Part 2: Integrating our SOAR (Tines) and the communication channel (Slack)
Now that we have detections being generated in LimaCharlie EDR, we are going to shift our focus to setting up Slack and Tines so that they can receive the alerts from LimaCharlie.
To recap, let's look at our planned playbook.
To create a workspace, navigate to https://slack.com/help/articles/206845317-Create-a-Slack-workspace and follow the instructions for Desktop.
It will then take you to the workspace creation screen.
Enter your lab name. The next screen will prompt you for your name. It will then ask you to add others; you can skip this step.
Then specify what you're currently working on.
Select "Start with the limited free version".
Let's create an alert channel. The playbook we set up in Tines will send each received detection/alert to the SOC analysts' Slack channel, which matches the workflow we defined in the diagram.
Then hit Create. Skip when prompted to add people.
It's time to go over to Tines.com. Click "Sign up for free".
Tines is a SOAR (Security Orchestration, Automation, and Response) platform. It takes a no-code approach, so teams can automate workflows without writing custom code, which speeds up incident response. It integrates with a wide range of security tools and services, which is what lets us orchestrate the workflow in this lab and cut down on manual intervention.
Enter your email.
I ended up using Google to sign up.
In the top left corner it should show you a quick tutorial. You can try it to quickly acclimatize yourself to the tool.
By the end of step 5 you should receive an email, at the inbox you specified, containing the weather.
When you are done with the tutorial, we will get to building out our automation here. If the white background is unbearable, click on your initials in the top right and select Dark mode.
Once you are done, you should see the entire Tines workspace, or as Tines calls it, your "story".
Here we see some of the building blocks we can use in our automation. You drag the components you need into the open space and then click on each one to configure it. For example, in the image below we have a webhook:
In the bottom left of the page there should be a templates section. If, say, we wanted to add some data-enrichment automation, we could leverage one of these templates as part of our response workflow.
Clicking on a template pops out a sidebar from the right listing the various response actions it can take.
Feel free to play around with it.
There are also complete playbook (story) templates available. Simply click on a playbook template and, on the next page, click Import.
We don't need any of those, but I strongly suggest looking through the docs to see how you could take a detour on this project and expand on it on your own.
Another tip: in the story view, you can go back to the dashboard by clicking the Tines logo in the top left.
Go back into "Your first story" and let's build out our playbook. Delete all the items on the storyboard except the webhook; we will start with that.
You may be wondering: what is a webhook?
In this playbook, the webhook is what connects LimaCharlie to Tines in real time. Whenever LimaCharlie fires a detection (our HackTool rule, or any other), it sends an HTTP POST to the webhook URL with the detection as a JSON body. Tines receives the detection details (time, computer name, source IP, file path, and so on) and immediately triggers the rest of the automated workflow: sending notifications, prompting the analyst about isolation, etc.
Essentially, the webhook acts as a "doorbell" that alerts Tines the moment a new detection occurs, so Tines never has to poll LimaCharlie for updates.
Click on the webhook and set a name and description. Now copy the webhook URL; we will use it in LimaCharlie for the integration. Treat this URL like a credential: the Tines webhook URL carries a secret in its path, and anyone who has it can post fake detections straight into the playbook, so do not paste it into chat or commit it to a repo.
Interestingly, the web UI was updated as I was working on and documenting this course, so the screens you see may differ from the screenshots here. The LimaCharlie release notes for that update are at https://docs.limacharlie.io/docs/release-notes
Back in LimaCharlie, navigate to Outputs.
Then choose Detections as the stream, since what we want forwarded is the output of the custom detection rule we created.
Scroll down and choose Tines as the Destination.
Paste the webhook URL we copied from Tines into the destination field and give the output configuration a name.
Save the output; it should now appear under Detections.
To test this we have to regenerate the event. Go back to the steps where we navigated to the LaZagne file in PowerShell and executed it, and repeat them to confirm our alert makes its way over to Tines.
Click "Refresh samples" on the output in LimaCharlie and we see it detected the execution and sent the detection to the output.
Now go over to Tines and check whether the webhook received the detection. It did.
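Re-running LaZagne on the endpoint every time you want to exercise the playbook gets old, and it is useful to know which fields in the detection JSON the later Slack step will rely on. The following is an added example of mine, not code from the original post or from LimaCharlie or Tines: it builds a constructed detection and POSTs it to the Tines webhook the same way LimaCharlie does. The nesting (cat, detect.event, detect.routing, link, ts) mirrors the shape of LimaCharlie detection reports as I have seen them, but the exact field names are an assumption and every hostname, IP, ID, hash and path is made up. The webhook URL is passed on the command line and is refused unless it is HTTPS, since the URL itself is the secret.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed sample detection. The nesting follows the shape of LimaCharlie
# detection reports (an assumption on my part); every value below is made up.
SAMPLE_DETECTION = {
    "cat": "HackTool - LaZagne",
    "detect": {
        "event": {
            "COMMAND_LINE": "C:\\Users\\lab\\Downloads\\LaZagne.exe all",
            "FILE_PATH": "C:\\Users\\lab\\Downloads\\LaZagne.exe",
            "HASH": "0" * 64,
            "USER_NAME": "LAB-WIN\\lab",
        },
        "routing": {
            "event_time": 1700000000000,  # epoch milliseconds
            "event_type": "NEW_PROCESS",
            "hostname": "lab-win.localdomain",
            "int_ip": "10.0.0.5",
            "ext_ip": "203.0.113.7",
            "sid": "00000000-0000-0000-0000-000000000001",
        },
    },
    "link": "https://app.limacharlie.io/detection/example",  # hypothetical link
    "source": "lab-win.localdomain",
    "ts": 1700000000000,
}


def summarize(detection):
    """Pull out the fields the playbook will later forward to Slack."""
    routing = detection["detect"]["routing"]
    event = detection["detect"]["event"]
    when = time.strftime("%Y-%m-%dT%H:%M:%SZ",
                         time.gmtime(routing["event_time"] / 1000))
    return {
        "title": detection["cat"],
        "time": when,
        "computer": routing["hostname"],
        "source_ip": routing["int_ip"],
        "user": event.get("USER_NAME", ""),
        "file_path": event.get("FILE_PATH", ""),
        "command_line": event.get("COMMAND_LINE", ""),
        "sensor_id": routing["sid"],
        "link": detection.get("link", ""),
    }


def is_safe_webhook_url(url):
    """The Tines webhook URL embeds a secret, so only ever send it over HTTPS."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def build_request(webhook_url, detection):
    """Build the same kind of request LimaCharlie sends: a JSON POST."""
    if not is_safe_webhook_url(webhook_url):
        raise ValueError("refusing to send the webhook secret over a non-HTTPS URL")
    body = json.dumps(detection).encode("utf-8")
    return urllib.request.Request(
        webhook_url, data=body,
        headers={"Content-Type": "application/json"}, method="POST")


def replay(webhook_url, detection=SAMPLE_DETECTION, timeout=10):
    """POST the detection to Tines and return the HTTP status code."""
    req = build_request(webhook_url, detection)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    import sys
    # usage: python replay_detection.py https://<tenant>.tines.com/webhook/<path>/<secret>
    url = sys.argv[1]
    for key, value in summarize(SAMPLE_DETECTION).items():
        print(f"{key:>13}: {value}")
    print("Tines responded with HTTP", replay(url))
```

After running it, open the webhook action in Tines and check its events: the replayed detection should appear exactly like the one produced by the real LaZagne execution, and the summarize() keys are the values you will map into the Slack message in the next part. If Tines returns anything other than a 2xx status, the URL is wrong or has been rotated.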
Good work!
We will now move on to building out the rest of the playbook. Check out Part 3 below.