← Back to Blog

Developer Roll Up: February 2023

Picture of Christoper Luft, LimaCharlie Co-Founder and Creative Technologist
Christopher Luft
A summary of all that the LimaCharlie team has been up to for February 2023

We recently launched the LimaCharlie Query console which makes the underlying LimaCharlie Query Language (LCQL) more accessible. Users can now easily operationalize the full year of telemetry retained by LimaCharlie, reducing or eliminating the need to send telemetry into 3rd party SIEM-like tools such as Splunk and ELK. It is an exciting new set of capabilities that opens a whole new world of possibilities.

If you would like to learn more about LCQL, you can watch the webinar we recently recorded.

Join us on Mar 21, 2023@ 10:00 AM PT / 1:00 PM ET as Matt Bromiley walks through how to get started with LimaCharlie. This will be an interactive session and attendees are encouraged to bring their questions.

You can register for the webinar here.

LimaCharlie Query Console, revamped Detections page & other enhancements

LimaCharlie Query Language is designed to provide a flexible, intuitive, and interactive way to explore data in LimaCharlie. It uses LimaCharlie Query Language and enables several features including:

  • Querying one full year of telemetry within your tenant

  • Choosing columns you want to have displayed in the web UI

  • Exporting query results in CSV or JSON

  • Estimating the query cost and validating the query before the query run

  • The ability to start a D&R rule from the query console

Quality of Life (QoL) improvements

The team at LimaCharlie is always striving to make the user experience better and in February we released the following improvements.

  • Updated Detections page. This greatly improves performance and enables you to better navigate the detections data

  • Added a drag-to-resize ability for code editors and D&R editors. This should make it easier to edit longer D&R and FP rules in the LimaCharlie web app

  • Updated spinner location on Audit logs to make it more intuitive for users to navigate audit logs

Adding support for webhooks as an ingestion method

Since webhooks are a common way of moving data around, LimaCharlie now has support for webhooks as an ingestion method.

By enabling a webhook through the cloud_sensorHive, you will open up a specific URL to which you can send webhooks from other platforms. The data received there will make its way into LimaCharlie as a sensor in the same way an Office365 or Syslog Adapter would do.

Mass tagging

A small and useful new additional to the limacharlie command line tool (pip install limacharlie):

It's a new command called mass-tag that allows you to tag all endpoints (or remove tags) easily:

limacharlie mass-tag "plat == windows" -t my-tag

You can get details:

limacharlie mass-tag --help

It uses a Sensor Selector Expression as its first parameter: https://doc.limacharlie.io/docs/documentation/36c920f4f7bc9-sensor-selector-expressions

If you already have the Python SDK you might need to update it.

Announcing Replay for False Positive rules

We have heard that one of the most painful challenges is dealing with false positives. To help solve it, in this release we are extending the capabilities of Replay used for retroactive threat hunting, and introducing the ability to replay False Positive rules.

You can now replay a false positive rule against detection content to verify that an FP rule will in fact work. You can paste a properly formatted detection, or have it pre-populated automatically by selecting Mark as False Positive on the Detections page.