September 1st, 2021
Developer Roll Up: August 2021
Christopher Luft
Summer is winding down but the team at LimaCharlie is just getting things warmed up. We have some really great updates to share and are excited for what is coming over the next few months.
Replaying and Testing D&R Rules in the Web App
LimaCharlie’s ability to run D&R rules over historical data has taken a big step toward being easier to use while writing and testing rules. We have deepened the integration in the web app to shorten the feedback loop when writing rules, and in the process we redesigned the D&R rule editing experience. Some things you might notice:
Full page editors for both D&R and FP rules
Draft rules for both of them, too
Ability to Replay rules from either the list or the editor, testing them against historical data or against directly passed events
Timeline events have a Start D&R Rule action which takes you to the editor with the event handy for testing
Check out our demo: https://www.loom.com/share/20c40686352f463ebff10f8ac7e974e2
Artifact Ingestion IP
The ingestion path for Artifact Ingestion is now using a static IP address across all clusters.
This means that a service domain such as b76093c3662d5b4f.ingest.limacharlie.io now resolves to a single, static IP address. This makes it simpler to whitelist the IP across your networks.
Infrastructure as Code Improvements
We see Infrastructure as Code (IaC) in LimaCharlie as one of our superpowers. But we know the CLI is not always the most convenient way to apply a quick IaC template. The IaC service now lets you do what you used to do through the CLI, but via the service and its API. On top of the API, it also has its own section in the web UI that makes it easy to copy/paste your org's current configuration for backup, for transfer to another org, or for tweaking.
We plan to make even more use of this service and IaC in the future by providing "templates" you'll be able to apply very easily to your new orgs, and by using IaC as a fast and reliable way to communicate and apply features and automation in LimaCharlie that involve multiple components (a FIM rule plus several D&R rules, for example).
It's also worth noting that this service is now enabled by default on all new organizations to make it easier to bootstrap IaC deployments on new orgs.
https://www.youtube.com/watch?v=uNghy7jXsSE
Sensor v4.25.2
We have made some changes to the macOS sensor. We have added a Code Identity event which tracks unique combinations of file hash and file path. The event is emitted the first time a given combination is seen, which makes it a good event to match hashes against without being overwhelmed by the volume of process execution or module load events.
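As an added illustration (not a rule from the post or from LimaCharlie's own content), here is a D&R rule that reports the first sighting of a hash from a short watch list using the Code Identity event. It assumes the event is exposed to D&R rules as CODE_IDENTITY with the hash at event/HASH and the path at event/FILE_PATH; the hash values are constructed placeholders, not real indicators.

```yaml
# Added example, not from the post. Assumptions: the Code Identity event is
# named CODE_IDENTITY and carries event/HASH and event/FILE_PATH. Because the
# event only fires the first time a hash/path pair is seen, one report per new
# sighting is produced instead of one per process start or module load.
detect:
  event: CODE_IDENTITY
  op: or
  rules:
    - op: is
      path: event/HASH
      value: 0000000000000000000000000000000000000000000000000000000000000001  # constructed placeholder
      case sensitive: false
    - op: is
      path: event/HASH
      value: 0000000000000000000000000000000000000000000000000000000000000002  # constructed placeholder
      case sensitive: false
respond:
  - action: report
    name: code-identity-watchlist-hash
  - action: add tag
    tag: watchlist-hash
    ttl: 604800  # keep the sensor tagged for 7 days so follow-up rules can key off it
```

The Replay feature described above is the natural way to check a rule like this before saving it: paste a captured Code Identity event into the editor, or replay the rule against historical data, and confirm that only the watch-listed hashes produce a report.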
Support for IPv6 in NetStat on Windows and macOS.