March 2nd, 2023
Developer Roll Up: February 2023
We recently launched the LimaCharlie Query console which makes the underlying LimaCharlie Query Language (LCQL) more accessible. Users can now easily operationalize the full year of telemetry retained by LimaCharlie, reducing or eliminating the need to send telemetry into 3rd party SIEM-like tools such as Splunk and ELK. It is an exciting new set of capabilities that opens a whole new world of possibilities.
If you would like to learn more about LCQL, you can watch the webinar we recently recorded.
Join us on Mar 21, 2023@ 10:00 AM PT / 1:00 PM ET as Matt Bromiley walks through how to get started with LimaCharlie. This will be an interactive session and attendees are encouraged to bring their questions.
You can register for the webinar here.
LimaCharlie Query Console, revamped Detections page & other enhancements
LimaCharlie Query Language is designed to provide a flexible, intuitive, and interactive way to explore data in LimaCharlie. It uses LimaCharlie Query Language and enables several features including:
Querying one full year of telemetry within your tenant
Choosing columns you want to have displayed in the web UI
Exporting query results in CSV or JSON
Estimating the query cost and validating the query before the query run
The ability to start a D&R rule from the query console
Quality of Life (QoL) improvements
The team at LimaCharlie is always striving to make the user experience better and in February we released the following improvements.
Updated Detections page. This greatly improves performance and enables you to better navigate the detections data
Added a drag-to-resize ability for code editors and D&R editors. This should make it easier to edit longer D&R and FP rules in the LimaCharlie web app
Updated spinner location on Audit logs to make it more intuitive for users to navigate audit logs
Adding support for webhooks as an ingestion method
Since webhooks are a common way of moving data around, LimaCharlie now has support for webhooks as an ingestion method.
By enabling a webhook through the cloud_sensorHive, you will open up a specific URL to which you can send webhooks from other platforms. The data received there will make its way into LimaCharlie as a sensor in the same way an Office365 or Syslog Adapter would do.
A small and useful new additional to the limacharlie command line tool (pip install limacharlie):
It's a new command called mass-tag that allows you to tag all endpoints (or remove tags) easily:
limacharlie mass-tag "plat == windows" -t my-tag
You can get details:
limacharlie mass-tag --help
It uses a Sensor Selector Expression as its first parameter: https://doc.limacharlie.io/docs/documentation/36c920f4f7bc9-sensor-selector-expressions
If you already have the Python SDK you might need to update it.
Announcing Replay for False Positive rules
We have heard that one of the most painful challenges is dealing with false positives. To help solve it, in this release we are extending the capabilities of Replay used for retroactive threat hunting, and introducing the ability to replay False Positive rules.
You can now replay a false positive rule against detection content to verify that an FP rule will in fact work. You can paste a properly formatted detection, or have it pre-populated automatically by selecting Mark as False Positive on the Detections page.