February 28th, 2023
Query data with greater flexibility using LimaCharlie Query Language (LCQL)
Christopher Luft
If you’ve been following our journey, you know that LimaCharlie makes it easy and cost-effective to get security data from any source, normalized into a single hub, with the unique added benefit of running detection, automation, and response rules at wire speed.
On top of being able to store all of your data within LimaCharlie, you get granular control and the ability to send data to any external destination. This means that you can send certain types of detections to Slack, certain types of events to Splunk, audit logs to an S3 bucket, and so on - with no lock-in and no limitations on what gets sent where.
Until recently, when you wanted to query all of your data, you would need to either send it all to a third-party SIEM or request for it to be sent on-demand—storing all data in LimaCharlie and instantaneously pushing the relevant logs and events into your SIEM when you need to run an investigation.
While these methods are unique and convenient, they still limited your ability to query all of your data in one place, forced you to rely on third-party tools, and could be extremely cost-prohibitive, limiting what you can do with your data.
That’s why we are happy to introduce LimaCharlie Query Language, which solves this problem.
What is LimaCharlie Query Language?
LimaCharlie Query Language (LCQL) is designed to provide a flexible, intuitive, and interactive way to explore data in LimaCharlie enabling several new useful features at launch:
Dry Run mode to estimate the cost of running the query.
Paged queries, so that querying data over a long period of time is not done all at once, giving you the opportunity to get results without incurring the cost of the full query.
Querying, projection (reporting only specific values from matching elements), and aggregation (count, count_unique).
In future releases, we will support:
Event name and event element tab-completion. You don't have to remember the event names or paths to all the elements you want to query.
Display underlying D&R rules generated for the query, making it easier to use LCQL to prototype D&R rules.
LCQL has been available in beta through the LimaCharlie CLI (install the LimaCharlie CLI and run limacharlie query to launch the interactive mode), and the functionality is now built into the LimaCharlie web application. You can get started with LCQL by navigating to the Query Console in the web app.
With the introduction of LCQL, our focus is not to replace SIEM solutions, but to give you the choice and ability to query your telemetry within LimaCharlie.
This feature is built on top of the Replay feature and shares the same billing structure.
LimaCharlie Query Language use cases
Let’s explore some specific use cases of LCQL to help you understand the benefits and how you could potentially apply it to your organization:
Domain Count
Show me all domains resolved by Windows hosts that contain "google" in the last 10 minutes and the number of times each was resolved.
Domains Prevalence
Show me all domains resolved by Windows hosts that contain "google" in the last 10 minutes and the number of unique sensors that have resolved them.
GitHub Protected Branch Override
Show me all the GitHub branch protection overrides (force pushes to a repo without all required approvals) in the past 12h that came from a user outside the United States, with the repo, user, and number of infractions.
Learning more about LimaCharlie Query Language
If you’d like to learn more about how LimaCharlie Query Language can help you operationalize your historical telemetry more easily, schedule a call with our security engineers or get started for free and dive into the LCQL documentation.
With our transparent pricing model, you get predictable pricing with no long-term contracts, capacity planning, or price modeling. One year of full data storage is included at no cost.
You can also watch our introduction to LimaCharlie Query Language webinar.