
Developer Roll Up: March 2021

Christopher Luft

Spring is in the air and the team at LimaCharlie has been busy! This month is a mix of little quality-of-life improvements and some big new capabilities, like real-time Windows Event Log capture. Read all of the details below.

Feature requests and general inquiries can be directed here: limacharlie.io/user-ticket

Whitelabel Improvements

To those who use LimaCharlie's white label functionality -- we've just pushed out visual changes for your sites. Highlights:

  • Installation Keys & Sensor Downloads now appear together in a new section called Install Sensors

  • Incident Response moved from sidebar to the Sensors section

  • Menu reorganization

For more information please refer to our blog post.

Multi-Tab Sessions

We’ve rolled out a change that lets you stay logged into LimaCharlie across browser tabs. This is on by default. You can change this in the LimaCharlie web application under Settings -> View User Profile -> Settings -> Allow Session Across Browser Tabs.

Windows Event Log Capture in Real-time

As mentioned to a few of you last week, we will be rolling out a major new feature early this week: the ability to capture Windows Event Logs (WEL) in real-time. Only Windows 2008 and above will be supported as we rely on APIs introduced then.

The new events will be received just like any normal LimaCharlie event, encapsulated in an event of type WEL. Like the collection of WEL on disk, the real-time WEL collection contains the JSON form of each event. This means that with this feature, you will be able to write normal EDR-based D&R rules for WEL, including using stateful rules between WEL and first-class LimaCharlie events.

The collection will still be configured from the Artifact Collection menu, by specifying a path of the form "wel://<log-source>:<log-filter>" as opposed to a traditional file path of a log file to collect.

The collection will have a billing component (exact amount TBD) per number of events since collection can vary wildly depending on tenant.

Example configuration:

Artifact Collection path (YAML):

wel://Security:*

Resulting event (JSON):
{
  "event": {
    "EVENT": {
      "EventData": {
        "ClientProcessId": "5136",
        "CountOfCredentialsReturned": "0",
        "ProcessCreationTime": "2021-03-15T02:55:19.2369319Z",
        "ReadOperation": "%%8100",
        "ReturnCode": "3221226021",
        "SubjectDomainName": "WIN-5GD8E0AG2OD",
        "SubjectLogonId": "0x1b8de",
        "SubjectUserName": "testuser",
        "SubjectUserSid": "S-1-5-21-4156042152-1734453135-989269774-1000",
        "TargetName": "MicrosoftAccount:user=02rlaxvkrpaxteab",
        "Type": "0"
      },
      "System": {
        "Channel": "Security",
        "Computer": "WIN-5GD8E0AG2OD",
        "Correlation": {
          "ActivityID": "{cc484453-193e-0001-fe44-48cc3e19d701}"
        },
        "EventID": "5379",
        "EventRecordID": "41750",
        "Execution": {
          "ProcessID": "664",
          "ThreadID": "748"
        },
        "Keywords": "0x8020000000000000",
        "Level": "0",
        "Opcode": "0",
        "Provider": {
          "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "Name": "Microsoft-Windows-Security-Auditing"
        },
        "Security": "",
        "Task": "13824",
        "TimeCreated": {
          "SystemTime": "2021-03-15T02:55:21.9656464Z"
        },
        "Version": "0"
      }
    }
  },
  "routing": {
    ...
  },
  "ts": "2021-03-15 02:55:22"
}

Documentation: https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#from-real-time-events
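As an added illustration (not LimaCharlie's own code), here is a small Python evaluator for a rule written in the shape of a D&R detect block, run against a trimmed copy of the sample event above. The rule keys (event, op, path, value, and/or nesting) mirror LimaCharlie's detect syntax, but the evaluator itself is a stand-alone approximation, and the "routing" keys in the sample are an assumption since the page elides them.

```python
# Constructed sample, trimmed from the WEL event shown above (Security channel,
# EventID 5379). The "routing" keys are an assumption; the page elides them.
SAMPLE_WEL_EVENT = {
    "event": {"EVENT": {
        "EventData": {"SubjectUserName": "testuser", "ReadOperation": "%%8100"},
        "System": {"Channel": "Security", "EventID": "5379",
                   "Provider": {"Name": "Microsoft-Windows-Security-Auditing"}},
    }},
    "routing": {"event_type": "WEL", "hostname": "WIN-5GD8E0AG2OD"},
    "ts": "2021-03-15 02:55:22",
}

# Rule in the shape of a LimaCharlie D&R "detect" block (event/op/path/value
# with and/or nesting). The evaluator below is a stand-alone approximation.
CRED_MANAGER_READ_RULE = {
    "event": "WEL",
    "op": "and",
    "rules": [
        {"op": "is", "path": "event/EVENT/System/Channel", "value": "Security"},
        {"op": "is", "path": "event/EVENT/System/EventID", "value": "5379"},
    ],
}

def get_path(event, path):
    """Walk a slash-separated selector such as event/EVENT/System/EventID."""
    node = event
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None  # missing field: the rule simply does not match
        node = node[key]
    return node

def matches(rule, event):
    """True when the event satisfies the rule. WEL fields arrive as strings
    (EventID is "5379", not 5379), so values are compared as strings."""
    if "event" in rule and rule["event"] != get_path(event, "routing/event_type"):
        return False
    op = rule["op"]
    if op == "and":
        return all(matches(r, event) for r in rule["rules"])
    if op == "or":
        return any(matches(r, event) for r in rule["rules"])
    actual = get_path(event, rule["path"])
    if actual is None:
        return False
    if op == "is":
        return str(actual) == str(rule["value"])
    raise ValueError(f"unsupported op: {op}")
```

The string comparison matters in practice: the sample above shows EventID, Level and Task all as JSON strings, so a rule value typed as a number must be normalised before comparison.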

Sensor v4.24.0

Live Windows Event Log Subscription

As previewed earlier this week, we're introducing real-time collection of Windows Event Logs.

This feature allows you to specify WEL sources and a filter pattern. Collection of those events is not enabled by default.

The generated events are sent to the cloud as WEL events. You can build D&R rules directly on them as they are parsed to JSON.

In the coming weeks we will be moving the Sigma integration to leverage this source of WEL in addition to the previous (still valid) Artifact source.

We also want to make sure we calibrate pricing to the real-world usage people make of it. For this reason, we're delaying the application of specific pricing. When we roll it out, pricing will be based on the number of WEL events received. You can see your current usage under the "event_wel" label of the Billing section's usage. The intent is to calibrate the pricing to be significantly cheaper than the current Artifact-based collection of WEL.

As this is the first release of a fairly major update, we'd appreciate feedback.

Documentation: https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#windows-event-logs

Sample event: https://doc.limacharlie.io/docs/documentation/docs/events.md#wel

Note for existing tenants: as the WEL event is new, it will not be enabled by default in the Exfil Control section of your orgs (if you use it). If you want to start using WEL, make sure to add it to the Exfil Control profiles for the Windows sensors you want it from.

Process Environment Event

We are introducing a new type of event named PROCESS_ENVIRONMENT. This event is not sent to the cloud by default because it can be extremely verbose.

Every time a process is started, the LimaCharlie Agent will attempt to emit this event containing the list of environment variables the process was created with.

We recommend using the event through an Exfil Watch Rule that watches for the existence of specific environment variables you're interested in. This will allow you to receive the event only when relevant.

Sample event: https://doc.limacharlie.io/docs/documentation/docs/events.md#process_environment

Note for existing tenants: as the PROCESS_ENVIRONMENT event is new, it means it will not be enabled by default in the Exfil Control section of your orgs (if you use it).

Sensor v2.24.1

  • Fixes a possible memory leak that could occur in certain rare cases on Linux / Docker environments.

  • This fix also slightly enhances memory and CPU performance on all platforms.