_tracer
    respond:
    - action: report
      name: trace-test
    - action: add tag
      entire_device: true
      tag: full_pcap
      ttl: 600
  # Look up every requested domain in VirusTotal (lcr://api/vt) and report
  # when the returned metadata list has more than 4 entries — presumably the
  # number of engines flagging the domain (confirm against the VT API docs).
  # Every DNS_REQUEST triggers a lookup; watch VT API quota on large orgs.
  vt-domains:
    namespace: general
    detect:
      event: DNS_REQUEST
      metadata_rules:
        length of: true
        op: is greater than
        path: /
        value: 4
      op: lookup
      path: event/DOMAIN_NAME
      resource: lcr://api/vt
    respond:
    - action: report
      name: vt-bad-domain
  # Same as vt-domains for file hashes seen in CODE_IDENTITY events, with a
  # threshold of more than 3 entries in the lookup metadata.
  vt-hashes:
    namespace: general
    detect:
      event: CODE_IDENTITY
      metadata_rules:
        length of: true
        op: is greater than
        path: /
        value: 3
      op: lookup
      path: event/HASH
      resource: lcr://api/vt
    respond:
    - action: report
      name: vt-bad-hash
  # On ingest of a pcap artifact, run the zeek service over it and keep the
  # resulting artifacts for 30 days.
  zeek:
    namespace: general
    detect:
      artifact type: pcap
      event: ingest
      op: exists
      path: /
      target: artifact_event
    respond:
    - action: service request
      name: zeek
      request:
        action: run_on
        artifact_id: <<routing/log_id>>
        retention: 30
# Output destinations. This one streams all events (type: event) to the GCS
# bucket lc-demo-chronicle via the gcs module.
outputs:
  chronicle:
    bucket: lc-demo-chronicle
    module: gcs
    name: chronicle
    # NOTE(review): the GCP service-account key is inlined as a JSON block
    # scalar. Because this flattened config is designed to be copied between
    # orgs and kept in version control, the real key travels with it — keep the
    # live value out of the repository (redact it as here, or inject it at
    # apply time from a secret store), and scope the service account to
    # object creation on this one bucket only. Do not put comments inside the
    # block scalar below: they would become part of the key material.
    secret_key: |
      {
        "type": "service_account",
        "project_id": "lc-customer-data",
        "private_key_id": "REDACTED",
        "private_key": "REDACTED",
        "client_email": "REDACTED",
        "client_id": "REDACTED",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "REDACTED"
      }
    type: event
# File integrity monitoring (integrity replicant). Each entry names the
# platforms it applies to, the path patterns to watch, and sensor tags that
# further restrict scope (an empty list applies to every sensor on the platform).
integrity:
  # Watch SSH trust material on Linux hosts: root's authorized_keys and every
  # user's ~/.ssh directory. Changes surface as FIM_HIT events.
  linux-key:
    platforms:
    - linux
    patterns:
    - /root/.ssh/authorized_keys
    - /home/*/.ssh/*
    tags: []
  # Demo entry watching a single scratch file on Windows; remove before reuse.
  test:
    platforms:
    - windows
    patterns:
    - c:\\test.txt
    tags: []
# Exfil (event forwarding) lists: which sensor event types are sent to the
# cloud, selected per platform via `filters`. An event type not listed here is
# not forwarded, so a rule above that keys on it (e.g. NETWORK_CONNECTIONS,
# DNS_REQUEST, CODE_IDENTITY, NEW_PROCESS, WEL) only fires on platforms whose
# list includes that event. Empty `tags` means the list applies to every sensor
# of that platform.
exfil:
  list:
    # Chrome extension sensors: a small set of browser-level events.
    default-chrome:
      events:
      - CONNECTED
      - DNS_REQUEST
      - HISTORY_DUMP_REP
      - HTTP_REQUEST
      - OS_PACKAGES_REP
      - RECEIPT
      filters:
        tags: []
        platforms:
