LimaCharlie partners with SOC Prime to deliver continuous content streaming of detections

The cybersecurity landscape is shifting because it has to. The breadth of challenges facing defenders is vast and we are constantly reminded about how unpredictable security can be with zero-days such as the recent Log4Shell vulnerability. New tools and a community-based approach offer a way forward in the face of overwhelming complexity.

In this new landscape, we see the rise of innovative companies working to overcome the challenges of a global talent shortage, threat complexity, data quality and cost efficiency. These companies come in many shapes and sizes but they tend to share some common qualities.

• They are integration-friendly and open - they put the needs of their users first.

• They let you try before you buy - the product speaks for itself and there is nothing to hide.

At LimaCharlie we are always excited to partner with other companies that share this philosophical outlook. Today we are happy to announce an integration with SOC Prime that will allow us to deliver cutting-edge threat detection logic directly to your LimaCharlie deployment.

Continuous Content Management with the SOC Prime Platform

SOC Prime takes a collaborative approach to cyber defense, threat hunting, and threat discovery. Powered by its Detection as Code platform that cultivates collaboration from a global cybersecurity community, SOC Prime curates the most up-to-date Sigma-based threat detection content from hundreds of researchers and integrates with over 25 SIEM, EDR, and XDR platforms. 

SOC Prime’s Detection as Code platform allows users to create custom Content Lists tailored to the organization’s stack and industry-specific threat profiles powered by the Continuous Content Management (CCM) capabilities. Leveraging the SOC Prime CCM API, LimaCharlie users can continuously stream the most up-to-date Sigma detections curated for their specific use case. To unlock more customization options, security practitioners can also adjust non-standard data schemas before pulling detection algorithms from the selected content list.  

LimaCharlie has recently released an integration with the SOC Prime CCM API to enable automated deployment of the most relevant detections directly into your environment from a single place via an intuitive interface. The app is available to install right from the LimaCharlie platform.

LimaCharlie makes deploying detection logic easy

LimaCharlie provides Security Infrastructure as a Service (SIaaS) in the form of a wide variety of interoperable cybersecurity technologies that all use the same data format and which are delivered on-demand. It is a scalable, cloud-based approach capable of providing fine-grained visibility into events taking place across the breadth of an organization of any size, from remote endpoints to the cloud.

LimaCharlie is able to collect telemetry from a near-limitless number of sources through the use of Sensors, including:

• All versions of Windows (back to XP SP II)

• All versions of macOS (M1 and Intel)

• All versions of Linux

• AWS Cloud Trail

• CarbonBlack EDR

• Google Cloud Pub/Sub

• STDIN

• 1Password API

• Microsoft Office 365

• Syslog

All of the telemetry produced by the LimaCharlie Sensors are run through the Detection, Response & Automation engine at wire speed. This is where SOC Prime and LimaCharlie create a powerful capability that is greater than the sum of their parts. 

With very little configuration users of both platforms can connect them. This means that without any complicated licensing, or long-term commitments, you can easily apply best-in-class detection logic across your entire fleet, and do so with cost efficiency.

Get custom, curated detection logic across your entire fleet today

Getting started with this powerful combination starts by creating an account with SOC Prime. You can sign up here.

Once you have created your account, make sure to enable access to the SOC Prime CCM API. Here you can download a walk-through guide for the latest version of the CCM API Integration Tool.

The next step is to create an account with LimaCharlie. The free tier is full-featured and provides two tenants with two sensors each. You can sign up here.

With your account created, the next step will be to install one or more sensors to get telemetry flowing. Here is a short video demonstrating how easy it is to install a sensor:

If you are interested in external sensors such as CarbonBlack EDR, AWS Cloud Trail, 1Password event logs, Google Cloud Pub/Sub, etc, please see the doc. A detailed example of using this class of sensors to digest Syslog can be found here.

Once our sensors are installed, the last step is to connect the two platforms and apply your custom ruleset created using SOC Prime’s CCM.

The CCM module allows automatically streaming LimaCharlie Rules from static and dynamic Content Lists: 

• Statiс Content Lists enable teams to arrange detection content manually selected for certain purposes. 

• Dynamic Content Lists enable teams to continuously deliver the newly released and updated detections matching pre-configured custom filters.

Security practitioners can add LimaCharlie Rules to the specific static Content List right from the rule page in the SOC Prime’s Platform. First, click Add to CCM List from the Code tab with the LimaCharlie rule source code:

Then, select the Static List from the list of options. If you cannot find the list that matches your needs, click the Create New Content List button to build a new list from scratch. 

Once added, you can find the hand-picked rule in the selected Static Content List on the Content Lists page of the CCM module.

Alternatively, teams can create dynamic Content Lists with LimaCharlie detections automatically populated based on the pre-configured filters. On the Create New Content List form, add the list name and select the Dynamic type. Optionally, you can configure multiple customization settings for the dynamic Content List, add a list description, category, include or exclude tags. To adjust the list to the specific language format, click Advanced Filters, then find Content Platform and select LimaCharlie from the drop-down list. Security practitioners can also add more filters, like the list author, MITRE ATT&CK® technique, or the date of rule creation to make sure they stream only the most relevant detection algorithms directly into their LimaCharlie instance.

After the lists have been configured in the SOC Prime’s platform, you can finish the configuration in LimaCharlie. 

First, enable the socprime add-on on the LimaCharlie marketplace. 

Then, navigate to the Integrations page in your organization, enter the SOC Prime Key & click Update.

When the Key is saved, you will get the ability to select the SOC Prime Content Lists you want to have populated in LimaCharlie as detection & response rules. After selecting the lists & clicking Update, you are all set to start receiving detections based on your SOC Prime lists.