LimaCharlie is an endpoint and browser security tool that includes the ability for Secure Annex to enrich Chrome extensions with analysis data.

Setup

  1. Generate an API key in Secure Annex.
  2. Install LimaCharlie’s Secure Annex plugin.
  3. Add the API key to the configuration.
Detailed LimaCharlie documentation

Detection rules

Create detection rules to match enrichment conditions and alert analysts when a new extension meets the criteria.

Example rule:
detect:
  event: extensions
  op: and
  rules:
    - op: is
      path: routing/hostname
      value: ext-secureannex
    - op: or
      rules:
        - op: contains
          path: event/results/extensions/?/categories/?/
          value: Remote Access
        - op: contains
          path: event/results/extensions/?/categories/?/
          value: Proxy Avoidance
respond:
- action: report
  metadata:
    author: John Tuckner
    description: Detects categories related to free VPNs and proxies
    level: low
  name: Detect remote access categories
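
A simplified local model of how the example rule's `and`/`or`/`is`/`contains` logic evaluates against an event, added here as an illustration; it is not LimaCharlie's or Secure Annex's own code. The event layout (inferred from the rule's paths), the `routing/event_type` check, the treatment of `?` as a wildcard for exactly one level, and the helper names are assumptions.

```python
PATH = "event/results/extensions/?/categories/?/"
RULE = {"event": "extensions", "op": "and", "rules": [
    {"op": "is", "path": "routing/hostname", "value": "ext-secureannex"},
    {"op": "or", "rules": [
        {"op": "contains", "path": PATH, "value": "Remote Access"},
        {"op": "contains", "path": PATH, "value": "Proxy Avoidance"}]}]}

def resolve(node, parts):
    """Yield every value reached via parts; '?' matches any one key or list index."""
    if not parts:
        yield node
        return
    head, rest = parts[0], parts[1:]
    if head == "?":
        children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    elif isinstance(node, dict) and head in node:
        children = [node[head]]
    else:
        children = []  # missing key: the path simply does not match
    for child in children:
        yield from resolve(child, rest)

def matches(rule, record):
    """Evaluate one rule node (and / or / is / contains) against a record."""
    op = rule["op"]
    if op == "and":
        return all(matches(r, record) for r in rule["rules"])
    if op == "or":
        return any(matches(r, record) for r in rule["rules"])
    parts = [p for p in rule["path"].split("/") if p]  # tolerate the trailing '/'
    values = [v for v in resolve(record, parts) if isinstance(v, str)]
    if op == "is":
        return any(v == rule["value"] for v in values)
    if op == "contains":
        return any(rule["value"] in v for v in values)  # substring match
    raise ValueError(f"unsupported op: {op}")

def detect(rule, record):
    """True when the event type matches and the rule tree is satisfied."""
    return record["routing"].get("event_type") == rule["event"] and matches(rule, record)

def sample(hostname, categories):
    """Constructed event; the field layout is assumed from the rule's paths."""
    return {"routing": {"hostname": hostname, "event_type": "extensions"},
            "event": {"results": {"extensions": {
                "constructed-extension-id": {"categories": categories}}}}}
```

Because `contains` is a substring match, a category string such as "Remote Access Tools" also satisfies the first branch, and the hostname condition keeps the rule from firing on events that did not come from the Secure Annex enrichment.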