March 3rd, 2022
Developer Roll Up: February 2022
Christopher Luft
We are a couple of days late with the developer roll up for February, but only because we have been so busy! This is a huge update despite February being the shortest month of the year, and we are not done yet: expect even bigger announcements throughout March.
If you are reading this, you should join us for our upcoming webinar, ‘Enhancing your SOC’s visibility on Microsoft platforms with LimaCharlie’. During the webinar we will be exploring the different ways that LimaCharlie can be applied across the Microsoft stack. Monitor Windows Event Logs in real-time, alert on events from Windows Defender, eliminate the need for SSL interception by using the Microsoft Edge extension, and ingest and monitor Microsoft 365 and Active Directory telemetry in the cloud.
Register for the webinar on March 22nd at 10.00 AM PT here: Webinar Registration
Sigma Source
We have recently changed the source of the Sigma CI/CD pipeline behind the Sigma Service.
You can now find the D&R rules that make up the Sigma Service here: https://github.com/refractionPOINT/sigma-limacharlie/tree/rules
This should have no impact on current operations, but you may see some errors appear in your Platform Logs Errors today, as the switchover coincides with some fixes to the Sigma --> D&R conversion.
New Sensors
We have added six new sensors that receive telemetry from external sources, which you can now configure in a few simple steps directly from the LimaCharlie web app. This lets you bring all of your security data into LimaCharlie, write detections on it, take advantage of our 1 year data storage, and send what you need to the destinations of your choice via Outputs.
The new sensors are Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event logs, and VMware Carbon Black EDR.
We need ideas for other third-party sources that you want to bring into LimaCharlie - drop us a line and let us know what you are interested in.
The setup flow is simple:
When you go to Add a New Sensor and select or create an installation key, you are taken to a page where you choose the executable for your architecture, the method you want to use to pull your data, and the method-specific parameters.
We then give you a command line to run the adapter.
Billing Changes
We have introduced the concept of a vSensor. A vSensor (virtual sensor) is a unified way of managing your capacity across all sensor types. You can find more information here. Nothing changes for existing users of our EDR sensors: where you previously saw the word "Sensor" in your quota, you will now see "vSensor".
This change becomes relevant once you want to use the VMware Carbon Black EDR sensor, which consumes only 0.2 vSensor. One VMware Carbon Black sensor therefore costs $0.5/month (including 1 year of full telemetry storage).
Usage-Based Sensors
We are also officially introducing the usage-based sensors: Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event log sensors. Logs & data from other external sources are also billed based on usage. The price is set to $0.15 / GB for all usage-based sensors.
You can learn more here
LimaCharlie Agent v4.26.0
This update brings significant changes under the hood to performance and reliability. It also brings Linux capabilities more on par with Windows and macOS.
Linux eBPF support for kernel 5.7+
Better performance for network connections and process notifications
File events now generated on Linux
Network isolation now supported
FIM is still handled through inotify, but will transition to eBPF in the next release
Windows Kernel driver update
Should provide better performance around File IO tracking
Microsoft Office 365
We are excited to announce the new capability that allows users to bring Microsoft Office 365 logs into LimaCharlie. This gives security professionals more visibility into the cloud and allows them to have all security data in one place.
As with all other LimaCharlie sensors, Microsoft Office 365 comes with one year of full telemetry storage, the ability to generate detections, and the ability to execute automations powered by LimaCharlie’s real-time Detection, Automation & Response engine.
Some of the use cases the Microsoft Office 365 addition enables are:
Monitoring global admin changes and specifically account creations of admin roles
Monitoring mass deletion of data such as emails or files, especially across multiple accounts
Monitoring changes in security configs
Monitoring logins from unexpected places that then perform data exfiltration tasks
Identifying email exfiltration
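To make the first, second and last of these use cases concrete, here is an added example written for this post. It is not LimaCharlie code and does not use the D&R rule format; it is plain Python that runs the same three checks over Microsoft 365 Unified Audit Log records: additions to administrator roles, a burst of deletions by one account, and mailbox rules that forward mail outside the tenant. The field names (CreationTime, Workload, Operation, UserId, ClientIP, ModifiedProperties, Parameters) follow the public Unified Audit Log schema; the records, users, IP addresses, the tenant domain example.test and the thresholds are all constructed for the example.

```python
"""Toy detections over Microsoft 365 Unified Audit Log records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line, as an ingestion pipeline
# would hand them over. Field names follow the Unified Audit Log schema; every
# user, IP address, domain and timestamp below is made up.
SAMPLE_LOG = """
{"CreationTime":"2022-02-10T08:01:00","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"it.admin@example.test","ClientIP":"203.0.113.7","ObjectId":"new.hire@example.test","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}
{"CreationTime":"2022-02-10T08:02:00","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"it.admin@example.test","ClientIP":"203.0.113.7","ObjectId":"helpdesk@example.test","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Directory Readers"}]}
{"CreationTime":"2022-02-10T09:15:00","Workload":"Exchange","Operation":"New-InboxRule","UserId":"finance@example.test","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"sync"},{"Name":"ForwardTo","Value":"archive@external-example.net"}]}
{"CreationTime":"2022-02-10T09:16:00","Workload":"Exchange","Operation":"New-InboxRule","UserId":"sales@example.test","ClientIP":"198.51.100.24","Parameters":[{"Name":"Name","Value":"vip"},{"Name":"MoveToFolder","Value":"VIP"}]}
{"CreationTime":"2022-02-10T09:20:00","Workload":"Exchange","Operation":"SoftDelete","UserId":"sales@example.test","ClientIP":"198.51.100.24"}
"""

TENANT_DOMAINS = {"example.test"}  # assumption: the org's own mail domains
ADMIN_ROLE_OPS = {"Add member to role."}
DELETE_OPS = {"SoftDelete", "HardDelete", "FileDeleted"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}


def parse_log(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def bulk_delete_records(user, count, start="2022-02-10T10:00:00", step_seconds=5):
    """Constructed burst of Exchange deletions used to exercise the mass-deletion check."""
    t0 = datetime.fromisoformat(start)
    return [{"CreationTime": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             "Workload": "Exchange", "Operation": "HardDelete",
             "UserId": user, "ClientIP": "198.51.100.23"} for i in range(count)]


def admin_role_assignments(records):
    """Use case: additions to administrator roles. Returns (actor, target, role) tuples."""
    hits = []
    for r in records:
        if r.get("Operation") not in ADMIN_ROLE_OPS:
            continue
        role = next((p.get("NewValue", "") for p in r.get("ModifiedProperties", [])
                     if p.get("Name") == "Role.DisplayName"), "")
        if "Administrator" in role:
            hits.append((r["UserId"], r.get("ObjectId"), role))
    return hits


def mass_deletions(records, threshold=50, window=timedelta(minutes=10)):
    """Use case: at least `threshold` deletions by one account inside a sliding window."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("Operation") in DELETE_OPS:
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    hits = []
    for user, times in sorted(per_user.items()):
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append(user)
                break
    return hits


def external_forwarding_rules(records, tenant_domains=TENANT_DOMAINS):
    """Use case: mailbox rules that forward or redirect mail to an address outside the tenant."""
    hits = []
    for r in records:
        op = r.get("Operation", "")
        if r.get("Workload") != "Exchange" or not op.endswith(("-InboxRule", "-Mailbox")):
            continue
        for p in r.get("Parameters", []):
            if p.get("Name") in FORWARD_PARAMS:
                domain = p.get("Value", "").rsplit("@", 1)[-1].lower()
                if domain not in tenant_domains:
                    hits.append((r["UserId"], p["Name"], p["Value"]))
    return hits


def run_detections(text=SAMPLE_LOG):
    """Run all three checks over the sample lines plus a constructed deletion burst."""
    records = parse_log(text) + bulk_delete_records("finance@example.test", 60)
    return {"admin_roles": admin_role_assignments(records),
            "mass_deletions": mass_deletions(records),
            "external_forwarding": external_forwarding_rules(records)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

The sliding window in mass_deletions is the part worth copying: counting deletions per day would miss a burst that straddles midnight and would fire on a busy but legitimate mailbox, whereas a ten-minute window keyed on the account catches the pattern the post describes. The tenant domain allowlist in external_forwarding_rules is the knob to tune first, since forwarding to a partner domain the org trusts is a common benign case.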
Because LimaCharlie provides 1 year of full telemetry storage, it can also help organizations satisfy their compliance requirements and eliminate the need to purchase more expensive Microsoft Office 365 licenses.
The Microsoft Office 365 sensor is billed on usage at $0.15/GB (storage included), like our Syslog, AWS CloudTrail Logs, GCP Audit Logs, and 1Password sensors.
To get started, simply click “Add New Sensor” from the Sensors view of the web app. For a step-by-step guide, please visit our Help Center.
Simplified billing for Chrome sensors
We have decided to simplify the way we bill for Chrome sensors. Currently, we have a concept of a “sidecar sensor” which makes Chrome sensors free as long as the number of Chrome sensors is less than the total number of EDR sensors (Windows, Linux, macOS, Docker, or Net). In other words, if you have 5 x Windows sensors and 10 x Chrome sensors in the same org, you would be paying $25/month, calculated as follows:
5 x $2.5 per month for Windows, plus
5 x $2.5 per month for Chrome (you get the first 5 Chrome sensors for free)
In the spirit of making pricing transparent & predictable, starting May 1st, 2022 billing for Chrome sensors will be simplified.
Moving forward, Chrome sensors will cost $0.25/sensor per month. This will make them equivalent to 0.1 vSensor for the purposes of calculating the quota. Using the above example, if you have 5 Windows sensors & 10 Chrome sensors, the total monthly cost would be $15, calculated as follows:
5 x $2.5 per month for Windows, plus
10 x $0.25 per month for Chrome
This includes one year of full telemetry storage.
We hope that having a clear price for the Chrome sensor will make it easier to calculate deployment costs. If you have any questions, please reach out & we’ll walk you through these changes. If you are not currently using Chrome sensors, the impact on your billing should be minimal.
Sensor 4.26.1
This is a minor update targeting Linux performance.
Fixes an issue where network tracking in Linux could result in uncapped memory usage.