Introduction

LimaCharlie has a system for creating detection and response (D&R) rules. The platform comes with a wide variety of detections already available, but the real power is that it allows users to create any number of complex detections along with their response actions. Once created, a D&R rule can be applied to the fleet instantly.

A D&R rule has two components. The detection component is a simple expression that describes what the rule should match on; the response component lists the actions that should be taken when the rule matches. D&R rules can be defined in either JSON or YAML, so a basic understanding of either format will be helpful. The REST interface expects rules in their native JSON format.

A detection is basically a rule - or series of rules - that will trigger a response action when a given event takes place. For example, we may want to detect when an endpoint makes a network request to a known malware domain and then send an alert about what has transpired, prevent the offending endpoint from any further communication on the network and/or kill the process that made the request.
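The following is an added example, not code from the original page or from LimaCharlie itself, that puts the two components described above into a concrete rule for the malware-domain scenario: the detect block matches DNS_REQUEST events whose DOMAIN_NAME ends with a placeholder bad domain, and the respond block reports, isolates the host and kills the offending process tree. The rule keys (detect/respond, event, op, path, value, case sensitive, and the report, isolate network and task actions) follow LimaCharlie's documented D&R format; the domain `malware.example`, the sample events and the hostnames are constructed. The small evaluator is a simplified local model of a subset of the detection grammar (is, starts with, ends with, contains, and, or, and a `?` list wildcard in paths) written for this example so the logic can be checked offline; it is not LimaCharlie's own rule engine and omits most of its operators.

```python
"""Constructed LimaCharlie-style D&R rule plus a simplified offline evaluator.

The rule shape follows LimaCharlie's documented detect/respond format. The
evaluator is an assumption-labelled local model for testing rule logic against
sample events; it is NOT LimaCharlie's engine and covers only a few operators.
"""
import json

# Constructed sample rule. "malware.example" is a placeholder, not a real IoC.
# Responses: raise a detection, cut the host off the network, kill the process
# tree that made the request (<<routing/this>> is the event's process atom).
RULE = {
    "detect": {
        "event": "DNS_REQUEST",
        "op": "ends with",
        "path": "event/DOMAIN_NAME",
        "value": "malware.example",
        "case sensitive": False,
    },
    "respond": [
        {"action": "report", "name": "known-malware-domain-lookup"},
        {"action": "isolate network"},
        {"action": "task", "command": "deny_tree <<routing/this>>"},
    ],
}


def rule_to_json(rule=RULE):
    """Serialize the rule to the JSON form the REST interface expects."""
    return json.dumps(rule, indent=2)


def resolve_path(event, path):
    """Walk a slash-separated path such as "event/DOMAIN_NAME" into the event.

    Returns a list of values so that a "?" component can expand every element
    of a list (e.g. event/NETWORK_ACTIVITY/?/DESTINATION/IP_ADDRESS).
    """
    nodes = [event]
    for part in path.split("/"):
        next_nodes = []
        for node in nodes:
            if part == "?" and isinstance(node, list):
                next_nodes.extend(node)
            elif isinstance(node, dict) and part in node:
                next_nodes.append(node[part])
        nodes = next_nodes
    return nodes


def detect_matches(detect, event):
    """Simplified evaluator for a subset of the D&R detection grammar."""
    op = detect["op"]
    if op == "and":
        return all(detect_matches(r, event) for r in detect["rules"])
    if op == "or":
        return any(detect_matches(r, event) for r in detect["rules"])
    # Leaf rule: optional event-type filter plus one path comparison.
    if "event" in detect and event.get("routing", {}).get("event_type") != detect["event"]:
        return False
    values = resolve_path(event, detect["path"])
    target = detect["value"]
    if not detect.get("case sensitive", True):
        values = [v.lower() if isinstance(v, str) else v for v in values]
        target = target.lower() if isinstance(target, str) else target
    for v in values:
        if op == "is" and v == target:
            return True
        if isinstance(v, str) and isinstance(target, str):
            if op == "ends with" and v.endswith(target):
                return True
            if op == "starts with" and v.startswith(target):
                return True
            if op == "contains" and target in v:
                return True
    return False


def evaluate(rule, event):
    """Return the response actions the rule would fire for this event ([] if none)."""
    return rule["respond"] if detect_matches(rule["detect"], event) else []


# Constructed sample events shaped like the routing/event envelope.
MATCHING_EVENT = {
    "routing": {"event_type": "DNS_REQUEST", "hostname": "ws-01", "this": "atom-0001"},
    "event": {"DOMAIN_NAME": "cdn.MALWARE.example", "PROCESS_ID": 4242},
}
BENIGN_EVENT = {
    "routing": {"event_type": "DNS_REQUEST", "hostname": "ws-01", "this": "atom-0002"},
    "event": {"DOMAIN_NAME": "updates.example.org", "PROCESS_ID": 4243},
}

if __name__ == "__main__":
    print(rule_to_json())
    print([a["action"] for a in evaluate(RULE, MATCHING_EVENT)])
    print(evaluate(RULE, BENIGN_EVENT))
```

Running the module prints the JSON body you would submit over REST, then the three actions fired for the matching event and an empty list for the benign one. Because `case sensitive` is false, the mixed-case lookup still matches; drop that key and the same event falls through, which is the kind of edge a rule author wants to confirm before pushing a rule fleet-wide.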