cYberbOss21/SOAR-EDR

SOAR-EDR

Implements an automated cybersecurity response system using LimaCharlie, Tines, and Slack to detect, alert, and isolate threats on a Windows server

SOAR-EDR Implementation Guide

Part 1: Design Objectives

  • Create a playbook workflow.
  • Brainstorm the actions to include in the playbook.

Note: Use draw.io to visualize the workflow.

[Diagram: SOAR-EDR-Playbook]
Part 2: LimaCharlie Setup

  1. Install and Configure LimaCharlie
    • Choose Vultr as the cloud provider to deploy a Windows Server machine.
    • Install LimaCharlie on the Windows Server to log and monitor all events.

Note: Screenshot of the Windows Server setup.

  2. Set up LimaCharlie (screenshot of the LimaCharlie setup).


Part 3: Telemetry Generation

  1. Generate Telemetry with LaZagne
    • Temporarily disable Windows Security so the tool can run.
    • Download and execute LaZagne.exe (an open-source credential-harvesting tool, used here only to generate telemetry that the EDR should catch).

Note:

  • Screenshot of LaZagne running in PowerShell.
  • LimaCharlie should detect the download of LaZagne. Include a screenshot of the detection log.

  2. Create a Detection & Response (D&R) Rule
    • Navigate to Organization > Automation > D&R Rules > New Rule.
    • Locate the event in the LimaCharlie logs and add it to the rule.

Note:

  • Screenshots of the rule creation and test output.
  • Screenshot of the detection result.


Part 4: Slack & Tines Integration

  1. Configure Slack and Tines
    • Set up a dedicated Slack channel for notifications.
    • Configure Tines for playbook setup.

Note:

  • Screenshot of the Slack channel setup.
  • Screenshot of the Tines setup.

  2. Connect Tines with LimaCharlie
    • Go to Sensors > Outputs > Add Output > Detections > Tines in LimaCharlie.

Note: Screenshots of the Tines output configuration in LimaCharlie.


Part 5: Automation and Playbook Creation

  1. Develop the Playbook
    • Objective: Automate responses including sending a Slack message, an email with detection details, and generating a user prompt for machine isolation.
    • If the response is “Yes,” proceed to isolate the affected machine.

Note:

  • Screenshots of the playbook and a demo video.

Watch the demo video

Note: Clicking the link in the Slack message or email takes you directly to the specific LimaCharlie event, providing detailed insights for further investigation.
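The playbook logic described in this part (notify with a link to the event, ask the analyst, isolate only on an explicit "Yes"), written as an added Python example that is not part of this repository or of Tines. The detection payload is constructed and its field names are assumed from LimaCharlie's detection output; the isolation step is an injected callable that, in a real deployment, would call LimaCharlie's sensor network-isolation action.

```python
import json
from dataclasses import dataclass

# Constructed sample payload, shaped like a LimaCharlie detection delivered to a
# Tines webhook (field names assumed from LimaCharlie's detection output; every
# value below is made up for this example).
SAMPLE_DETECTION = json.loads(r'''{
  "cat": "LaZagne credential harvester detected",
  "link": "https://app.limacharlie.io/EXAMPLE-LINK-TO-EVENT",
  "routing": {"sid": "EXAMPLE-SENSOR-ID", "hostname": "win-srv-demo"},
  "detect": {"event": {"FILE_PATH": "C:\\Users\\Public\\LaZagne.exe",
                       "COMMAND_LINE": "LaZagne.exe all"}}
}''')

@dataclass
class Alert:
    title: str
    hostname: str
    sid: str
    link: str
    evidence: str

def parse_detection(payload: dict) -> Alert:
    """Extract the fields the playbook needs; optional fields degrade to placeholders."""
    ev = payload.get("detect", {}).get("event", {})
    routing = payload.get("routing", {})
    return Alert(
        title=payload.get("cat", "Unnamed detection"),
        hostname=routing.get("hostname", "unknown-host"),
        sid=routing["sid"],  # required: without a sensor id nothing can be isolated
        link=payload.get("link", ""),
        evidence=f"{ev.get('FILE_PATH', '?')} :: {ev.get('COMMAND_LINE', '?')}",
    )

def slack_message(alert: Alert) -> str:
    """Text of the Slack/email notification, ending with the link to the LimaCharlie event."""
    return (f"*{alert.title}*\nHost: {alert.hostname} (sensor {alert.sid})\n"
            f"Evidence: {alert.evidence}\nInvestigate: {alert.link}")

def wants_isolation(answer: str) -> bool:
    """Only an explicit yes isolates; empty, 'no' or garbled answers leave the host online."""
    return answer.strip().lower() in {"yes", "y"}

def run_playbook(payload: dict, answer: str, isolate) -> dict:
    """Notify, ask, and isolate only on a yes. `isolate(sid) -> bool` is the hook that
    would call LimaCharlie's sensor isolation in a real deployment (injected here)."""
    alert = parse_detection(payload)
    isolated = isolate(alert.sid) if wants_isolation(answer) else False
    return {"message": slack_message(alert), "sid": alert.sid, "isolated": isolated}
```

Running `run_playbook(SAMPLE_DETECTION, "Yes", lambda sid: True)` returns the notification text and `isolated: True`; any answer other than yes leaves the host untouched.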

Takeaways

  • Created Custom Detection & Response Rules with LimaCharlie.
  • Developed a response playbook incorporating Tines, Slack, and email notifications.
  • Enhanced response capabilities to include automated machine isolation based on user prompts.