        - chrome
    # Linux: full telemetry set, including NETWORK_CONNECTIONS and the
    # *_REP responses to sensor commands.
    default-linux:
      events:
      - AUTORUN_CHANGE
      - CODE_IDENTITY
      - CONNECTED
      - DIR_FINDHASH_REP
      - DIR_LIST_REP
      - DNS_REQUEST
      - DRIVER_CHANGE
      - EXEC_OOB
      - EXISTING_PROCESS
      - FILE_DEL_REP
      - FILE_GET_REP
      - FILE_HASH_REP
      - FILE_INFO_REP
      - FILE_MOV_REP
      - FILE_TYPE_ACCESSED
      - FIM_HIT
      - FIM_LIST_REP
      - GET_DOCUMENT_REP
      - GET_EXFIL_EVENT_REP
      - HIDDEN_MODULE_DETECTED
      - HISTORY_DUMP_REP
      - LOG_GET_REP
      - LOG_LIST_REP
      - MEM_FIND_HANDLE_REP
      - MEM_FIND_STRING_REP
      - MEM_HANDLES_REP
      - MEM_MAP_REP
      - MEM_READ_REP
      - MEM_STRINGS_REP
      - MODULE_MEM_DISK_MISMATCH
      - NETSTAT_REP
      - NETWORK_CONNECTIONS
      - NETWORK_SUMMARY
      - NEW_DOCUMENT
      - NEW_PROCESS
      - OS_AUTORUNS_REP
      - OS_DRIVERS_REP
      - OS_KILL_PROCESS_REP
      - OS_PACKAGES_REP
      - OS_PROCESSES_REP
      - OS_RESUME_REP
      - OS_SERVICES_REP
      - OS_SUSPEND_REP
      - OS_VERSION_REP
      - PCAP_LIST_INTERFACES_REP
      - POSSIBLE_DOC_EXPLOIT
      - RECEIPT
      - RECON_BURST
      - SELF_TEST_RESULT
      - SENSITIVE_PROCESS_ACCESS
      - SERVICE_CHANGE
      - TERMINATE_PROCESS
      - THREAD_INJECTION
      - USER_OBSERVED
      - VOLUME_MOUNT
      - VOLUME_UNMOUNT
      - YARA_DETECTION
      filters:
        tags: []
        platforms:
        - linux
    # macOS: same events as Linux in a different order, except that
    # NETWORK_CONNECTIONS and PCAP_LIST_INTERFACES_REP are not listed —
    # NOTE(review): the scope-test rule therefore will not fire on macs;
    # add NETWORK_CONNECTIONS here if that is unintended.
    default-macos:
      events:
      - NEW_PROCESS
      - TERMINATE_PROCESS
      - CODE_IDENTITY
      - DNS_REQUEST
      - HIDDEN_MODULE_DETECTED
      - NETWORK_SUMMARY
      - FILE_GET_REP
      - FILE_DEL_REP
      - FILE_MOV_REP
      - FILE_HASH_REP
      - FILE_INFO_REP
      - DIR_LIST_REP
      - MEM_MAP_REP
      - MEM_READ_REP
      - MEM_HANDLES_REP
      - MEM_FIND_HANDLE_REP
      - MEM_STRINGS_REP
      - MEM_FIND_STRING_REP
      - OS_SERVICES_REP
      - OS_DRIVERS_REP
      - OS_KILL_PROCESS_REP
      - OS_SUSPEND_REP
      - OS_RESUME_REP
      - OS_PROCESSES_REP
      - OS_AUTORUNS_REP
      - EXEC_OOB
      - GET_EXFIL_EVENT_REP
      - MODULE_MEM_DISK_MISMATCH
      - YARA_DETECTION
      - SERVICE_CHANGE
      - DRIVER_CHANGE
      - AUTORUN_CHANGE
      - NEW_DOCUMENT
      - GET_DOCUMENT_REP
      - VOLUME_MOUNT
      - VOLUME_UNMOUNT
      - RECON_BURST
      - POSSIBLE_DOC_EXPLOIT
      - HISTORY_DUMP_REP
      - USER_OBSERVED
      - FILE_TYPE_ACCESSED
      - EXISTING_PROCESS
      - SELF_TEST_RESULT
      - RECEIPT
      - OS_VERSION_REP
      - CONNECTED
      - OS_PACKAGES_REP
      - DIR_FINDHASH_REP
      - FIM_HIT
      - FIM_LIST_REP
      - NETSTAT_REP
      - THREAD_INJECTION
      - SENSITIVE_PROCESS_ACCESS
      - LOG_GET_REP
      - LOG_LIST_REP
      filters:
        tags: []
        platforms:
