Dear all.
I am trying to find a way to import custom rulesets in YAML format from our ATC environment to LimaCharlie as D&R rules. I understand that the rule format will need to be adjusted to the format accepted by LimaCharlie and that the built-in D&R AI feature can assist with this. Does anyone have experience with importing custom, in-house rule sets into LimaCharlie outside of the usual market place integration area? If so, do you have any tips around how to do this with a large ruleset? Did you need to create your own custom extension for this to happen?
Thank you in advance for any support or advice you can provide.
The simplest way would be to utilize the LC CLI. For example, if you have a file called APT_APT1.yar that contains Yara rules, this would be the command (set the value after --key to whatever you want to name it):
limacharlie hive set yara --key APT1 --data APT_APT1.yar --data-key rule
If you’re on Linux and have a directory of Yara rules, this will iterate over all the rules and import them with the rule name based on the file name:
for i in *.yar; do rulename=$(basename "${i%.*}"); limacharlie hive set yara --key "$rulename" --data "$i" --data-key rule; done
Thank you so much for your response Chris, this is useful information. Our custom rules typically include detections using KQL queries, which are contained within overall YAML files. The files include metadata about the rule, in addition to the KQL query. The rules cover detections for Windows, Linux and other systems. I was wondering if there was a way to bulk convert & import these YAML wrapped KQL detections into LC D&R YAML format, and also validate that the converted rules are correct and would alert on defined activity as the original KQL queries would. The rules are hosted in a private ATC github report.
I think the best way to do this right now would be to use the “Ask AI” button in the Add Rule section of the webapp, paste the rule there and ask it to convert.
You probably want to do this manually though as different rule languages will have pretty significant differences and the AI may not get it completely right every time and you’ll want to validate.
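Building on the CLI loop above and the bulk D&R import asked about here, an added example (not from any participant in this thread) that imports a directory of converted D&R YAML rules with the same `hive set` call, skipping files that were only half converted. It assumes the `dr-general` hive holds general D&R rules and that `--data` accepts the YAML rule file as the whole record; the sample rules it writes are constructed.

```shell
#!/bin/sh
# Bulk-import a directory of LimaCharlie D&R rules (one YAML file per rule)
# into the dr-general hive using the same `hive set` CLI call used for YARA
# rules. Files lacking the two top-level sections a D&R rule needs
# (detect: and respond:) are skipped, so one bad conversion does not abort
# the batch. Set LC=echo for a dry run that prints the commands instead.

# A D&R rule is a YAML document with top-level `detect:` and `respond:` keys.
dr_rule_is_wellformed() {
    grep -q '^detect:' "$1" && grep -q '^respond:' "$1"
}

# Import every *.yaml in directory $1, keyed by file name (foo.yaml -> foo).
# Sets DR_IMPORTED / DR_SKIPPED for the caller.
import_dr_rules() {
    DR_IMPORTED=0
    DR_SKIPPED=0
    for f in "$1"/*.yaml; do
        [ -e "$f" ] || break              # empty dir: glob stays literal
        if ! dr_rule_is_wellformed "$f"; then
            echo "skipping $f: no detect:/respond: section" >&2
            DR_SKIPPED=$((DR_SKIPPED + 1))
            continue
        fi
        name=$(basename "${f%.*}")
        # Assumption: --data accepts the YAML rule file as the whole record.
        "${LC:-limacharlie}" hive set dr-general --key "$name" --data "$f"
        DR_IMPORTED=$((DR_IMPORTED + 1))
    done
}

# Constructed sample rules (not from the thread) written into directory $1:
# one well-formed rule and one that was only half converted.
write_sample_rules() {
    cat > "$1/suspicious-sc-exe.yaml" <<'EOF'
detect:
  event: NEW_PROCESS
  op: ends with
  path: event/FILE_PATH
  value: sc.exe
  case sensitive: false
respond:
  - action: report
    name: suspicious-sc-exe
EOF
    printf 'detect:\n  op: is\n  path: event/FILE_PATH\n' > "$1/half-converted.yaml"
}
```

Run `write_sample_rules /tmp/rules; LC=echo import_dr_rules /tmp/rules` to see which commands would be issued before pointing it at the real CLI.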
Thank you Max. I’ve played around with this a bit and need to conduct further testing. Considering the complications with converting the original rules to LC rule format correctly (especially in bulk), I will probably need to do this manually with a few rules first and conduct testing to ensure the conversion is correctly matching the rule criteria. Appreciate the follow-up!
Sure thing. The plan is also to drastically increase the effectiveness of the AI this weekend by switching to our new pipeline around the AI generation that uses the data found in your own tenant to validate that the new rule matches the data you have and that the final rule is syntactically valid.
Thank you so much Max, it is great to hear that you and the team are constantly improving the platform and its features to bring great value to the LimaCharlie community! 