May 1st, 2024
Developer Roll Up: April 2024
Christopher Luft
Yet another month has passed, bringing with it a fresh wave of enhancements to the SecOps Cloud Platform.
Upcoming Events
LimaCharlie at RSAC 2024
When: May 6-9
Join us this year at RSAC. Stop by the LimaCharlie booth (#1167) to learn about the SecOps Cloud Platform, pick up some swag, and meet the team building the future of SecOps.
Schedule a meeting with the team.
Join us for happy hour at Kona's Street Market for an intimate after hours event with our friends from Panther and Sublime Security.
Defender Fridays
When: Every Friday @ 10:30am PT
Join us every Friday as we delve into the dynamic world of information security, exploring its defensive side with seasoned professionals from across the industry. Our aim is simple yet ambitious: to foster a collaborative space where ideas flow freely, experiences are shared, and knowledge expands.
This month, we are joined by Tim MalcolmVetter and other industry professionals.
—
April’s Releases
Cloud CLI extension & bi-directional communication between LimaCharlie and various telemetry sources
The release of the new Cloud CLI extension allows you to trigger actions against CLI or API endpoints for third-party products. This extension facilitates bi-directional communication between LimaCharlie and nearly any telemetry source. Actions can be triggered from the Cloud CLI UI or automated via D&R rules.
With the addition of the new bi-directional capability, users can take action to mitigate incidents immediately across any tool all from the same platform, eliminating the need to rely on a third-party solution to make changes.
To get started, subscribe your tenant to the Cloud CLI extension.
To learn more about LimaCharlie's new bi-directional capabilities and the opportunities created by the Cloud CLI extension, visit our technical documentation or watch our webinar.
Changes to public Lookups
Now that lookups in Hive have gained widespread adoption and more and more customers rely on them, we will start the process of sunsetting the legacy lookups feature. Don't worry - the lookups you are relying on will continue to work, but we are going to remove the ability to create lookups the old way (on the marketplace).
Instead, you can create lookups in Hive as described in LimaCharlie documentation.
Adding entity metrics chart to Sensors, Outputs, and D&R rules
LimaCharlie is adding metrics to make it easy for you to see the performance of different components of your security infrastructure.
In this release, we are exposing entity metrics for Sensors, Outputs, and D&R rules:
You will see a new Analytics tab on each Sensor. This tab shows the number of events collected from the Sensor in the specified time frame. It should help you identify issues, see which hosts are the noisiest, and so on.
You will see a new Analytics section on each D&R rule. This shows the number of times the detection & response rule has triggered in the specified time frame.
Similarly, you will see a new Analytics tab on each Output. This tab will show you the number of events sent via the Output in the specified time frame.
Added support for additional Azure log types
LimaCharlie added support for several types of Azure ecosystem logs, including AKS, Key Vault, SQL Server, and Network Security Group. More information on these different log types can be found in our documentation.
Note that upon ingestion:
The event_type field will map to the category field from the log entries.
The time field will map to the time field from the log entries.
Azure log types can be ingested via Azure Event Hub or by creating a Webhook. You can also see support for these new log types in the LimaCharlie UI, allowing for quick and easy cloud Adapter deployment!
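The two mapping rules above are the only normalization the roll-up spells out, so here is an added example (not LimaCharlie code) that applies them to a constructed Azure Event Hub payload. It assumes the usual Event Hub shape, a top-level `records` array of diagnostic-log objects with `time`, `resourceId`, `category` and `operationName`, and it keeps the original record alongside the derived `event_type` and `time` fields. A record with no `category` is reported as rejected rather than dropped silently, since a quietly missing log type is the kind of gap that hides an ingestion problem.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed Azure Event Hub payload (not real telemetry). One diagnostic record
# per log type named in the roll-up, plus one malformed record with no category.
SAMPLE_PAYLOAD = json.dumps({"records": [
    {"time": "2024-04-12T09:15:02.1234567Z",
     "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg1/providers/Microsoft.KeyVault/vaults/kv1",
     "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success",
     "properties": {"id": "https://kv1.vault.azure.net/secrets/db-password", "clientInfo": "azsdk-python"}},
    {"time": "2024-04-12T09:15:05Z",
     "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/aks1",
     "category": "kube-audit", "operationName": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
     "properties": {"log": "{\"verb\":\"create\",\"objectRef\":{\"resource\":\"pods\"}}"}},
    {"time": "2024-04-12T09:16:40.55Z",
     "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg1/providers/Microsoft.Sql/servers/sql1/databases/appdb",
     "category": "SQLSecurityAuditEvents", "operationName": "AuditEvent",
     "properties": {"action_name": "BATCH COMPLETED", "succeeded": "true", "server_principal_name": "appsvc"}},
    {"time": "2024-04-12T09:17:00Z",
     "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1",
     "category": "NetworkSecurityGroupRuleCounter", "operationName": "NetworkSecurityGroupCounters",
     "properties": {"ruleName": "DenyAllInBound", "direction": "In", "type": "block", "matchedConnections": 17}},
    {"time": "2024-04-12T09:17:30Z", "resourceId": "/subscriptions/EXAMPLE-SUB/unknown", "operationName": "Unknown"},
]})

# Azure writes ISO 8601 UTC timestamps with up to seven fractional digits.
_AZURE_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def parse_azure_time(value):
    """Parse an Azure diagnostic timestamp into an aware UTC datetime.
    datetime only stores microseconds, so extra fractional digits are truncated."""
    m = _AZURE_TS.match(value)
    if not m:
        raise ValueError(f"unsupported timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "0").ljust(6, "0")[:6])
    return base.replace(microsecond=micros)


def normalize_records(payload_json):
    """Apply the mapping from the roll-up: event_type <- category, time <- time.
    Returns (events, rejected). Records lacking a category or a parsable time
    go to `rejected` so the ingestion gap is visible instead of silent."""
    events, rejected = [], []
    for rec in json.loads(payload_json).get("records", []):
        try:
            events.append({
                "event_type": rec["category"],
                "time": parse_azure_time(rec["time"]).isoformat(),
                "resource_id": rec.get("resourceId", ""),
                "event": rec,  # original record kept intact for later rule matching
            })
        except (KeyError, ValueError) as exc:
            rejected.append({"record": rec, "reason": repr(exc)})
    return events, rejected


def events_by_type(events):
    """Count normalized events per event_type, the figure an ingestion check would watch."""
    return dict(Counter(e["event_type"] for e in events))


if __name__ == "__main__":
    evs, bad = normalize_records(SAMPLE_PAYLOAD)
    for e in evs:
        print(e["time"], e["event_type"], e["event"]["operationName"])
    print("rejected:", len(bad), "by type:", events_by_type(evs))
```

The per-type counts are the first thing to compare against what the Azure side reports after enabling a new diagnostic setting: a category that is present in Azure but absent from the counts means the Event Hub or Webhook path is not delivering it.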
New Plaso Extension
Plaso is a Python-based suite of tools used to build analysis timelines from forensic artifacts acquired from an endpoint. This is especially useful in an IR situation where the agent was deployed mid- or post-breach, so the real-time telemetry lacks historical context.
The Plaso extension will take the artifact ID of a forensic artifact obtained from an endpoint, or a zip of artifacts (like a KAPE triage from the Velociraptor extension), and generate a CSV timeline of the data, as well as a .plaso timeline that can be imported into Timesketch.
These timelines are invaluable tools for digital forensic investigators and analysts, enabling them to correlate the vast quantities of information found in logs and in the various forensic artifacts collected during an intrusion investigation.
How it works:
Initiate an artifact_get or a KAPE triage with ext-velociraptor or an MFT dump with ext-dumper
Leverage a D&R rule to watch for the ingestion of relevant artifact types and send them to the Plaso extension for processing
View the Plaso CSV artifact, or import the Plaso timeline artifact into Timesketch