February 8th, 2023
A Guide to LimaCharlie's Microsoft Integrations
LimaCharlie has multiple integrations that offer security teams greater visibility into Microsoft Windows. If you’re familiar with LimaCharlie, you probably know about some of these already. But over the past few months, we’ve added quite a bit to our catalog of capabilities. For this reason, we wanted to put together an updated guide to our most important Microsoft integrations:
The LimaCharlie Windows sensor
The Windows sensor is where most people begin when using LimaCharlie to gain insight into Microsoft platforms. The sensor offers a broad range of coverage for Windows, boasting compatibility from Windows XP SP2 32-bit on up to Windows 11 and Windows Server 2022.
This EDR-class sensor provides access to kernel-level data while maintaining an extremely light footprint on the host. It can be deployed manually, via software deployment packages, or by using a tool like Microsoft Intune for deployments at scale.
So what can you actually do with the LimaCharlie Windows sensor? Quite a few things:
To begin with, the Windows sensor provides rich telemetry data. The Timeline gives access to historical data on the endpoint for over 50 common event types: network activity, DNS events, registry writes, file creation and deletion, and so on. You can also define custom events if you have a need to monitor for something that isn’t on the default events list.
The sensor also brings data standardization and storage benefits. Telemetry is presented in a standardized JSON format and is retained—by default and at no additional cost—for one year. All telemetry data is fully searchable, and can be sent to external data repositories or analytics platforms as needed.
The Windows sensor can also be used to send commands to the endpoint using the Console feature. The sensor currently supports 45 commands on Windows platforms; for a full list of available commands see our documentation.
The sensor’s Processes feature allows security teams to gain detailed, real-time insight into the processes active on a given endpoint—and to suspend/resume or kill processes if necessary.
Windows Event Logs
Access to Windows Event Log (WEL) data is another capability of the LimaCharlie Windows sensor—but is important enough to warrant a bit of extra discussion.
The sensor lets you import WEL data in real time. This has clear benefits:
For security teams currently managing WEL data via forwarding infrastructure and extra tooling, the ability to use the LimaCharlie sensor to do this directly means that they can now eliminate unnecessary cost and complexity.
In addition, since the log data imported into LimaCharlie is structured as JSON, security teams can write detection and response (D&R) rules to run directly on Windows events as they occur.
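As an added example (not from the original post), this is what such a rule could look like in the YAML detect/respond layout LimaCharlie's D&R rules use, matching a Security-channel event 4625 (failed logon). The `WEL` event name, the `event/EVENT/System/...` JSON paths and the `report` action are assumed from the rule schema as remembered here, so verify them against the current documentation before use.

```yaml
# Added example: a D&R rule that fires on a Windows Security log
# event 4625 (failed logon) delivered by the sensor as a WEL event.
detect:
  event: WEL                            # assumed event type name for WEL records
  op: and
  rules:
    - op: is
      path: event/EVENT/System/Channel  # assumed JSON path of the log channel
      value: Security
    - op: is
      path: event/EVENT/System/EventID  # assumed JSON path of the event ID
      value: '4625'                     # string: the ID arrives as text in the JSON
respond:
  - action: report                      # surface the match as a detection
    name: wel-failed-logon
```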
In addition to real-time WEL data, the Windows sensor also lets you import historical event log data from disk. This is useful for teams that need to conduct historical research—or that simply want to establish a bit more context for activity on an endpoint when they set up LimaCharlie for the first time.
Lastly, we’ve recently added the ability to get Windows Event Log data without using the Windows sensor—i.e., in an on-premises way. For a discussion of how this works and why it’s sometimes a better option than using the full EDR sensor on an endpoint, see LimaCharlie co-founder Maxime Lamothe-Brassard’s recent product update.
LimaCharlie and Microsoft Edge
For security teams that need to protect endpoints running Microsoft Edge, LimaCharlie also offers a browser-based Edge sensor.
The Edge sensor is available as a Microsoft Edge Add-on and offers relevant telemetry data from the browser: DNS events, visibility into URLs, etc.
As with other LimaCharlie sensors, the Edge sensor can be used as the basis of D&R rules and security automation. If suspicious activity is detected on a browser, the sensor can be set up to send an alert or disconnect that instance of Edge from the Internet automatically.
Microsoft Cloud Support
LimaCharlie allows you to import Microsoft Defender log data into the LimaCharlie cloud in real time. This means you can use LimaCharlie to monitor Defender events as they happen on an endpoint and set up D&R rules to automate alerting and response on that basis.
In addition, bringing all of your Defender data into LimaCharlie offers greater simplicity and consolidation. Defender for Cloud and Defender for Endpoint logs are available in a single LimaCharlie dashboard; multiple data types can be combined with ease; and multi-source telemetry becomes far more manageable.
For a walkthrough of the setup process, see: How to bring Microsoft Defender logs into LimaCharlie.
Office 365 Audit Logs
For security teams that need Office 365 coverage, LimaCharlie offers the ability to ingest Office 365 audit events.
This provides several benefits. As with other forms of telemetry data, LimaCharlie automatically stores Office 365 audit log data for a full year—which helps meet compliance requirements and means substantial savings when compared to the cost of purchasing storage from Microsoft.
In addition, because Azure data can be included in the Office 365 telemetry imported into LimaCharlie, it's possible to hunt for suspicious activity in your Azure deployments. You can, for example, set up D&R rules and alerting around events such as logins/failed logins, global admin changes, email or file exfiltration, mass deletions, and so forth.
Learning more about LimaCharlie and Microsoft
If you’d like to learn more about how security teams can use LimaCharlie’s Microsoft integrations for powerful, scalable security, you may be interested in watching our recent webinar: Enhance your SOC's visibility on Microsoft platforms with LimaCharlie.
LimaCharlie has an active community Slack channel and holds weekly office hours every Friday at 9:00 AM PT. These are great places to drop by and ask a question, get some help, or even request a new feature.
To see any of the Microsoft integrations discussed in this post in action, try LimaCharlie for yourself or book a demo today.