Developer Roll Up: November 2021

Another busy month for the team at LimaCharlie. Some of the highlights include the introduction of a new sensor type and our SOC 2 Type 2 certification.

I will also take this opportunity to invite you to our first ever dev stream. Join the team at LimaCharlie for an interactive living room style discussion about all that has happened in the last year. Meet the team, learn about new features and the thinking behind them, as well as getting a glimpse of what is coming.

You can register to attend here.

Sensor v4.25.4

• Fixes to the IS_OUTGOING flag in NETWORK_ACTIVITY on certain platforms.

• Support for a new sensor tag put to allow users to put a specific Payload on disk without executing it or deleting it after it has been written.

• Fixed an issue that could result in a sensor crash of macOS during sensor network isolation.

• The USER_OBSERVED event is now regenerated every 24h. This can help build UEBA detections in a more reliable way.

• Fixing certain network connections on macOS showing an invalid local IP.

Soc II Type II Certification

LimaCharlie has achieved SOC 2 certification. More than ever, LimaCharlie customers can be assured that their data is safe and that our cloud infrastructure will be available when they need it.

https://www.limacharlie.io/blog/2021/11/9/limacharlie-achieves-soc2-certification

UX Improvements

We listen to your feedback & continue to make LimaCharlie experience easier and more intuitive. Sometimes it requires small tweaks and enhancements; at other times it warrants larger redesigns.

In this release, we have made changes to the following parts of the experience:

• Exfil Control

• Yara Scanning

• Artifact Collection

It should now be easier to understand how they work, what configuration options are available, and how to get them setup quickly.  Also, Org Descriptions are now visible on the Organizations list.

Check the screenshots for a peek of what you'll see next time you visit Exfil Control, Yara Scanning & Artifacts Collection in your orgs from now on

Universal Sensor Protocol (USP)

We're excited to announce that we're now opening up the Alpha release of our newest service. This service begins to extend many of the LimaCharlie super-powers (D&R rules, indexing and storage)  to things like external audit logs and 3rd party EDRs. We believe this, in combination with Outputs will also make LimaCharlie a great platform to optimize margins around Storage on external data lakes.

You can now ingest real-time external logs/telemetry into LimaCharlie. This new telemetry will go directly into the normal "EDR" pipeline. This means:

• All telemetry is stored with 1 year of retention.

• You can create D&R rules that apply to this new telemetry just like you do with EDR.

• You can send this new telemetry to Outputs like you would do with EDR data.

You will notice we're referring in a generic way to the logs/telemetry you can ingest. This is because we've open sourced the underlying protocol (so you can make your own sensors if you'd like: https://github.com/refractionPOINT/go-uspclient/).

We're also releasing as part of this Alpha a new piece of software we call the LimaCharlie Adapter. This Adapter supports a multitude of ingestion mechanisms and allows you to start easily ingesting from any of them. You can think of it like a Beat or a Splunk Collector.

The Adapter currently allows you to ingest using the following methods:

• S3 buckets

• Google Pub/Sub

• STDIN of the process (so you can pipe logs in)

• Syslog: the Adapter can operate as a syslog endpoint

• 1Password events API

The Adapter itself is an executable available here:

• Linux Intel 64 bit: https://downloads.limacharlie.io/adapter/linux/64

• macOS Intel 64 bit: https://downloads.limacharlie.io/adapter/mac/64

• macOS ARM 64 bit: https://downloads.limacharlie.io/adapter/mac/arm64

• Windows Intel 64 bit: https://downloads.limacharlie.io/adapter/windows/64

It’s also available as a Docker Container: https://hub.docker.com/r/refractionpoint/lc-adapter

Although the ingestion mechanism is technically generic, we're also expanding the list of sources of telemetry in a more direct way. We are doing this by adding more Platforms to the Sensors. By making these sources of data as first class Platforms, we can simplify drastically the process of ingestion.

Here are the current Platforms supported:

• text: this is a generic Platform for text based logs.

• json: this is a generic Platform for logs in the JSON format.

• gcp: this is a log format for Google Cloud Platform audit logs.

• carbon_black: this is for Carbon Black sensor data.

• 1password: this is for 1Password event logs.

We plan on expanding to a ton more in the future. If you would like support for something else that we don't have please share it with us. That being said, you're not limited to the formats we put forward. The Adapter allows you to specify with great precision how you want to parse and map any logs you want to bring in, no involvement on our side!

The Adapter documentation lives here: https://doc.limacharlie.io/docs/documentation/ZG9jOjI2NzM2Mjcz-lima-charlie-adapter

We also have some articles describing specific use cases:

• Syslog ingestion: https://help.limacharlie.io/en/articles/5702125-how-to-get-realtime-syslog-ingestion-with-limacharlie

• GCP Audit Logs via Pub/sub: https://help.limacharlie.io/en/articles/5754343-how-to-connect-google-cloud-logs-to-limacharlie

Finally, you may notice from the list of Platforms above that we support CarbonBlack. We wanted to highlight this and describe a bit more the capability. One of configurations available to the Adapter is the ability to take one source of telemetry and automatically represent it as any number of sensors. This means your 500 CarbonBlack sensors can come into LimaCharlie each as first class sensors. We also normalize the CarbonBlack telemetry into the LimaCharlie EDR format, which means all your D&R rules will now apply automatically.

Again, if you'd like to bring in sensors from other platforms with a similar treatment as the CarbonBlack EDR, let us know!

All this is now available from all data centers. Please let us know if you encounter difficulties so we can expand our documentation in the right direction.

The pricing during the Alpha is the following:

• For CarbonBlack, the cost per sensor per month is listed on our pricing page. This is handled transparently through the Quota (each sensor will consume 0.2 quota units).

• For all other sources, billing is done per 1 GB of data ingested (uncompressed) from the source at the rate listed on our pricing page (billed on ingestion) and this covers the full 1 year retention you're used to with EDR.

This being an Alpha, pricing may fluctuate when we go GA, but the intention is to keep it in the same ballpark and make it as accessible as possible.

Other things to expected in the future:

• More platforms officially supported

• Better onboarding flow

• Better visualization

• Optionally have the LC cloud run the adapter in the cloud for you.

Sensor v4.25.5

• Fixes stability issues with running on hardened/customized versions of Linux.

• Fixes rare deadlocks when unloading a sensor.

• Enhances the performance of the Process List (os_processes) and Network (netstat) views in the webapp for Windows and macOS (Linux will soon follow with eBPF support). This is done by better caching on the sensor. Initial listing request when a sensor starts will still have a cold-start that can take up to a minute, follow on listings will be much quicker.