Run detection logic over a full year of telemetry
LimaCharlie allows security professionals to hunt for threats retroactively by running detection & response (D&R) rules against historical telemetry. When a new zero-day becomes known, you can run a rule for its known indicators of compromise over the last year of endpoint telemetry to assess whether you have already been compromised. Replay can only surface what was collected in the first place, so the hunting window is bounded by your telemetry retention.
When creating a new D&R rule for your organization, you can instantly see how many times it would have triggered over that history, which is invaluable for making rules more precise and eliminating noise before they go live.
At scale, this capability provides some unique advantages for security operations because it allows a continuous integration / continuous delivery (CI/CD) approach to detection content. When rules are modified through your change control process, you can confirm that there are no unexpected results by running them against a known, labelled slice of telemetry and comparing the hit count with what you expect. Think unit tests for detection logic. This moves us closer to the concept of 'Detectors as Code'.
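To make the replay and "unit tests for detection logic" ideas concrete, here is a small stand-alone harness written for this page. It is an added example, not LimaCharlie's engine, SDK or any of its sample rules: the rule dialect mirrors the shape of LimaCharlie D&R rules (a `detect` tree of `op`/`path`/`value` nodes plus a `respond` list), but the evaluator, the five constructed telemetry events, the hostnames and the two rule versions are all assumptions made up for the illustration. It replays a noisy first-draft rule and a tightened second version over the same history and reports how many times each would have fired, then wraps that in a pass/fail check you could run from a CI pipeline.

```python
"""Replay D&R-style detection rules over historical telemetry and count hits.

Added example for this page. The rule shape is modelled on LimaCharlie's
detect/respond layout, but this evaluator is a stand-in written for
illustration, not the platform's engine or SDK.
"""
import re
from typing import Any

# Constructed sample of historical endpoint telemetry (not real data).
HISTORICAL_EVENTS = [
    {"routing": {"event_type": "NEW_PROCESS", "hostname": "ws-01"},
     "event": {"FILE_PATH": r"C:\Windows\System32\cmd.exe",
               "COMMAND_LINE": "cmd.exe /c whoami"}},
    {"routing": {"event_type": "NEW_PROCESS", "hostname": "ws-02"},
     "event": {"FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "COMMAND_LINE": r"powershell.exe -File C:\scripts\backup.ps1"}},
    {"routing": {"event_type": "NEW_PROCESS", "hostname": "ws-03"},
     "event": {"FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "COMMAND_LINE": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA"}},
    {"routing": {"event_type": "NEW_PROCESS", "hostname": "ws-02"},
     "event": {"FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
               "COMMAND_LINE": "PowerShell.exe Get-Process"}},
    # A different event type: the rules below must ignore it.
    {"routing": {"event_type": "DNS_REQUEST", "hostname": "ws-04"},
     "event": {"DOMAIN_NAME": "example.com"}},
]

# Version 1 (hypothetical): any PowerShell launch. Fires on routine admin use.
RULE_V1 = {
    "detect": {"event": "NEW_PROCESS", "op": "ends with",
               "path": "event/FILE_PATH", "value": "powershell.exe",
               "case sensitive": False},
    "respond": [{"action": "report", "name": "powershell-launch"}],
}

# Version 2 (hypothetical): PowerShell launched with an encoded command.
RULE_V2 = {
    "detect": {"event": "NEW_PROCESS", "op": "and", "rules": [
        {"op": "ends with", "path": "event/FILE_PATH",
         "value": "powershell.exe", "case sensitive": False},
        {"op": "contains", "path": "event/COMMAND_LINE",
         "value": "-encodedcommand", "case sensitive": False},
    ]},
    "respond": [{"action": "report", "name": "powershell-encoded-command"}],
}


def get_path(event: dict, path: str) -> Any:
    """Resolve a slash-separated path such as 'event/FILE_PATH'; None if absent."""
    cur: Any = event
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(node: dict, event: dict) -> bool:
    """Evaluate one detect node (and its children) against a single event."""
    # An 'event' key on a node restricts it to that event type.
    if "event" in node and event["routing"]["event_type"] != node["event"]:
        return False
    op = node["op"]
    if op == "and":
        return all(evaluate(child, event) for child in node["rules"])
    if op == "or":
        return any(evaluate(child, event) for child in node["rules"])
    value = get_path(event, node["path"])
    if value is None:
        return False  # field missing from this event: no match
    haystack = str(value)
    if op == "matches":
        return re.search(node["re"], haystack) is not None
    needle = str(node["value"])
    if not node.get("case sensitive", True):
        haystack, needle = haystack.lower(), needle.lower()
    if op == "is":
        return haystack == needle
    if op == "contains":
        return needle in haystack
    if op == "starts with":
        return haystack.startswith(needle)
    if op == "ends with":
        return haystack.endswith(needle)
    raise ValueError(f"unsupported op: {op}")


def replay(rule: dict, events: list) -> list:
    """Return the historical events on which this rule would have reported."""
    return [e for e in events if evaluate(rule["detect"], e)]


def hit_count(rule: dict, events: list) -> int:
    return len(replay(rule, events))


def check_rule(rule: dict, events: list, expected_hits: int) -> bool:
    """CI gate: the rule fires exactly as often as intended on known data."""
    return hit_count(rule, events) == expected_hits


if __name__ == "__main__":
    for name, rule in (("v1", RULE_V1), ("v2", RULE_V2)):
        hosts = [e["routing"]["hostname"] for e in replay(rule, HISTORICAL_EVENTS)]
        print(f"{name}: {len(hosts)} hits on {hosts}")
```

Run as a script it shows version 1 firing three times (two of them legitimate admin activity) and version 2 once, on the encoded-command launch; `check_rule` turns that expectation into a pass/fail result a change-control pipeline can block on, so a later edit that silently widens or breaks the rule is caught before it reaches production sensors.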