
LimaCharlie

Release Notes

September 22, 2022

Extended Platform & Template Strings

  • Sensor information now includes its Extended Platform, allowing you to see that, for example, "this is a Defender endpoint, but it's a Windows machine", or "this is a Carbon Black sensor, but it's a Windows machine". This will show up in the UI in the sensor list as well as in the sensor details.

  • Template Strings in LimaCharlie now support two new "functions" (anon and token) to perform tokenization or anonymization of specific fields:

    https://doc.limacharlie.io/docs/documentation/279f9b83be51b-template-strings-and-transforms#template-strings

September 21, 2022

More visibility into the coverage & replay of Sigma/Soteria rules

In this release, we are continuing to deliver on our promise to provide more visibility into the security coverage. 

  • Users can now click on individual rules from Sigma and Soteria rulesets; they can see the content of all Sigma rules, as well as enable/disable individual rules from both rulesets. 

  • All rules from Sigma and Soteria can now also be replayed against historical traffic enabling even more granular retroactive threat hunting capabilities. 

  • Users have the ability to add and remove tags from any rule (including managed rulesets) making it easy to categorize detection & response rules and manage them at scale. 

Other enhancements include:

  • ‘Analyst’ role added to onboarding survey options

  • Fixed a bug where selected table rows were not colored correctly

  • Changed toggle track color for increased visibility on light mode

  • Added a warning text when LC Adapter ingestion method is GCS or S3

September 7, 2022

Announcing the ability to see Sigma & Soteria rules enabled for the organization

At LimaCharlie we believe cybersecurity needs to be transparent: the exact set of malicious activity and behavior you’re protected from should be known and you should be able to test/prove this. 

Driven by this core belief, we now give users the ability to see the list of all detection & response rules in place in your organization - not just your own (custom) rules, but also rules managed by Sigma and Soteria rulesets. You will also soon get the ability to enable/disable individual rules yourself.

In the few weeks that follow, we will be adding more advanced capabilities to give you even more visibility and control of your security coverage. 

With Sigma, you will soon have the ability to view the content of the individual rules. 

While the content of Soteria rules will remain hidden as it is the intellectual property of Soteria, we will be exposing details such as MITRE ATT&CK mapping and other metadata. A reminder that you can check the dynamic MITRE ATT&CK mapping here.

August 31, 2022

Announcing the ability to define suppression as a part of D&R rules

LimaCharlie has added the ability to define suppression as a part of detection and response rules. This enables users to specify the maximum number of times a select action will trigger within a defined period. When that threshold is reached, LimaCharlie will suppress the action (that action will no longer take place).

For example, if the same event occurs on the same machine (or on different machines within the same tenant) again and again, you can suppress the duplicate alert for the user-specified time. Or, you can say “generate a LimaCharlie detection every time X happens but only send a PagerDuty alert once per hour”.

To learn more about this feature and how it can be used, check out this help article or visit our technical documentation.
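The following is an added illustration of the suppression semantics described above (at most max_count triggers of an action per period, counted per host or tenant-wide); it is not LimaCharlie's implementation, and the rule shape, event layout and field names in it are assumed for the example.

```python
"""Sliding-window suppression for D&R actions (added illustration).

Models the semantics described in the release note: an action may fire at
most max_count times per period, counted either per host or once across the
whole tenant (is_global). Not LimaCharlie's implementation; the rule shape,
event shape and field names below are assumed for the example.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Suppression:
    max_count: int    # how many times the action may fire within one period
    period_s: int     # length of the period in seconds
    is_global: bool   # True: one counter for the tenant; False: one per host


class ActionSuppressor:
    """Keeps the timestamps of recent fires per suppression key and decides
    whether an action may still fire now."""

    def __init__(self) -> None:
        self._fires: dict[tuple, deque[float]] = {}

    def allow(self, action: str, supp: Suppression, event: dict, now: float) -> bool:
        # Suppression is scoped to the action and detection name; per-host
        # suppression additionally keys on the sensor's hostname.
        key: tuple = (action, event["detection"])
        if not supp.is_global:
            key += (event["routing"]["hostname"],)
        window = self._fires.setdefault(key, deque())
        # Drop fires older than one period so the window slides forward.
        while window and now - window[0] >= supp.period_s:
            window.popleft()
        if len(window) >= supp.max_count:
            return False          # threshold reached: action is suppressed
        window.append(now)
        return True


# Constructed sample: (timestamp in seconds, hostname) of the same detection
# firing on two hosts over about 90 minutes.
SAMPLE_DETECTIONS = [
    (0, "ws-01"), (60, "ws-01"), (120, "ws-02"),
    (3599, "ws-02"), (3600, "ws-01"), (5400, "ws-02"),
]


def run_rule(detections: list[tuple[int, str]], pager: Suppression) -> tuple[int, int]:
    """Apply a rule whose report action is unsuppressed while its PagerDuty
    action carries the given suppression. Returns (reports, pages)."""
    suppressor = ActionSuppressor()
    reports = pages = 0
    for ts, host in detections:
        event = {"detection": "Evil executable", "routing": {"hostname": host}}
        reports += 1                       # report action: fires every time
        if suppressor.allow("pagerduty", pager, event, ts):
            pages += 1                     # PagerDuty action: rate-limited
    return reports, pages


if __name__ == "__main__":
    once_per_hour_tenant = Suppression(max_count=1, period_s=3600, is_global=True)
    once_per_hour_host = Suppression(max_count=1, period_s=3600, is_global=False)
    print("tenant-wide:", run_rule(SAMPLE_DETECTIONS, once_per_hour_tenant))
    print("per host:   ", run_rule(SAMPLE_DETECTIONS, once_per_hour_host))
```

With the sample stream, six detections are reported every time, while the PagerDuty action fires twice tenant-wide and four times when keyed per host.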

August 16, 2022

LimaCharlie has added a new ingestion method for logs and telemetry coming from external sources - events in the AWS Simple Queue Service (SQS). 

Other user experience enhancements in this release include:

  • Updated table aesthetics to include alternating color schemes

  • Fixed payload deletion flow that was showing a misleading ‘in-progress’ indication, suggesting all payloads were being deleted

  • Fixed bug causing repeating fields in output configuration

  • A number of Comms-related deletions – no changes on user experience

  • Removed pagination and applied table virtualization to Cloud Adapters for UI consistency and performance improvement for a large list of cloud adapters

  • Fixed bug with creating a false positive rule from detections that would sometimes suggest an existing name and override an existing rule

  • Added a support dropdown on the navigation (for non-custom branded domains only)

  • Updated default value for service requests to run in sync, and not as a background task

  • Added a link to collect ideas for new external sources to be added as sensors on the sensor list

  • Added an Org token JWT onto the Rest API page

  • Migrated Org List and Switch Org List tables to be virtualized (no user impact)

  • Added helper text on billing summary to clarify that it’s not real-time (the billing summary is updated daily)

August 4, 2022

Billing for Payloads

Starting October 1, 2022, deploying Payloads via LimaCharlie will be priced at $0.19 per 1 GB of data sent. For example, a 1 GB payload sent to 10 endpoints will cost $1.9 (10 GB x $0.19).

This change will only impact organizations that leverage Payloads functionality, as well as Atomic Red Team, LimaCharlie Net installers & Dumper services (they are running as Payloads in LC).

To understand the impact on your organization, check the Metered Usage section of the Billing page. You will notice the new “Payload Data Sent” metric along with the size of payloads deployed and price. Note this price is shown for your information only; you won’t be charged for Payloads before October 1, 2022.

The reasoning for this update is that starting October 1, 2022, Google Cloud will start billing on outbound bandwidth from load balancers.

August 3, 2022

New Slack Audit Logs Sensor

We have added a new Slack sensor that allows the ingestion of Slack audit logs directly into LimaCharlie.

The Audit Logs API enables monitoring the audit events happening in an Enterprise Grid organization to ensure compliance, to prevent any inappropriate system access, and to allow security teams to audit suspicious behavior within their enterprise.

After Slack Audit Logs are ingested into LimaCharlie, you can have detection & response rules run on them at wire speed.

Get started by configuring a new sensor in the LimaCharlie web application. Note you need to be on the Enterprise Grid Slack plan to use this capability.

Other additions & updates include:

  • The chart under “vSensor Quota” on the billing page has been updated to show the high watermark of concurrently connected sensors (metric used for billing) instead of the total number of sensors online

  • Fixed a bug where Search modal didn’t close appropriately when selecting a link to the timeline event

  • Fixed a bug when Sensor tag search did not return correct results 

  • Added a link to release notes to the “web app updated” banner pop up

July 27, 2022

User experience and performance enhancements

  • Made improvements to the main sensor list to enhance performance. While not noticeable for smaller lists, there was an increasing delay as the number of sensors grew. As a result we’ve also removed pagination on the sensor list.

  • Added groups to ‘users and roles’ page, so that users can see all accounts that have access to their organization through groups.

  • Added various descriptive text and helpful links onto the ‘install sensors’ page regarding how to check release notes, test new sensor versions, and configure sensors to auto-update

  • Updated Adapters list display to remove tags and reflect the status as 'enabled/disabled' vs 'online/offline'

  • Updated Adapter creation flow copy at completion to clarify differences between sensor and adapter completion

  • Increased timeout for searches related to the main search bar

  • Updated copy at org creation replacing ‘region’ with ‘data residency region’ for added clarity

  • Updated the edit Adapter modal to display descriptive placeholder text like the Adapter creation form

  • Fixed bug for seen D&R rules for WEL events in replay

  • Fixed bug where event select input was not displaying custom events on load

July 20, 2022

User experience and performance enhancements

The release focused on small user experience and performance enhancements. 

  • Performance improvements to the detections list

  • Improved the dropdown performance for all dropdowns with a large list of items

  • Fixed a bug on removing group members where a user was briefly shown as a part of the group after having been removed

  • Use the new schema API to suggest possible Event Types based on the sensor type instead of the old static list 

  • Added an error message that gets displayed when a user without the payload.use permission attempts to issue a command in the Console section

  • Added centering events timeline on the selected event when a user goes to the Timeline either from a URL they've copy pasted, or from the "View in Timeline" link from a Detection

  • Marked the "secret key" field required on the output setup step (it previously appeared under “advanced options”)

July 19, 2022

Support for Templating

We've started rolling out support for template strings to multiple areas of LimaCharlie. This allows you to customize what would normally be a literal string so that it now supports formatting based on the context of execution. In all cases, backwards compatibility should be maintained. Detection names in the report action from D&R rules now support it, like:

```yaml
- action: report
  name: Evil executable on {{ .routing.hostname }}
```

Tasking in the task action from D&R rules now supports it like:

artifact_get {{ .event.FILE_PATH }}

The SMTP Output now supports a custom subject field that uses string templates. It also supports a new template parameter, which is a string template to use for the body of the email (either in plain text or HTML): https://doc.limacharlie.io/docs/documentation/4832b284c1cba-reference-destinations#smtp

The Slack Output supports 3 new parameters:

  • color: to specify the color of the "attachment" part of the Slack message.

  • message: a string template for the "message" part of the Slack message.

  • attachment_text: a string template for the "attachment" part of the Slack message.

Support for Transforms

Transforms are now available for all Outputs via the custom_transform field. A Transform allows you to specify an alternate format for the data sent from an Output. For example, this could be to customize a webhook format for a specific platform, as in the Google Chat example. Or it could be to simply pare down the data sent via an Output to only specific fields. Finally, it also allows you to create new fields in the Output that are either literal values or composite values (as a String Template). Detailed documentation and examples are available: https://doc.limacharlie.io/docs/documentation/279f9b83be51b-template-strings-and-transforms#transforms
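As an added example (not code from LimaCharlie or its documentation), here is a small renderer for the {{ .path.to.field }} template strings shown in the two sections above, plus a transform that pares an Output record down to chosen fields and adds literal or templated fields. The "keep"/"add" transform spec shape and the record layout are assumed for the example; they are not LimaCharlie's custom_transform schema.

```python
"""Template strings and output transforms (added illustration).

A small renderer for the {{ .path.to.field }} template strings shown in the
notes above, plus a transform that pares an Output record down to chosen
fields and adds new literal or templated fields. The transform spec shape
("keep"/"add") is assumed for the example; it is not LimaCharlie's own
custom_transform schema, and the record layout is constructed.
"""
from __future__ import annotations

import re
from typing import Any

# Matches {{ .routing.hostname }} style placeholders (Go-template-like paths).
PLACEHOLDER = re.compile(r"\{\{\s*\.([A-Za-z0-9_.]+)\s*\}\}")


def lookup(record: dict, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; KeyError if any part is missing."""
    node: Any = record
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(dotted)
        node = node[part]
    return node


def render(template: str, record: dict) -> str:
    """Substitute each placeholder with the value at that path in record.
    A missing path renders as an empty string so one absent field does not
    fail the whole action (behaviour assumed for the example)."""
    def substitute(match: re.Match) -> str:
        try:
            return str(lookup(record, match.group(1)))
        except KeyError:
            return ""
    return PLACEHOLDER.sub(substitute, template)


def apply_transform(spec: dict, record: dict) -> dict:
    """spec["keep"]: dotted paths to copy through (keyed by the path);
    spec["add"]: new fields, each a literal value or a template string."""
    out: dict = {}
    for path in spec.get("keep", []):
        try:
            out[path] = lookup(record, path)
        except KeyError:
            continue                   # pared-down output omits absent fields
    for name, value in spec.get("add", {}).items():
        out[name] = render(value, record) if isinstance(value, str) else value
    return out


# Constructed sample record with the two fields the release note templates use.
SAMPLE_EVENT = {
    "routing": {"hostname": "ws-01", "event_type": "NEW_PROCESS"},
    "event": {"FILE_PATH": "C:\\Users\\bob\\evil.exe",
              "COMMAND_LINE": "evil.exe --quiet"},
}

# Hypothetical chat-webhook transform: keep two fields, add a literal and a
# composite message built from a template string.
CHAT_TRANSFORM = {
    "keep": ["routing.hostname", "event.FILE_PATH", "event.NOT_PRESENT"],
    "add": {
        "source": "limacharlie",
        "text": "{{ .routing.hostname }} ran {{ .event.FILE_PATH }}",
    },
}


def report_name(record: dict) -> str:
    """The report-action name template from the release note."""
    return render("Evil executable on {{ .routing.hostname }}", record)


def task_command(record: dict) -> str:
    """The task-action template from the release note."""
    return render("artifact_get {{ .event.FILE_PATH }}", record)


if __name__ == "__main__":
    print(report_name(SAMPLE_EVENT))
    print(task_command(SAMPLE_EVENT))
    print(apply_transform(CHAT_TRANSFORM, SAMPLE_EVENT))
```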

July 14, 2022

Sensor 4.27.3

  • Linux File Integrity Monitoring now leverages eBPF support for better performance. This stops most usage of inotify by the sensor.

  • Enhanced reliability of inotify usage on Linux when eBPF is not available.

  • General CPU performance enhancements across all platforms.

  • Fixes possible issue with Netlink usage on Linux for process notification.

  • Fixes rare race conditions that could hang network connectivity during network outages.

July 13, 2022

Sigma Converter Service

LimaCharlie is happy to contribute to the Sigma Project (https://github.com/SigmaHQ/sigma) by maintaining the LimaCharlie Backend for Sigma, enabling most Sigma rules to be converted to the Detection & Response rule format.

A LimaCharlie Service is available to apply many of those converted rules with a single click to an Organization. For cases where you either have your own Sigma rules, or you would like to convert/apply specific rules yourself, the Sigma Converter service described below can help streamline the process.

The full documentation is available here: https://doc.limacharlie.io/docs/documentation/e77178b3c907d-sigma-converter

July 11, 2022

Sensor Versioning Tags

Certain Sensor Tags in LimaCharlie had a special meaning. Tagging a sensor with latest would update that single sensor to the latest sensor version for example.

We are now transitioning these tags to have the lc: prefix. The goal is to reduce the likelihood of someone applying these special tags without being aware of them, with unintended consequences. Starting today, the following tags are supported in that fashion: lc:latest, lc:stable, lc:experimental, lc:no_kernel and lc:debug.

The old versions of these tags remain operational for now, but will be turned off on August 1st. If you rely on these tags, we suggest you transition to the new form.

More documentation here: https://doc.limacharlie.io/docs/documentation/770dee947cad5-sensor-tags#system-tags

July 6, 2022

The ability to reset password

LimaCharlie users can now reset their password without having to contact support.

Simply click on the Forgot your password? link and follow the steps to reset the password.

July 5, 2022

Schema Inspection

It is now possible to inspect the schema of events in LimaCharlie.

Documentation on the "learned" schema: https://doc.limacharlie.io/docs/documentation/b35cc8558d171-schema-inspection

API documentation: https://api.limacharlie.io/static/swagger/#/Schema

The schema provided is learned on a per-org basis since the data ingested in LimaCharlie can vary from tenant to tenant.

This new API can be useful when building integrations with external products requiring a strict schema.

July 4, 2022

Announcing the ability to bring in telemetry from external sources without having to host a LimaCharlie Adapter (aka “cloud to cloud”).

LimaCharlie allows security professionals to ingest logs or telemetry from any external source in real-time. It includes built-in parsing for popular formats, with the option to define your own for custom sources.

Prior to this release, if someone wanted to bring, say, Office 365 logs into LimaCharlie, they would need to run an Adapter on premises or in their cloud. The Adapter would pull the data from the third party and send it to the LimaCharlie cloud.

Starting today, for cloud-based log sources such as GitHub, 1Password, GCP, VMWare Carbon Black EDR, you no longer have to download the installer and run the Adapter. Simply enter the API credentials in the web app and click “save”.

Log sources that are not hosted on the cloud, such as Syslog, will continue to require an Adapter to be run on premises.

To learn more or to get started, check out the help article: How do I ingest logs or telemetry from cloud-based external sources?

June 8, 2022

Sensor 4.27.2

  • Fix possible performance degradation issue on hosts with heavy process / network activity.

  • Report User of processes in Windows instead of the Owner (small distinction in some cases).

  • Report a specific error code on artifact_get where the file is empty (0 bytes).

May 31, 2022

GitHub Sensor

We have added a new GitHub sensor that allows the ingestion of GitHub audit logs directly into LimaCharlie.

GitHub enables a wide variety of powerful capabilities beyond managing a developer’s code, such as automating the deployment of cloud resources and “infrastructure-as-code”. Securing DevOps infrastructure is critical to prevent privilege escalations or malicious actors from taking control of the cloud deployments.

To ensure full observability, security, and compliance, GitHub Enterprise Server provides logs of audited system, user, organization, and repository events. These logs can now be ingested directly into LimaCharlie and have detection & response rules run on them at wire speed.

Get started by configuring a new sensor in the LimaCharlie web application.

May 26, 2022

New Outputs flag for storage optimization

We have added a new Outputs flag - 'Do not include routing' - which allows users to forward only the original logs to Outputs, excluding the routing label. This flag can be found under "Advanced Options" of the Output configuration.

This can be helpful for users wanting to use LimaCharlie for storage optimization since the routing label can add significant overhead. Watch the webinar recording to learn more about using LimaCharlie to reduce spending on Splunk and other high-cost security data solutions.

May 17, 2022

Updated 'Billing & Usage' Page

Along with several user experience enhancements released today, we have combined ‘Usage’ & ‘Billing’ pages into one - ‘Billing and Usage’ - to make it easy to manage the credit card and quota in one place.

May 13, 2022

Sensor 4.27.1

  • Fixes an issue on Linux eBPF that could result in unexpected data at the end of the FILE_PATH values.

May 4, 2022

Sensor 4.27.0

  • MacOS will now report MAC address

  • Fix issue where macOS machines on some network could have difficulty connecting to the cloud

  • Linux using eBPF will now acquire command lines directly from eBPF, eliminating race conditions for short-lived processes

April 27, 2022

Duo Sensor

We have added a new Duo Sensor. By bringing the logs from Duo's cloud-based two-factor authentication services to LimaCharlie, companies can increase their visibility into the environment, meet compliance requirements and identify security risks. Duo Sensor collects two types of Duo logs:

  • Authentication Logs provide visibility into where and how users authenticate, including usernames, location, time, type of authentication factor, and more. This allows you to understand the normal behavior and identify potentially abnormal activity.

  • Administrator Logs track the username, time, and type of administrator activity, including groups, user, integration, and device management. This allows you to track any admin changes and identify suspicious activity.

Org Templates

LimaCharlie organizations (Orgs) are tenants in the cloud, conceptually equivalent to "projects". When creating a new Org, you will now notice the following grouped offerings that activate LimaCharlie capabilities right from the get go:

  • Incident Response

    • Use open-source Sigma ruleset to receive detections

    • Collect Velociraptor artifacts through LimaCharlie

    • Automatically kickstart IR investigation powered by Sweep

    • Historical threat hunting powered by Replay

  • Extended Detection & Response Standard

    • Use open-source Sigma ruleset to receive detections

    • Run Atomic Red Team tests

    • Historical threat hunting powered by Replay

  • Extended Detection & Response Premium

    • Use curated Soteria MSSP ruleset to receive detections ($0.5 per vSensor per month; free on the free tier)

    • Run Atomic Red Team tests

    • Historical threat hunting powered by Replay

By pre-selecting some of these options for you, we hope to launch you right into our cloud capabilities and give you a sample of the dynamic offerings you can leverage here at LimaCharlie.

April 14, 2022

Real-time detections

LimaCharlie is proud to be operating at wire speed, whether we are talking about collecting events, sending data to other destinations via outputs, or anything else. As you know, round-trip times for detection and response to take place in LimaCharlie are generally under 100ms.

Until recently, however, detections would show up in a web app with a delay of about 1 minute (the detection and response on the endpoint happened instantly, but feedback in the UI was slightly delayed).

We are excited to share that now, detections will also appear in the web app in real-time.

April 1, 2022

New IoC Search & Removal of the old Search Page

We are excited to announce that you can now search for sensors and indicators of compromise (IoC) no matter where you are in the web app. By default, LimaCharlie will detect the IoC type from the search term, but you remain in control of the locations you want to look in. You have the option to search in all IoC types, or to select a specific type such as domain, user name, file hash and others.

We have also removed the old Search page. If you have any feedback or suggestions on how to make the Search even better, please let us know.

March 25, 2022

Introducing new Microsoft Defender Sensor

We have added a new Microsoft Defender Sensor.

Microsoft Defender has two value streams:

  • Defender for Cloud logs will come into LimaCharlie as one Microsoft Defender sensor.

  • Defender for Endpoints, on the other hand, will be mirrored as multiple sensors in LimaCharlie (similarly to the way we handle Carbon Black sensors).

Microsoft Defender is a usage-based sensor billed at $0.15 / GB. Check this step-by-step guide to get started with Microsoft Defender log collection.

March 14, 2022

Introducing new Windows Event Log Sensor

We have added a new Windows Event Log Sensor.

There might be times when you would not want to deploy the LimaCharlie agent on the endpoint, but you would still like to connect Windows Event Logs from the system. With the addition of the Windows Event Log sensor that runs on the LimaCharlie Adapter, you now have the ability to do it. Check this step-by-step guide to get started with the WEL collection. 

Introducing Google Cloud BigQuery output

LimaCharlie has added a new Google Cloud BigQuery output.

With the addition of the Google Cloud BigQuery output destination, LimaCharlie users can now output events and detections to a Google Cloud BigQuery Table to turn security data into valuable insights. Visit the technical doc or help doc for details or get started in the web app by navigating to the Outputs view.


February 25, 2022

Sensor 4.26.1

This is a minor update targeting Linux performance.

  • Fixes an issue where network tracking in Linux could result in uncapped memory usage.


February 22, 2022

Microsoft Office 365 sensor

We have added a new capability that allows users to bring Microsoft Office 365 logs into LimaCharlie. This gives security professionals more visibility into the cloud and allows them to have all security data in one place. As with all other LimaCharlie sensors, Microsoft Office 365 comes with one year of full telemetry storage, the ability to generate detections, and execute automations powered by LimaCharlie’s real-time Detection, Automation & Response engine. Some of the use cases Microsoft Office 365 addition enables are:

  • Monitoring global admin changes and specifically account creations of admin roles

  • Monitoring mass deletion of data such as emails or files, especially across multiple accounts

  • Monitoring changes in security configs

  • Monitoring logins from unexpected places that then perform data exfiltration tasks

  • Identifying email exfiltration

As LimaCharlie provides 1 year of full telemetry storage, it can also help organizations to satisfy their compliance requirements, and eliminate the need to purchase more expensive Microsoft Office 365 licenses.

Microsoft Office 365 sensor is billed on usage, at $0.15/GB (includes storage), similarly to our Syslog, AWS CloudTrail Logs, GCP Audit Logs, and 1Password sensors.

To get started, simply click “Add New Sensor” from the Sensors view of the web app. For a step-by-step guide, please visit our Help Center.


February 5, 2022

LimaCharlie Agent v4.26.0

This update brings significant changes under the hood to performance and reliability. It also brings Linux capabilities more on par with Windows and macOS.

  • Linux eBPF support for kernel 5.7+

    • Better performance for network connections and process notifications

    • File events now generated on Linux

    • Network isolation now supported

    • FIM still handled through inotify, but will be transitioning to eBPF in next release

  • Windows Kernel driver update

    • Should provide better performance around File IO tracking


February 3, 2022

New Sensors, vSensor & usage-based sensors

  • We have added six new sensors to receive telemetry from the external sources, which you can now configure in a few simple steps directly from the LimaCharlie web app. This allows you to bring in all of your security data into LimaCharlie, write detections on this data, take advantage of our 1 year data storage, and send what you need to the destinations of your choice via Outputs.

    • You will see Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event logs, and the VMWare Carbon Black EDR sensors

    • The setup flow is simple:

      • When you go to Add a New Sensor & select/create an installation key, you will be taken to the page where you can select the executable for your architecture, the method you want to use to pull your data and the method-specific parameters

      • We will give you a command line to run the adapter

  • We have introduced a definition of vSensor. vSensor (virtual sensor) represents a unified way of managing your capacity for all sensor types. You can find more information here. Essentially, nothing changes for any of the existing users leveraging our EDR sensors (just where you saw the word "Sensor" in quota is now "vSensor").

    • This change becomes relevant once you want to use the VMWare Carbon Black EDR sensor as it will only use 0.2 vSensor value. Therefore it will cost $0.5/month for one VMWare Carbon Black (includes 1 year full telemetry storage)

  • We are also officially introducing the usage-based sensors: Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event log sensors. Logs & data from other external sources are also billed based on usage. The price is set to $0.15 / GB for all usage-based sensors. You can learn more here.


February 1, 2022

D&R Rules detection Target

In an effort to better formalize mechanisms in a way that is more intuitive, we've changed the way you can create Detections from other Detections. As a reminder: this feature enables use cases like adding new responses to pre-existing D&R rules. For example, you could add an isolate network response to a Sigma detection. The legacy mechanism relied on matching a _DETECTION-NAME event (the name of the Detection in all capital letters, prefixed with an underscore).

The new mechanism reuses the concept of target, which allows you to run D&R rules on things like deployment events. We're introducing a detection target, written as target: detection, that tells LimaCharlie you intend to apply this rule to Detections. When using this target, the `event: ` or `events: ` statements refer to the Detection name you wish to apply the rule to.

More documentation is available here. Don't worry though, if you are using the old-style of rule for Detections, all your rules will work as-is. We're converting them automatically to the new format in the backend. So you can take your time in porting them to the new style at your pace.

Sigma Source

We've recently changed the source of our Sigma CI/CD pipeline behind the sigma Service. You can now find the D&R rules part of the Sigma Service here. This should not have any impact on current operations, but you may see some errors pop up in your Platform Logs Errors today as the switch over coincides with some fixes to the Sigma --> D&R conversion.


January 11, 2022

Tailored Outputs & Advanced Search Update

We released a new type of Output stream called tailored. It allows users to send specific events, as defined by D&R rules actions to the Output. The goal of this feature is to allow more granularity on the events sent to an Output compared to the basic filters available in the traditional Output streams. Documentation can be accessed here.

Additionally, our latest release includes an enhancement of our search feature. Once inside an organization, you now route to Search via Dashboard. Upon clicking the top-right search bar, a module opens with options to filter a search for Sensors or Indicators within that org. Search results display the number of hosts where the indicator has been seen today, this week, this month and this year. Diving deeper into View Locations displays the first and last time it was observed on each host.


December 17, 2021

Velociraptor Service Beta

We have released a beta of the velociraptor service. This service will automate the deployment, running and collection of Velociraptor Artifacts. It supports 3 actions:

  • list to show all built-in Artifacts the latest release of Velociraptor supports

  • show to display usage of a specific built-in Artifact

  • collect to trigger an actual collection of Artifacts

The service requires the reliable-tasking service to be installed (so that Velociraptor can collect at large scale even if some endpoints are offline). The service supports built-in Artifacts but also deploying custom Artifact YAML config files. This beta does not have a custom web UI. To use it:

  • subscribe to the service

  • go to the Service Request section

  • select the velociraptor tab

  • turn off the Run as background job toggle to see results immediately

  • select the action collect

  • select an artifact_name from the list

  • select a sensor (or tag) to identify where to collect from


December 14, 2021

Web-app Updates & Billing Redesign

  • The Timeline of a sensor's events has received some performance improvements as well as a facelift: there's much more space in there to look at the content of events. We made the tree view optional, enabling Timeline to be used as a more general log viewer for ingested logs from external sources (GCP, 1Password, etc.). We've also removed the default event filters when you visit Timeline, so it's up to you how you want to narrow your search.

  • The list of D&R Rules will look a little different (no more paragraphs of text next to it) and will also be a lot faster if you have a large number of rules

  • Same as above with False Positive Rules

  • Added a confirmation step when closing most dialogs to make sure we don't accidentally lose input

  • Several other small bug fixes and tweaks

  • We heard from many of our users that it was often hard to tell what they were going to pay, so we designed two new pages to help with that: Usage and Billing. Front and center on the Usage page is the org's Quota Rate and Metered Usage. Quota Rate is calculated as (base cost per sensor + add-ons cost per sensor) * quota. Metered Usage sums up pay-per-use features such as Replay or Artifact Collection. Adding Quota Rate + Metered Usage together should give a good estimate of how an org's bill is trending. The Billing page is where you can view / edit the payment method and delete your org, if required. Other highlights:

    • Chart to see peak online sensors vs your quota

    • Chart + table breakdown of all metered usage

    • It's now possible to see if there's an existing payment method, including customers who are on unified billing


November 29, 2021

Sensor v4.25.5

  • Fixes stability issues with running on hardened/customized versions of Linux.

  • Fixes rare deadlocks when unloading a sensor.

  • Enhances the performance of the Process List (os_processes) and Network (netstat) views in the webapp for Windows and macOS (Linux will soon follow with eBPF support). This is done by better caching on the sensor. The initial listing request when a sensor starts will still have a cold start that can take up to a minute; follow-on listings will be much quicker.


November 16, 2021

Chromium Sensor Update

The Chromium sensor has been updated and has been published to the Google Chrome Web Store and Microsoft Edge Add-ons store.

  • Old version 1.2.0

  • New version 1.3.0

Notable change: bug fix for atom generation so it now produces good per-request atoms that play nicely in the Timeline.

No user action is required as the extension should automatically be updated.


November 14, 2021

UX Improvements

We listen to your feedback and continue to make the LimaCharlie experience easier and more intuitive. Sometimes that requires small tweaks and enhancements; at other times it warrants larger redesigns. In this release, we have made changes to the following parts of the experience:

  • Exfil Control

  • Yara Scanning

  • Artifact Collection

It should now be easier to understand how they work, what configuration options are available, and how to get them set up quickly. Also, Org Descriptions are now visible on the Organizations list.


November 8, 2021

Sensor v4.25.4

  • Fixes to the IS_OUTGOING flag in NETWORK_ACTIVITY on certain platforms.

  • Support for a new sensor task, put, to allow users to put a specific Payload on disk without executing it or deleting it after it has been written.

  • Fixed an issue that could result in a sensor crash of macOS during sensor network isolation.

  • The USER_OBSERVED event is now regenerated every 24h. This can help build UEBA detections in a more reliable way.

  • Fixing certain network connections on macOS showing an invalid local IP.


November 1, 2021

Outputs UX Improvements

Forwarding data directly out of LimaCharlie in real-time using Outputs is one of the capabilities we're most proud of at LimaCharlie. It gives you the freedom to collect telemetry and fit LimaCharlie into your existing infrastructure however makes sense for your org.

Setting them up just got way easier. We've redesigned the flow for adding new outputs and configuring existing ones so that you can see at-a-glance what data streams are available, what destinations are supported, what's required to get data streaming into your destination of choice, and samples of what data you should expect to receive.


October 11, 2021

Web-app Onboarding & 'Add Sensor' flow

We've deployed a new web-app onboarding flow to make it easier to get started with LimaCharlie, from creating a new organization to seeing your first sensor deployed.

The most important part of this is the Add Sensor flow which you can find from the Sensors page. No more jumping between pages for keys / downloads / checking for successful deployments. None of the old stuff has changed yet so don't worry if you've got a flow that you're happy with.

However, if you use groups to manage user permissions across organizations, you may also notice the groups are missing from the front page of the app. We wanted to focus the front page on orgs, so groups got moved. You can find them inside the menu under "Manage Groups".


October 7, 2021

Enhanced Rule Validation

We've deployed enhanced rule validation for D&R rules. Previously we had some cases where we did not validate the structure of a rule until runtime, and in some cases without producing errors.

The new validation means you may start seeing errors pushing rules to LimaCharlie from rules which previously did not generate errors, if those rules do in fact contain errors. This does not prevent previously working rules from working, it merely highlights rules that were already having issues.


September 30, 2021

Sensor v4.25.3

  • Fixes issues in the File IO reporting on Windows that could lead to missed events.

  • Minor fix to the run command that could lead to issues in some automation scenarios.

Stable Version Now 4.25.2

We've moved the official "Stable" version to 4.25.2 which has been running without major issues. This will not upgrade any Organizations automatically, it will only move the labeled versions used when you trigger a sensor version upgrade from the web interface.


August 25, 2021

Replaying and Testing D&R Rules in the web app

Hey all! Following the revamp we did to replay, we wanted to do some integration in the web app to shorten the feedback loop when writing rules. We ended up basically redesigning the D&R rule editing experience. Some things you might notice:

  • Full page editors for both D&R and FP rules

  • Draft rules for both of them, too

  • Ability to Replay rules both from the list or from the editor, testing them against historical data or directly passed events

  • Timeline events have a Start D&R Rule action which takes you to the editor with the event handy for testing

Check out our demo. Let us know if you have any issues or feedback!


August 2, 2021

Artifact Ingestion IP

The ingestion path for Artifact Ingestion is now using a static IP address across all clusters. This means that the IP address that the service domain resolves to, like b76093c3662d5b4f.ingest.limacharlie.io , now resolves to a single IP address that is static. This makes it simpler to whitelist the IP across your networks.


July 28, 2021

Replay Revamp

Over the weekend, we will be completing the deployment of a major revamp to Replay.

  • vastly enhanced performance and reliability

  • will use the latest version of the D&R engine

  • will support very large scale replay jobs with more ease

  • better stats on jobs

  • Replay will become a cornerstone of D&R rules development as we integrate it for live feedback throughout the web app

This move requires updating a few moving pieces:

  • Python SDK

  • Replay Service

  • Relay backend

This means that the state of Replay during the weekend will be in flux. Please let us know if this may be causing you issues.


July 22, 2021

New Events Stateful Parameter

This new stateful parameter now allows you to create stateful rules at the Sensor level (instead of the Process level).

This enables, for example, the detection of N bad authentications from Windows Event Logs within T amount of time.

See the doc for more: https://doc.limacharlie.io/docs/documentation/docs/dr.md#sensor-level
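As an added illustration (not from the LimaCharlie docs or SDK), the sensor-level logic described above in plain Python over a constructed sample of real-time WEL events: N failed logons (Windows EventID 4625) within T seconds, with state keyed by the sensor ID in the routing element rather than by process. Sensor IDs, usernames and timestamps are constructed; events are assumed to arrive in ts order.

```python
import collections
import datetime as dt

FAILED_LOGON_EVENT_ID = "4625"      # Windows "An account failed to log on"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"     # the "ts" format LimaCharlie events carry


def _wel(sid, ts, event_id, user):
    """Build a constructed real-time WEL event with just the fields used here."""
    return {
        "event": {"EVENT": {
            "System": {"Channel": "Security", "EventID": str(event_id)},
            "EventData": {"TargetUserName": user},
        }},
        "routing": {"sid": sid, "event_type": "WEL"},
        "ts": ts,
    }


# Constructed sample stream from two sensors (assumed sensor IDs).
SAMPLE_EVENTS = [
    _wel("sensor-a", "2021-03-15 02:55:00", 4625, "alice"),
    _wel("sensor-a", "2021-03-15 02:55:10", 4625, "alice"),
    _wel("sensor-b", "2021-03-15 02:55:12", 4625, "bob"),
    _wel("sensor-a", "2021-03-15 02:55:20", 4624, "alice"),  # successful logon, ignored
    _wel("sensor-a", "2021-03-15 02:55:25", 4625, "alice"),  # 3rd failure within 25 s
    _wel("sensor-b", "2021-03-15 02:57:00", 4625, "bob"),    # bob's first failure is now >60 s old
    _wel("sensor-b", "2021-03-15 02:57:30", 4625, "bob"),
]


class SensorLevelFailedLogons:
    """Stateful matcher keyed by sensor: fires when N failed logons land within T seconds.

    WEL events are all reported by the Windows event log service, so a
    process-level state would never group them; keying on routing/sid does.
    """

    def __init__(self, n, t_seconds):
        self.n = n
        self.window = dt.timedelta(seconds=t_seconds)
        self._recent = collections.defaultdict(collections.deque)  # sid -> timestamps

    def observe(self, evt):
        """Feed one event; return a detection dict when the threshold is crossed."""
        if evt["routing"].get("event_type") != "WEL":
            return None
        if evt["event"]["EVENT"]["System"].get("EventID") != FAILED_LOGON_EVENT_ID:
            return None
        sid = evt["routing"]["sid"]
        ts = dt.datetime.strptime(evt["ts"], TS_FORMAT)
        recent = self._recent[sid]
        recent.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.n:
            recent.clear()  # reset so one burst yields one detection
            return {"sid": sid, "ts": evt["ts"], "count": self.n}
        return None


def detect(events, n=3, t_seconds=60):
    """Run the matcher over an event stream and collect its detections."""
    matcher = SensorLevelFailedLogons(n, t_seconds)
    hits = []
    for evt in events:
        hit = matcher.observe(evt)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```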

LimaCharlie 2FA

You will now be able to add a 2FA step to the LimaCharlie authentication on top of whatever settings your auth provider uses.

By heading into the User Profile, you'll be able to enroll yourself.

The initial rollout will only support SMS based 2FA, although we intend to add more over time.

Why is it limited to SMS? Simply put, we're very conscious of the complexity of authentication in general, and for that reason we use Firebase Authentication, which in turns integrates many auth providers like Google, Microsoft and Github. By leveraging Firebase for this, we can ensure that the implementation is rock solid. Unfortunately, Firebase does not yet support other forms of 2FA, but it's on their road map, and when they roll it out, we will support it right away.

We considered doing our own implementation, but decided against it for the current time. We strongly encourage you to use solid auth providers like Google and Office365 which support their own 2FA and anomaly detection. This new 2FA is either an extra-secure step on top of your provider; or a stop gap solution if you want to use email based authentication without a provider.


July 19, 2021

New D&R Rule Operator: Scope We've introduced a new operator to D&R rules: scope. This allows you to scope the path of all sub-rules to a sub-path specified. More concretely, this allows for rules that target specific sub parts of the event, like in the case of NETWORK_CONNECTIONS events. More details: https://doc.limacharlie.io/docs/documentation/docs/dr.md#scope


July 14, 2021

Webhook Output Compression change

This is a minor update that could have an impact if you use webhook or webhook_bulk Outputs along with compression enabled.

We've fixed the behavior of compression on the HTTP headers of those outputs. When the change is deployed, these outputs using compression will now receive headers:

  • content-type: application/json

  • content-encoding: gzip

whereas before the fix they would only receive content-type: application/octet-stream.

This change will enable the automatic processing by various receiving webservers to remove the gzip encoding automatically. Practically it means you will be able to, for example, use webhook_bulk with compression enabled to send data to the logz.io REST API directly.

In most cases, this should not have an impact. However, if you are receiving compressed webhooks via a server that automatically removes gzip encoding, then the content of your webhooks will now be automatically decoded.

This change will be deployed in the coming days. As always, please let us know if you have any issues or concerns.
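An added receiver-side example (not LimaCharlie's own code) showing how a webhook endpoint can accept the pre-fix delivery (application/octet-stream with an undeclared gzip body), the corrected one (content-encoding: gzip), and the case where a front-end has already stripped the gzip encoding. The detection payload and deliveries are constructed.

```python
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream

# Constructed detection payload standing in for what an Output would deliver.
SAMPLE_DETECTION = {
    "cat": "constructed-test-detection",
    "detect": {"event": {"DOMAIN_NAME": "example.invalid"}},
}


def _gz(obj):
    return gzip.compress(json.dumps(obj).encode("utf-8"))


# Three constructed deliveries of the same payload (header names lower-cased,
# as most servers present them):
#  - NEW_STYLE:   after the fix, JSON content type plus a declared gzip encoding
#  - OLD_STYLE:   before the fix, raw gzip bytes labelled only as octet-stream
#  - PRE_DECODED: a front-end (reverse proxy, middleware) already removed gzip
NEW_STYLE = ({"content-type": "application/json", "content-encoding": "gzip"}, _gz(SAMPLE_DETECTION))
OLD_STYLE = ({"content-type": "application/octet-stream"}, _gz(SAMPLE_DETECTION))
PRE_DECODED = ({"content-type": "application/json"}, json.dumps(SAMPLE_DETECTION).encode("utf-8"))


def decode_webhook_body(headers, body):
    """Return the JSON object carried by a webhook/webhook_bulk delivery.

    Decompression is decided from the bytes themselves (gzip magic number), so
    the result is the same whether the encoding was declared, undeclared, or
    already removed upstream. The header is only used to reject encodings this
    receiver does not handle.
    """
    encoding = headers.get("content-encoding", "").lower()
    if encoding not in ("", "gzip"):
        raise ValueError(f"unsupported content-encoding: {encoding}")
    if body[:2] == GZIP_MAGIC:
        body = gzip.decompress(body)
    # If the header says gzip but the bytes are not gzip, a front-end has
    # already decoded the body; decompressing again would fail, so we do not.
    return json.loads(body.decode("utf-8"))


def decode_many(deliveries):
    """Decode a list of (headers, body) deliveries in order."""
    return [decode_webhook_body(h, b) for h, b in deliveries]


if __name__ == "__main__":
    for parsed in decode_many([NEW_STYLE, OLD_STYLE, PRE_DECODED]):
        print(parsed["cat"], parsed["detect"]["event"]["DOMAIN_NAME"])
```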


July 9, 2021

Slack Output Documentation

Since the move from Slack to deprecate Legacy tokens, we had not updated our documentation on getting the Slack Output working. We've now remedied that: https://doc.limacharlie.io/docs/documentation/docs/outputs.md#slack

Time Zone Preference

You can now select your preferred time zone in the web app! Go to Settings inside your User Profile and you can choose which time zone you'd prefer to see timestamps formatted in. Check it out! https://www.reddit.com/r/limacharlieio/comments/oh5s6p/time_zone_preference_in_the_web_app/


July 8, 2021

WEL Event Format

If you have not built D&R rules for real-time Windows Event Logs, you can stop reading.

It's recently come to our attention that some Windows Event Logs, as ingested through the real-time mechanism (https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#from-real-time-events) may be formatted slightly differently from what was intended.

Specifically, in some cases, some events could carry an extra Event envelope. The correct path generated is event/EVENT/System for example, whereas in the badly formatted events you would have event/EVENT/Event/System.

This error was due to some variable structures in the Windows Event Logs that we'd missed as part of the normalization step.

All Sigma rules automatically generated by LimaCharlie use the correct path, so unless you've created your own rules specifically for the real-time Windows Event Log events, there should be no impact.

Given the low expected impact, we intend to deploy the fix to all clusters tomorrow. If this has an impact on your operations please get in touch with us so we can evaluate the impact vs the impact from mismatched Sigma rules.
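An added example (not LimaCharlie's code) for checking already-collected real-time WEL events for the extra Event envelope and hoisting the body back to the correct path, using a small resolver for D&R-style slash paths. The two sample events are constructed; a rule written against event/EVENT/System/EventID silently misses the malformed one until it is normalized.

```python
import copy

# Constructed samples in the real-time WEL shape: one with the correct layout
# and one carrying the extra "Event" envelope described above.
GOOD_WEL = {
    "event": {"EVENT": {
        "System": {"Channel": "Security", "EventID": "5379", "Computer": "WIN-EXAMPLE"},
        "EventData": {"SubjectUserName": "testuser"},
    }},
    "routing": {"event_type": "WEL"},
    "ts": "2021-03-15 02:55:22",
}
BAD_WEL = {
    "event": {"EVENT": {"Event": {
        "System": {"Channel": "Security", "EventID": "5379", "Computer": "WIN-EXAMPLE"},
        "EventData": {"SubjectUserName": "testuser"},
    }}},
    "routing": {"event_type": "WEL"},
    "ts": "2021-03-15 02:55:23",
}


def get_path(obj, path):
    """Resolve a D&R-style slash path (e.g. event/EVENT/System/EventID); None if absent."""
    cur = obj
    for key in path.split("/"):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def has_extra_envelope(evt):
    """True when the WEL body sits under event/EVENT/Event instead of event/EVENT."""
    body = get_path(evt, "event/EVENT")
    return (isinstance(body, dict)
            and "System" not in body
            and isinstance(body.get("Event"), dict))


def normalize_wel(evt):
    """Return the event with event/EVENT/Event/* hoisted to event/EVENT/*.

    Well-formed events are returned as-is; malformed ones are deep-copied so
    the original record is never mutated in place.
    """
    if not has_extra_envelope(evt):
        return evt
    fixed = copy.deepcopy(evt)
    inner = fixed["event"]["EVENT"].pop("Event")
    fixed["event"]["EVENT"].update(inner)
    return fixed


def audit(events, rule_path="event/EVENT/System/EventID"):
    """Count events a rule on rule_path would miss, and how many normalization repairs."""
    missed = sum(1 for e in events if get_path(e, rule_path) is None)
    fixable = sum(1 for e in events if has_extra_envelope(e))
    return {"total": len(events), "missed_by_rule": missed, "fixable": fixable}


if __name__ == "__main__":
    print(audit([GOOD_WEL, BAD_WEL]))
    print(get_path(normalize_wel(BAD_WEL), "event/EVENT/System/EventID"))
```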


July 7, 2021

We have added a new course to our free learning platform that walks users through the LimaCharlie Add-on Marketplace. Learn how easy it is to get new superpowers or create your own. https://edu.limacharlie.io/courses/exploring-the-add-on-marketplace


July 6, 2021

Infrastructure Service

As outlined in this post on our blog (https://www.limacharlie.io/blog/2021/7/6/infrastructure-service), we've released a new Service called infrastructure-service: https://app.limacharlie.io/add-ons/detail/infrastructure-service

We see Infrastructure as Code (IaC) in LimaCharlie as one of our super powers. But we know sometimes it's not the most convenient approach to apply quick IaC templates. This service now allows you to do what you used to do using the CLI, but through the service and its API. On top of the API it provides, it also has its own section in the web UI that makes it easy to copy/paste your org's current configuration for backup, transfer to another org or tweaking.

We plan to make use of this service and IaC even more in the future by providing "templates" you'll be able to apply very easily to your new orgs, and also to use IaC as a fast and reliable way to communicate/apply features and automation in LimaCharlie that involves multiple components (like a FIM rule + several D&R rules for example).

It's also worth noting that this service is now enabled by default on all new organizations to make it easier to bootstrap IaC deployments on new orgs.


June 30, 2021

Net Telemetry

Two new Policy types are available for Net: dns-tracking and conn-tracking. These new policies, when applied, will generate DNS_REQUEST and NETWORK_CONNECTIONS events for the Net sensor they are applied to. Those events will make their way in real-time into LimaCharlie:

  • they will be visible and retained in the Timeline of the Net sensor

  • they will be visible in the Live Feed section of the Net sensor

  • they will go through the D&R rules

https://doc.limacharlie.io/docs/documentation/docs/lc-net.md#dns-tracking


June 29, 2021

In an industry first, LimaCharlie is introducing a pure usage-based billing scheme for its EDR capability. Deploy a full-featured, cross-platform agent for as little as $0.02 an endpoint. Read about what this means for cybersecurity: https://www.limacharlie.io/blog/2021/6/29/an-industry-first


June 17, 2021

Sensor v4.25.1

  • Enhanced hashing on Windows.

  • More reliable process parent/child tracking under load.


June 8, 2021

New Add-ons Marketplace

We've done a redesign of our add-on browsing / management experience! Some highlights:

  • Add-ons now live in a marketplace which you can browse anytime, specifying which org(s) you want to subscribe to add-ons

  • Add-ons are now searchable! Both from the marketplace and within orgs

  • Add-on authors now get separate preview descriptions & full markdown descriptions to better promote their add-ons

  • We've done a content audit to make sure our published add-ons are as descriptive as possible so everyone can set them up and use them

  • The Add-ons view within orgs is now a focused list of add-ons that are currently enabled in that org

  • Detection add-ons are now marked for deprecation, meaning we don't show them in the new marketplace. We feel that managed rule sets via Service add-ons are a better experience overall since you can simply enable them with no extra steps

Here's a quick tour if you'd like the guided version.


June 2, 2021

VirusTotal API

We've updated the lcr://api/vt API that can be used in D&R rules to support Domains and IPs on top of the existing Hashes support. Usage is exactly as before, the value provided in the lookup will automatically be detected to be a Domain, IP or Hash. Here is an example of a rule leveraging VirusTotal for Domains:

event: DNS_REQUEST
op: lookup
path: event/DOMAIN_NAME
resource: lcr://api/vt
metadata_rules:
  value: 4
  length of: true
  op: is greater than
  path: /


May 26, 2021

Sensor v4.25.0

The minor version change is the result not of new functionality in this release, but of the update to the libYara included. As this was a major update and it is an external library, we wanted to be cautious in letting people know of the change.

  • Updated libYara

  • Fix to macOS User Mode (without the Apple Endpoint Security Extension) process tracking that could result in high CPU during sensor updates.


May 12, 2021

Sensor v4.24.3

Linux:

  • File Integrity Monitoring on Linux has had fixes to support wildcards in paths like /home/*/.ssh/* without impacting system performance like before.

macOS:

  • You will no longer see the RPHCP.app appear in the Recent Applications section of the Dock after a restart

  • We now provide better “silent” installations for enterprise deployments using a preference file (the RPHCP.app won’t prompt you with the Install button if you’ve used an MDM profile and place the preference file in the /Library/Preferences folder)


May 9, 2021

Apple Binary/XML Plist Support

The Artifact Ingestion system now supports Apple Binary (and XML etc.) PLISTs. Ingesting them will produce a parsed version in JSON which you can alert on using the D&R rules engine, similarly to Windows Event Logs and others.


May 6, 2021

Web App Update

Sensor View

We've been working on making it easier to navigate & interact with the data for each individual sensor. To that end, we've deepened the navigation so you can drill down into a Sensor in the web app to access available data as well as take action from one place. Just click a Sensor from the list within an org and you'll see the new view.

Today you'll be able to see Overview, Artifacts, Timeline, Console, and Processes accessible from this view (Console pictured below). The intention is to deprecate Live View and consolidate most of its functionality into this new one-stop-shop for everything on a Sensor. We're still working on finishing Processes and will be working on bringing File System and Network Connections into this view next.

Artifacts

We've created a new page, accessible from the Sidebar, for viewing all Artifacts within an Organization. The Artifact Collection page is now just for configuring rules, and there's no longer a need to open up a separate window to view & filter collected Artifacts.


April 26, 2021

Web App Historical/Timeline

Clicking on a Sensor in the Sensor List now brings you into a more complete view of all the information about that Sensor, including the Timeline (historical view) and the Live Console. This means the Historical view button has been moved to the sidebar menu found by clicking on a specific Sensor.

As we keep refactoring things you'll find more and more Sensor-specific views in this Sensor section.

This also comes with a change in the URL for these views. The historical URL now looks like /orgs/OID/sensors/SID/timeline. The links generated in the Detections have also been adjusted to point to this new path.


April 13, 2021

EXP Datacenter Decommissioning

The "Experimental" Datacenter will decommissioned from General Availability on Friday (April 16, 2021). We've reached out privately to users who had small deployments on this datacenter a few weeks ago, so we don't expect this announcement to have an impact on anyone. We just wanted to have it on the record for transparency or for those who noticed it gone from the list of datacenters.


April 8, 2021

Webapp - Event Explorer Rewrite

If you use explorer to dig into Sensors' event histories, this is for you! We rewrote the Explorer view to have improved performance, UX, and consistency of how event trees are constructed. It should feel familiar, but more approachable.

Some of its features:

  • The view is still at its core a browsable list of events, anchored at a chosen point in time. Clicking an event selects it for the viewer to show related events in a tree graph, as well as details of the raw event.

  • The URL contains the exact state of the filters and event tree you're looking at. Feel free to share with a colleague!

  • The keyboard controls have been expanded upon. There's a helpful Controls button to get you familiarized.

We hope it feels solid for you! Any feedback and bug reports are welcome.


April 5, 2021

Sigma Service & Live Windows Event Logs

Since a few days ago, the Sigma Service now generates Windows Event Logs based D&R rules that apply to Live Windows Event Logs (as announced March 16) on top of the previously-supported Artifact-based (files) Windows Event Logs.

This means that as you switch to using Live WEL, you will keep the coverage provided by Sigma.

As usual, the Sigma D&R rules used are available here for transparency: https://github.com/refractionPOINT/sigma/tree/lc-rules/lc-rules

Sensor v4.24.2

  • Enhanced performance with network tracking on Linux Docker environments.

  • Tweaks to process termination increasing reliability of the ordering of some events, leading to better stateful detection and parent->child ordering of events.

Note: with this release we are also bumping up the Stable version to 4.24.1.

March 22, 2021

Sensor v2.24.1

  • Fixes a possible memory leak that could occur in certain rare cases on Linux / Docker environments.

  • Fix also enhances memory and CPU performance a little bit on all platforms.


March 15, 2021

Preview: Real-time Windows Event Logs

We will be rolling out a major new feature early this week: the ability to capture Windows Event Logs (WEL) in real-time. Windows 2008 and above will be supported as we rely on APIs introduced then.

The new events will be received just like any normal LimaCharlie event, encapsulated in an event of type WEL. Like the collection of WEL on disk, the real-time WEL collection contains the JSON form of each event. This means that with this feature, you will be able to write normal EDR-based D&R rules for WEL, including using stateful rules between WEL and first-class LimaCharlie events.

The collection will still be configured from the Artifact Collection menu, by specifying a path of the form "wel://<log-source>:<log-filter>" as opposed to a traditional file path of a log file to collect.

The collection will have a billing component (exact amount TBD) per number of events since collection can vary wildly depending on tenant.

Example configuration:

wel://Security:*

Example event:

{
  "event": {
    "EVENT": {
      "EventData": {
        "ClientProcessId": "5136",
        "CountOfCredentialsReturned": "0",
        "ProcessCreationTime": "2021-03-15T02:55:19.2369319Z",
        "ReadOperation": "%%8100",
        "ReturnCode": "3221226021",
        "SubjectDomainName": "WIN-5GD8E0AG2OD",
        "SubjectLogonId": "0x1b8de",
        "SubjectUserName": "testuser",
        "SubjectUserSid": "S-1-5-21-4156042152-1734453135-989269774-1000",
        "TargetName": "MicrosoftAccount:user=02rlaxvkrpaxteab",
        "Type": "0"
      },
      "System": {
        "Channel": "Security",
        "Computer": "WIN-5GD8E0AG2OD",
        "Correlation": { "ActivityID": "{cc484453-193e-0001-fe44-48cc3e19d701}" },
        "EventID": "5379",
        "EventRecordID": "41750",
        "Execution": { "ProcessID": "664", "ThreadID": "748" },
        "Keywords": "0x8020000000000000",
        "Level": "0",
        "Opcode": "0",
        "Provider": { "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", "Name": "Microsoft-Windows-Security-Auditing" },
        "Security": "",
        "Task": "13824",
        "TimeCreated": { "SystemTime": "2021-03-15T02:55:21.9656464Z" },
        "Version": "0"
      }
    }
  },
  "routing": { ... },
  "ts": "2021-03-15 02:55:22"
}

Documentation: https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#from-real-time-events


March 13, 2021

We’ve rolled out a change that lets you stay logged into LimaCharlie across browser tabs. This is on by default. You can change this in the LimaCharlie web application within Settings -> View User Profile -> Settings -> Allow Session Across Browser Tabs


March 1, 2021

White Label Changes

To those who use LimaCharlie's white label functionality -- we've just pushed out visual changes for your sites. Highlights:

  • Installation Keys & Sensor Downloads now appear together in a new section called Install Sensors

  • Incident Response moved from sidebar to the Sensors section

  • Menu reorganization

For more information please refer to our blog post: https://www.limacharlie.io/blog/2021/2/6/visual-changes-coming-soon-to-the-limacharlie-web-application


February 24, 2021

Web App Changes

  • We've just pushed a major update to the Sensors List. We feel it's a lot better than it used to be: cosmetic and performance changes.


February 17, 2021

Python SDK/CLI v3.18.0

  • Added support for lc-net Policies to the Configs CLI to manage the policies through config files.

  • Added the --all flag to limacharlie configs to sync all types.

  • Produce warning on limacharlie config if no config type to fetch/push is specified.


February 13, 2021

D&R Rules Changes:

  • We’ve introduced Time Descriptors to D&R Rules. These enable you to specify very custom time of day/week/year when parts of a rule are in effect. These unlock a bunch of UEBA use cases. For details see our documentation on D&R rules & times.

  • The event: _* portion of D&R Rules now supports a special wildcard to have a rule match all Detections being re-processed by the D&R Rule Engine. This is useful to apply a rule to all detections generated. See the last paragraph: https://doc.limacharlie.io/docs/documentation/docs/dr.md#basic-structure


February 10, 2021

User interface updates

Some visual changes were made in the web application user interface. Details can be found in our blog post.


January 8, 2021

New Element in Event Routing

You may start to notice in the next few weeks a new element in the routing element of the events generated by LimaCharlie.

The new element is called ‘did’ (a string) and will be used to represent the DeviceID, a value that will tie together multiple SensorIDs when the multiple sensors refer to the same Device. The implementation of this new value will also gradually roll out, so you may see it get populated to a value if, for example, you have a Windows sensor and a Chrome sensor on the same box. This new value will take on more importance in the future as we introduce more sensor platforms to provide you with a top level view of a user's device.


January 5, 2021

Output Pricing

Starting March 1st, we will be introducing a per GB cost to non-Google Cloud Storage (GCS) Outputs in LimaCharlie. The cost will be $0.12 per GB.

The goal of this pricing is not to monetize the feature but rather to ensure a fair and scalable future for the feature. The cost introduced is the exact cost incurred by Google Cloud, our cloud infrastructure provider.

The exclusion of GCS is due to much lower costs for bandwidth within the Google Cloud.

You will likely start seeing these line items pop up in the billing section ahead of the price taking effect. We do this to provide lead time for you to evaluate the final cost once it takes effect.

If you are using Insight (our 1 year of data retention) exclusively this change will have no effect on your billing.


January 4, 2021

Insight Historical Search Throttling

We are rolling out throttling of Historical search ("object" search). You will now be limited to 20 searches per hour per Organization on a rolling window.

The goal of this is not so much to limit the number of searches done by a user as to reduce the risk of users performing a high number of queries in an automated fashion without realizing it. This API is backed by Google Cloud's BigQuery on our end and that service is very sensitive price-wise. It is able to search across petabytes in the blink of an eye (which is why we chose it for long term scalability), but it's also not cheap. We've decided on this approach for now as it allows us to have a sanity ceiling in a transparent way most users won't hit. The alternative would have been to bill users directly per search, but we felt this approach would have been more likely to lead to surprise bills, which nobody wants.

We'll be refining this approach over time. Please let us know if you have feedback or concerns.

Note that searches are not limited to single IOCs. Using the batch API (see related API documentation and Python SDK documentation) you can query for multiple IOCs at once, which will count as a single query. This can be a great way to still get the coverage you need but in a more efficient way.


December 17, 2020

Python CLI Config Push

  • We've released a new version of the Python SDK / CLI tool that refactors the old `Sync` module into a new cleaner module called `Configs` so you can consider Sync deprecated (although it is still present in the SDK/CLI).

  • We've also released a sample MSSP repo demonstrating infrastructure-as-code config management as part of a webinar.

  • Documentation to the new Configs module

  • The new Configs module can also be invoked via the CLI: `limacharlie configs --help`


December 9, 2020

Sensor v4.23.1

  • Enhancements to macOS support. Fixed some issues with upgrading the new System Extensions as well as the support for old Kernel Extensions.


December 3, 2020

Sensor v4.23.0

  • Revamp support for macOS 11 (Big Sur). This was a huge effort of re-writing the entire kernel acquisition pipeline and we were caught a bit off guard by the actual release date. Thanks for your patience. On a good note, our capabilities are actually better than they used to be.

  • Fixing possible connectivity issues that could also impact performance that were introduced in v4.22.0. We strongly recommend using the new v4.23.0 installers for new installs. If you have issues with previous installs on v4.22.0, you may swap the new installer for the older executable on disk.

  • We have added a capability to perform core-upgrades (as opposed to the normal day to day updates that we issue 99% of the time) from the cloud, so without having to swap executables or re-install as mentioned in the point above. We will be releasing instructions on doing core-upgrades within a day or two. We believe v4.23.0 brings us back to a very stable core which should not require updates for a long time.

* Please note that macOS 11 (Big Sur) will still require a series of pop ups to confirm access by LimaCharlie to various parts of the OS by the new App bundle required to support Apple’s new frameworks. Unfortunately that’s just going to be part of life on the Apple ecosystem for the foreseeable future, all vendors are impacted. It is possible to bypass these by using enterprise deployment platforms and whitelisting the LimaCharlie certs at the enterprise level. We will be producing documentation on that topic in the future.


November 25, 2020

Sensor v4.22.1

  • Fixes an issue where Yara scanning would always be enabled even without rules being set. This fixes a memory leak on Linux.

  • Fixing proxy support where some proxies would reply with an HTTP 1.1 OK even to HTTP 1.0 requests.

  • Fixing support for Payloads and Artifact collection with proxies.

  • Better error reporting to artifact errors.

    In addition, the installer has also been updated for Windows. Mainly this changes an internal behavior of the agent where some payloads used to be loaded into memory manually; this new version loads them "properly" from the OS's perspective. This solves some issues with proxies and environment variable use by the sensor. You should not need to upgrade the installer on existing deployments unless you have a specific need for it.


November 13, 2020

Sensor v4.22.0

  • Hardened LC protocol with the sensor talking to the cloud. This fixes a rare issue where a sensor could become unresponsive if it had encountered a failure mid-enrollment.

  • New task available: dns_resolve. It will cause the sensor to resolve a given domain name. This is mainly geared towards a future global-level API to correlate multiple sensors and users living on the same devices.

We recommend using the new installers for future installs, but should not be needed for current ones.


October 20, 2020

Two new services allowing for the creation of alerts/messages in the respective platforms.

These are designed to be mainly used as part of D&R rule actions to trigger escalation of an alert. They can also be used by other Services.


October 19, 2020

Sensor v4.21.3

  • Ability to use scripts (like .bat) as Payloads

  • Small performance tweak

The ability to run a script is provided by adding the ability to set the file extension of the payload. This is done by adding the extension to the Payload name. For example, if you create a new payload named extract everything.bat, the temporary name of the Payload when sent to the endpoint will end with .bat, which will make Windows interpret the Payload as a batch file. This mechanism should allow the execution of any file type associated with execution on the endpoint. It is the equivalent of starting a shell and just "calling" the payload.

Dumper Service now supports dumping the MFT on Windows

We've added a new option, target to the Dumper Service. This option supports memory (the default) and mft. The MFT dumping behaves the same way as memory, except that it dumps the MFT as a pipe-delimited CSV file of type mftcsv in the Artifact Collection system.

Artifact Collection parsing for mftcsv and csv types

The Artifact Collection system has two new parsers: mftcsv and csv. This means you can write D&R rules on the contents of the MFT dump announced above. The generic csv type will parse any CSV file, assuming the first line is a header definition of the columns.


August 19th, 2020

Sensor v4.21.0

  • Basic Proxy support: https://doc.limacharlie.io/en/master/proxy/

  • Small enhancement to Linux packet capture.

Note: proxy support requires new version of the installer, if you keep installers locally for deployments you will want to re-download the latest.

Web App v2.28.10

  • Adding a timer to the delete-org dialog to help avoid deleting by mistake.

  • Adding banner in web app when an organization has past-due billing to help make billing issues more visible.


Wednesday, July 15, 2020

New sensor-cull Service

This new service is free and can be subscribed to from the add-ons section of your organizations. It allows you to set rules that automate the deletion of sensors that have not connected to your org after N days. This is useful for Docker deployments or other template/VM based deployments where sensors continually enroll and then are not seen again once the container/VM is destroyed.


Wednesday, July 1st, 2020

Sensor v4.20.1

This is a minor update with a single fix:

  • A local Docker installation could cause an override of the FQDN to host.docker.internal. This has been mainly observed on Windows, but all platforms now ignore this FQDN locally and report their hostname instead in those instances.


Tuesday, June 16th, 2020

Web UI v2.28.6

  • Advanced Artifact Search. In Artifact Collection, there is now a link above the list, at the bottom, to a full-page Artifact viewer and search.

  • Fixed hostname display in Detections from Artifacts.

  • Hiding certain event types from the Exfil Service to avoid mistakenly enabling extremely verbose events fleet-wide. They are still available through the API. This will likely be reverted when we release the next version of our main endpoint service, which will have better performance.

  • Adding a Packet Capture section to Artifact Collection. More details in its own announcement shortly.

Sensor v4.20.0

  • More information in REGISTRY_WRITE operations. Includes type, size and first N bytes of the value written.

  • Network capture capability on Linux sensor. More details to follow.

  • Windows kernel small fix to memory leak issue in some rare network configurations.

Linux Packet Capture

This is a big capability rollout we're very excited about. It is now possible to configure automatic pcap capture on Linux hosts from the cloud.

Configured through the Artifact Collection screen, you can specify a list of hosts filtered by tag, then for each a list of captures to run, where each capture is a combination of a network interface and a filter expression (tcpdump-like). When activated, captures will be started (synchronized every ~10m) on the hosts. Captures will be automatically uploaded to the LimaCharlie cloud's Artifact Collection in 30MB chunks where they will be retained for the retention period specified in the rule.

This closes an important detection loop. For example:

You can now capture network traffic from (for example) a proxy and have the network capture retained automatically in the cloud. This capture on its way in gets translated into JSON where you may apply D&R rules to automate detection and response from the PCAP header layers. You may then have those PCAPs automatically converted into Zeek logs using a D&R rule on PCAP ingestion using the Zeek service. These Zeek logs get re-ingested in the Artifact Collection service (with a custom retention of your choosing) where they also get converted to JSON and again can be used as the basis for D&R rules to automate even more.

This is the first step towards more XDR-like capabilities. On our future roadmap is to include a managed Suricata service allowing you to run as many network detection rules as you want without impacting endpoints directly.

As part of this rollout are changes to the Zeek service to make it more usable and customizable (see documentation links below). The Python SDK has also been modified to provide simple iteration over PCAPs from one or many hosts, which can be used to further automate off-site pipelines.

Some doc:

https://doc.limacharlie.io/en/master/external_logs/#network-capture

https://doc.limacharlie.io/en/master/zeek/

Feel free to reach out if you have any more questions.

The LimaCharlie Team
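The "PCAP header layers translated into JSON" step is the part of this loop that a rule author needs to picture. The following added example (not LimaCharlie's ingestion code) parses a classic pcap file into a JSON-serialisable structure of Ethernet/IPv4/TCP header fields and then runs one rule-style check over it. The capture bytes are constructed in memory; the JSON field names and the `syn_to_ports` check are choices of this example, not the platform's schema.

```python
import json
import socket
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_sample_pcap():
    """Construct a tiny little-endian pcap in memory (constructed data, not a real
    capture): two TCP SYNs over Ethernet/IPv4, one to port 22 and one to 443."""
    def tcp_frame(src_ip, dst_ip, sport, dport, flags):
        eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
        return eth + ip + tcp

    frames = [
        (1592000000, 1000, tcp_frame("10.0.0.5", "10.0.0.9", 51000, 22, 0x02)),
        (1592000000, 2000, tcp_frame("10.0.0.5", "203.0.113.7", 51001, 443, 0x02)),
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Decode the Ethernet, IPv4 and TCP/UDP header layers of one frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"src": _mac(src), "dst": _mac(dst), "type": ethertype}}
    if ethertype != 0x0800 or len(frame) < 34:
        return layers
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = frame[23]
    layers["ip"] = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
                    "proto": proto, "ttl": frame[22]}
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", l4[:14])
        layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq,
                         "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit]}
    elif proto == 17 and len(l4) >= 8:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        layers["udp"] = {"sport": sport, "dport": dport, "len": length}
    return layers


def parse_pcap(data):
    """Parse a classic pcap file (either byte order, us or ns timestamps)
    into a JSON-serialisable dict."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    divisor = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, sub, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        pkt = {"ts": sec + sub / divisor, "caplen": caplen, "len": origlen}
        if linktype == 1 and len(frame) >= 14:
            pkt.update(parse_ethernet(frame))
        packets.append(pkt)
    return {"version": f"{vmaj}.{vmin}", "snaplen": snaplen, "linktype": linktype, "packets": packets}


def syn_to_ports(capture, ports):
    """Rule-style check over the parsed JSON: bare SYNs (no ACK) to the given ports."""
    hits = []
    for p in capture["packets"]:
        tcp = p.get("tcp")
        if tcp and "SYN" in tcp["flags"] and "ACK" not in tcp["flags"] and tcp["dport"] in ports:
            hits.append((p["ip"]["src"], p["ip"]["dst"], tcp["dport"]))
    return hits


if __name__ == "__main__":
    capture = parse_pcap(build_sample_pcap())
    print(json.dumps(capture, indent=2))
    print(syn_to_ports(capture, {22}))
```

Only the header layers are decoded here, which is exactly the level at which a rule on the ingested JSON can act; payload inspection is what the Zeek or Suricata stages of the pipeline are for.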


Friday, May 29th 2020

Artifact Export Pricing

This is a heads up that beginning next month (July), we will be introducing a price around Artifact exports.

The reason for adding usage-based pricing around this is that large bulk exports (like Artifacts) incur network bandwidth costs for LimaCharlie. It is not our intent to specifically monetize this feature, but given the cost is non-trivial, we will be setting the price to be at-cost (https://cloud.google.com/storage/pricing#network-pricing).

This should have little to no impact on most users unless you do frequent exports of original Artifacts.

Our longer term intent to lessen the impact of pricing like this is to favor the development (both internally at LimaCharlie and externally by LC users) of Services through our Service framework, since these services will be able to use Artifact data from the cloud at a much lesser cost.

The new pricing will be $0.12 per GB exported.


Tuesday, May 26th 2020

Renaming External Logs

We've renamed External Logs to Artifact Collection in order to make it more descriptive. This renaming also translates into the commands like log_get which are now artifact_get etc. The old commands are still supported as aliases to the new ones. The events generated by the sensors have not been renamed for backward compatibility.

New Webhook-Bulk Output

The new webhook_bulk Output now allows you to transmit batches of events/detections/audit-logs via webhook. The old webhook (still available) transmitted a webhook per-event, which was not suitable for large amounts of events. These changes (including the web UI) are rolling out over the next few hours.

OLE VBA Macro Parsing

The Artifact Collection system can now detect and parse OLE (MS Word, Excel etc) documents that contain VBA macros and extract the macros. This means you can now build D&R rules that look for specific content in VBA macros from documents ingested.


Wednesday, May 20th 2020

Sensor 4.19.6

  • Fixes specific to stability in Docker environments.

  • Fix to specific cases on Windows where kernel notifications could lead in blocking of handles.

  • Added to Windows REGISTRY_WRITE events: registry value size, registry value type and first 16 bytes of the value itself.


Tuesday, May 19th 2020

Reliable-Tasking Service

We've just released a new service called reliable-tasking. This service allows you to task multiple endpoints at once, including offline endpoints. In the event an endpoint is offline, the service will wait for it to come back online and issue the task then. An optional ttl is also available to limit the amount of time the task will be pending for offline endpoints.

As with all Services, it is available through the REST API, D&R rules and SDK.

https://doc.limacharlie.io/en/master/reliable_tasking/

https://python-limacharlie.readthedocs.io/en/latest/limacharlie.html#limacharlie.Replicants.ReliableTasking
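The two behaviours worth understanding before relying on the service are "hold the task until the sensor reconnects" and "drop it if the ttl runs out first". The following added model (not the LimaCharlie service's code) captures those semantics so they can be reasoned about offline; the `is_online` callback standing in for the sensor directory, and the explicit `now` parameters, are assumptions of the example.

```python
from collections import defaultdict


class ReliableTasker:
    """Model of the reliable-tasking semantics described above (an added
    illustration, not the LimaCharlie service). Tasks for online sensors go out
    immediately, tasks for offline sensors wait for reconnection, and an
    optional ttl (seconds) drops a pending task that waited too long."""

    def __init__(self, is_online):
        self._is_online = is_online          # callable(sid) -> bool; assumed directory lookup
        self._pending = defaultdict(list)    # sid -> [(task, expires_at or None)]
        self.delivered = []                  # (sid, task) in delivery order
        self.expired = []                    # (sid, task) dropped because the ttl passed

    def issue(self, sids, task, now, ttl=None):
        """Task several sensors at once; offline ones are queued."""
        expires_at = None if ttl is None else now + ttl
        for sid in sids:
            if self._is_online(sid):
                self.delivered.append((sid, task))
            else:
                self._pending[sid].append((task, expires_at))

    def pending(self, sid):
        """Tasks still waiting for this sensor to reconnect."""
        return [task for task, _ in self._pending.get(sid, [])]

    def on_connect(self, sid, now):
        """The directory reports `sid` online: flush its queue, honouring ttl.
        Returns the tasks actually handed to the sensor."""
        flushed = []
        for task, expires_at in self._pending.pop(sid, []):
            if expires_at is not None and now > expires_at:
                self.expired.append((sid, task))
            else:
                self.delivered.append((sid, task))
                flushed.append(task)
        return flushed


if __name__ == "__main__":
    online = {"sensor-a"}                    # constructed directory state
    tasker = ReliableTasker(lambda sid: sid in online)
    tasker.issue(["sensor-a", "sensor-b", "sensor-c"], "os_version", now=1000, ttl=60)
    print("delivered now:", tasker.delivered)          # only sensor-a
    print("sensor-b gets:", tasker.on_connect("sensor-b", now=1030))   # within ttl
    print("sensor-c gets:", tasker.on_connect("sensor-c", now=2000))   # ttl passed, nothing
    print("expired:", tasker.expired)
```

Without a ttl a queued task waits indefinitely, which is the behaviour you want for "collect this the next time the laptop is seen" and not for time-sensitive containment, where a stale task arriving hours later can do more harm than good.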


Sunday, May 17th 2020

Centralized Invoices

We have been working on providing a capability to do a single centralized Invoice for users of LC at scale like MSSPs. This feature will see a single invoice sent to you monthly for all organizations created under your domain, so you can pay once instead of for each org individually.

We expect to be ready for roll-out within a week or two. If this is something you're interested in, let us know and we will contact you when it's available.


Saturday, May 16th 2020

Sensor v4.19.5

This is a single change release with very minor impact.

  • The "atoms" that are used to correlate all events now implement a new encoding scheme that greatly improves searching for specific events by atom, which is most commonly needed in the Historical view of the web UI. "Crawling" up the parent process tree in this view should become much faster (it is now O(1)) for sensors upgraded to this new version.



Thursday, May 14th 2020

Rolling Directory Reset

Tonight, after 6 PM Pacific Time, we will be performing an upgrade to most datacenters' Sensor Directory service. This is part of an effort to increase performance and reliability of the service.

The side-effect is that over a few minutes, the sensor list may be partial or unreliable. This will not impact general telemetry collection of the sensors.

Let us know if you have any questions.


Wednesday, May 13th 2020

Sensor v4.19.4

  • Small tweak to Windows kernel extension. Fixes rare cases causing blocking delay on pipe closure and possible memory leak in certain network configurations

  • Better file path expansion in kernel read file.


Thursday, May 7th 2020

TTLs


Tuesday, May 5th 2020

Sensor v4.19.3

  • os_processes now supports a --pid to list a single process and a --is-no-modules to report only the process information and not all its modules (a lighter-weight event).

  • os_version on Windows now adds a FRIENDLY component that lists a few human-readable strings from the registry.

  • The CODE_IDENTITY event now includes several attributes found in the file_info like various file times. Nix OSes also include UID, GID and Mode.

  • The FILE_INFO_REP event now includes UID, GID and Mode.

  • All file hashes are now generated from the kernel when available.

  • Process information acquisition has been streamlined, should result in better performance.


Monday, May 4th 2020

Web UI v2.26.0

  • Added a toggle to enable/disable a D&R rule without deleting it.

  • Added a Web App Domain value in the Integrations section. If set, this domain name (like app.limacharlie.io for example) will be used in the generation of URL links. At the moment the only link generated is found in the Detections generated. If the Integration value is set, you will find a links value at the root of the JSON detections that is the equivalent of the link we have in our web UI to go to the Historic view to the event in question. This is off by default so that you may set it to the value of your white-label domain (if applicable).


Saturday, April 25 2020

Sensor v4.19.2

  • Command line arguments on Windows and OSX should now more reliably contain the full value even when extremely long.

  • Fixing a bug on DNS for Linux that could cause the Linux sensor to block for a long time when restarting. Consequently, you may need to manually restart the Linux sensor after upgrading to this new version if you are upgrading from 4.19.x.

  • Fixing an issue where extreme numbers of process starts on a machine could result in some TERMINATION events being lost. This in turn could result in slow memory leak from internal mechanisms tracking process termination.

  • Enhanced error numbers for External Log fetching through log_get.

Side note: we recently changed our EV Certificate used to sign Windows components. During the switch an error was made and the wrong .cat file was included when deploying the driver. This could result in Windows 10 Secure Boot enabled systems to reject the driver signing. This update fixes this.


Friday, April 17th 2020

Sensor v4.19.1:

  • Ability to ignore cert validity (--is-ignore-cert) for log_get and run, for more info on why see: https://doc.limacharlie.io/en/master/sensor_commands/#log_get.

  • The NETWORK_CONNECTIONS event now contains the original connection timestamp for each connection within.

  • Signed MSI installers are now available for Windows. Note that sensor uninstallation is not possible using the MSI, you will still have to use the `uninstall` command or uninstall locally. See https://doc.limacharlie.io/en/master/deploy_sensor/#windows for instructions on using your Installation Key with them.

  • Linux sample installer has been modified to support Debian and CentOS families.

Sensor Upgrade Staging:

  • It is now possible to test-upgrade specific sensors within an Organization without upgrading the whole Organization. This allows you to specify test machines within the Org to deploy the new sensor versions to. This is done using a "magic" sensor tag latest: https://doc.limacharlie.io/en/master/deploy_sensor/#staging-deployment

General:

  • The SMTP Output now supports a subject parameter to override the Subject line.

  • The NEW_DOCUMENT and FILE_TYPE_ACCESSED specifics are now documented: https://doc.limacharlie.io/en/master/events/#new_document


Thursday, April 16th 2020

Sensor v4.19.0

  • Linux now supports DNS (through static libpcap).

  • Windows fixes issue where some system configs could see a memory leak in kernel related to network connections.

  • Hostname now reported as FQDN when possible.

  • Small performance tweaks.


Saturday, April 11th 2020

Python SDK v3.7.0

Adding a new API to get a timeline of specific IoC types from a sensor.


Wednesday, April 1st 2020

  • New UI for generic Service requests. Uses the service request definitions from external services. Main use case is for the Dumper service at the moment. Will become more fleshed out in the future. https://github.com/refractionPOINT/lc-service

  • Minor cosmetic tweaks.

  • Historic view now displays relevant default events for Chrome sensors.

  • Fixes to historic view in some corner cases with sensors with very little data.

  • Adding process hash to the process view and the network view of the Live page.

  • Sensor network isolation is now a first class feature. New UI elements in sensor detail view and sensor list filters for it.


Sunday, March 29th 2020

Python SDK v3.6.0

Adding CLI accessors for Events and Detections to STDOUT

https://github.com/refractionPOINT/python-limacharlie/#events--detections


Tuesday, March 24th 2020

Persistent Network Isolation

Network isolation currently requires D&R rules in order to make the isolation persistent across reboots.

This is changing. We've streamlined the isolation concept into a first-class API instead of a mix of D&R rules and sensor commands. Managing network isolation will be safer and more intuitive.

The new REST API: https://api.limacharlie.io/static/swagger/#/sensors/get__sid__isolation

The new D&R rule Actions: https://doc.limacharlie.io/en/master/dr/#isolate-network

The Python SDK: https://python-limacharlie.readthedocs.io/en/latest/limacharlie.html#limacharlie.Sensor.Sensor.isolateNetwork

The Web UI will also be updated so you can see, sort and modify the Isolation state of a sensor directly from there. If you want to see a preview before we push it to prod: https://beta.app.limacharlie.io, you will be able to toggle the isolation state in the details panel of a sensor in the sensor list section.

IMPORTANT: Now this new persistent mode can clash with the old way of managing isolation through D&R rules. This means that if you use the segregate_network sensor command as part of a D&R rule, you will likely want to modify those rules to use the new isolate network Action. This new Action sets the isolation mode persistently.

In order to avoid bad surprises, we will be doing the transition gradually. Starting now, you can use the new isolate network and rejoin network Actions as part of your rules. But the persistence on reboot will NOT be enforced so that the current behavior is mostly maintained. Then starting next week, we will enable the enforcement of the persistence on reboot. This means you can now put in place the small D&R rule changes (if you're affected) and not worry about it. Then next week you'll be free to remove the older D&R rules using the segregate_network command.


Sunday, March 15th 2020

Towards Authenticated D&R Rules

At the moment, a user or api key having the permission to create a D&R rule gives complete access to all the Response capabilities in D&R rules, including tasking sensors.

In the next few days and weeks, we will be moving towards enforcing the relevant permissions from the creator of a D&R rules to the Response components of new rules.

This means that in order for a user/api key to create a D&R rule that tasks a sensor in the Response component, that user/api key will require having the sensor.task permission.

This concept will apply to sensor.task, sensor.tag and replicant.task.

This move will only apply to NEW D&R rules, so anything currently in prod will not be affected.

The rollout of this will be progressive in order to make the transition smooth:

  1. Within a few days we will now generate Errors when permissions are missing from a new rule, but the rule will still be created. Within the next few weeks (there will be another announcement) we will eventually turn these Errors into enforcement.

  2. The goal of this transition is to move towards a system that provides greater oversight onto more "active" types of access. This will become more critical as we expand 1st and eventually 3rd party Services.
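The check being introduced is easy to state as code: collect the permissions a rule's Response components need, compare them with what the creating key holds, and either log errors (phase 1) or refuse the rule (phase 2). The following is an added example of that logic, not LimaCharlie's implementation; the response action names (`task`, `add tag`, `remove tag`, `service request`), the rule dict layout and the sample rule are assumptions made for the illustration, while the three permission names come from the announcement above.

```python
# Permission the rule's creator must hold for each kind of response action.
# The action names are assumed for this illustration; the permissions are the
# three named in the announcement.
ACTION_PERMISSION = {
    "task": "sensor.task",
    "add tag": "sensor.tag",
    "remove tag": "sensor.tag",
    "service request": "replicant.task",
}

# Constructed sample rule in a detect/respond layout (assumed shape).
SAMPLE_RULE = {
    "detect": {
        "event": "NEW_PROCESS",
        "op": "ends with",
        "path": "event/FILE_PATH",
        "value": "\\suspicious.exe",
        "case sensitive": False,
    },
    "respond": [
        {"action": "report", "name": "suspicious binary launched"},
        {"action": "task", "command": "os_version"},
        {"action": "add tag", "tag": "investigate", "ttl": 3600},
    ],
}


def required_permissions(rule):
    """Permissions implied by the rule's Response components. Actions that only
    produce output (report) need nothing beyond the right to create rules."""
    return {
        ACTION_PERMISSION[action["action"]]
        for action in rule.get("respond", [])
        if action.get("action") in ACTION_PERMISSION
    }


def check_rule(rule, key_permissions, enforce=False):
    """Return the sorted list of permissions the creating key lacks.
    enforce=False models the first phase (errors logged, rule still created);
    enforce=True models the later phase where creation is refused."""
    missing = sorted(required_permissions(rule) - set(key_permissions))
    if missing and enforce:
        raise PermissionError("rule creation denied, missing: " + ", ".join(missing))
    return missing


if __name__ == "__main__":
    key = ["sensor.tag"]                     # constructed key permissions
    print("phase 1, errors only:", check_rule(SAMPLE_RULE, key))
    try:
        check_rule(SAMPLE_RULE, key, enforce=True)
    except PermissionError as err:
        print("phase 2, enforced:", err)
```

The practical consequence for automation is that the API key used by a provisioning script needs the union of the permissions of every Response action its rules contain, not merely the right to write rules.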


Wednesday, March 11th 2020

Cap on D&R Rule Matches

On very rare occasions we've seen certain D&R rules match abnormally often. Some of those cases resulted in degraded performance of the cluster.

In order to limit the impact of these, we've implemented a new system that will temporarily disable a rule in the affected subset of endpoints at run-time. When this occurs, an error is emitted to the Error log.

The threshold is currently very high (on the order of 500 / minute / backend-service) so it should not have any impact on any normal rules. This is more for awareness.
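A sliding-window cap of this kind is worth having in any rule engine, so here is an added model of the mechanism (not the platform's code). It keeps a per-rule, per-backend window of match timestamps, disables the rule on that backend once the window holds more than the threshold, and records an error; the 500/minute figure is the one stated above, while the cooldown length is an assumption of the example, since the note only says the rule is disabled temporarily.

```python
from collections import defaultdict, deque


class MatchRateGuard:
    """Sliding-window cap on D&R rule matches, modelled on the mechanism
    described above (an added illustration, not the platform's code)."""

    def __init__(self, threshold=500, window=60.0, cooldown=300.0):
        self.threshold = threshold            # matches allowed per window, per backend
        self.window = window                  # seconds
        self.cooldown = cooldown              # seconds the rule stays off (assumption)
        self._hits = defaultdict(deque)       # (rule, backend) -> match timestamps
        self._disabled_until = {}             # (rule, backend) -> re-enable time
        self.errors = []                      # what would go to the Error log

    def observe(self, rule, backend, now):
        """Record one match of `rule` on `backend` at time `now`.
        Returns True if the rule's responses should run, False if the rule is
        (or has just become) disabled on this backend."""
        key = (rule, backend)
        until = self._disabled_until.get(key)
        if until is not None:
            if now < until:
                return False                  # still in cooldown, matches are dropped
            del self._disabled_until[key]     # cooldown over: re-enable with a clean window
            self._hits[key].clear()
        hits = self._hits[key]
        hits.append(now)
        while hits and hits[0] <= now - self.window:
            hits.popleft()                    # forget matches older than the window
        if len(hits) > self.threshold:
            self._disabled_until[key] = now + self.cooldown
            self.errors.append(
                f"rule {rule!r} disabled on {backend}: {len(hits)} matches in "
                f"{self.window:.0f}s exceeds threshold {self.threshold}")
            return False
        return True

    def is_disabled(self, rule, backend, now):
        until = self._disabled_until.get((rule, backend))
        return until is not None and now < until


if __name__ == "__main__":
    guard = MatchRateGuard(threshold=5, window=60, cooldown=120)   # low numbers for the demo
    for t in range(8):
        print(t, guard.observe("noisy-rule", "backend-1", now=t))
    print(guard.errors)
```

Note that the cap is per backend service, so a rule that is only noisy on one slice of the fleet keeps running everywhere else, which is also why the error log, rather than the rule list, is where a disabled rule shows up.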

Python SDK 3.4.0

Added Manager.getApiKeys(), Manager.addApiKey() and Manager.removeApiKey(). This functionality is also available through the REST interface: https://api.limacharlie.io/static/swagger/#/api_keys


Tuesday, March 10th 2020

Python SDK v3.3.0

  • Adds accessors for jobs from Services:

https://github.com/refractionPOINT/python-limacharlie/blob/master/limacharlie/Manager.py#L910 https://github.com/refractionPOINT/python-limacharlie/blob/master/limacharlie/Jobs.py

Sensor v4.18.7

  • Log uploads have built-in retries in the agent.

  • Fixing case that would cause the sensor to restart.

  • Windows signing certificate has changed (3 year renewal). No effect unless you specifically whitelisted the cert.

  • CODE_IDENTITY hashes are now entirely gathered from the kernel which should help cases where another piece of software enforces no-sharing of file handles.

  • EXISTING_PROCESS generation fixed when pre-existing state has cycles in parent-child relationships.

This release fixes stability issues and is recommended. Note that with this release, we are moving v4.18.6 to the Stable sensor branch. v4.18.7 is now Latest.

Also, on top of changes above:

  • Fixed an issue where some Windows processes leaking process handles would not be detected as "terminated". This had implications on memory and stateful detection over time.


Monday, March 9th 2020

LimaCharlie Chrome Sensor v1.1.0

(pending Chrome Web Store review) The new Chrome sensor version should be available soon. It will include:

  • history_dump parameter support, like selecting specific event type or atom.

  • Exfil Watch rule support, so you can create watch rules for specific patterns in events to send to the cloud.

  • 3 new events: BROWSER_REQUEST_CONTEXT is a root event for all activity related to a specific request in the browser. HTTP_REQUEST_HEADERS contains the list of all headers sent in the request. HTTP_RESPONSE_HEADERS contains the list of all headers in the response to a request.

The _HEADERS events are not sent to the cloud by default, but you can get them by using history_dump for a specific atom (or event type) or creating a watch rule looking for a specific content pattern. The screenshot shows the relationship between all these events.


Friday, March 6th 2020

The package names (and IDs for Chrome) from the os_packages command now get indexed for IoC searches.


Tuesday, February 25th 2020

lc-service v1.6.0:


Wednesday, February 19th 2020

Sensor v4.18.6

  • Fixes a long standing stability issue on all platforms.


Friday, February 7th 2020

Sensor v4.18.5

  • Single change to MacOS sensor. Fixing compatibility issue with FUSE filesystems.


Tuesday, February 4th 2020

Sensor v4.18.4

  • Fixes to MacOS kernel acquisition of Processes and File IO.

  • General stability fixes.


Tuesday, January 28th 2020

Python SDK v3.2.1 (and REST API)

Note that the dataset for the IP query described above has only been created a few weeks back, so older queries may not return anything.


Sunday, January 26th 2020

Python SDK v3.2.0

Completes the move towards a single CLI interface by moving the limacharlie-upload to limacharlie logs upload. A limacharlie logs get_original CLI was also added to download original logs.


Saturday, January 25th 2020

Additional API Key Flairs

We've introduced 3 new API Key Flairs:

  • [segment] isolates what a key's user can see to whatever is created by that key.

  • [secret] allows resource names created by the key to be seen by others, but not the content of the resources.

  • [root] an escape-hatch that allows the user of the key to override any resources created by any other keys even if these had [lock].

See the doc: https://doc.limacharlie.io/en/master/api_keys/#flair


Friday, January 17th 2020

Whitelabel Configurations

If you do not make use of a whitelabel, you can ignore this.

The whitelabel system now supports a new configuration to hide more "management" parts of the UI from all users except specific domains. So for example if your whitelabel is for your company "SecCo", you can specify that all users who are NOT @secco.com will not be able to see the Groups UI, the Create Org button, the Personal Add-on UI and the User Profile.

This is something useful if you want to provide a leaner experience to your users through your white label.

If this is something you want, get in touch and we will deploy the change to your whitelabel.


Thursday, January 16th 2020

Python SDK v3.0.0

This is a major release specifically because it breaks the existing CLI interface. The SDK itself remains compatible.

Many modules previously instantiated through dedicated CLI interfaces like limacharlie-search or through the Python module like python -m limacharlie.Sync have been moved into a single proper CLI tool like:

  • limacharlie search ...

  • limacharlie sync ...

  • etc

As reflected in the README: https://github.com/refractionPOINT/python-limacharlie/#sync-1

This should provide a better experience when using the CLI. The modules moved are:

  • dr to manage D&R rules

  • search to search for IoCs across organizations

  • replay to run Replay jobs

  • sync to export/import entire Organization configs

Web UI v2.19.1

  • Removed the "limacharlie" reference from a few spots in whitelabels.

  • Moved some subsections behind permission walls: interaction with services like exfil, responder etc now require the replicant.task permission. Sensor Downloads requires the ikey.list permission. This helps effectively hide complexity away from users with limited permission sets.


Monday, January 13th 2020

Sensor v4.18.3

  • More aggressive new process processing, results in better data accuracy.

  • Fixes to run-time memory validation resulting in more stable sensor.

  • Fixes to Docker deployment modes, specifically network namespace tracking. Fixes performance in Linux when namespaces are not used. See doc for new NET_NS environment variable usage: https://doc.limacharlie.io/en/master/deploy_sensor/#container-clusters

  • Adding OriginalFileName to CODE_IDENTITY events on Windows. Adds support for some new Sigma rules as well.


Saturday, January 11th 2020

Web UI v2.19.0

API Key Flair Support

A new feature is available on all datacenters. This feature allows you to specify some characteristics relating to new API Keys. Currently two Flairs are supported:

  • [bulk] modifies the API quota applied to the key to be higher

  • [lock] locks resources created with the API key so that they may only be modified by the same key.

More details: https://doc.limacharlie.io/en/master/api_keys/#flair


Wednesday, December 25th 2020

Deprecation: --is-not-compiled flag for yara_ commands.

As part of the overhaul of some of our Yara capabilities, we will be deprecating this flag in the next week. Its functionality will become the default behavior.

If you are using the Yara related capabilities through the Yara service, this will have no impact. You may be impacted only if you issue those commands yourself in an automated manner.

In essence, you will no longer be able to run pre-compiled Yara rules through LC; only "normal" rules (text) will be supported. This becomes more important as we add more platforms and architectures, since compiled Yara rules are not cross-platform.

As usual, let us know if you have any concerns.


Tuesday, December 24th 2020

Sensor v4.18.2

  • Adding TCP connection state to connections on MacOS

  • Fixing issue with ad-hoc Yara scans.


Tuesday, December 17th 2020

API Change: /org/{oid} (https://api.limacharlie.io/static/swagger/#/orgs/get_orgs__oid_)

As we grow, we're encountering extra-large organizations, which makes certain APIs less relevant than before. We've begun onboarding organizations which make use of container-clusters and create a lot of churn in sensors. This means the n_sensors value returned by this API is less relevant, and in some cases very expensive to compute. As far as we know, no-one is actively making use of this parameter. If you are, please let us know so we can work out an appropriate alternative. Otherwise our plan is to deprecate this value returned by the API.

Python SDK 2.19.2

The Manager.sensors() API call is now easier to use for larger organizations. Pagination used to be done manually, but this function now returns a generator instead. This means doing a for sensor in manager.sensors(): will now iterate over ALL sensors as is the expectation.


Sunday, December 16 2019

Python SDK v2.19.0

  • Adding option to CLI to upload External Logs with a given N days of retention.

  • Adding an API call to the Manager object to get all sensors with a given tag.

Web UI v2.18.1

  • Adding a checkbox to "only display online sensors" in the sensor list.


Friday, December 13 2019

Sensor v4.18.1

  • Enhanced performance.

  • Bug fix where some process terminations were being lost. Could lead to CPU usage creep.


Thursday, December 12th 2019

Sensor v4.18.0

  • Support for day-granularity for external log ingestion. Will be enabled in the Web App shortly.

  • Added support for container clusters mode using a privileged container and the host file-system mount. More on this later.

  • Better support for TCPv6 and UDPv6 on Linux.

  • More timely VOLUME_MOUNT notifications.

  • Additional installer logging.

  • Drive type now included in VOLUME_MOUNT on Windows.


Friday, December 6th 2019

Variables in D&R rules

A new capability part of D&R rules has been rolled out to all clusters.

https://doc.limacharlie.io/en/master/dr/#variables

It allows you to track simple state per sensor/boot and use it as part of rules. The documentation above contains an example of rules to detect physical attacks from removable media (rubber ducky attack).


Wednesday, December 4th 2019

Changes to billing for External Logs

Starting today, we will be beginning to transition the way we do billing for External Logs.

TLDR; your bill for External Logs will go down in the short term and will be more granular in the long term.

At the moment, we bill a flat price based on usage at ingestion time that includes a full year of retention. This model has begun to show its limitations as we introduce more data formats to External Logs that are more geared towards forensics (like memory dumps) and are large in nature.

The transition begins with moving the billing to be per bytes-day, adding the concept of retention period to the billing. This means the billing code will change to LC-LOG-BYTES-DAY. The side-effect is that the number of bytes that show up in the billing will become much bigger (365 times bigger), but the associated price will actually be going down to about $1.04 per GB for the one year of retention.

The second phase of the transition will come shortly after where we will introduce the optional number of days of retention requested at ingestion time. This will allow you to, for example, ingest a large memory dump file with a retention of 7 days and you will be billed only for those 7 days.

The new pricing will be of $0.01 per 3.5GB-day and billing will have a granularity of 1 day. Billing will still be performed at ingestion time and be part of your monthly invoice.


Sunday, December 1st 2019

Sensor v4.17.4

  • Fixing event ordering in queue flush when a sensor loses connection.

  • Fixing issue where file IO renaming had an invalid timestamp on sensor.

  • Enhancements to event relationship tracking in sensor.

  • Enhancements to sensor internal security mechanisms.


Sunday, November 24th 2019

Web UI v2.17.0

  • Adding support for downloading very large External Logs (like full memory dumps). Download is triggered asynchronously.

  • Small fixes.


Friday, November 22nd 2019

Python SDK Tweak

The Insight API to access detections and to access events has been extended to support pagination through the use of a "cursor" parameter.

The Python SDK version 2.18.8 now makes use of this feature. To leverage it to its full potential (streaming large numbers of detections/events), the two relevant APIs now return generators and not lists.

In most cases (iterating through the results) this will have no impact whatsoever.

If however you are specifically doing something that expects a list (like len(results)), you will want to unwind the results first: results = list(results).

For more details see the commit: https://github.com/refractionPOINT/python-limacharlie/commit/2c4af79c49a183b8eb14e1920638e0064947afd5

The affected functions are: .getHistoricDetections() and .getHistoricEvents().
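Both this change and the Manager.sensors() change noted under Python SDK 2.19.2 above replace a list with a generator that follows a server-side cursor. The following added example (not the python-limacharlie code) shows the pattern with a constructed stand-in for a paginated endpoint: iterating streams pages lazily and can stop early, while `len()` needs the explicit `list(...)` unwind the note above describes. The endpoint, its cursor format and the sample detections are all constructed for the illustration.

```python
# Constructed stand-in for a paginated "historic detections" endpoint: seven
# detections served three per page, the opaque cursor being a string offset.
_DETECTIONS = [{"detect_id": f"det-{i}", "cat": "sample-category"} for i in range(7)]


def fetch_detections_page(cursor=None, limit=3):
    """Stand-in for one REST call; returns (items, next_cursor or None)."""
    start = 0 if cursor is None else int(cursor)
    page = _DETECTIONS[start:start + limit]
    next_cursor = str(start + limit) if start + limit < len(_DETECTIONS) else None
    return page, next_cursor


class CountingFetcher:
    """Wraps a page fetcher and counts calls, to show how many pages were really pulled."""

    def __init__(self, fetch_page):
        self._fetch_page = fetch_page
        self.calls = 0

    def __call__(self, cursor=None):
        self.calls += 1
        return self._fetch_page(cursor=cursor)


def iter_all(fetch_page):
    """Generator that follows the cursor until the backend stops returning one.
    Nothing is materialised unless the caller asks for it."""
    cursor = None
    while True:
        items, cursor = fetch_page(cursor=cursor)
        for item in items:
            yield item
        if cursor is None:
            return


def first_matching(fetch_page, predicate):
    """Streaming use: stop after the first hit instead of fetching every page."""
    for item in iter_all(fetch_page):
        if predicate(item):
            return item
    return None


def count_all(fetch_page):
    """List-style use: unwind the generator when a length is really needed."""
    return len(list(iter_all(fetch_page)))


if __name__ == "__main__":
    counted = CountingFetcher(fetch_detections_page)
    print("total:", count_all(counted), "pages fetched:", counted.calls)
    counted = CountingFetcher(fetch_detections_page)
    print("first:", first_matching(counted, lambda d: d["detect_id"] == "det-1"),
          "pages fetched:", counted.calls)
```

The difference in pages fetched between the two calls is the whole point of returning a generator: code that only needs the first hit, or that processes results as they arrive, never pays for the rest of the dataset.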

"log" Stream

This weekend, we will be deploying the new Output "log" stream that will include "ingest" events from file ingested through the External Logs mechanism. This will allow you to get notifications on file ingestion. You may then use the log_id field to retrieve the original or parsed version of the log if you need to.

These events look like:

{
  "event": {
    "original_md5": "56d0caf4127106cfd7c5398a37807180",
    "original_path": "/var/log/syslog.1",
    "size": 1469109,
    "source": "1c00a331-4fc2-43bd-8282-8641e0124cfe"
  },
  "routing": {
    "event_time": 1574443133000,
    "event_type": "ingest",
    "log_id": "0472dfd8-fbce-461c-ae71-c5d28fbdcfe9",
    "log_type": "txt",
    "oid": "c82e5c18-d519-4ef5-b4cc-c454a95d31ca"
  }
}

During the weekend we will also be deploying a new higher-reliability Sensor Directory service. This service is responsible for showing you which sensors are online and routing the sensor tasking properly. The update should take a few minutes and during those few minutes sensors may be showing offline and taskings may not get delivered properly.


Thursday, November 21st 2019

Web UI v2.16.0

  • Refactor of the Detections and External Log sections to be paginated and generally better / easier to use. This is an ongoing refactor as we want to make those sections more operational by introducing things like searching, filtering etc.

  • Re-worded the Sensor Download version management section to better reflect that there is a "latest" version track, and a "stable" version track.

  • Added a new Output Stream for deployment events. This allows you to Output these meta-events like the other streams. We will also introduce in the near future a log Stream to get notifications of new External Log files being processed.

  • Added an option to the Yara Service to create new Source from a Yara rule specified literally in the Web UI.

Yara Scanning in External Logs

The "External Logs" already supports D&R rules, but we're now adding a new operator called yara that can only apply to target: log. It allows you to perform Yara scans in the cloud on those files based on Yara Sources from the Yara Service. Being a D&R operator, it also means you can use it as part of more complex rules.

Adjacent to this, the External Logs also now supports a pe type. It's for Portable Executables (Windows). The parsed version of this format extracts a lot of information from the PE headers into JSON, which you can use to build D&R rules for things like specific imports etc.

https://doc.limacharlie.io/en/master/dr/#yara


Saturday, November 16th 2019

Replicant -> Service

This is just a friendly update regarding our re-naming of the old Replicant naming system towards Services. You may notice in the next few days / weeks that various APIs and SDKs start referring to Services instead of Replicants. In all cases, we will maintain legacy "aliases" using the term replicant so that existing code / integrations keep working, but we do encourage you to use "service" going forward. You may still see "replicant" in some error messages here and there as the term is still used internally, but we believe the change in name makes their purpose clearer to new users.


Monday, November 11th 2019

Data Fetching

This is a high level announcement that touches on multiple systems. Many services in LC require the user to specify a location where LC should go and fetch some data. For example:

  • Lookup Resources / Addons: where the lookup's content can be fetched, like an HTTPS URL.

  • Yara Service: where a Yara signature source can be found, like a Github repo.

We've begun unifying this set of capabilities using what we call Authenticated Resource Locators (ARL): https://doc.limacharlie.io/en/master/arl/

This is a simple format that allows you to specify a location, protocol AND authentication method + creds to use to fetch data. This new format will begin popping up in multiple services and will be the standard for the foreseeable future. Since it is a super-set of the previous capabilities, the other formats will begin being deprecated. This brings in some immediate wins:

  • Resources can now be fetched from authenticated locations and APIs.

  • Yara rules can now be fetched from private Github repositories using Access Tokens.

The new ARL method also brings in automated archive expansion. So if you point to a tarball or a zip file, the contents will be expanded and used instead of the archive itself.

If you encounter any issues, or any scenarios that worked previously but not anymore, let us know. Conversely, if you would like some access protocols (FTP for example) or authentication methods to be added to ARLs, it will also be our pleasure.

Lookup Formats

In addition to the above change of using ARLs, LC now understands the MISP JSON format. If you create a Lookup pointing to MISP JSON, the format will be parsed and the lookup will associate the MISP IDs as the Attribute metadata. For example the ARL: [https,osint.digitalside.it/Threat-Intel/digitalside-misp-feed/5d74d8a4-641c-441a-9cef-592dc0a8018c.json]

In combination with authentication in ARLs, you should be able to fetch MISP feeds directly from your instances using the REST API. LC similarly supports the JSON OTX Pulse format from AlienVault.
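The two pieces above, the ARL syntax from the Data Fetching note and the MISP JSON lookup from this note, as one added example that is not LimaCharlie's own code. It assumes the ARL layout is [method,destination] or [method,destination,authType,authData] (the two-field form appears in the note; the four-field form and its field order are an assumption matching the "protocol AND authentication method + creds" description), and it uses a constructed MISP event in the standard MISP export layout (an "Event" carrying an "Attribute" list). Which attribute fields LimaCharlie keeps as metadata is not shown on the page; the example keeps the MISP event id and the attribute id and uuid.

```python
"""Parse an Authenticated Resource Locator (ARL) and turn a MISP JSON event
into a lookup table keyed by indicator value.

Added example, not LimaCharlie's own code. Assumptions: ARL layout is
[method,destination] or [method,destination,authType,authData]; the MISP
document is a constructed sample in the standard MISP event export layout.
"""
import json
from typing import Dict, Optional


def parse_arl(arl: str) -> Dict[str, Optional[str]]:
    """Split "[https,host/path]" or "[github,org/repo,token,SECRET]" into parts."""
    text = arl.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("ARL must be enclosed in square brackets")
    # maxsplit=3 keeps any commas inside the credential field intact
    fields = [f.strip() for f in text[1:-1].split(",", 3)]
    if len(fields) not in (2, 4):
        raise ValueError("expected [method,dest] or [method,dest,authType,authData]")
    auth_type, auth_data = (fields[2], fields[3]) if len(fields) == 4 else (None, None)
    return {"method": fields[0], "dest": fields[1],
            "auth_type": auth_type, "auth_data": auth_data}


# Constructed MISP event; values are documentation/test-reserved, not real IoCs.
SAMPLE_MISP_JSON = json.dumps({
    "Event": {
        "id": "1234",
        "uuid": "00000000-0000-4000-8000-000000000001",
        "info": "constructed sample feed",
        "Attribute": [
            {"id": "1", "uuid": "00000000-0000-4000-8000-00000000000a",
             "type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.7", "to_ids": True},
            {"id": "2", "uuid": "00000000-0000-4000-8000-00000000000b",
             "type": "domain", "category": "Network activity",
             "value": "example.invalid", "to_ids": True},
            {"id": "3", "uuid": "00000000-0000-4000-8000-00000000000c",
             "type": "md5", "category": "Payload delivery",
             "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
            {"id": "4", "uuid": "00000000-0000-4000-8000-00000000000d",
             "type": "comment", "category": "Other",
             "value": "analyst note, not an indicator", "to_ids": False},
        ],
    }
})


def misp_to_lookup(feed_json: str, ids_only: bool = True) -> Dict[str, Dict[str, str]]:
    """Key the lookup by indicator value; metadata carries the MISP ids.

    to_ids is MISP's own flag for "usable for detection"; attributes without
    it (comments, context) are skipped unless ids_only=False.
    """
    event = json.loads(feed_json)["Event"]
    lookup: Dict[str, Dict[str, str]] = {}
    for attr in event.get("Attribute", []):
        if ids_only and not attr.get("to_ids", False):
            continue
        lookup[attr["value"]] = {
            "misp_event_id": event["id"],
            "misp_attribute_id": attr["id"],
            "misp_attribute_uuid": attr["uuid"],
            "type": attr["type"],
            "category": attr["category"],
        }
    return lookup
```

Skipping attributes whose to_ids flag is false matters in practice: MISP events routinely carry comments and context values that would otherwise become "indicators" and generate noise when matched against traffic.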


Tuesday, November 5th 2019

It seems v4.17.2 fails to load on some Windows systems, likely due to a binary dependency introduced. We are investigating but will revert the Latest version to the previous version in the meantime. The dependency has been fixed and we're rolling it out as v4.17.3.


Monday, November 4th 2019

Sensor v4.17.2

  • Small stability fixes.

Removal of old Add-ons

This should not affect anyone. We are removing the old Add-ons called "dr" and "tasking" since they have not been actively used in the backend in a long time. They used to be a control method for those features, but the new RBAC has made them irrelevant.


Wednesday, October 30th 2019

Pricing Adjustment

Over the past year and a half the set of capabilities LimaCharlie is delivering has increased drastically, but through all this time our pricing has stayed the same. This has changed the value provided by LimaCharlie a lot, and it has also changed our costs. Obviously we want to keep increasing the value LimaCharlie provides, and to be able to do that we'll need to adjust our pricing to go along. Our intent is therefore to increase the pricing of the base sensor from $0.5 to $0.7 per endpoint per month. This will ensure we can keep growing the platform, adding features and generally making things better. This new pricing will be in effect starting December 1st 2019. If you have questions, thoughts or concerns please get in touch, we always appreciate the feedback. Thanks for your support.


Tuesday, October 29th 2019

Sensor v4.17.1

  • Additional hardening of the runtime.

  • Fixes a rare race condition on sensor upgrade that could result in sensor not responding for a long time.

  • Fixes to File Tracking to fix some gaps where some file IO could be missed.

  • Better issue reporting to help us troubleshoot issues.

Major

  • The NETWORK_SUMMARY event has been replaced with a new event called NETWORK_CONNECTIONS.

  • The new NETWORK_CONNECTIONS has a similar structure to the SUMMARY, but it now reports ALL network connections in a slightly-batched mode. This means you now will get full net flow data from a single event.

  • Before or after upgrading, you will want to go tweak your D&R rules that referred to the SUMMARY event. The new structure is slightly flatter and can be seen here: https://doc.limacharlie.io/en/master/events/#network_connections


Monday, October 28th 2019

Sigma Support

It's official, the LimaCharlie D&R rules target has been merged into mainline Sigma: https://github.com/Neo23x0/sigma

A dump of the pre-generated community rules is also available in our /rules repo: https://github.com/refractionPOINT/rules/tree/master/Sigma


Thursday, October 24th 2019

Cutting Edge Feeds being removed.

The Add-ons currently have two lc-cutting-edge- feeds available. As we move forward with more "managed" options for feeds, rules and services on LimaCharlie, both internal and through partners, we will be removing those feeds from public access. They will be back in the near future in a managed format (not requiring D&R rules to be built on them).

This will go into effect today. If you are using them, the only impact is that you will see errors in the organization about not having access anymore, but nothing else will be impacted.


Wednesday, October 23rd 2019

The Chrome Sensor is now available on the Chrome Web Store: https://chrome.google.com/webstore/detail/limacharlie-sensor/ljdgkaegafdgakkjekimaehhneieecki


Tuesday, October 22nd 2019

Old output.limacharlie.io

We will shortly be decommissioning the old HTTP streaming service, which has been replaced by stream.limacharlie.io.

This method was deprecated mid-September. It was used by the Web App and SDKs. As long as you have reloaded the web app since then and updated the SDK, there should not be any effect. The Web App and SDKs were updated in mid-September and the change was transparent.


Thursday, October 17th 2019

Web UI v2.14.0

We're about to release a Chrome(OS) sensor. You will begin seeing references to it in the web UI. An official announcement is coming, but it will support HTTP request events, DNS events, network isolation etc.


Wednesday, October 7th 2019

Minor update:

We're migrating the D&R rules String Distance operator from using Levenshtein Distance to using Damerau-Levenshtein Distance. This will bring the behavior closer to the usually expected behavior around string distance. The change will be transparent and no rules need updating.


Monday, October 7th 2019

Sensor v4.16.3

  • Performance mode can be managed through Web UI

  • Multiple stability and hardening fixes.


Wednesday, October 2nd 2019

Web UI v2.13.0

  • Many fixes

  • Addition of False Positive Rules (http://doc.limacharlie.io/en/master/dr/#false-positive-rules), add them from the D&R page or through quick-add on the Detections page.

  • Adding Performance Mode Rules. Accessible through the Exfil page, set the performance mode automatically without D&R rules.


Friday, September 20th 2019

  • Detection & Response Rule Validation: In an effort to help people learn D&R rules more easily, we are introducing a more thorough validation of the rules. Prior to this, we did not warn on unexpected extraneous parameters in a rule. Starting this weekend, we will be deploying better validation. This will NOT apply to existing rules; they will keep running fine. But when trying to push a new rule or an update to an existing one, you may get validation errors if there is an issue.

Web UI v2.12.4

  • Adding support for Microsoft Auth to log in to the web interface (like Google Auth).

  • Various bug fixes.

Sensor v4.16.2

  • Adding support for Yara scanning a directory and its subdirectories.

  • Adding an active keepalive mechanism. This will help make the stateful detections and general "online" presence of sensors more reliable.


Thursday, September 19th 2019

Python SDK v2.18.5

  • === Possibly Important note for compatibility === This patch, to be released later today on pip, fixes a bug in the Manager.replicantRequest() call. The isSynchronous parameter behaved inverted. This patch fixes the name of the parameter and its doc. It's not a major change, but if you issue Replicant requests manually in the SDK you may want to verify your use.


Friday, September 13th 2019

Sensor v4.16.1

  • The latest sensor version on Windows did not properly associate the DNS request Process with an ID. This patch version fixes it. It's the only change.


Thursday, September 12th 2019

Deprecation of output.limacharlie.io and Python SDK prior to 2.18.0

The old HTTP streaming API will be deprecated within a week or two.

If you are using it directly, you can switch to the new API (https://doc.limacharlie.io/en/master/outputs/#http-streaming) which is very similar but should be more resilient and more performant. If you are using the Python SDK, please update to the latest version; the Spout functionality (relying on the HTTP streaming API) has been moved to the new API (stream.limacharlie.io) transparently.


Monday, September 9th 2019

Sensor v4.16.0

  • Alternate Data Streams (ADS) are now listed inline in the dir_list results on Windows.

  • The mem_read command now supports dumping the memory to a local file. This can be used in combination with the log_get command to support getting large memory dumps. Small memory leak fixed.

Web UI v2.12.0

  • Toggle in User Profile to remove the chat widget.

  • Clicking historical view link from Search page should now highlight the relevant event more reliably.

  • New streaming API is used by web UI and SDKs to get real-time access to sensors. Change is transparent but no longer requires access to high-ports, all is now streamed over a single HTTPS 443 connection.

  • Display pricing information in the Billing page for upcoming usage-based billing of some services.

  • Added Replay rule eval limit parameter (to avoid billing surprises if a Replay job is very expensive).

  • External Logs now display unknown data as a HexDump.

  • External Logs now display logs paginated resulting in much better performance.

  • Added support for Windows Prefetch files to External Logs, they get converted to JSON, so you can visualize and build DR rules on them.

  • Small fixes.


Sunday, September 1st 2019

Sensor v4.15.0

  • New Pipe related events on Windows: NEW_NAMED_PIPE and OPEN_NAMED_PIPE similar to Sysmon events.

  • The log_get and file_get commands can now read files exclusively locked by other processes on Windows (requires kernel presence), like IE History files.

  • Custom Payload support. Upload custom executables to LC and launch them through the agent on a host, get the STDOUT and STDERR back. Uses new payload.use and payload.ctrl permissions.

  • Shell command support. An extension of the Payload support, execute a command through the default shell and get the STDOUT and STDERR back. Uses new payload.use permission.

  • Better crash handling, more likely to report detailed logs for review.

Python SDK v2.17.0

  • Payload management support.

  • Added support for limits on number of event evaluated and rule evaluation.

  • Added a new call to just validate a DR rule without running it.

  • Removed the limacharlie init CLI function to initialize a new organization's config files.


Wednesday, August 28th 2019

Normalized Billing: we now offer to automatically normalize the billing email used for organizations. Any new Organization created on LC by someone from your corporate domain will automatically have the billing email address set to a corporate standard address (often the finance dept) of your choosing. If this is something you would like, drop us a line. Also note that Stripe Invoices will now have the Organization Name the Invoice is about in the header.

Monday, August 19th 2019

Web UI v2.10.2

  • Various UI tweaks

  • Added permissions for upcoming payload execution service.

  • Added optional parameters start= and end= to the Historical view to set hard start and end timestamps to visualize. Useful for edge cases where a single sensor produces a ton of data and it’s too much for a 30m time window.

  • Support for new large log upload feature.


Sunday, August 18 2019

Sensor v4.14.3

  • Large log upload support. Logs ingested can now be up to 4GB.

Python SDK v2.16.2

  • Support for large log uploads.


Tuesday, August 13th 2019

Web UI v2.10.0

  • New support and download links for the Linux Alpine compatible sensor.

  • Large refactor of all Replicants into first-class Services in the Organization page.

  • Large refactor of Incidents (in the Warroom) into more generic Jobs in the Org Dashboard.

  • Enable those Services directly from their panel on top of the Add-ons section.

  • Historical view’s Cascading Event Selector now supports an @ element to filter the events on the parent + children tree of a specific atom. Can be combined with the Download button to download all events within a specific process tree.

  • Many small visual tweaks.

  • Added visual indication if a sensor has Kernel data supported in the Sensor List.


Monday, August 12th 2019

Replicants and Incidents Changes

This change will occur within the next few days:

After feedback from users, and seeing how much the platform is expanding, we’ve decided to re-factor the way you interface with Replicants. All Replicants (and the Warroom page) have been morphed into proper sections of your Organization’s menu.

We think this will make interaction with various more advanced features of LC more intuitive and will normalize interactions across all those features. Obviously this is a work in progress and we look forward to your feedback.

For example, managing File Integrity Monitoring will no longer require you to go into the Warroom, find the Integrity Replicant and interact with it. Instead there will now be a “File/Reg Integrity” menu in the Organization page view that will bring you directly to those features.

Incidents, which previously appeared as a result of interactions with some Replicants in the Warroom section will also transform. We’ve made them generic and renamed them to Jobs. They will now appear in the Dashboard section of your Organization’s UI.

Although the new Jobs are very similar in content to the old Incidents, they will not be backwards-compatible. This means that as we switch to the new UI, you will lose access to the old Incidents (not Detections) from your Replicants. If you need to keep a copy, we suggest you do so now before the move. Given Replicants and Incidents were generally not heavily used we don’t expect this to have a high impact, but if you have any issues please let us know.


Wednesday, August 7th 2019

Sensor v4.14.2

  • Added internal mechanism for performing a backoff, this will be used for more reliable transmission with the cloud.

  • Added an internal event to report when the sensor drops events (after a long disconnection from the cloud).

  • Added a new Linux “architecture”: Alpine. The sensor is available at https://app.limacharlie.io/get/linux/alpine64 and proper display of this new architecture will be deployed in the upcoming web app version. This sensor architecture will allow you to run the LimaCharlie sensor within Alpine Linux containers. We will have an upcoming blog article on the topic.


Saturday, August 4th 2019

Python SDK v2.16.0

  • Support for new Sensor Quota, Resources, Users and User Permissions API endpoints.

  • Support for the above API endpoints in Sync.


Wednesday, July 31st 2019

Python SDK v2.15.1

  • New --trace option to the Replay CLI, as well as support for trace: true in the Replay REST API. If you specify it, it will return an additional traces field that specifies each operation as it was evaluated and the success or failure of the operation. This should help you figure out exactly where errors occur when developing a new rule.



Tuesday, July 30th 2019

Python SDK v2.15.0

  • Added support for Exfil Replicant config to the Sync module.

  • Fixed small bugs with Sync including Python 3 compat.

Monday, July 29th 2019

Web UI v2.9.0

  • Enable the new Exfil Replicant. Manages which events are sent to the cloud automatically. This means DR rules doing exfil_add are not necessary anymore. You need to enable this Replicant and interact with it in the Warroom section. This includes a new Watchlist capability that allows you to specify certain event patterns when you want a matching event sent back to the cloud in real-time even if not in the list of “default” events.

  • Many many fixes.

  • New 100% width design for org pages. Should be more usable.

  • Listing domains relevant to an organization in the Sensor Download section. This allows you to know which domain the agent uses to talk to the cloud so you can whitelist it.

Sensor v4.14.1

  • Adds support for Exfil control via the Replicant (as mentioned above), including the new Watch list.

  • Windows network isolation now correctly terminates existing connections when enabled.

  • Better Windows kernel component unloading resulting in more timely sensor upgrades.

  • Fixes a bug with unicode handling in certain cases on Windows.

Note: the new exfil watch list currently only supports filtering based on strings, not integers. This support will be added at a later date.

Backend Capability Update:

The new DR rules for Logs are now available. Using target: log in a DR rule, you can now describe detections to be applied to logs as they are ingested. You can read about it here: https://doc.limacharlie.io/en/master/dr/#targets

Python SDK v2.14.4

  • Small fixes for Python 3

  • Add support for Exfil Replicant


Monday, July 22nd 2019

Web App v2.8.0

  • Adding Organization Groups, they allow you to control RBAC across several organizations and users through one entity.

  • Small visual tweaks.

  • Cleaner handling/hiding of some UI elements when required permissions are not present.


Monday, July 5th 2019

Sensor v4.13.3

  • Windows performance enhancement. Should solve some high CPU/Mem usage on some hosts running software generating very high volumes of thread injections and process creation.


Friday, June 21st 2019

Sensor v4.13.2

  • Further fixes to reliability of OSX kernel acquisition of network connections. If you are running v4.13.1, it is recommended that you update.


Thursday, June 20th 2019

Sensor v4.13.1

  • Fixes to OSX kernel acquisition of network connections.


Wednesday, June 19th 2019

Sensor v4.13.0

  • New event on network connection termination.

  • Adding partial read capability to the file_get command.

Web UI v2.7.9

  • Small quality of life fixes.

Python SDK v2.13.0

  • Small fix to Sync (Infrastructure as Code)

  • Adding support for Logging and Integrity Replicants in the Sync functionality.


Tuesday, June 18th 2019

Web UI v2.7.8

  • Enhanced Data Visualization interface and General Availability.

  • Support a URL parameter of ?session_type=LOCAL to enable persistent login of the current session.

  • Small UI tweak


Thursday, June 13th 2019

Web UI v2.7.0

  • Moved live web-based chat to different provider.

  • Various fixes.

  • Better file vs domain detection in organization dashboard search box.

  • New prevalence visualization page, private beta for the moment, will be in General Availability shortly.


Wednesday, June 5th 2019

Sensor v4.12.2

  • Fix to kernel-sourced events on hosts where time is wrong.

  • Small fix to component unloads.

  • Enhanced kernel component upgrade mechanism.


Thursday, May 30th 2019

Sensor v4.12.1

  • Required for compatibility with MacOS 10.14.5 and up. Introduces a new config file on disk named hcp_hbs.

  • Dedupes memory strings on the sensor before reporting to the cloud.

  • Enables FIM on Linux. It has some caveats, see http://doc.limacharlie.io/en/develop/replicants/#linux

  • Introduces ground-work for more reliable messaging in upcoming versions.

  • Adds support for setting Installation Key via an environment variable on Linux, this will be rolled out in the public installers shortly.


Friday, May 24th 2019

Web UI v2.6.1

  • Logging Replicant now supports setting up file/directory paths to watch for changes and ingest on change. For example on Linux, setting /var/log/syslog.1 to get general syslog content once a day.

  • Many various fixes.

  • The Detections page now loads a dynamic amount of content: 7 days by default, but it goes down to 1h if there are too many detections.


Thursday, May 16th 2019

Web UI v2.6.0

  • Adding Replay Replicant. Allows you to run Replay jobs from the UI in a managed way instead of the CLI/SDK.

  • Fixed bug where clicking in the Text Area for D&R rules force-recentered the page.


Monday, May 13th 2019

Web UI v2.5.0

  • Tons of tweaks and small fixes.

  • Introducing User API Keys:

  • Available from the User Profile section (top left menu).

  • Produce a key similarly to the Org API Keys.

  • These keys can be provided to the jwt REST endpoint to get a JWT for the REST API. But instead of providing an oid, you provide the UID in the uid parameter.

  • The JWT produced represents ALL org+permissions accesses you have as a user on LimaCharlie. This means the JWT can be used to issue API calls to multiple organizations. The token mirrors the various User permissions you have across your organizations.

  • This makes this User API Key very powerful. Unless you have specific scenarios where you require it, we recommend you stick to Org API Keys. If you have questions or want to discuss don’t hesitate to get in touch.

  • Enabling the External Logs feature in beta. This is recommended to be used with the new Logging Replicant subscription, or using the new Ingestion Keys available in the REST API section of your organization. More details to come.

  • Usage Overview is now available in the Billing section (at the bottom). It provides some metrics around your usage of LimaCharlie.


Sunday, May 5th 2019

Sensor v4.11.0

  • Linux sensor now reports detailed version information in os_version.

  • Better atom linkage between some stateful events like SENSITIVE_PROCESS_ACCESS and REMOTE_PROCESS_HANDLE.

  • Although not enabled yet, this version includes necessary code for upcoming log collection mechanism.

  • MacOS version should now be notarized for upcoming MacOS release.


Sunday, April 3rd 2019

Web UI v2.3.0

  • Various fixes

  • Adding a new “magic search” on the org front page. This search field combines an agent search by SID and hostname with searching for IoCs. It will expand to any new data sets in LC in the future. It’s a quick search for everything.

  • Important overhaul to the UI of various aspects of the Replicants / WarRoom.


Wednesday, March 27th 2019

Sensor v4.10.0

  • Better reliability in Windows driver deployment.

  • Better propagation of decoration metadata (like file signing status and file hash) through various events.

  • More reliable process reporting in Linux using NetLink sockets.

  • Adding SHA1 and MD5 to CODE_IDENTITY events.

  • Adding relationship atoms to composite events like PROCESS_LIST so the process can be correlated from these events.


Friday, March 22nd 2019

Web UI v2.2.7

  • Adding a way to push updates to Resources through a REST interface.

  • Access the Resource Access Token through the new User Profile section available from the top left menu.

  • Various other enhancements and fixes.


Monday, March 4th 2019

Web UI v2.2.0

  • Tons of tweaks and bug fixes.

  • Adding tags to the sensor list.

  • Historical view will now asynchronously try to resolve missing parent events using a new API. You can expect a “???” parent node to pop in with real information within a few seconds of being displayed.

  • Replicants are now widely available. To enable, go to the Addons, “Replicant” tab and subscribe. This will give you access to the “Warroom” section in your organization.

  • Responder Replicant automates the old “sweep” functionality in a more complete way and done from the cloud (not the browser) so you can launch it on a sensor and move on, fire-and-forget.

  • Yara Replicant manages Yara signatures and which sets of signatures should be scanned constantly on which hosts. Also enables an on-demand scan from those signature sets. Automated investigation of hits to come.

  • Integrity Replicant manages FIM rules similarly to the Yara Replicant. Automated investigation of hits to come.

  • Yara and Integrity Replicants require the new sensor v4.9.0 to work properly.


Sunday, March 3rd 2019

Sensor v4.9.0

  • Yara in sensor has been updated. Windows, MacOS and Linux (except ARM build) now also support common Yara modules like “PE”.

  • Yara now defines some common variables like file_path and file_name used by some commonly available Signature sets.

  • Yara and File Integrity Monitoring now support the “update protocol”. This increases efficiency of maintaining up to date signature sets and FIM watch-sets. This feature is required for the upcoming Replicant soft-launch.

  • Parent atoms are now correctly propagated within the process list. This feature is required for the upcoming automated parent finding feature in the Historical view.

  • Windows driver unload sequence has been tweaked to provide more consistent unload/load cycles.

  • Internal IP reported by sensor should now more reliably represent the actual internal IP address of the interface used to reach the internet. This solves cases where a host with VMs could report the IP of the wrong interface.

  • Enabling common support for ARM and ARM64 sensors in all datacenters (installer availability coming very soon).