        - mac
    # Windows: full set plus REGISTRY_LIST_REP and WEL (Windows Event Log),
    # which the hafnium-cve rule depends on.
    default-windows:
      events:
      - AUTORUN_CHANGE
      - CODE_IDENTITY
      - CONNECTED
      - DIR_FINDHASH_REP
      - DIR_LIST_REP
      - DNS_REQUEST
      - DRIVER_CHANGE
      - EXEC_OOB
      - EXISTING_PROCESS
      - FILE_DEL_REP
      - FILE_GET_REP
      - FILE_HASH_REP
      - FILE_INFO_REP
      - FILE_MOV_REP
      - FILE_TYPE_ACCESSED
      - FIM_HIT
      - FIM_LIST_REP
      - GET_DOCUMENT_REP
      - GET_EXFIL_EVENT_REP
      - HIDDEN_MODULE_DETECTED
      - HISTORY_DUMP_REP
      - LOG_GET_REP
      - LOG_LIST_REP
      - MEM_FIND_HANDLE_REP
      - MEM_FIND_STRING_REP
      - MEM_HANDLES_REP
      - MEM_MAP_REP
      - MEM_READ_REP
      - MEM_STRINGS_REP
      - MODULE_MEM_DISK_MISMATCH
      - NETSTAT_REP
      - NETWORK_CONNECTIONS
      - NETWORK_SUMMARY
      - NEW_DOCUMENT
      - NEW_PROCESS
      - OS_AUTORUNS_REP
      - OS_DRIVERS_REP
      - OS_KILL_PROCESS_REP
      - OS_PACKAGES_REP
      - OS_PROCESSES_REP
      - OS_RESUME_REP
      - OS_SERVICES_REP
      - OS_SUSPEND_REP
      - OS_VERSION_REP
      - POSSIBLE_DOC_EXPLOIT
      - RECEIPT
      - RECON_BURST
      - REGISTRY_LIST_REP
      - SELF_TEST_RESULT
      - SENSITIVE_PROCESS_ACCESS
      - SERVICE_CHANGE
      - TERMINATE_PROCESS
      - THREAD_INJECTION
      - USER_OBSERVED
      - VOLUME_MOUNT
      - VOLUME_UNMOUNT
      - WEL
      - YARA_DETECTION
      filters:
        tags: []
        platforms:
        - windows
# Artifact collection rules: files (and wel:// log channels) pulled from
# sensors and retained for `days_retention` days. `is_ignore_cert: false`
# keeps TLS certificate verification on for the upload — leave it that way.
# `is_delete_after: false` leaves the source file on the host after upload.
artifact:
  # Rotated syslog and auth log from Linux hosts (the .1 files, i.e. the
  # previous rotation, not the live log).
  linux-logs:
    is_ignore_cert: false
    is_delete_after: false
    days_retention: 30
    patterns:
    - /var/log/syslog.1
    - /var/log/auth.log.1
    tags: []
    platforms:
    - linux
  # Windows: the System/Security/Application .evtx files plus the same three
  # channels via wel:// (live Windows Event Log streaming, which feeds the
  # WEL-based rules). NOTE(review): collecting both the .evtx file and the
  # wel:// channel presumably stores the same events twice — confirm whether
  # the file copies are wanted, or drop them to save retention cost.
  windows-logs:
    is_ignore_cert: false
    is_delete_after: false
    days_retention: 30
    patterns:
    - c:\\windows\\system32\\winevt\\logs\\System.evtx
    - c:\\windows\\system32\\winevt\\logs\\Security.evtx
    - c:\\windows\\system32\\winevt\\logs\\Application.evtx
    - wel://system:*
    - wel://security:*
    - wel://application:*
    tags: []
    platforms:
    - windows
# Network policies applied by the LimaCharlie net service. `expires_on: 0`
# presumably means the policy never expires (confirm in the net docs).
net-policy:
  # Permit all outbound traffic: an empty bpf_filter matches everything and
  # is_allow is true. NOTE(review): this is the permissive baseline; if the
  # intent of the net service is egress control, add deny policies (or a
  # narrower allow) before relying on it.
  allow-all-outbound:
    expires_on: 0
    type: firewall
    policy:
      bpf_filter: ""
      is_allow: true
  # Capture DNS traffic (udp port 53) as pcap and forward it to the ingest
  # endpoint; captures are kept 7 days.
  # NOTE(review): ingest_key is a credential inlined in the config — same
  # caveat as the output secret: keep the live value out of version control
  # and rotate it if this file has ever been shared.
  capture-dns:
    expires_on: 0
    type: capture
    policy:
      bpf_filter: udp port 53
      days_retention: 7
      ingest_dest: https://REDACTED.ingest.limacharlie.io/ingest
      ingest_key: REDACTED
  # Emit DNS query telemetry from the network sensor.
  dns-telemetry:
    expires_on: 0
    type: dns-tracking
    policy: {}
  # Emit connection (netflow-style) telemetry from the network sensor.
  netflow-telemetry:
    expires_on: 0
    type: conn-tracking
    policy: {}
  # DNS sinkhole: answer dropbox.com and all subdomains with a CNAME to
  # www.google.com. Note this redirects rather than refuses — clients still
  # get a resolvable answer and will attempt a connection to the CNAME target,
  # which may show up as noise in connection telemetry; prefer a non-resolving
  # target if the net service supports one.
  no-dropbox:
    expires_on: 0
    type: dns
    policy:
      domain: dropbox.com
      to_cname: www.google.com
      with_subdomains: true
# Organization-level values. Apart from `domain`, these are third-party API
# keys (OTX, PagerDuty, Shodan, Twilio, VirusTotal) consumed by the matching
# resources; only the VirusTotal key is set here (redacted), the rest are
# empty strings. NOTE(review): these are secrets — treat the exported config
# as sensitive and do not commit live values.
org-value:
  domain: app.limacharlie.io
  otx: ""
  pagerduty: ""
  shodan: ""
  twilio: ""
  vt: REDACTED