
Developer Roll Up: April 2022

Christopher Luft

The months continue to peel off of the calendar and Spring is in the air. As usual, the team at LimaCharlie has been busy pushing the state of cybersecurity forward. In the last month, we have fixed some bugs, brought real-time detections into the web application, and launched a new sensor type.

On May 19th at 10:00 AM PST, join us for a webinar on how to reduce security tooling spend by augmenting Splunk and other high-cost data solutions with LimaCharlie. You can register for the webinar at the following link.

Register for the webinar here.


New IoC Search & Removal of the old Search Page

We are excited to announce that you can now search for sensors and indicators of compromise (IoC) no matter where you are in the web app.

By default, LimaCharlie will detect the IoC type from the search term, but you remain in control of where to look. You can search across all IoC types, or select a specific type such as domain, user name, file hash and others.
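As an added illustration of the "detect the IoC type from the search term" behaviour described above (example code, not LimaCharlie's own implementation), the function below infers a type from a free-text term using hash length, IP-address parsing, and domain, path and account-name patterns. The type labels it returns (md5, sha1, sha256, ip, domain, file_path, user_name) are this example's own names, not LimaCharlie identifiers.

```python
import ipaddress
import re

# Added example (not LimaCharlie code): infer an IoC type from a free-text search term.
# The labels returned here are this example's own, not LimaCharlie's identifiers.

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD, 253 chars overall.
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")
# Windows drive-letter path or POSIX absolute path.
_PATH = re.compile(r"^(?:[A-Za-z]:\\|/)")
# Optional DOMAIN\ prefix followed by an account name.
_USER = re.compile(r"^(?:[A-Za-z0-9._-]{1,64}\\)?[A-Za-z0-9._-]{1,64}$")


def detect_ioc_type(term):
    """Return the most specific IoC type a search term looks like, or "unknown"."""
    t = term.strip()
    if not t:
        return "unknown"
    # Hashes first: a hex string of exactly 32/40/64 characters is unambiguous.
    if _HEX.match(t) and len(t) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(t)]
    # IPv4 or IPv6, validated by the standard library rather than a regex.
    try:
        ipaddress.ip_address(t)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN.match(t):
        return "domain"
    if _PATH.match(t):
        return "file_path"
    if _USER.match(t):
        return "user_name"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample terms, one per type.
    for term in ["8.8.8.8", "login.example.com", "a" * 64, "CORP\\jdoe",
                 "C:\\Windows\\System32\\cmd.exe"]:
        print(term, "->", detect_ioc_type(term))
```

Order matters: hashes and IP addresses are checked before the looser domain and user-name patterns, because a bare account name would otherwise match almost anything.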

We have also removed the old Search page. If you have any feedback or suggestions on how to make the Search even better, please let us know.

Bug Fix in Syslog Output

If you are not using Syslog Outputs you can ignore the rest of this announcement.

On Tuesday the 5th of April, we will be deploying a fix to the Syslog Output to all clusters.

We've found that, due to a combination of bugs, Outputs whose is_no_header flag was set to false were still receiving logs without the Syslog header (https://datatracker.ietf.org/doc/html/rfc5424#section-6.2).

If you are using a Syslog Output and its is_no_header value is false, this change means you will begin receiving logs with the header (which looks like `<38>your-original-log`).

Most systems expecting syslog should understand those headers and strip them out, but this is entirely dependent on the system itself.

For this reason, we suggest that if you're using a Syslog Output and its is_no_header value is false, you change it to true so that your current behavior is preserved when the fix is deployed. Otherwise, the data may look a bit different.

Fixing this bug lets systems that rely on properly Syslog-formatted data work with LimaCharlie, including the "structured data" element of Syslog.
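To make the change above concrete, here is an added example (not LimaCharlie code) of a receiver that accepts both forms: lines carrying the RFC 5424 PRI header that the fix introduces, and headerless lines from is_no_header: true or the pre-fix behavior. It decodes the `<38>` prefix into its facility and severity (PRI = facility * 8 + severity, per RFC 5424 section 6.2.1) and strips it, so downstream parsing sees the original log either way. The sample lines are constructed.

```python
import re

# Added example (not LimaCharlie code): handle lines that may or may not start with
# the RFC 5424 PRI header, so a receiver behaves the same before and after the fix.

# Facility (0-23) and severity (0-7) names from RFC 5424 section 6.2.1, shortened.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + 1..3 decimal digits + ">" at the very start of the line.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_syslog_header(line):
    """Return (facility, severity, message) for one received line.

    A line with a valid <PRI> prefix (what is_no_header: false will now produce)
    has the prefix decoded and removed. A line without one (is_no_header: true,
    or the pre-fix behavior) is returned as-is with facility/severity None.
    """
    m = _PRI_RE.match(line)
    if m is None:
        return None, None, line
    pri = int(m.group(1))
    if pri > 191:  # RFC 5424: max PRI is 23 * 8 + 7 = 191; anything larger is not a header
        return None, None, line
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], line[m.end():]


def normalize(lines):
    """Strip headers from a batch, keeping the decoded metadata beside each message."""
    out = []
    for line in lines:
        facility, severity, msg = split_syslog_header(line)
        out.append({"facility": facility, "severity": severity, "message": msg})
    return out


# Constructed sample input: one line with the header the fix adds, one without.
SAMPLE_LINES = [
    '<38>{"event": "NEW_PROCESS", "sensor": "example-host"}',
    '{"event": "NEW_PROCESS", "sensor": "example-host"}',
]

if __name__ == "__main__":
    for rec in normalize(SAMPLE_LINES):
        print(rec)
```

`<38>` decodes to facility 4 (security/authorization) and severity 6 (informational); both sample lines yield the same message once the header is stripped, which is the property worth checking in any receiver before flipping is_no_header.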

If you have questions or concerns please get in touch.

RFC 5424 - The Syslog Protocol

Sigma Rules - Suppressing Informational Level

LimaCharlie will now begin suppressing informational level rules from the Sigma project through our Sigma Service.

This should reduce the number of false positives people are seeing.

If you would still like to run those rules, you can, as always, run them yourself by converting them through the Sigma CLI to the D&R rule format.

Real-time detections

LimaCharlie is proud to be operating at wire speed, whether we are talking about collecting events, sending data to other destinations via outputs, or anything else. As you know, round-trip times for detection and response to take place in LimaCharlie are generally under 100ms.

Until recently, however, detections would show up in the web app with a delay of about 1 minute (the detection and response on the endpoint happened instantly, but feedback in the UI was slightly delayed). We are excited to share that detections now also appear in the web app in real time.

Go to the Detections page to try true real-time detection and response yourself.

Duo Sensor

LimaCharlie has added a new Duo Sensor.

By bringing the logs from Duo’s cloud-based two-factor authentication services to LimaCharlie, companies can increase their visibility into the environment, meet compliance requirements and identify security risks.

The Duo Sensor collects two types of Duo logs:

  • Authentication Logs provide visibility into where and how users authenticate, including usernames, location, time, type of authentication factor, and more. This allows you to understand the normal behavior and identify potentially abnormal activity.

  • Administrator Logs track the username, time, and type of administrator activity, including groups, user, integration, and device management. This allows you to track any admin changes and identify suspicious activity.
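As an added example of the "understand the normal behavior and identify potentially abnormal activity" idea above (example code, not LimaCharlie or Duo code), the script below learns which countries each user normally authenticates from and then flags successes from a new country, repeated denials, and use of a bypass code. The record shape mirrors the fields named in the Authentication Logs bullet (user name, result, factor, location), but the exact keys are an assumption and every record is constructed.

```python
from collections import defaultdict

# Added example (not LimaCharlie or Duo code). Record keys are an assumption modelled
# on Duo authentication log fields; all records below are constructed.

BASELINE_LOGS = [  # last week's logins, used to learn what is "normal" per user
    {"timestamp": 1648900000, "user": {"name": "alice"}, "result": "success",
     "factor": "duo_push", "access_device": {"location": {"country": "Canada"}}},
    {"timestamp": 1648903600, "user": {"name": "alice"}, "result": "success",
     "factor": "duo_push", "access_device": {"location": {"country": "Canada"}}},
    {"timestamp": 1648907200, "user": {"name": "bob"}, "result": "success",
     "factor": "phone_call", "access_device": {"location": {"country": "United States"}}},
]

TODAY_LOGS = [  # the batch being evaluated against the baseline
    {"timestamp": 1649000000, "user": {"name": "alice"}, "result": "success",
     "factor": "duo_push", "access_device": {"location": {"country": "Canada"}}},
    {"timestamp": 1649000300, "user": {"name": "bob"}, "result": "denied",
     "factor": "duo_push", "access_device": {"location": {"country": "Germany"}}},
    {"timestamp": 1649000360, "user": {"name": "bob"}, "result": "denied",
     "factor": "duo_push", "access_device": {"location": {"country": "Germany"}}},
    {"timestamp": 1649000420, "user": {"name": "bob"}, "result": "denied",
     "factor": "duo_push", "access_device": {"location": {"country": "Germany"}}},
    {"timestamp": 1649000480, "user": {"name": "bob"}, "result": "success",
     "factor": "bypass_code", "access_device": {"location": {"country": "Germany"}}},
]


def build_baseline(records):
    """Map each user to the set of countries they have successfully authenticated from."""
    seen = defaultdict(set)
    for r in records:
        if r["result"] == "success":
            seen[r["user"]["name"]].add(r["access_device"]["location"]["country"])
    return dict(seen)


def find_anomalies(records, baseline, denied_threshold=3):
    """Return (rule, user, detail) tuples for activity that deviates from the baseline.

    Rules: a success from a country not in the user's baseline, the Nth denial for
    the same user within the batch, and any success that used a bypass code.
    """
    findings = []
    denied = defaultdict(int)
    for r in records:
        user = r["user"]["name"]
        country = r["access_device"]["location"]["country"]
        if r["result"] == "denied":
            denied[user] += 1
            if denied[user] == denied_threshold:  # fire once, at the threshold
                findings.append(("repeated_denials", user, denied_threshold))
        elif r["result"] == "success":
            if country not in baseline.get(user, set()):
                findings.append(("new_country", user, country))
            if r["factor"] == "bypass_code":
                findings.append(("bypass_code_used", user, country))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(TODAY_LOGS, build_baseline(BASELINE_LOGS)):
        print(finding)
```

Running it on the constructed data produces three findings for bob (three denials, then a success from a country outside his baseline using a bypass code) and none for alice, whose login matches her baseline. The same three checks are the kind of thing a D&R rule would express once the Duo events are flowing into LimaCharlie.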

Duo is a usage-based sensor billed at $0.15 / GB.

See this step-by-step guide to get started with Duo log collection.

Org Templates

LimaCharlie organizations (Orgs) are tenants in the cloud, conceptually equivalent to “projects”. When creating a new Org, you will now notice the following grouped offerings that activate LimaCharlie capabilities right from the get-go:

  • Incident Response

      • Use open-source Sigma ruleset to receive detections

      • Collect Velociraptor artifacts through LimaCharlie

      • Automatically kickstart IR investigation powered by Sweep

      • Historical threat hunting powered by Replay

  • Extended Detection & Response Standard

      • Use open-source Sigma ruleset to receive detections

      • Run Atomic Red Team tests

      • Historical threat hunting powered by Replay

  • Extended Detection & Response Premium

      • Use curated Soteria MSSP ruleset to receive detections ($0.5 per vSensor per month; free on the free tier)

      • Run Atomic Red Team tests

      • Historical threat hunting powered by Replay

By pre-selecting some of these options for you, we hope to launch you right into our cloud capabilities and give you a sample of the dynamic offerings you can leverage here at LimaCharlie.