Automated Incident Response with SOAR & EDR Integration
This project outlines the creation of a SOAR lab that integrates with an EDR tool to automate incident handling. The core idea is to build an automated workflow that detects, analyzes, and responds to security threats on an endpoint with minimal human intervention. This setup is designed to significantly reduce the manual workload for security teams and speed up the response to potential attacks.
Demo
Above: A live demonstration of the automated detection and alerting workflow.
Lab Overview
The lab uses LimaCharlie as the EDR to monitor endpoints and detect threats, Tines as a no-code automation platform to orchestrate the response workflow, and Slack for sending real-time notifications.
The project involves installing a LimaCharlie agent on a Windows Server, configuring detection rules for malicious activity (like credential dumping via LaZagne), and then using Tines to automate actions based on the alerts.
Playbook Workflow
The following diagram illustrates the flow of data from the endpoint to the EDR, and finally to the SOAR platform for decision making and alerting.
Here's the full playbook config JSON file.
LimaCharlie Configuration
Installation
To begin, we install the LimaCharlie sensor on the target Windows machine:
lc_sensor.exe -i YOUR_INSTALLATION_KEY
Detection & Response Rule
We configure a specific rule to detect the usage of LaZagne, a credential dumping tool. The rule looks for process events ending in "LaZagne.exe", specific command line arguments, or a known file hash.
Detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: LaZagne.exe
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: LaZagne
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' all'
        - case sensitive: false
          op: is
          path: event/HASH
          value: 'dc06d62ee95062e714f2566c95b8edaabfd387023b1bf98a09078b84007d5268'

Respond:
  - action: report
    name: detect-hacktool-lazagne
    metadata:
      author: Anon
      description: Detects the execution of LaZagne credential dumping tool via file path, command line, or file hash.
      falsepositives:
        - Legitimate penetration testing tools named 'lazagne'
      level: high
      tags:
        - attack.credential_access
    name: HackTool - Lazagne
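To see how this rule behaves before deploying it, here is an added example (not code from the project or from LimaCharlie) that evaluates the Detect block's operator subset over constructed event records; the record shape used (routing/event_type, routing/platform, event/*) is an assumption for illustration, not the sensor's exact schema.

```python
# Added example, not code from the project: a small evaluator for the operator
# subset the LaZagne rule uses, run over constructed LimaCharlie-style records.
# The record shape (routing/event_type, routing/platform, event/*) is an
# assumption made for this illustration, not the sensor's exact schema.

LAZAGNE_HASH = "dc06d62ee95062e714f2566c95b8edaabfd387023b1bf98a09078b84007d5268"

RULE = {  # the Detect block above, as a Python dict
    "events": ["NEW_PROCESS", "EXISTING_PROCESS"],
    "op": "and",
    "rules": [
        {"op": "is windows"},
        {"op": "or", "rules": [
            {"case sensitive": False, "op": "ends with", "path": "event/FILE_PATH", "value": "LaZagne.exe"},
            {"case sensitive": False, "op": "contains", "path": "event/COMMAND_LINE", "value": "LaZagne"},
            {"case sensitive": False, "op": "contains", "path": "event/COMMAND_LINE", "value": " all"},
            {"case sensitive": False, "op": "is", "path": "event/HASH", "value": LAZAGNE_HASH},
        ]},
    ],
}

# Leaf comparators; both arguments are already strings (lower-cased if case-insensitive).
COMPARE = {"ends with": str.endswith, "contains": lambda a, e: e in a, "is": str.__eq__}

def lookup(record, path):
    # Resolve a slash path such as event/FILE_PATH; None if any key is absent.
    node = record
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def evaluate(rule, record):
    op = rule["op"]
    if op in ("and", "or"):
        return (all if op == "and" else any)(evaluate(r, record) for r in rule["rules"])
    if op == "is windows":
        return lookup(record, "routing/platform") == "windows"
    actual = lookup(record, rule["path"])
    if actual is None:  # a missing field never matches
        return False
    actual, expected = str(actual), str(rule["value"])
    if not rule.get("case sensitive", True):
        actual, expected = actual.lower(), expected.lower()
    return COMPARE[op](actual, expected)

def detect(rule, record):
    # The event-type filter runs first, so file-system events never reach the rule body.
    return lookup(record, "routing/event_type") in rule["events"] and evaluate(rule, record)
```

Note that the `' all'` clause matches any Windows process command line containing that substring, so it is the first clause to review if the rule proves noisy.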
Tines Automation Configuration
Once the alert is generated by LimaCharlie, Tines picks it up to orchestrate the response. We structure the message to extract key details like the source IP, username, and file path.
Message Structure
Detection Info.
Title : <<retrieve_detections.body.cat>>
Time : <<retrieve_detections.body.detect.routing.event_time>>
Computer : <<retrieve_detections.body.detect.routing.hostname>>
Source IP : <<retrieve_detections.body.detect.routing.ext_ip>>
Username : <<retrieve_detections.body.detect.event.USER_NAME>>
File Path : <<retrieve_detections.body.detect.event.FILE_PATH>>
Command Line : <<retrieve_detections.body.detect.event.COMMAND_LINE>>
Sensor ID : <<retrieve_detections.body.detect.routing.sid>>
Detection Link : <<retrieve_detections.body.link>>
Tines Storybook
The visual storybook in Tines handles the logic: retrieving the alert, formatting the data, and dispatching it to the communication channels.
Challenges & Lessons Learned
While the final playbook ran smoothly, the setup process came with a few hurdles that are worth noting for anyone attempting to replicate this:
- False Positives: Initially, the detection rule was too broad. I triggered a few alerts just by renaming a text file to include "LaZagne". I had to tighten the logic to specifically look for process execution events rather than just file system changes.
- JSON Parsing in Tines: Extracting nested JSON data from the LimaCharlie payload was tricky. I learned that using the "Explode" mode in Tines is crucial when the event structure varies between different alert types.
- Latency: There is a slight delay (approx 30-60 seconds) between the detection on the endpoint and the Slack notification. For critical containment actions, this latency is acceptable, but real-time blocking should ideally happen at the EDR level itself.
Evidence & Results
When the attack is simulated on the endpoint, the automation triggers successfully, delivering alerts via both Email and Slack.
Email Alerts
Slack Channel Alerts