
Developer Roll Up: July 2022

Christopher Luft

LimaCharlie is firing on all cylinders and we are growing the team with the intention to deliver additional features and capabilities faster.

All the details on what has been happening during the month of July can be found below. As always, if you have any questions or concerns, please do not hesitate to contact us.


LimaCharlie is Hiring!

LimaCharlie is growing again! We are currently hiring for four positions with more coming in September. It is a very exciting time as we continue to gain traction in the market. We have always had a BIG vision and that vision is becoming a reality. Join us and come make cybersecurity better for the next generation. Job openings:

1. Director of Product

2. Developer Relations / Solutions Engineer

3. Front-End Engineer

4. Senior Infrastructure Engineer

Details on each position can be found here: https://www.limacharlie.io/careers

Net Telemetry Improvement

Two new Policy types are available for Net: dns-tracking and conn-tracking.

These new policies, when applied, will generate DNS_REQUEST and NETWORK_CONNECTIONS events for the Net sensor they are applied to.

Those events will make their way in real-time into LimaCharlie:

  • they will be visible and retained in the Timeline of the Net sensor

  • they will be visible in the Live Feed section of the Net sensor

  • they will go through the D&R rules

https://doc.limacharlie.io/docs/documentation/docs/lc-net.md#dns-tracking

Infrastructure Service

As outlined in this post on our blog: https://www.limacharlie.io/blog/2021/7/6/infrastructure-service

We've released a new Service called infrastructure-service: https://app.limacharlie.io/add-ons/detail/infrastructure-service

We see Infrastructure as Code (IaC) in LimaCharlie as one of our superpowers. But we know that the CLI is not always the most convenient way to apply quick IaC templates. This service now allows you to do what you used to do with the CLI, but through the service and its API. On top of the API it provides, it also has its own section in the web UI that makes it easy to copy/paste your org's current configuration for backup, transfer to another org, or tweaking.

We plan to make use of this service and IaC even more in the future by providing "templates" you'll be able to apply very easily to your new orgs, and also to use IaC as a fast and reliable way to communicate/apply features and automation in LimaCharlie that involve multiple components (like a FIM rule + several D&R rules, for example).

It's also worth noting that this service is now enabled by default on all new organizations to make it easier to bootstrap IaC deployments on new orgs.

New Course on edu.limacharlie.io

We have added a new course to our free learning platform that walks users through the LimaCharlie Add-on Marketplace. Learn how easy it is to get new superpowers or create your own.

https://edu.limacharlie.io/courses/exploring-the-add-on-marketplace

Windows Event Log Event Format

If you have not built D&R rules for real-time Windows Event Logs, you can stop reading.

It's recently come to our attention that some Windows Event Logs, as ingested through the real-time mechanism (https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#from-real-time-events) may be formatted slightly differently from what was intended.

Specifically, in some cases, some events could carry an extra Event envelope. For example, the correct path generated is event/EVENT/System, whereas the badly formatted events would have event/EVENT/Event/System.

This error was due to some variable structures in the Windows Event Logs that we'd missed as part of the normalization step.

All Sigma rules automatically generated by LimaCharlie use the correct path, so unless you've created your own rules specifically for the real-time Windows Event Log events, there should be no impact.

Given the low expected impact, we intend to deploy the fix to all clusters tomorrow. If this has an impact on your operations please get in touch with us so we can evaluate the impact vs the impact from mismatched Sigma rules.
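To make the impact of the envelope concrete, here is an added example (not LimaCharlie code or its D&R engine) that builds both event shapes, checks a simple path-based condition against each, and shows the kind of normalization that lifts the extra envelope out of the way. The event contents, the EventID values and the `get_path`/`rule_matches` helpers are constructed for illustration; only the two path shapes come from the post.

```python
import json

# Constructed samples (not real telemetry): the intended shape, with System directly
# under EVENT, and the mis-normalized shape described in the post, with an extra
# "Event" envelope in between.
INTENDED_EVENT = {
    "routing": {"event_type": "WEL"},
    "event": {"EVENT": {"System": {"EventID": "4625", "Channel": "Security"}}},
}
ENVELOPED_EVENT = {
    "routing": {"event_type": "WEL"},
    "event": {"EVENT": {"Event": {"System": {"EventID": "4625", "Channel": "Security"}}}},
}


def get_path(obj, path):
    """Walk a slash-separated path such as event/EVENT/System/EventID; None if absent."""
    cur = obj
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(event, path, value):
    """Minimal equality check standing in for a rule condition on `path`."""
    return get_path(event, path) == value


def unwrap_event_envelope(event):
    """Normalize the bad shape by lifting everything under EVENT/Event up to EVENT.

    Returns a new dict; an event already in the intended shape is returned unchanged.
    """
    ev = get_path(event, "event/EVENT")
    if not isinstance(ev, dict) or not isinstance(ev.get("Event"), dict):
        return event
    fixed = json.loads(json.dumps(event))  # deep copy so the input is untouched
    inner = fixed["event"]["EVENT"].pop("Event")
    fixed["event"]["EVENT"].update(inner)
    return fixed


def check_both_shapes(path="event/EVENT/System/EventID", value="4625"):
    """Does the same condition match the intended, raw enveloped, and normalized events?"""
    return {
        "intended": rule_matches(INTENDED_EVENT, path, value),
        "enveloped_raw": rule_matches(ENVELOPED_EVENT, path, value),
        "enveloped_normalized": rule_matches(unwrap_event_envelope(ENVELOPED_EVENT), path, value),
    }


if __name__ == "__main__":
    print(check_both_shapes())
```

The point a rule author should take from this is that a condition written for the correct path fails silently on the enveloped shape: nothing errors, the rule simply never fires for those events.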

Slack Output Documentation

Since Slack's move to deprecate legacy tokens, we had not updated our documentation on getting the Slack Output working.

We've now remedied that: https://doc.limacharlie.io/docs/documentation/docs/outputs.md#slack

Happy to say Slack Output is now working well again.

Time Zone Preference

You can now select your preferred time zone in the web app! Go to Settings inside your User Profile and you can choose which time zone you'd prefer to see timestamps formatted in. Check it out!

https://www.reddit.com/r/limacharlieio/comments/oh5s6p/time_zone_preference_in_the_web_app/

Webhook Output Compression change

This is a minor update that could have an impact if you use webhook or webhook_bulk Outputs along with compression enabled.

We've fixed the behavior of compression on the HTTP headers of those outputs. When the change is deployed, these outputs using compression will now receive headers:

  • content-type: application/json

  • content-encoding: gzip

Before the fix they would only receive content-type: application/octet-stream.

This change will allow various receiving web servers to remove the gzip encoding automatically. Practically, it means you will be able to, for example, use webhook_bulk with compression enabled to send data to the logz.io REST API directly.

In most cases, this should not have an impact. However, if you are receiving compressed webhooks via a server that automatically removes gzip encoding, then the content of your webhooks will now be decoded automatically.

This change will be deployed in the coming days. As always, please let us know if you have any issues or concerns.
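A receiver-side sketch of what the header change means in practice, as an added example rather than code from LimaCharlie: a small decoder that handles the fixed shape (application/json plus content-encoding: gzip), the old shape (application/octet-stream with a gzip body and no content-encoding header), and the case where a fronting server has already stripped the encoding but left the header behind. The sample events and field names are constructed, and modelling the bulk body as one JSON array is an assumption.

```python
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample payload (not captured traffic).
SAMPLE_EVENTS = [
    {"routing": {"sid": "sensor-1", "event_type": "DNS_REQUEST"}, "event": {"DOMAIN_NAME": "example.com"}},
    {"routing": {"sid": "sensor-1", "event_type": "NETWORK_CONNECTIONS"}, "event": {"NETWORK_ACTIVITY": []}},
]


def build_delivery(fixed_headers=True):
    """Simulate one compressed webhook delivery, with headers before or after the fix."""
    raw = gzip.compress(json.dumps(SAMPLE_EVENTS).encode("utf-8"))
    if fixed_headers:
        headers = {"Content-Type": "application/json", "Content-Encoding": "gzip"}
    else:
        headers = {"Content-Type": "application/octet-stream"}
    return headers, raw


def decode_webhook_body(headers, body):
    """Parse a webhook body regardless of which header shape it arrived with.

    Decompression is decided by the gzip magic bytes, not by the header alone, so
    a body that a proxy already decoded (header kept, body plain) still parses,
    and the legacy octet-stream shape (no content-encoding) is still inflated.
    Both flags are returned so a receiver can log header/body mismatches.
    """
    h = {k.lower(): v.lower() for k, v in headers.items()}
    declared_gzip = "gzip" in h.get("content-encoding", "")
    body_was_gzip = body[:2] == GZIP_MAGIC
    if body_was_gzip:
        body = gzip.decompress(body)
    return {
        "events": json.loads(body.decode("utf-8")),
        "declared_gzip": declared_gzip,
        "body_was_gzip": body_was_gzip,
    }


def count_events_by_type(headers, body):
    """Small downstream consumer: tally events per event_type after decoding."""
    counts = {}
    for ev in decode_webhook_body(headers, body)["events"]:
        t = ev["routing"]["event_type"]
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    for fixed in (True, False):
        hdrs, raw = build_delivery(fixed)
        print(hdrs, decode_webhook_body(hdrs, raw)["body_was_gzip"], count_events_by_type(hdrs, raw))
```

Sniffing the magic bytes rather than trusting the header is what keeps a receiver working across the deployment window, when it may see both shapes from different outputs.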

New Events Stateful Parameter

This new stateful parameter now allows you to create stateful rules at the Sensor level (instead of the Process level).

This enables, for example, the detection of N bad authentications from Windows Event Logs within T amount of time.

See the doc for more: https://doc.limacharlie.io/docs/documentation/docs/dr.md#sensor-level
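To show what a sensor-level stateful detection does, here is an added example of the detection logic itself, written as plain Python and not in LimaCharlie's D&R rule syntax (see the linked doc for that). It keeps a sliding window of failed-logon timestamps per sensor, keyed on the routing sid rather than on any process, and fires once a burst reaches N events within T seconds. The events, timestamps (plain seconds) and the choice to reset the window after each detection are all constructed for the example.

```python
from collections import defaultdict, deque

FAILED_LOGON = "4625"  # Windows Security: an account failed to log on


def make_wel(sid, ts, event_id):
    """Build a constructed WEL-shaped event for sensor `sid` at time `ts` (seconds)."""
    return {"routing": {"sid": sid, "event_time": ts},
            "event": {"EVENT": {"System": {"EventID": event_id}}}}


def wel_event_id(ev):
    return ev.get("event", {}).get("EVENT", {}).get("System", {}).get("EventID")


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = (
    [make_wel("host-A", t, "4625") for t in (1000, 1010, 1020, 1030)]
    + [make_wel("host-A", 1035, "4624")]                                 # a success, must not count
    + [make_wel("host-A", 1040, "4625")]                                 # 5th failure within 40 s
    + [make_wel("host-A", 1050, "4625"), make_wel("host-A", 1055, "4625")]  # only 2 after the reset
    + [make_wel("host-B", t, "4625") for t in (2000, 2030, 2060, 2090, 2120)]  # 5 spread over 120 s
)


class SensorThreshold:
    """Per-sensor sliding window: True when >= n events fall within t_seconds."""

    def __init__(self, n, t_seconds):
        self.n, self.t = n, t_seconds
        self._windows = defaultdict(deque)

    def observe(self, sid, ts):
        w = self._windows[sid]
        w.append(ts)
        while w and ts - w[0] > self.t:   # drop timestamps older than the window
            w.popleft()
        if len(w) >= self.n:
            w.clear()                     # one detection per burst, not one per extra event
            return True
        return False


def run_detection(events, n=5, t_seconds=60):
    """Return one detection record per burst of n failed logons within t_seconds on a sensor."""
    state = SensorThreshold(n, t_seconds)
    detections = []
    for ev in sorted(events, key=lambda e: e["routing"]["event_time"]):
        if wel_event_id(ev) != FAILED_LOGON:
            continue
        sid, ts = ev["routing"]["sid"], ev["routing"]["event_time"]
        if state.observe(sid, ts):
            detections.append({"sid": sid, "event_time": ts, "count": n, "window_s": t_seconds})
    return detections


if __name__ == "__main__":
    for d in run_detection(SAMPLE_EVENTS):
        print(d)
```

Keying on the sensor is what makes this work for Windows Event Logs: failed logons arrive as log events rather than as children of one process tree, so a process-scoped state would never accumulate them.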

LimaCharlie 2FA

You will now be able to add a 2FA step to the LimaCharlie authentication on top of whatever settings your auth provider uses.

By heading into the User Profile, you'll be able to enroll yourself.

The initial rollout will only support SMS based 2FA, although we intend to add more over time.

Why is it limited to SMS? Simply put, we're very conscious of the complexity of authentication in general, and for that reason we use Firebase Authentication, which in turn integrates many auth providers like Google, Microsoft and GitHub. By leveraging Firebase for this, we can ensure that the implementation is rock solid. Unfortunately, Firebase does not yet support other forms of 2FA, but it's on their road map, and when they roll it out, we will support it right away.

We considered doing our own implementation, but decided against it for the current time. We strongly encourage you to use solid auth providers like Google and Office365 which support their own 2FA and anomaly detection. This new 2FA is either an extra-secure step on top of your provider, or a stop-gap solution if you want to use email-based authentication without a provider.

Replay Revamp

Over the weekend, we will be completing the deployment of a major revamp to Replay.

  • vastly enhanced performance and reliability

  • will use the latest version of the D&R engine

  • will support very large scale replay jobs with more ease

  • better stats on jobs

  • Replay will become a cornerstone of D&R rules development as we integrate it for live feedback throughout the web app

This move requires updating a few moving pieces:

  • Python SDK

  • Replay Service

  • Relay backend

This means that the state of Replay during the weekend will be in flux. Please let us know if this may be causing you issues.

New D&R Rule Operator: Scope

We've introduced a new operator to D&R rules: scope. This allows you to scope the path of all sub-rules to a specified sub-path. More concretely, this allows for rules that target specific sub-parts of the event, as in the case of NETWORK_CONNECTIONS events.

More details: https://doc.limacharlie.io/docs/documentation/docs/dr.md#scope
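An illustrative model of what scoping buys you, added here as an example and not LimaCharlie's engine or rule syntax: a toy evaluator in which `scope` resets the root for its sub-rules and, when the scoped path resolves to a list, tries the sub-rule against each element. That the sub-rule paths are relative to the scoped element and that any matching element satisfies the scope are assumptions of this model; the event shape and rule dictionaries are constructed. Check the linked doc for the real semantics.

```python
# Constructed NETWORK_CONNECTIONS-style event (field names simplified; not captured telemetry).
SAMPLE_EVENT = {
    "routing": {"sid": "host-A", "event_type": "NETWORK_CONNECTIONS"},
    "event": {
        "FILE_PATH": "C:\\Windows\\System32\\svchost.exe",
        "NETWORK_ACTIVITY": [
            {"DESTINATION": {"IP_ADDRESS": "10.0.0.5", "PORT": 443}},
            {"DESTINATION": {"IP_ADDRESS": "203.0.113.9", "PORT": 4444}},
        ],
    },
}


def get_path(obj, path):
    """Walk a slash-separated path through nested dicts; None if a hop is missing
    or runs into a list (exactly the situation scope is meant to handle)."""
    cur = obj
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def eval_rule(rule, root):
    """Toy evaluator supporting is / and / or / scope (semantics assumed, see lead-in)."""
    op = rule["op"]
    if op == "is":
        return get_path(root, rule["path"]) == rule["value"]
    if op == "and":
        return all(eval_rule(r, root) for r in rule["rules"])
    if op == "or":
        return any(eval_rule(r, root) for r in rule["rules"])
    if op == "scope":
        target = get_path(root, rule["path"])
        items = target if isinstance(target, list) else [target]
        return any(eval_rule(rule["rule"], item) for item in items if item is not None)
    raise ValueError(f"unknown op {op!r}")


# Without scope the path runs into the NETWORK_ACTIVITY list and can never match.
UNSCOPED_RULE = {"op": "is", "path": "event/NETWORK_ACTIVITY/DESTINATION/PORT", "value": 4444}

# With scope, both conditions are checked against the same connection entry.
SCOPED_RULE = {
    "op": "scope", "path": "event/NETWORK_ACTIVITY",
    "rule": {"op": "and", "rules": [
        {"op": "is", "path": "DESTINATION/PORT", "value": 4444},
        {"op": "is", "path": "DESTINATION/IP_ADDRESS", "value": "203.0.113.9"},
    ]},
}

# Fields taken from two different connections must not combine: 443 belongs to 10.0.0.5.
CROSS_CONNECTION_RULE = {
    "op": "scope", "path": "event/NETWORK_ACTIVITY",
    "rule": {"op": "and", "rules": [
        {"op": "is", "path": "DESTINATION/PORT", "value": 443},
        {"op": "is", "path": "DESTINATION/IP_ADDRESS", "value": "203.0.113.9"},
    ]},
}


def evaluate_all(event=SAMPLE_EVENT):
    return {
        "unscoped": eval_rule(UNSCOPED_RULE, event),
        "scoped": eval_rule(SCOPED_RULE, event),
        "cross_connection": eval_rule(CROSS_CONNECTION_RULE, event),
    }


if __name__ == "__main__":
    print(evaluate_all())
```

The third rule is the one that matters for precision: evaluating the sub-rules per connection entry keeps a destination port and a destination address bound to the same connection, instead of matching whenever each value appears somewhere in the event.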