GitHub: YumanBlazer/SOAR-EDR-Incident-Response-Lab
# SOAR & EDR Incident Response Automation Lab
## Architecture

**Data flow:**

```text
Endpoint (Windows 11 VM)
  ↓ lazagne.exe executed
LimaCharlie Agent
  ↓ D&R rule fires → Detections webhook
Tines Webhook (Retrieve Detections)
  ↓ parallel
  ├── Slack alert ──────────────────────── analyst channel
  ├── Email alert ──────────────────────── audit trail
  └── User Prompt (FormAgent) ─── Isolate? [Yes] / [No]
        ├── Yes → POST /isolation → GET /isolation → Slack confirmation
        └── No  → Slack "not isolated, please investigate"
```
## Tech Stack
| Component | Tool | Role |
|-----------|------|------|
| EDR | LimaCharlie | Endpoint telemetry + D&R rules + sensor isolation API |
| SOAR | Tines | Workflow orchestration (10-agent story) |
| Notification | Slack | Real-time analyst alerts + confirmation messages |
| Notification | Email | Audit trail via EmailAgent |
| Test payload | LaZagne | Open-source credential harvester used as benign red-team trigger |
| Endpoint | Windows 11 VM | Target machine running LimaCharlie sensor |
## Demo
### 1. Attack Simulation — LaZagne Executed on Endpoint

### 2. LimaCharlie — Detections Triggered

### 3. Slack — Initial Alert Received

### 4. Tines — Analyst Decision Prompt (Human-in-the-Loop)

### 5. LimaCharlie — Sensor Isolated

### 6. Tines — Full Storyboard

## Tines Workflow (10 Agents)
Story name: **`mannntek-SOAR-EDR`**
| # | Agent Type | Name | Purpose |
|---|-----------|------|---------|
| 0 | `WebhookAgent` | Retrieve Detections | Receives JSON payload from LimaCharlie Outputs |
| 1 | `HTTPRequestAgent` | Send a message (Slack) | Posts initial detection alert to analyst channel |
| 2 | `EmailAgent` | Send Email | Sends alert email for audit trail |
| 3 | `FormAgent` | User Prompt | Presents "Isolate?" boolean toggle (Yes / No) + Submit |
| 4 | `TriggerAgent` | No | Routes when `<>` == `"false"` |
| 5 | `HTTPRequestAgent` | Send a message (Slack) | Posts "not isolated" notice to channel |
| 6 | `TriggerAgent` | Yes | Routes when `<>` == `"true"` |
| 7 | `HTTPRequestAgent` | Isolate Sensor | `POST /v1/{sid}/isolation` to LimaCharlie API |
| 8 | `HTTPRequestAgent` | Send a message (Slack) | Posts isolation confirmation to channel |
| 9 | `HTTPRequestAgent` | Get Isolation Status | `GET /v1/{sid}/isolation` — verifies isolation succeeded |
**Link order:** `0→1`, `0→2`, `0→3`, `3→4`, `3→6`, `4→5`, `6→7`, `7→9`, `9→8`
## LimaCharlie D&R Rule
Rule name: **`mannntek-Lazagne-SOAR-EDR`**
Saved at: [`limacharlie/dnr-rule.yml`](limacharlie/dnr-rule.yml)
```yaml
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: lazagne.exe
        - case sensitive: false
          op: ends with
          path: event/COMMAND_LINE
          value: all
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: lazagne
        - case sensitive: false
          op: is
          path: event/HASH
          value: dc06d62ee95062e714f2566c95b8edaabfd387023b1bf98a09078b84007d5268
respond:
  - action: report
    metadata:
      author: mannntek
      description: Detects Lazagne (SOAR-EDR Tool)
      falsepositives:
        - To the moon
      level: medium
      tags:
        - attack.credential_access
    name: mannntek - HackTool - Lazagne (SOAR-EDR)
```
## Alert & Notification Content
### Initial Slack / Email Alert
```text
Title: <>
Time: <>
Computer: <>
Source IP: <>
Username: <>
File Path: <>
Command Line: <>
Sensor ID: <>
Detection Link: <>
```
### Isolation API Calls
```http
# Isolate sensor
POST https://api.limacharlie.io/v1/<>/isolation
Authorization: Bearer <>

# Verify isolation
GET https://api.limacharlie.io/v1/<>/isolation
Authorization: Bearer <>
```
### Confirmation Slack Message
```text
Isolation Status: <>
The computer: <> has been isolated
```
### No-Isolation Slack Message
```text
The computer: <> was not isolated, please investigate.
```
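The following script is an added example (not code from this repo, and not the Tines story itself) showing the same three pieces of the workflow in plain Python: mapping a detection payload onto the nine alert fields above, preparing the isolate-then-verify request pair, and routing on the analyst's Yes/No form value. The detection JSON is constructed, and the field paths it reads (`cat`, `link`, `routing.hostname`, `routing.int_ip`, `routing.sid`, `routing.event_time`, `detect.event.FILE_PATH` / `COMMAND_LINE` / `USER_NAME`) are assumptions about the webhook payload shape. Nothing is sent over the network.

```python
"""Turn a LimaCharlie detection into the lab's alert fields and prepare the
isolation calls the Tines story makes.

Added example, not code from this repo or from Tines/LimaCharlie. The
detection payload is constructed, and the field paths read from it are
assumptions about the webhook payload shape; adjust them to what your
Outputs actually deliver. No network call is made: prepare_isolation()
only describes the two requests so they can be inspected or handed to an
HTTP client.
"""
from datetime import datetime, timezone
from typing import Any

API_BASE = "https://api.limacharlie.io/v1"

# Constructed detection, roughly shaped like a LimaCharlie Outputs webhook body.
SAMPLE_DETECTION: dict[str, Any] = {
    "cat": "mannntek - HackTool - Lazagne (SOAR-EDR)",
    "link": "https://app.limacharlie.io/example-detection-link",  # placeholder
    "routing": {
        "hostname": "WIN11-LAB",
        "int_ip": "10.0.0.25",
        "sid": "00000000-0000-0000-0000-000000000000",  # placeholder sensor id
        "event_time": 1700000000000,  # epoch milliseconds (assumed unit)
    },
    "detect": {
        "event": {
            "FILE_PATH": "C:\\Users\\analyst\\Desktop\\lazagne.exe",
            "COMMAND_LINE": "lazagne.exe all",
            "USER_NAME": "LAB\\analyst",
        }
    },
}


def _get(obj: Any, path: str, default: Any = "n/a") -> Any:
    """Walk a slash-separated path through nested dicts; return default if absent."""
    for part in path.split("/"):
        if not isinstance(obj, dict) or part not in obj:
            return default
        obj = obj[part]
    return obj


def build_alert(detection: dict[str, Any]) -> dict[str, str]:
    """Produce the nine fields of the initial Slack / Email alert."""
    ts_ms = _get(detection, "routing/event_time", default=None)
    when = (
        datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()
        if isinstance(ts_ms, (int, float)) else "n/a"
    )
    return {
        "Title": str(_get(detection, "cat")),
        "Time": when,
        "Computer": str(_get(detection, "routing/hostname")),
        "Source IP": str(_get(detection, "routing/int_ip")),
        "Username": str(_get(detection, "detect/event/USER_NAME")),
        "File Path": str(_get(detection, "detect/event/FILE_PATH")),
        "Command Line": str(_get(detection, "detect/event/COMMAND_LINE")),
        "Sensor ID": str(_get(detection, "routing/sid")),
        "Detection Link": str(_get(detection, "link")),
    }


def prepare_isolation(sid: str, token: str) -> list[dict[str, Any]]:
    """Describe the isolate-then-verify pair from the story (no request sent).

    The bearer token is passed in from a credential store, never embedded.
    """
    headers = {"Authorization": f"Bearer {token}"}
    url = f"{API_BASE}/{sid}/isolation"
    return [
        {"method": "POST", "url": url, "headers": headers},  # isolate sensor
        {"method": "GET", "url": url, "headers": headers},   # verify isolation
    ]


def route_decision(decision: str, hostname: str, isolation_status: str = "unknown") -> str:
    """Mirror the two TriggerAgents: the form value arrives as the string "true"/"false"."""
    if decision == "true":
        return f"Isolation Status: {isolation_status}\nThe computer: {hostname} has been isolated"
    if decision == "false":
        return f"The computer: {hostname} was not isolated, please investigate."
    raise ValueError(f"unexpected form value: {decision!r}")


if __name__ == "__main__":
    alert = build_alert(SAMPLE_DETECTION)
    for field, value in alert.items():
        print(f"{field}: {value}")
    for call in prepare_isolation(alert["Sensor ID"], "<api-token-from-credential-store>"):
        print(call["method"], call["url"])
    print(route_decision("true", alert["Computer"], isolation_status="isolated"))
```

`build_alert` falls back to `n/a` for any field the payload lacks rather than failing, so a detection from a differently shaped rule still produces a readable alert; `route_decision` rejects anything other than the exact strings `"true"` and `"false"` because that is what the two TriggerAgents compare against.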
## Test Results
| Metric | Result |
|--------|--------|
| Detection trigger | `.\lazagne.exe` on Windows 11 VM (ARM 64-bit) |
| Detection latency | < 500 ms |
| Slack alert delivery | < 2 seconds |
| Email alert delivery | < 5 seconds |
| Isolation execution | < 2 seconds after analyst approval |
| Workflow success rate | 100% across all test runs |
## Key Lessons Learned
1. **SOAR variable syntax** — Tines uses `<>` liquid-style references, not `{{ }}` or `${}`.
2. **API endpoint accuracy** — LimaCharlie isolation uses `POST /v1/{sid}/isolation`; the same URL with `GET` returns current isolation status.
3. **Overly broad D&R rules cause false positives** — `ends with: all` alone matches unrelated Windows processes (e.g., `PushToInstall`). Rules should combine multiple conditions with AND.
4. **Human-in-the-loop for destructive actions** — A boolean toggle with explicit Yes/No labels reduces accidental isolation far better than a single-click button.
5. **Credentials in SOAR** — Store API keys as named credentials (`<>`, `<>`); never hard-code them in agent options.
6. **Audit trail matters** — Parallel Slack + Email delivery ensures there is a searchable record even if one channel is unavailable.
## Repo Structure
```text
SOAR-EDR-Incident-Response-Lab/
├── README.md
├── limacharlie/
│   └── dnr-rule.yml             # Detection & Response rule (YAML)
├── tines/
│   └── workflow-export.json     # Full Tines story export (importable)
├── docs/
│   └── architecture.png         # Drawio architecture diagram
└── screenshots/
    ├── 01-slack-alerts.webp
    ├── 02-limacharlie-sensor-isolated.webp
    ├── 03-tines-user-prompt.webp
    ├── 04-limacharlie-detections.webp
    ├── 05-lazagne-execution.webp
    └── 06-tines-storyboard.webp
```
## References
- [LimaCharlie Documentation](https://docs.limacharlie.io)
- [Tines Documentation](https://docs.tines.com)
- [Slack API — chat.postMessage](https://api.slack.com/methods/chat.postMessage)
- [LaZagne on GitHub](https://github.com/AlessandroZ/LaZagne)
- MITRE ATT&CK: [T1555 — Credentials from Password Stores](https://attack.mitre.org/techniques/T1555/)