LimaCharlie
Release Notes
August 27, 2024
Ability to rename Secrets, Yara Rules and Lookups
In this release, we added the ability to rename and modify metadata (expiration date, tags, and comment field) in Secrets, Yara Rules and Lookups Hive records. This makes it easier for users to manage their Hive records at scale and offers a better user experience.
Building Infrastructure-as-Code (IaC) templates for LimaCharlie tenants in one click
In this release, we are making public a lightweight web app that will allow users to build Infrastructure-as-Code (IaC) templates for LimaCharlie tenants in a very easy way. Users can select the features they want, and it will generate the appropriate YAML that they can copy/paste into their organization.
In addition, the tool includes several "Preconfigured Templates" that instantly bring useful capabilities to an organization, such as automating DFIR or collecting PowerShell transcripts from a system.
It's an open source project and we hope it will not only inspire new and existing users on how to use the IaC capabilities of LimaCharlie, but also encourage folks to share their own capabilities in the form of Preconfigured Templates, as anyone can submit a PR containing a new template.
The app is available here: https://refractionpoint.github.io/lc-iac-generator/
The repo is available here: https://github.com/refractionPOINT/lc-iac-generator
August 20, 2024
Querying the last 30 days in LCQC is now free and we added the ability to save queries
We are excited to announce that querying the last 30 days in LimaCharlie query console is now free. For instance,
If the time range your query applies to is 2024-07-30 00:00:00 to 2024-08-21 00:00:00, the query will be free as it is within the past 30 days.
If the time range your query applies to is 2024-07-15 00:00:00 to 2024-08-21 00:00:00, you will only be billed for 6 days (the past 30 days are free).
Give it a spin and let us know about your experience with LCQC.
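The billing rule above, as an added example (not code from the release notes or from LimaCharlie): only the part of a query's time range that is older than the free 30-day window is billed. The reference time is an assumption: the window is measured back from the moment the query runs, taken here as the release date, 2024-08-20, which reproduces the 6-day figure quoted above.

```python
from datetime import datetime, timedelta

# The free window covers the 30 days immediately before the reference time.
FREE_WINDOW = timedelta(days=30)


def parse_ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS' form used in the release notes."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def billable_days(start: datetime, end: datetime, now: datetime) -> float:
    """Return how many days of [start, end) fall outside the free 30-day window.

    Only the part of the range older than `now - 30 days` is billed; anything
    newer is free. A range that lies entirely inside the window costs nothing.
    """
    if end <= start:
        raise ValueError("end must be after start")
    free_from = now - FREE_WINDOW
    # The billed part of the range stops where the free window begins.
    billed_until = min(end, free_from)
    billed = billed_until - start
    if billed <= timedelta(0):
        return 0.0
    return billed.total_seconds() / 86400


if __name__ == "__main__":
    # Assumed query time (the release date); constructed for this example.
    now = parse_ts("2024-08-20 00:00:00")
    # Entirely within the past 30 days: free.
    print(billable_days(parse_ts("2024-07-30 00:00:00"), parse_ts("2024-08-21 00:00:00"), now))
    # Starts 6 days before the free window opens: 6 billed days.
    print(billable_days(parse_ts("2024-07-15 00:00:00"), parse_ts("2024-08-21 00:00:00"), now))
```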
In addition, in this release, we have added the ability for users to save LCQC queries. Once saved, queries can be used across their entire Organization.
To save, view, or edit saved queries, users will need to be granted the appropriate permissions:
query.del - Delete saved queries
query.get - Get saved queries
query.get.mtd - Get saved queries metadata
query.set - Set saved queries
query.set.mtd - Set saved queries metadata
August 13, 2024
Sensor 4.30.0
New events for MacOS
USER_LOGIN, USER_LOGOUT
SSH_LOGIN, SSH_LOGOUT
Reminder: since these are new events, you will have to enable them in the Event Collection section of your orgs.
July 13, 2024
MFA enforcement
LimaCharlie now offers the ability for org admins to enforce MFA requirement, as well as specific types of MFA available to the users of their email domain. To set up MFA enforcement, please contact LimaCharlie support.
July 9, 2024
EDR Sensor 4.29.3
This is an installer-only bug fix that fixes cases where an installer >= 4.29.1 was connecting to an organization in LimaCharlie that was set to a pre-4.29.1 version in the cloud.
June 12, 2024
New Groups Management UI
In this release, we are announcing an improved UI for managing groups.
Groups let you easily manage permissions for multiple users across several organizations. By creating a group, you can assign permissions once, and all users in the group will have those permissions for all the organizations in the group.
The new groups section can be found in the top navigation panel, next to Organizations.
June 6, 2024
Cross-tenant IOC Search
In this release, we are announcing the Cross-Tenant IOC Search feature - the ability to search indicators of compromise across many organizations at once. It is especially useful for service providers when they are looking to quickly confirm if a certain file hash, IP address, file/process path, or other IOC type was seen in any of their organizations.
The cross-tenant IOC search is located under "Recent Organizations" at https://app.limacharlie.io/orgs
May 30, 2024
New EDR sensor version 4.29.1
Multiple stability fixes across all platforms, particularly when using the new installers available for download.
Fix to the proxy support on Linux
MacOS NEW_PROCESS event will now report RESPONSIBLE process/user/group information
Fixed handling of fork+exec on Linux and MacOS
MacOS support for Mac Unified Logs (MUL), similar to the Windows Event Log (WEL) support. Use the mul://<PREDICATE> format in Artifact collection to specify which MULs to collect in real-time. https://docs.limacharlie.io/docs/en/telemetry-artifacts
May 2, 2024
Ability to add comments to Detection & Response and False Positive rules
In this release, we are adding the ability to add comments to Detection & Response and False Positive rules. This can be useful to give analysts and detection engineers more context about the rule, how it works, what it includes or excludes, etc.
Comments are not included in detection content when an alert is triggered.
April 23, 2024
Authentication method enforcement
LimaCharlie now offers authentication method enforcement for custom domains.
For example, you may say that any user with your email domain @acme.com must authenticate via Google. This way you can disable the login + password, GitHub, and Microsoft login options for users with your domain, regardless of whether they are logging in via your custom branded site or via app.limacharlie.io.
This feature is available at no cost to customers that have their own custom branded sites.
April 17, 2024
Adding entity metrics chart to Sensors, Outputs, and D&R rules
We are starting to add metrics to make it easy for you to see the performance of different components of your security infrastructure.
In this release, we are exposing entity metrics for Sensors, Outputs, and D&R rules:
You will see a new Analytics tab on each Sensor. This tab shows the number of events collected from the Sensor in the specified time frame. It should help identify issues, see what hosts are the noisiest, etc.
You will see a new Analytics section on each D&R rule. This shows the number of times the detection & response rule has triggered in the specified time frame.
Similarly, you will see a new Analytics tab on each Output. This tab will show you the number of events sent via the Output in the specified time frame.
Data is updated every ~15 minutes and stored for three months. Note that the starting date for metrics is Mon, April 15.
In the coming weeks, we intend to add similar metrics to other parts of LimaCharlie, specifically False Positive rules and Adapters.
Updating user permissions to show a separate category of privileged permissions
To discourage admins from accidentally over-provisioning permissions for their users, we moved some sensitive permissions into a separate section within the permissions page. Specifically, we highlighted the following permissions as privileged:
apikey.ctrl
Create, delete, and modify API keys. Allows a user to create API keys with full org permissions, effectively granting them superuser access, also known as privilege escalation.
billing.ctrl
Change billing information, subscribe to additional services. Allows a user to subscribe to additional services which may incur costs to the org.
user.ctrl
Create, delete, and change permissions for users. Allows a user to grant themselves or anyone else any permissions they want, also known as privilege escalation.
When org admins grant any of these permissions to a user, they will see a warning explaining the potential dangers of doing this. The same will soon be added to the groups section.
Note this is just a web app-level change for awareness and there are no modifications to how the permissions themselves work or are granted.
Adding a sensors count on the Sensors page, with an additional copy for context
We have added a count of sensors on the Sensors page to make it easier to see how many sensors are in the organization, and how many of them are billed on usage vs. quota. Note that these stats show what's on the page so they are affected by filters.
Added support for additional Azure log types
We've added support for several types of Azure ecosystem logs, including AKS, Key Vault, SQL Server, and Network Security Group. More information on these different log types can be found here: https://docs.limacharlie.io/docs/telemetry-adapters-adapter-types-azure-logs. Note that upon ingestion:
The event_type field will map to the category field from the log entries.
The time field will map to the time field from the log entries.
Azure log types can be ingested via Azure Event Hub or by creating a Webhook. You can also see support for these new log types in the LimaCharlie UI, allowing for quick and easy cloud Adapter deployment!
New Plaso extension
We released our new Plaso extension. Plaso is a Python-based suite of tools used for creation of analysis timelines from forensic artifacts acquired from an endpoint. This is especially useful in an IR situation where the agent was deployed mid- or post-breach, so real-time telemetry is missing historical context. More info on Plaso here. The Plaso extension will take the artifact ID of a forensic artifact obtained from an endpoint, or a zip of artifacts (like a KAPE triage from the Velociraptor extension), and generate a CSV timeline of the data, as well as a .plaso timeline of the data that can be imported into Timesketch. These timelines are invaluable tools for digital forensic investigators and analysts, enabling them to effectively correlate the vast quantities of information found in logs and the various forensic artifacts encountered in an intrusion investigation. How it works:
Initiate an artifact_get or a KAPE triage with ext-velociraptor or an MFT dump with ext-dumper
Leverage a D&R rule to watch for the ingestion of relevant artifact types and send them to the Plaso extension for processing
View the Plaso CSV artifact, or import the Plaso timeline artifact into Timesketch
Please be aware that it can take a long time for these timelines to be generated. For example, generating a CSV and a Plaso timeline from a 150mb KAPE triage zip (roughly 1.4gb unzipped) could take about an hour. You will receive a job_queued event when your job is added to the queue, and a job_started event when the processing begins. Upon completion, you will get an event with the pinfo output, and the CSV and .plaso files will be uploaded to your org as artifacts.
Extension docs - https://docs.limacharlie.io/docs/extensions-third-party-extensions-plaso
Marketplace link - https://app.limacharlie.io/add-ons/extension-detail/ext-plaso
April 16, 2024
New extensions, changes to lookups, and changes to pricing for some extensions
In this release, we are announcing a few changes and new features.
LimaCharlie CLI extension
LimaCharlie CLI extension allows you to issue LimaCharlie CLI commands using extension requests. You may use a D&R rule to trigger a LimaCharlie CLI event. To get started with LimaCharlie CLI extension, subscribe your tenant to the add-on: https://app.limacharlie.io/add-ons/extension-detail/limacharlie-cli
Changes to public Lookups
Now that new lookups in Hive have gained widespread adoption and we see more and more customers relying on those, we will start the process of sunsetting the legacy lookups feature. Don't worry - the lookups you are relying on will continue to work, but we are going to remove the ability to create lookups the old way (on the marketplace). Instead, you can create lookups in Hive as described in LimaCharlie documentation: https://docs.limacharlie.io/docs/addons-lookups
New pricing for Binlib and Strelka extensions
Following some time of collecting usage data, we are ready to set pricing for two of the new LimaCharlie extensions:
Strelka Extension. Usage of Strelka in LimaCharlie will be billed at $0.10 per GB parsed.
Just a reminder, Strelka is a real-time file scanning system used for threat hunting, threat detection, and incident response developed by the team at Target. LimaCharlie makes the deployment of Strelka much easier. The Strelka extension receives files using Artifacts by specifying an artifact_id in the run_on request. The extension will then process the file and return the results to the caller as well as send the results to its related Sensor.
Binlib Extension. Yara scanning, using Binlib will be billed at $0.01 per 1,000 files.
BinLib (Binary Library) is the collection of data and metadata pertaining to executable binaries, such as EXE or ELF files, that have been observed within your organization. Binaries can be tagged and historical searches can help identify the presence of malicious files within an organization. As always, please don't hesitate to reach out if you have any questions.
April 12, 2024
Cloud CLI extension & bi-directional communication between LimaCharlie and various telemetry sources
We are excited to announce the release of the new Cloud CLI extension that allows you to trigger actions against CLI or API endpoints for third-party products. This extension facilitates bi-directional communication between LimaCharlie and nearly any telemetry source. Actions can be triggered from the Cloud CLI UI or automated via D&R rules.
With the addition of the new bi-directional capability, users can take action to mitigate incidents immediately across any tool all from the same platform, eliminating the need to rely on a third-party solution to make changes.
To get started, subscribe your tenant to the Cloud CLI extension.
To learn more about LimaCharlie's new bi-directional capabilities and the opportunities created by the Cloud CLI extension, visit our technical documentation and register for the upcoming webinar on Tuesday, April 23, 2024.
April 1, 2024
Strelka Extension
Strelka is a real-time file scanning system used for threat hunting, threat detection, and incident response.
The Strelka extension receives files using Artifacts by specifying an artifact_id in the run_on request. The extension will then process the file and return the results to the caller as well as send the results to its related Sensor.
Here is an overview of how it can be assembled in LimaCharlie from zero (new account on free tier creating a new tenant) to "all the files extracted from Zeek over the network are processed by Strelka, an organization is ready to alert on findings, plus Zeek telemetry for bonus": Strelka + Zeek + LimaCharlie.
March 28, 2024
Ability to upload payloads via web app
LimaCharlie now offers the ability to upload payloads via a web interface, by simply dragging and dropping a payload file. This means that you no longer need to run a curl command (but you still can, as both options are available).
In addition, we removed restrictions around file types so any file type can be uploaded.
March 21, 2024
Hayabusa Extension
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. The Hayabusa extension allows you to run Hayabusa against a specified event log (.evtx) or a collection of event logs (.zip). LimaCharlie will automatically kick off the analysis based off of the artifact ID provided in a D&R rule action.
To get started, subscribe to Hayabusa extension.
Additional docs and example rules are available here.
March 14, 2024
Migrating D&R Rule from legacy Service to new Extension
In this release, LimaCharlie launched a CLI tool to migrate D&R rules from legacy Service to new Extension.
The Python CLI gives you a direct way to assess whether any rules reference the legacy reliable tasking, Zeek, Yara, or PagerDuty service, preview the change, and execute the conversion required in the rule "response".
To learn more about converting D&R rules, visit our technical documentation:
March 6, 2024
Updates to the API for the default org creation template
Several weeks ago, we announced a change to the new tenant creation experience. Any new tenant created in the web app is now enabling Extensions instead of legacy Services.
Starting next Monday, March 11th, this change will also be implemented for the LimaCharlie API. This means for new tenants via API using the default template, LimaCharlie will be enabling Extensions instead of Services. Custom automations that do not rely on the default template will not be affected.
Announcing advanced filters in the web app
In this release, we are announcing advanced filters which have been added to the Sensors and Timeline pages. LimaCharlie users can get more granular when looking for specific events or sensors. Let us know your feedback & ideas to make it better. Note that based on feedback from our Beta users, we will be bringing back the text search field to the Timeline shortly.
The sensor Processes page now shows modules in a modal, instead of at the bottom of the page
Previously, when navigating through the Processes page on Sensors, you would see a flashing menu of options such as "View Modules", "Kill Process", etc. To make the page faster and improve user experience, we moved this menu to the left of the page. Also, the Sensor Processes page now shows modules in a modal, instead of at the bottom of the page.
February 21, 2024
Dumper Extension
The Dumper Extension provides the ability to dump several forensic artifacts on Windows hosts. It supports a single action, dump, with multiple targets: memory to dump the memory of the host, and mft to dump the MFT of the file system to CSV. The Extension then automates the ingestion of the resulting dump (and dump metadata) into LimaCharlie's Artifact Ingestion system, where it can be downloaded or analyzed and where you can create D&R rules to automate detections of characteristics of those dumps.
February 14, 2024
Changes to the add-ons marketplace
In this release, we are rolling out more user experience enhancements to Extensions and making them more prominent on the add-ons marketplace.
At the same time, we are making Services less prominent in the web app listing of add-ons. To find a list of services, go to the Extensions section of the marketplace, scroll to the bottom of the page, and click “show legacy services”. They will continue to show up as usual in the search bar on the marketplace.
We would like to encourage LimaCharlie users to migrate their legacy Services to Extensions. That said, Services are not being decommissioned; they will be working and accessible for the foreseeable future.
In the coming weeks, we will be adding more documentation about building your own Extensions and creating tools to make it easier to migrate your legacy Services. Meanwhile, please reach out if we can clarify anything or help you to get started with Extensions.
February 13, 2024
New Atomic Red Team extension
We have released a new LimaCharlie extension - Atomic Red Team. Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework, provided by Red Canary. With this extension, LimaCharlie users can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
To get started, subscribe your tenant to the Atomic Red Team extension. If you have legacy Atomic Red Team service enabled in your tenant, you can unsubscribe from it after enabling the extension.
For more details about using the Atomic Red Team extension, visit our technical documentation: https://docs.limacharlie.io/docs/extensions-third-party-extensions-atomic-red-team
January 31, 2024
New extensions - Lookup Manager, Yara Manager, and Zeek
The Lookup Manager extension allows you to create, maintain & automatically refresh lookups in the organization to then reference them in Detection & Response Rules.
The Yara Manager extension allows you to create, maintain & automatically refresh Yara rules in the organization. Yara rules are records stored in config Hive that can be leveraged by other extensions such as BinLib to automate Yara scanning. The saved Lookup and Yara Configurations can be managed across tenants using the Infrastructure as Code extension. To manage lookup and Yara versions across all of your tenants, update the file under the original Authenticated Resource Locator. Once a day, LimaCharlie will then sync all of the tenants that use the configuration.
The Zeek extension, once enabled, will watch for PCAP files being ingested through the Artifact Ingestion system. Individual PCAPs can be run on Zeek using an artifact id in our Manual Run feature. For each PCAP, the Zeek extension will run the Zeek tool on the PCAP. All the resulting Zeek log files will then be ingested as first-class telemetry into a LimaCharlie adapter, where they can be viewed or Detection & Response rules can be created to generate detections or automate responses. Learn more and get started:
The ability to add lookups in several formats
We have updated the new lookups functionality to allow creating lookups in several formats - YAML, JSON, and newline. Once created, lookups will be converted into JSON.
January 16, 2024
Announcing new AWS Ruleset
We are excited to announce the addition of a new extension - a managed set of Detection & Response rules for AWS developed by Soteria. The ruleset is designed for detecting malicious activity in AWS.
To get started, subscribe your tenant to the extension: https://app.limacharlie.io/add-ons/extension-detail/soteria-rules-aws Then, configure AWS CloudTrail Logs Sensor to start collecting AWS audit logs.
Ability to rename an organization in the web app
LimaCharlie users can now rename their organizations self-serve. To rename an organization, navigate to Billing > Billing and Usage, and scroll down to the “Rename Organization” section. To rename an organization, users require the billing.ctrl permission.
January 4, 2024
New Lookups
Lookups are changing, but don't worry, old-style lookups are staying for a long time.
The main change in lookups is that they are moving from being global entities tied to Users, to being more in line with the rest of LimaCharlie where each lookup is now an object that lives within an Org. These new lookups can now be created, updated and accessed via the lookup Hive. Because they now live in Orgs, it means you no longer need to Subscribe to a lookup to use it.
Using a lookup is exactly as before (minus the Subscription); the only difference is that you no longer refer to the lookup via lcr://lookup/..., instead you now use hive://lookup/.... You can also now use infrastructure as code to manage your lookups across different tenants.
The new lookups are located under 'Automation' in the web app.
For more information about Config Hive and lookups, check out technical documentation: https://docs.limacharlie.io/docs/platform-management-config-hive https://docs.limacharlie.io/docs/platform-management-config-hive-lookups
December 22, 2023
Announcing OTX Extension
In this release, we are announcing the addition of the new OTX extension. This extension enables users to continuously import all their OTX pulses and the relevant D&R rules for most indicator types.
To get started, subscribe your tenant to the OTX extension, or follow the steps shown on the OTX Service page to migrate the configuration from the legacy OTX Service.
Ability to invite new users to create LimaCharlie accounts
We have also added the ability to invite new users to create LimaCharlie accounts. When an org admin is adding users to their organization, if no user with the email address provided exists, they will be sent an email invite to create a LimaCharlie account.
The new user won't automatically be added to the organization. After creating their LimaCharlie account, they will have to reach out to the person who invited them to complete the process. We have it on our roadmap to further improve this part of the experience.
December 19, 2023
Exposing more LC Sensor capabilities in the web app
In this release, we are adding a list of new tabs to LimaCharlie sensors:
Event Collection tab provides a list of events collected from a Sensor, along with exfil (event collection) rules that apply to the Sensor. Works on: Windows, Linux, and macOS sensors
Integrity Monitoring tab provides a list of file & integrity monitoring rules that apply to the Sensor. Works on: Windows, Linux, and macOS sensors
Services tab lists all services (Windows, launchctl on MacOS and initd on Linux). Command: os_services. Works on: Windows, Linux, and macOS sensors
Drivers tab lists all drivers on Windows (command: os_drivers). Works on: Windows sensors
Packages tab provides a list of installed software packages (command: os_packages). Works on: Windows and macOS sensors
Users tab provides a list of system users (command: os_users). Works on: Windows sensors
Autoruns tab lists pieces of code executing at startup, similar to SysInternals autoruns (command: os_autoruns). Works on: Windows and macOS sensors
Sensor pages on the sidebar are now listed in alphabetical order.
December 14, 2023
EDR Sensor v4.28.5
The new version of the EDR sensor fixes a possible race condition with the execution of Payloads that could result in an error 259 (payload still executing) even when the Payload executed and terminated successfully. We observed this in some cases of Velociraptor execution.
The "stable" version of the sensor was also bumped up to 4.28.3.
December 8, 2023
Indicators of Compromise (IOC) Search experience improvements
In this release, we have implemented significant improvements to the Search experience.
In the past, there was a four-hour delay between when an event happened & when it was indexed for the Indicators of Compromise (IOC) Search; this has now been shortened to 15 minutes.
Note that LimaCharlie detection & response capabilities are real-time, and both detection and response happen at wire speed. It’s only the indexing of the IOCs for Searching that takes additional time.
November 1, 2023
Announcing new Microsoft/Office 365 Ruleset
We are excited to announce the addition of a new extension - a managed set of Detection & Response rules for Office 365 developed by Soteria. The ruleset is designed for in-depth analysis of the Office 365 ecosystem which includes:
Microsoft Teams
Word
Excel
PowerPoint
Outlook
OneDrive
...and other productivity applications.
To get started, subscribe your tenant to the extension: https://app.limacharlie.io/add-ons/extension-detail/soteria-rules-o365
New Twilio Extension
In this release, we are also launching a Twilio extension that can trigger alerts based on Detection & Response rules.
For more information see LimaCharlie Twilio Documentation. Example Respond portion of a D&R rule that sends a message out via Twilio as the response action:
- action: extension request
  extension action: run
  extension name: ext-twilio
  extension request:
    body: '{{ .event }}'
    from: '{{ "+10123456789" }}'
    to: '{{ "+10123456789" }}'
To get started with Twilio extension, visit https://app.limacharlie.io/add-ons/extension-detail/ext-twilio
Sensor v4.28.4
enhanced network connectivity, resolves some issues with connections to the cloud dropping in certain situations
more detailed log (hcp.log) of some network connectivity issues
This update is not an update to the cloud-managed version of the LimaCharlie EDR. It is an installer-only update for the binary on disk. It is only available through downloads.limacharlie.io.
We recommend using this version for all future deployments and for currently problematic installs.
October 31, 2023
Four New Extensions - PagerDuty, Velociraptor, Sigma ruleset and Soteria EDR ruleset
Following the launch of Extensions, we are porting LimaCharlie Services into the corresponding Extensions. Today, we are releasing four new extensions:
To get started with migrating the existing tenant, navigate to the service page on the add-on marketplace, select an organization, and follow the steps on the screen. You can also do it from the Service page within your tenant. If you are creating a new organization, you can subscribe to the new extensions right away, without having to first enable the legacy Services.
October 18, 2023
Artifact Collection Extension
Following the launch of Extensions, we are porting LimaCharlie Services into the corresponding Extensions. Today, we are releasing the Artifact Collection Extension, which means you can migrate the legacy Artifact Collection Service to the new Extension.
To get started with migrating the existing tenant, navigate to the Artifact Collection Service, select the organization, and follow the steps on the screen. You can also do it from the Service page within your tenant. If you are creating a new organization, you can subscribe to the Artifact Collection Extension right away, without having to first enable the legacy Service: https://app.limacharlie.io/add-ons/extension-detail/ext-artifact
October 3, 2023
Payload Manager Extension
In this release, we are announcing the new Payload Manager extension.
The Payload Manager extension allows you to create, maintain & automatically refresh payloads in the organization to then deploy them on endpoints via Windows, Mac, or Linux sensors. The saved Payload Configurations can then be managed across tenants using Infrastructure as Code extension.
To get started with the Payload Manager extension, subscribe to the extension add-on on the marketplace & follow the instructions in description.
September 7, 2023
Changes to the Billing & Usage page
In this release, we have implemented some long-anticipated changes to the Billing & Usage page. You can now see the details of upcoming invoices for your LimaCharlie tenants.
This information is pulled dynamically from Stripe so you can follow the changes to your invoice throughout the billing period.
In line with these changes, the Metered Usage section of the page is now only focused on usage stats.
File & Registry Integrity Monitoring Extension
Following the launch of Extensions, we are porting all LimaCharlie Services into the corresponding Extensions. Today, we are releasing the File & Registry Integrity Monitoring Extension, which means you can migrate the legacy File & Registry Integrity Monitoring Service to the new Extension.
To get started with migrating the existing tenant, navigate to the Integrity Service, select the organization, and follow the steps on the screen. You can also do it from the Service page within your tenant.
If you are creating a new organization, you can subscribe to the Integrity Extension right away, without having to first enable the Integrity Service: https://app.limacharlie.io/add-ons/extension-detail/ext-integrity
Please do not hesitate to reach out if you have any questions.
September 5, 2023
Announcing Kubernetes Pods Logs Adapter
This Adapter collection method allows you to collect the logs of all the Pods in a Kubernetes cluster and bring them in LC. The container we publish makes this extra easy to add onto an existing cluster.
Documentation:
Container def:
https://github.com/refractionPOINT/usp-adapters/tree/master/containers/k8s_pods
Public container:
https://hub.docker.com/r/refractionpoint/lc-adapter-k8s-pods
August 31, 2023
OpenSearch Output
We've added the OpenSearch Output which makes it even easier for LimaCharlie users to send their events, detections & telemetry to OpenSearch.
August 29, 2023
Announcing Exfil Extension
Following the launch of Extensions, we are porting all LimaCharlie Services into the corresponding Extensions. Today, we are releasing the Exfil Extension, which means you can migrate the legacy Exfil Service to the new Extension.
To get started with migrating the existing tenant, navigate to the Exfil Service, select the organization, and follow the steps on the screen. You can also do it from the Service page within your tenant.
If you are creating a new organization, you can subscribe to the Exfil Extension right away, without having to first enable the Exfil Service: https://app.limacharlie.io/add-ons/extension-detail/ext-exfil
August 15, 2023
New MFA option - Authenticator App
In this release, we are expanding our list of Multi-factor authentication (MFA) options. In addition to the SMS-based MFA, LimaCharlie now supports TOTP (Time-based One-Time Password) codes generated by Authenticator apps.
Multi-factor authentication using Authenticator apps is known to be a stronger method of protection than SMS-based MFA.
To get started with the new MFA method, navigate to the Manage User Settings option in the web app and choose Add Multi-Factor Authentication. You may be required to re-log in to your LimaCharlie account before you can proceed.
August 14, 2023
EDR Sensor 4.28.2
Fixing an issue that can lead to some files being skipped by dir_find_hash
Fixing an issue where custom Exfil Watches could result in small memory leak
Enable reporting from the sensor to the cloud for some enrollment errors to assist in troubleshooting complex environments.
August 8, 2023
BinLib - Binary Library
Binary Library, or “BinLib”, is a collection of data and metadata pertaining to executable binaries, such as EXE or ELF files, that have been observed within your organization(s). When enabled, this extension collects observed data into your own private collection of historical executables, which is then available for searching, tagging, and analysis. BinLib also features YARA scanning, allowing you to import rules and search across observed executables - all without impacting system resources or production systems.
With BinLib, LimaCharlie customers can realize their own private corpus of historical executable data, as observed across their environment(s). Furthermore, LimaCharlie’s multi-platform parity enables analysis across Windows, Linux, and Mac executables. Binaries can be tagged and historical searches can help identify the presence of malicious files within an organization(s).
To learn more, check out the announcement. To get started, refer to the technical documentation.
May 31, 2023
FreeBSD, OpenBSD and NetBSD platform support & IT Glue Sensor
LimaCharlie Adapter now supports FreeBSD, OpenBSD and NetBSD platforms. Check out the list of all supported platforms in the technical documentation, or get started by downloading the executable from the Sensor > Installation Keys page.
Additionally, in this release we have added a new IT Glue Adapter. LimaCharlie users can now ingest IT Glue audit logs directly into their tenant.
May 17, 2023
Announcing AWS GuardDuty Sensor
In today's release, LimaCharlie added a new Sensor - AWS GuardDuty. This enables LC users to ingest GuardDuty logs and have detection & response rules written on them. AWS GuardDuty enables customers to analyze AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs to look for unusual or unexpected behavior in their AWS accounts.
April 19, 2023
Adding three new LC sensors
In this release, LimaCharlie added 3 new sensors:
Canary Token - CanaryTokens is an innovative tool that allows you to place decoy files, URLs, and other bait on your network or endpoints. When a CanaryToken is triggered, you'll receive an alert, allowing you to take immediate action to prevent any potential threats. With LimaCharlie Canary Token sensor, you can easily ingest CanaryToken alerts into LimaCharlie.
Azure Active Directory & Azure Monitor - these two sensors make it easier to get Azure data into LC.
April 12, 2023
Datadog Output & Rule Editing Experience Improvements
In this release, we have added an output to Datadog which makes it easier for users to send Detections, Audit Logs, and other types of Outputs directly to Datadog data analytics platform. You can configure a Datadog output by navigating to Outputs > Add Output in the web app.
Additionally, we added the ability to expand the rule editors for both D&R and FP rules. This should make it easier to edit complex and wordy rules without having to rely on a notepad or similar.
March 27, 2023
Sensor v4.28.0
Windows MSI has been updated:
proper version reported
should fix the issue where the sensor could install on a drive other than SystemDrive in some cases
uses longer network timeouts that should help with some connectivity issues
introduces os_users on Windows to list users. Looking for feedback here as there are multiple ways to list users.
supports a new --interpreter argument to the run task which allows you to specify an interpreter to use when launching the payload. For example: run --payload-name my-powershell-script.ps1 --interpreter powershell
Finally, version 4.28.0 now supports connectivity to the LimaCharlie Cloud over an SSL connection not using pinned certificates. This makes it easier to deploy in environments where SSL interception is present. This new alternate connectivity uses a slightly different domain, for example:
Pinned connectivity:
9157798c50af372c.lc.limacharlie.io
Public Root CA version:
9157798c50af372c.edr.limacharlie.io
The default remains pinned certificates. A sensor enrolling using one or the other must/will remain using that connectivity method. The method used for a given sensor is based on its Installation Key.
To enroll a sensor using the new public root CA SSL, you must create an Installation Key with the use_public_root_ca=true option via the REST API, or using the Python SDK's use_public_root_ca option: https://github.com/refractionPOINT/python-limacharlie/blob/master/limacharlie/Manager.py#L1364
An option to enable this in the web UI will come later.
March 23, 2023
LimaCharlie Query Console Suggestions
LimaCharlie Query Console now offers a search experience that displays a list of possible options that users can select from as they type. Several sources contribute to these suggestions:
LCQL Query Structure which provides a list of options based on the structure of the query.
LimaCharlie Schema API which exposes the "learned" schema from specific event types. As data comes into LimaCharlie, the Schema API will accumulate the list of fields and types observed for those specific events. LimaCharlie Query Console retrieves this learned schema and offers suitable suggestions as users type.
Sensor Selector Expressions which enable selecting a set of Sensors based on some characteristics.
LimaCharlie Query Console Suggestions are there to assist users as they are learning how to navigate the new Query Language and becoming more comfortable with the Console. It is most valuable to help get the right syntax for events and schema, while assisting with drafting the query along the way.
Give it a try and please reach out with ideas and suggestions so that we can continue to make it better and easier to navigate.
March 15, 2023
User Experience Enhancements
MFA form state bug fix which enables users to see placeholder suggestion for code input
Copy update on reliable tasking zero state page
Updated the list of featured add ons on the LC Marketplace
Improvements on Artifacts page relating to performance, UI enhancements and adding a copy to indicate end of the list
Added ability to delete all detections
March 9, 2023
Announcing Elastic Output
With LimaCharlie, organizations have full control of their security data - we make it easy to collect logs and telemetry from any source using Sensors and send it to any destination via Outputs. The granularity of the data collected and sent is controlled by the user. Along with generic mechanisms for outputting the data such as webhook and Syslog, LimaCharlie offers several pre-built configurations that simplify the task of sending data out of LC.
In this release, we are announcing Elastic Output that makes it easier to output events and detections to Elastic.
Link to the technical doc: Elastic Output
March 8, 2023
The ability to filter detections by date range
To make it easier for LimaCharlie users to navigate detections in the web app, we have added the ability to filter detections by date range. Users can now switch between jumping to a single date and filtering within a given time range in one click.
February 27, 2023
LimaCharlie Query Console, revamped Detections page & other enhancements
LimaCharlie Query Console is designed to provide a flexible, intuitive, and interactive way to explore data in LimaCharlie. It uses the LimaCharlie Query Language and enables several features including:
Querying one full year of telemetry within your tenant
Choosing columns you want to have displayed in the web UI
Exporting query results in CSV or JSON
Estimating the query cost and validating the query before the query run
The ability to start a D&R rule from the query console
Additionally, in this release you will see the following:
Updated Detections page. This greatly improves performance and enables you to better navigate the detections data
Added a drag-to-resize ability for code editors and D&R editors. This should make it easier to edit longer D&R and FP rules in the LimaCharlie web app
Updated spinner location on Audit logs to make it more intuitive for users to navigate audit logs
February 9, 2023
Adding support for webhooks as an ingestion method & web app enhancements
Since webhooks are a common way of moving data around, LimaCharlie now has support for webhooks as an ingestion method.
By enabling a webhook through the cloud_sensor Hive, you will open up a specific URL to which you can send webhooks from other platforms. The data received there will make its way into LimaCharlie as a sensor in the same way an Office365 or Syslog Adapter would do.
To learn more and to get started, check out our technical documentation.
Other changes include:
Added the ability to bulk enable/disable false positive rules
Fixed a bug affecting the timeline sidebar close button
Fixed a bug where creating a draft Detection & Response Rule and returning back to it would land the user on a 404 page
February 1, 2023
Announcing Replay for False Positive rules
We have heard that one of the most painful challenges is dealing with false positives. To help solve it, in this release we are extending the capabilities of Replay used for retroactive threat hunting, and introducing the ability to replay False Positives.
Clicking “Mark as False Positive” from the Detections page will now both get the FP rule started, and populate the content of the detection so that you can fine tune the FP rule to work exactly as you want. You can also paste the content of the detection manually, and replay your false positive rule against that.
January 25, 2023
Improved Services UI and revamped Audit logs now stored for one full year
We have revamped the way LimaCharlie services are displayed in the web app to make them more user-friendly and easy to navigate. You will see that we have new pages for Velociraptor, Atomic Red Team, Dumper, Sigma, Zeek, Otx, PagerDuty, Twilio, and SOC Prime add-ons. We have also added the ‘background job’ toggle to the Reliable Tasking (now located under Sensors), and removed the old Reliable Tasking page under “Service Requests”. Note all these changes are available for users who have already switched to the new UI.
Additionally, we have greatly improved the way Management and Audit logs work in LimaCharlie. Both types of logs were merged into one - Audit Logs - and virtualized, making them easily scrollable. We will now be retaining Audit logs for one full year and have them available for browsing and searching in LimaCharlie, without the need to send them to external storage; the first iteration of this change is now available in the web app.
January 16, 2023
Announcing scheduled jobs in LimaCharlie
In this release, we are excited to announce the ability to schedule jobs in LimaCharlie. This enables use cases such as scheduling commands to endpoints or service requests.
Scheduling is done by creating a D&R rule with a target: schedule, and defining the desired response (task, service request, etc). For example, to issue an os_packages once per week on Windows hosts:
detect:
  target: schedule
  event: 168h_per_sensor
  op: is platform
  name: windows
respond:
  - action: task
    command: os_packages
    investigation: weekly-package-list
To learn more about how it works & see some examples, visit our technical documentation.
January 11, 2023
Updated web app experience for False Positive rules, Replay cost estimate, the ability to download tenant configuration & other enhancements
The web app experience managing False Positive rules now mirrors that of D&R rules. Users are able to enable/disable individual FP rules, see who created and last edited each rule, manage tags and more.
Users can now estimate the cost of replaying a detection & response rule before running the replay. This makes the cost of using replay even more predictable and transparent.
The “Templates” page under Organization Settings has been renamed to “Infrastructure as code”. Additionally, we have optimized the “Modify Existing” tab to load significantly faster, and added the ability to download the Org Configuration in JSON.
Styling of the File and Integrity Monitoring page has been aligned with that of YARA. “Updated date” and “updated by” are now visible for all FIM rules.
For those looking to manage access to various parts of LC on a more granular level, LimaCharlie now supports decoupling the value of secrets from their usage in various configurations. You can learn about how it works in the technical documentation.
Artifacts page now has a zero state shown when the user does not have artifacts or artifact collection rules in their tenant.
Fixed a bug where the Detection and Response rule’s expiry date set at rule creation was ignored.
Updated the LimaCharlie mailing address on the privacy policy web page.
January 5, 2023
Updated web app experience for Reliable Tasking and Sensor Cull
As we are continuously looking for ways to make LimaCharlie easier to use, we have updated the web app experience for Reliable Tasking and Sensor Cull. Users can now submit tasks for sensors and manage sensor cull rules in an easier and more friendly way.
Other changes include:
Updated a copy about deleting sensors from LC Adapters
Fixed a bug where deleting a draft detection and response rule using the sidebar could take the user to a 404 page if no other rules exist
Updated cache and other behaviors to accurately reflect the ‘updatedBy’ field within a detection and response rule page
Fixed misaligned icons on the Artifacts page
Fixed a bug where labels on graphs on the dashboard would not appear in the UI
Updated generate access token request to use new API token endpoint
December 21, 2022
Ability to enable and disable Detection and Response rules in bulk
In this release, LimaCharlie added the ability for users to enable/disable Detection and Response rules in bulk. Select multiple (or all) rules at once, go to “select operation” > “enable/disable selected”. Depending on the number of rules in the organization, it may take a few seconds to a minute to complete. You can leave the page - it will not impact the progress.
Other changes include:
Fixed the issue where the onboarding page was not being scrollable on short-sized screens
Made organization select button/dropdown a single line
Make the search bar more responsive; it now collapses on a shorter screen width
Added a new toggle on File Integrity Management rule editor which enables users to receive detections for FIM_HIT events without having to create a D&R rule themselves (LimaCharlie will create a rule automatically).
Added a new toggle on YARA rule editor which enables users to receive detections for YARA_DETECTION events without having to create a D&R rule themselves (LimaCharlie will create a rule automatically).
Edited the copy of the sensor-cull description, and added a link to the documentation on the page
Added a new Rulesets section to the add-ons marketplace to make it easier to discover what detections coverage is available in LC
December 14, 2022
Announcing new LimaCharlie web app navigation
We are excited to announce the new navigation in the LimaCharlie web app. For over a year, we have been talking to many of our users, gathering feedback from Slack, Intercom, and other channels to understand how people navigate the product, what we can communicate better, and how different functionality is used.
We have reorganized the web application to better reflect the LimaCharlie approach to security and to be more in line with what users expect from the security infrastructure offering.
The new navigation can be enabled in user settings. Note if you are using multiple devices, you may be prompted to make this switch on each of them separately.
We know it takes time to switch to the new UI, so we put our users in control of when they want to do it. This is a big change that will affect all users, so we are looking for feedback and ideas about the new navigation. After this update, there are no plans for any other radical navigation changes in the near future.
December 12, 2022
Announcing integration with SnapAttack
LimaCharlie is excited to announce integration with SnapAttack. This integration converts select high-fidelity SnapAttack Community Edition detection logic into LimaCharlie D&R rules which can be applied to your tenant in one click.
SnapAttack Community Edition includes access to open source intelligence objects and behaviorally-oriented detections developed by the SnapAttack threat research team as well as popular community tools, such as Atomic Red Team and Sigma. The ruleset contains high-confidence detections for most platforms that have been verified against true positive data by SnapAttack’s threat detection team.
Similar to how it works with Sigma and Soteria rulesets, you can enable or disable individual SnapAttack rules, and replay them against historical telemetry.
To learn more, check out this help article: How can I use SnapAttack Community Edition in LimaCharlie?
To learn more about SnapAttack and their Enterprise Edition, visit https://www.snapattack.com/
December 9, 2022
Sensor 4.27.4
more detailed crash reporting
on crashes, a minidump is generated on Windows in c:\windows\system32\hcpmd.dmp
expand the list of packages returned on Windows for os_packages
fixed a crash on Windows during services listing.
log the sensor's OID and SID on sensor startup in STDOUT and in the local on-disk log. This will be useful to troubleshoot mis-enrolled sensors.
fixed bug where relevant file not reported in Yara scan.
December 3, 2022
LimaCharlie Query Language
We're happy to introduce the LimaCharlie Query Language (LCQL) in Beta.
LCQL allows you to query through your data in the LimaCharlie retention more easily and flexibly. It also enables several new useful features:
Dryrun mode to get estimates of data being queried.
Paged queries, so querying for data over a long period of time is not all done at once, giving you the opportunity to get results without incurring the cost of the full query.
Event name and event element tab-completion. You don't have to remember the event names or paths to all the elements you want to query.
Querying, projection (only report specific values from matching elements) and aggregation (count, count_unique).
Display underlying D&R rules generated for the query, making it easier to use LCQL to prototype D&R rules.
For this beta, the LCQL interface is limited to the LimaCharlie CLI (pip install limacharlie), but the intent is to introduce this capability directly in the web interface in the future.
To launch the LCQL interface, install the LC CLI and use: limacharlie query to launch the interactive mode.
This feature is built on top of the Replay feature and shares billing.
For an introduction tour of LCQL, see: https://www.loom.com/share/78472900db69499b8cf3dc5805db8dd0
Documentation is also available here: https://doc.limacharlie.io/docs/documentation/b0915c7a5f598-lima-charlie-query-language
As usual, we would love feedback on this feature, ideas on how to improve, etc.
November 30, 2022
Announcing LimaCharlie demo tenant configuration
We want to make it easier for users new to LimaCharlie to get started with the product and to understand what our approach can enable. We have always made it easy to create an account without having to attend a mandatory demo, and provided free training and documentation.
In this release, we are introducing the ability to apply a demo configuration to the LimaCharlie tenant. Adding Demo Tenant Configuration will onboard a demo sensor, generate detections, and enable a variety of features so that users new to LimaCharlie can easily explore its functionality.
Other user experience enhancements:
Updated the web app behavior for orgs with no detections. Now when there are no detections, instead of an endless spinner, the user is provided with a message that there are no detections available.
Fixed the 404 page appearing on tenant creation for some data centers
Changed copy about replay pricing to be in line with the recent pricing update
November 28, 2022
Sigma Service Change
We are getting closer to enabling most of the Sigma public rules through our Sigma Service (it currently focuses on Windows). In an effort to make the transition painless (and not spam you with unexpected alerts), we're introducing a few changes to how the Sigma Service works:
As it is right now, when subscribing an org to Sigma for the first time, all Sigma rules will be installed and enabled.
When new Sigma rules are added to the open source community, they will be created in the orgs, but they will not be enabled by default. This behavior can be changed by sending the default_enable_rules action to the Sigma Service through the Service Requests section.
You can monitor changes to the Sigma rules available in LimaCharlie using the RSS feed provided by GitHub here: https://github.com/refractionPOINT/sigma-limacharlie/commits/rules.atom
A new option is available with the Sigma Service through the Service Requests section to apply a Suppression Rule (https://doc.limacharlie.io/docs/documentation/b43d922abb409-reference-actions#suppression) to all Sigma Service Detections. It is enabled by sending the set_sensor_suppression action to the Service with a suppression_time value like 1h which represents the suppression period. These rules are applied per-sensor (not globally) and per-rule.
As usual, your feedback is very welcome and we look forward to pushing more functionality through Sigma and other managed rules from various sources.
November 23, 2022
New events & user experience enhancements
New DISCONNECTED Event. You will start seeing a new event, DISCONNECTED, flowing from EDR sensors. It represents a sensor disconnecting from the cloud. Note that this does not necessarily indicate a problem, as sensors frequently reconnect to the cloud. This event can be used for external online/offline signaling.
New _event_id field in WEL Events. You will now see a new _event_id field under the System component of real-time WEL events from EDR. This synthetic field is there to enable easier rule writing on top of the events. It will always contain the EventID of the WEL event. This field avoids you having to specify multiple EventID field locations (since the location varies in the Microsoft WEL format).
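As an added example (not LimaCharlie's own code), the following Python consumes the two new event shapes described above from a constructed batch of EDR events: it reads the synthetic System._event_id field of WEL events (falling back to the varying legacy EventID locations only for older events) and uses DISCONNECTED purely as an online/offline signal. The routing.sid / routing.event_type layout and the {"#text": ...} EventID form are assumptions for the sample, not taken from the release notes.

```python
from typing import Any, Dict, Iterable, List, Optional, Set

Event = Dict[str, Any]


def wel_event_id(event: Event) -> Optional[int]:
    """Return the Windows EventID of a WEL event.

    Prefer the synthetic System._event_id field that EDR now adds, because it
    always holds a plain integer.  The fallback handles the two legacy
    locations (plain value vs. {"#text": ...}) for events produced before
    the field existed.
    """
    system = event.get("event", {}).get("System", {})
    if "_event_id" in system:
        return int(system["_event_id"])
    raw = system.get("EventID")
    if isinstance(raw, dict):
        raw = raw.get("#text")
    return int(raw) if raw is not None else None


def match_wel_rule(events: Iterable[Event], wanted: Set[int]) -> List[str]:
    """Mimic a D&R rule that fires on specific EventIDs; return the sids hit."""
    hits: List[str] = []
    for ev in events:
        if ev.get("routing", {}).get("event_type") != "WEL":
            continue
        if wel_event_id(ev) in wanted:
            hits.append(ev["routing"]["sid"])
    return hits


def offline_sensors(events: Iterable[Event]) -> Set[str]:
    """Sensors whose latest event is DISCONNECTED.

    A sensor counts as offline after a DISCONNECTED until any later event
    from the same sid arrives; sensors reconnect frequently, so a single
    DISCONNECTED is not treated as a problem by itself.
    """
    offline: Set[str] = set()
    for ev in events:  # events are assumed to be in arrival order
        sid = ev["routing"]["sid"]
        if ev["routing"]["event_type"] == "DISCONNECTED":
            offline.add(sid)
        else:
            offline.discard(sid)
    return offline


# Constructed sample batch (assumed layout), in arrival order.
SAMPLE_EVENTS: List[Event] = [
    {"routing": {"sid": "sensor-a", "event_type": "WEL"},
     "event": {"System": {"EventID": "4624", "_event_id": 4624}}},
    {"routing": {"sid": "sensor-b", "event_type": "WEL"},
     "event": {"System": {"EventID": {"#text": "4688", "Qualifiers": "0"},
                          "_event_id": 4688}}},
    # Older event without the synthetic field: exercises the fallback path.
    {"routing": {"sid": "sensor-c", "event_type": "WEL"},
     "event": {"System": {"EventID": {"#text": "4688"}}}},
    {"routing": {"sid": "sensor-a", "event_type": "DISCONNECTED"}, "event": {}},
    {"routing": {"sid": "sensor-b", "event_type": "DISCONNECTED"}, "event": {}},
    {"routing": {"sid": "sensor-b", "event_type": "WEL"},
     "event": {"System": {"_event_id": 4624}}},
]

if __name__ == "__main__":
    print(match_wel_rule(SAMPLE_EVENTS, {4688}))   # ['sensor-b', 'sensor-c']
    print(sorted(offline_sensors(SAMPLE_EVENTS)))  # ['sensor-a']
```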
Additionally, the following enhancements have been implemented in this release:
Updated tags UI on tables to reveal/hide overflowing tags
Added first name/last name fields to sign up flow
Added ‘how did you hear about us’ to onboarding flow
November 22, 2022
Static EDR Cloud Endpoint
We have moved to a simple static cloud IP footprint for EDR. You will see that the relevant per-geo domain where EDR connects to in the LC cloud (like XXXXXXX.lc.limacharlie.io) has now moved from multiple A records to a single one. Don't worry, if you were already setting up firewall exceptions for the IPs previously under that domain, you don't need to change anything because the now-unique IP is one of the ones that used to be there. The difference is that we can now officially guarantee that these IPs are the unique and static footprint of the LimaCharlie Cloud for EDR, which makes your life simpler.
November 4, 2022
Replay Billing Estimates
Changes in Replay that are effective right now:
the returned data from Replay now has a new value, n_billed, which is specifically the exact number you will be billed on. The n_evals value now strictly represents the number of rule evaluations you made.
You can now send an is_dry_run: true value to the Replay API/Service. When you enable that, your request will not actually be run; instead the service will return you (through the n_billed metric) exactly what the worst-case scenario for your request is. Worst-case means that your full rule (all its operators) runs on every single event from the sensors you're targeting during the target time period. It's not perfect, but it is a good start and will scale nicely with some of the optimizations we have in mind to make this even more efficient, which will result in directly smaller bills on your part.
New example of a dry-run:
{
  "stats": {
    "n_proc": 563671,
    "n_shard": 0,
    "n_eval": 563671,
    "n_batch_access": 0,
    "n_billed": 1127342
  },
  "results": [],
  "did_match": false,
  "is_dry_run": true
}
The latest version of the CLI (Python SDK) supports it through --dry-run like:
$ limacharlie replay --entire-org --last-seconds 86400 --dry-run --rule-name tracer
The dry-run feature is not yet available in the webapp, but that is coming.
October 31, 2022
New API Available: number of events retained from a sensor over time
API: https://api.limacharlie.io/static/swagger/#/Retention/getEventRetainedCount
Python: https://github.com/refractionPOINT/python-limacharlie/pull/67/files
October 18, 2022
Billing for deploying payloads
As previously announced, starting today deploying Payloads via LimaCharlie is priced at $0.19 per 1 GB of data sent. For example, a 1GB payload sent to 10 endpoints will cost $1.9 (10GBs x $0.19).
This change will only impact organizations that leverage Payloads functionality, as well as Atomic Red Team, LimaCharlie Net installers & Dumper services (they are running as Payloads in LC).
To understand the impact on your organization, check the Metered Usage section of the Billing page. You will notice the “Payload Data Sent” metric along with the size of payloads deployed and price.
The reasoning for this update is that as of October 1, 2022, Google Cloud has started billing on outbound bandwidth from load balancers. As LimaCharlie is on GCP, we’re adjusting our pricing accordingly.
Other items in this release include:
Support tab and support dropdown are now only available after sign in
Adjusted the email verification flow on signup which now gives a user the ability to "continue" with their signup process instead of having to log in in a separate window
Fixed a bug where some hyperlinks were displayed in a wrong color
October 12, 2022
CrowdStrike sensor and user experience enhancements
LimaCharlie continues to expand the list of telemetry sources we support. In this release, we added a new CrowdStrike sensor enabling users to ingest CrowdStrike EDR events normalized to LimaCharlie format.
This allows you to bring in all of your security data into LimaCharlie, write detections on this data, take advantage of our 1 year data storage, and send what you need to the destinations of your choice via Outputs.
CrowdStrike sensor is billed based on usage ($0.15 / GB).
Other items in this release include:
Fixed a bug when creating a rule with a hash and any special characters resulted in app crash; fixed a few other bugs related to D&R rule creation
Intercom help chat is now available to LimaCharlie customers using custom branded sites (i.e., to MSSPs using LimaCharlie but not to their customers)
Support dropdown adjusted for custom brand site users vs admins
‘Select/ unselect all’ toggle now working on Permissions modal
Add-on enhancements enabling users to save and view lookups and services
Updated the error message shown in sensor timeline view when there are no events to display
September 28, 2022
‘Advanced Filters’ and user experience enhancements
To make it easier for LimaCharlie users to drill down into their detection & response coverage and sensor deployments, we have added a new ‘Advanced Filters’ feature.
You can filter sensors based on the following criteria:
hostname (contains, omits, is, is not)
is_isolated (true, false)
is_kernel_available (true, false)
sid (contains, omits, is, is not)
You can filter detection & response rules based on the following criteria:
name (contains, omits, is, is not)
author (contains, omits, is, is not)
updatedBy (contains, omits, is, is not)
enabled (true, false)
tags (contains, is)
Note that filters are not case sensitive.
In the future, we plan to expand this functionality to other parts of the product such as detections.
If there are other parameters you would like to be able to filter on, please let us know.
Other enhancements include:
Console logs added to org creation that improve troubleshooting errors for users.
Link stylings on Add-on descriptions match links in rest of application (dark mode accessible)
Copy added to payload install for billing transparency
Truncated table cell values now reveal on hover
Various process page table speed optimizations, including omitting process modules on initial page load; modules now load separately (when one clicks ‘view modules’ in the toolbar)
Fixed a bug where when attempting to download the .msi installer for Windows, users would get an .exe installer instead.
Addressed a limitation where the sensor selection box in the web app would not accept arbitrary values (such as * in reliable-tasking where it is an expected value)
Some enhancements to Detections & Response logic (no effect on users).
September 22, 2022
Extended Platform & Template Strings
Sensor information now includes its Extended Platform allowing you to see that, for example, "this is a Defender endpoint, but it's a Windows machine". Or, "that this is a Carbon Black sensor, but it's a Windows machine". This will show up in the UI in the sensor list as well as sensor details.
Template Strings in LimaCharlie now support two new "functions" (anon and token) to perform tokenization or anonymization of specific fields: https://doc.limacharlie.io/docs/documentation/279f9b83be51b-template-strings-and-transforms#template-strings
September 21, 2022
More visibility into the coverage & replay of Sigma/Soteria rules
In this release, we are continuing to deliver on our promise to provide more visibility into the security coverage.
Users can now click on individual rules from Sigma and Soteria rulesets; they can see the content of all Sigma rules, as well as enable/disable individual rules from both rulesets.
All rules from Sigma and Soteria can now also be replayed against historical traffic enabling even more granular retroactive threat hunting capabilities.
Users have the ability to add and remove tags from any rule (including managed rulesets) making it easy to categorize detection & response rules and manage them at scale.
Other enhancements include:
‘Analyst’ role added to onboarding survey options
Fixed a bug where selected table rows were not colored correctly
Changed toggle track color for increased visibility on light mode
Added a warning text when LC Adapter ingestion method is GCS or S3
September 7, 2022
Announcing the ability to see Sigma & Soteria rules enabled for the organization
At LimaCharlie we believe cybersecurity needs to be transparent: the exact set of malicious activity and behavior you’re protected from should be known and you should be able to test/prove this.
Driven by this core belief, we now give users the ability to see the list of all detection & response rules in place in your organization - not just your own (custom) rules, but also rules managed by Sigma and Soteria rulesets. You will also soon get the ability to enable/disable individual rules yourself.
In the few weeks that follow, we will be adding more advanced capabilities to give you even more visibility and control of your security coverage.
With Sigma, you will soon have the ability to view the content of the individual rules.
While the content of Soteria rules will remain hidden as it is the intellectual property of Soteria, we will be exposing details such as MITRE ATT&CK mapping and other metadata. A reminder that you can check the dynamic MITRE ATT&CK mapping here.
August 31, 2022
Announcing the ability to define suppression as a part of D&R rules
LimaCharlie has added the ability to define suppression as a part of detection and response rules. This enables users to specify the maximum number of times a select action will trigger within a defined period. When that threshold is reached, LimaCharlie will suppress the action (that action will no longer take place).
For example, if the same event occurs on the same machine (or on different machines within the same tenant) again and again, you can suppress the duplicate alert for the user-specified time. Or, you can say “generate a LimaCharlie detection every time X happens but only send a PagerDuty alert once per hour”.
To learn more about this feature and how it can be used, check out this help article or visit our technical documentation.
August 16, 2022
LimaCharlie has added a new ingestion method for logs and telemetry coming from external sources - events in the AWS Simple Queue Service (SQS).
Other user experience enhancements in this release include:
Updated table aesthetics to include alternating color schemes
Fixed payload deletion flow that was showing a misleading ‘in-progress’ indication, suggesting all payloads were being deleted
Fixed bug causing repeating fields in output configuration
A number of Comms-related deletions – no changes to user experience
Removed pagination and applied table virtualization to Cloud Adapters for UI consistency and performance improvement for a large list of cloud adapters
Fixed bug with creating a false positive rule from detections that would sometimes suggest an existing name and override an existing rule
Added a support dropdown on the navigation (for non-custom branded domains only)
Updated default value for service requests to run synchronously, and not as a background task
Added a link to collect ideas for new external sources to be added as sensors on the sensor list
Added an Org token JWT onto the Rest API page
Migrated Org List and Switch Org List tables to be virtualized (no user impact)
Added helper text on billing summary to clarify that it’s not real-time (the billing summary is updated daily)
August 4, 2022
Billing for Payloads
Starting October 1, 2022, deploying Payloads via LimaCharlie will be priced at $0.19 per 1 GB of data sent. For example, a 1 GB payload sent to 10 endpoints will cost $1.90 (10 GB x $0.19).
This change will only impact organizations that leverage Payloads functionality, as well as Atomic Red Team, LimaCharlie Net installers & Dumper services (they are running as Payloads in LC).
To understand the impact on your organization, check the Metered Usage section of the Billing page. You will notice the new “Payload Data Sent” metric along with the size of payloads deployed and price. Note this price is shown for your information only; you won’t be charged for Payloads before October 1, 2022.
The reasoning for this update is that starting October 1, 2022, Google Cloud will start billing on outbound bandwidth from load balancers.
August 3, 2022
New Slack Audit Logs Sensor
We have added a new Slack sensor that allows the ingestion of Slack audit logs directly into LimaCharlie.
The Audit Logs API enables monitoring the audit events happening in an Enterprise Grid organization to ensure compliance, to prevent any inappropriate system access, and to allow security teams to audit suspicious behavior within their enterprise.
After Slack Audit Logs are ingested into LimaCharlie, you can have detection & response rules run on them at wire speed.
Get started by configuring a new sensor in the LimaCharlie web application. Note you need to be on the Enterprise Grid Slack plan to use this capability.
Other additions & updates include:
The chart under “vSensor Quota” on the billing page has been updated to show the high watermark of concurrently connected sensors (metric used for billing) instead of the total number of sensors online
Fixed a bug where Search modal didn’t close appropriately when selecting a link to the timeline event
Fixed a bug when Sensor tag search did not return correct results
Added a link to release notes to the “web app updated” banner pop up
July 27, 2022
User experience and performance enhancements
Made improvements to the main sensor list to enhance performance. While not noticeable for smaller lists, there was an increasing delay as the number of sensors grew. As a result we’ve also removed pagination on the sensor list.
Added groups to ‘users and roles’ page, so that users can see all accounts that have access to their organization through groups.
Added various descriptive text and helpful links onto the ‘install sensors’ page regarding how to check release notes, test new sensor versions, and configure sensors to auto-update
Updated Adapters list display to remove tags and reflect the status as 'enabled/disabled' vs 'online/offline'
Updated Adapter creation flow copy at completion to clarify differences between sensor and adapter completion
Increased timeout for searches related to the main search bar
Updated copy at org creation replacing ‘region’ with ‘data residency region’ for added clarity
Updated the edit Adapter modal to display descriptive placeholder text like the Adapter creation form
Fixed bug for seen D&R rules for WEL events in replay
Fixed bug where event select input was not displaying custom events on load
July 20, 2022
User experience and performance enhancements
The release focused on small user experience and performance enhancements.
Performance improvements to the detections list
Improved the dropdown performance for all dropdowns with a large list of items
Fixed a bug on removing group members where a user was briefly shown as a part of the group after having been removed
Use the new schema API to suggest possible Event Types based on the sensor type instead of the old static list
Added an error message that gets displayed when a user without the payload.use permission attempts to issue a command in the Console section
Added centering events timeline on the selected event when a user goes to the Timeline either from a URL they've copy pasted, or from the "View in Timeline" link from a Detection
Marked the "secret key" field required on the output setup step (it previously appeared under “advanced options”)
July 19, 2022
Support for Templating
We've started rolling out support for template strings to multiple areas of LimaCharlie. This allows you to customize what would normally be a literal string so that it now supports formatting based on the context of execution. In all cases, backwards compatibility should be maintained.
Detection names in the report action from D&R rules now support it, like:
- action: report
  name: Evil executable on {{ .routing.hostname }}
Tasking in the task action from D&R rules now supports it, like:
artifact_get {{ .event.FILE_PATH }}
The SMTP Output now supports a custom subject field that uses string templates. It also supports a new template parameter, which is a string template to use for the body of the email (either in plain text or HTML): https://doc.limacharlie.io/docs/documentation/4832b284c1cba-reference-destinations#smtp
The Slack Output supports 3 new parameters:
color: to specify the color of the "attachment" part of the Slack message.
message: a string template for the "message" part of the Slack message.
attachment_text: a string template for the "attachment" part of the Slack message.
Support for Transforms
Transforms are now available for all Outputs via the custom_transform field. A Transform allows you to specify an alternate format for the data sent from an Output. For example, this could be to customize a webhook format for a specific platform, as in the Google Chat example. Or it could be to simply pare down the data sent via the Output to only specific fields. Finally, it also allows you to create new fields in the Output that are either literal values or composite values (as a String Template). Detailed documentation and examples are available: https://doc.limacharlie.io/docs/documentation/279f9b83be51b-template-strings-and-transforms#transforms
July 14, 2022
Sensor 4.27.3
Linux File Integrity Monitoring now leverages eBPF support for better performance. This stops most usage of inotify by the sensor.
Enhanced reliability of inotify usage on Linux when eBPF is not available.
General CPU performance enhancements across all platforms.
Fixes possible issue with Netlink usage on Linux for process notification.
Fixes rare race conditions that could hang network connectivity during network outages.
July 13, 2022
Sigma Converter Service
LimaCharlie is happy to contribute to the Sigma Project (https://github.com/SigmaHQ/sigma) by maintaining the LimaCharlie Backend for Sigma, enabling most Sigma rules to be converted to the Detection & Response rule format.
A LimaCharlie Service is available to apply many of those converted rules with a single click to an Organization. For cases where you either have your own Sigma rules, or you would like to convert/apply specific rules yourself, the Sigma Converter service described below can help streamline the process.
The full documentation is available here: https://doc.limacharlie.io/docs/documentation/e77178b3c907d-sigma-converter
July 11, 2022
Sensor Versioning Tags
Certain Sensor Tags in LimaCharlie had a special meaning. For example, tagging a sensor with latest would update that single sensor to the latest sensor version.
We are now transitioning these tags to have the lc: prefix. The goal is to reduce the likelihood of someone applying these special tags without being aware of their meaning, with unintended consequences. Starting today, the following tags are supported in that fashion: lc:latest, lc:stable, lc:experimental, lc:no_kernel and lc:debug.
The old versions of these tags remain operational for now, but will be turned off on August 1st. If you rely on these tags, we suggest you transition to the new form.
More documentation here: https://doc.limacharlie.io/docs/documentation/770dee947cad5-sensor-tags#system-tags
July 6, 2022
The ability to reset password
LimaCharlie users can now reset their password without having to contact support.
Simply click on the Forgot your password? link and follow the steps to reset the password.
July 5, 2022
Schema Inspection
It is now possible to inspect the schema of events in LimaCharlie.
Documentation on the "learned" schema: https://doc.limacharlie.io/docs/documentation/b35cc8558d171-schema-inspection
API documentation: https://api.limacharlie.io/static/swagger/#/Schema
The schema provided is learned on a per-org basis since the data ingested in LimaCharlie can vary from tenant to tenant.
This new API can be useful when building integrations with external products requiring a strict schema.
July 4, 2022
Announcing the ability to bring in telemetry from external sources without having to host a LimaCharlie Adapter (aka “cloud to cloud”).
LimaCharlie allows security professionals to ingest logs or telemetry from any external source in real-time. It includes built-in parsing for popular formats, with the option to define your own for custom sources.
Prior to this release, if someone wanted to bring, say, Office 365 logs into LimaCharlie, they would need to run an Adapter on premises or in their own cloud. The Adapter would pull the data from the third party and send it to the LimaCharlie cloud.
Starting today, for cloud-based log sources such as GitHub, 1Password, GCP, VMWare Carbon Black EDR, you no longer have to download the installer and run the Adapter. Simply enter the API credentials in the web app and click “save”.
Log sources that are not hosted on the cloud, such as Syslog, will continue to require an Adapter to be run on premises.
To learn more or to get started, check out the help article: How do I ingest logs or telemetry from cloud-based external sources?
June 8, 2022
Sensor 4.27.2
Fix possible performance degradation issue on hosts with heavy process / network activity.
Report User of processes in Windows instead of the Owner (small distinction in some cases).
Report a specific error code on artifact_get where the file is empty (0 bytes).
May 31, 2022
GitHub Sensor
We have added a new GitHub sensor that allows the ingestion of GitHub audit logs directly into LimaCharlie.
GitHub enables a wide variety of powerful capabilities beyond managing a developer’s code, such as automating the deployment of cloud resources and “infrastructure-as-code”. Securing DevOps infrastructure is critical to prevent privilege escalations or malicious actors from taking control of the cloud deployments.
To ensure full observability, security, and compliance, GitHub Enterprise Server provides logs of audited system, user, organization, and repository events. These logs can now be ingested directly into LimaCharlie and have detection & response rules run on them at wire speed.
Get started by configuring a new sensor in the LimaCharlie web application.
May 26, 2022
New Outputs flag for storage optimization
We have added a new Outputs flag - 'Do not include routing' - which allows users to forward only the original logs to Outputs, excluding the routing label. This flag can be found under "Advanced Options" of the Output configuration.
This can be helpful for users wanting to use LimaCharlie for storage optimization since the routing label can add significant overhead. Watch the webinar recording to learn more about using LimaCharlie to reduce spending on Splunk and other high-cost security data solutions.
May 17, 2022
Updated 'Billing & Usage' Page
Along with several user experience enhancements released today, we have combined ‘Usage’ & ‘Billing’ pages into one - ‘Billing and Usage’ - to make it easy to manage the credit card and quota in one place.
May 13, 2022
Sensor 4.27.1
Fixes an issue on Linux eBPF that could result in unexpected data at the end of the FILE_PATH values.
May 4, 2022
Sensor 4.27.0
MacOS will now report MAC address
Fix issue where macOS machines on some network could have difficulty connecting to the cloud
Linux using eBPF will now acquire command lines directly from eBPF, eliminating race conditions for short-lived processes
April 27, 2022
Duo Sensor
We have added a new Duo Sensor.
By bringing the logs from Duo's cloud-based two-factor authentication services to LimaCharlie, companies can increase their visibility into the environment, meet compliance requirements and identify security risks.
Duo Sensor collects two types of Duo logs:
- Authentication Logs provide visibility into where and how users authenticate, including usernames, location, time, type of authentication factor, and more. This allows you to understand the normal behavior and identify potentially abnormal activity.
- Administrator Logs track the username, time, and type of administrator activity, including groups, user, integration, and device management. This allows you to track any admin changes and identify suspicious activity.
Org Templates
LimaCharlie organizations (Orgs) are tenants in the cloud, conceptually equivalent to "projects". When creating a new Org, you will now notice the following grouped offerings that activate LimaCharlie capabilities right from the get go:
Incident Response
Use open-source Sigma ruleset to receive detections
Collect Velociraptor artifacts through LimaCharlie
Automatically kickstart IR investigation powered by Sweep
Historical threat hunting powered by Replay
Extended Detection & Response Standard
Use open-source Sigma ruleset to receive detections
Run Atomic Red Team tests
Historical threat hunting powered by Replay
Extended Detection & Response Premium
Use curated Soteria MSSP ruleset to receive detections ($0.5 per vSensor per month; free on the free tier)
Run Atomic Red Team tests
Historical threat hunting powered by Replay
By pre-selecting some of these options for you, we hope to launch you right into our cloud capabilities and give you a sample of the dynamic offerings you can leverage here at LimaCharlie.
April 14, 2022
Real-time detections
LimaCharlie is proud to be operating at wire speed, whether we are talking about collecting events, sending data to other destinations via outputs, or anything else. As you know, round-trip times for detection and response to take place in LimaCharlie are generally under 100ms.
Until recently, however, detections would show up in a web app with a delay of about 1 minute (the detection and response on the endpoint happened instantly, but feedback in the UI was slightly delayed).
We are excited to share that now, detections will also appear in the web app in real-time.
April 1, 2022
New IoC Search & Removal of the old Search Page
We are excited to announce that you can now search for sensors and indicators of compromise (IoC) no matter where you are in the web app. By default, LimaCharlie will detect the IoC type from the search term, but you remain in control of the locations you want to look in. You have the option to search in all IoC types, or to select a specific type such as domain, user name, file hash and others.
We have also removed the old Search page. If you have any feedback or suggestions on how to make the Search even better - please let us know.
March 25, 2022
Introducing new Microsoft Defender Sensor
We have added a new Microsoft Defender Sensor.
Microsoft Defender has two value streams:
Defender for Cloud logs will come into LimaCharlie as one Microsoft Defender sensor.
Defender for Endpoints, on the other hand, will be mirrored as multiple sensors in LimaCharlie (similarly to the way we handle Carbon Black sensors).
Microsoft Defender is a usage-based sensor billed at $0.15 / GB.
Check this step-by-step guide to get started with Microsoft Defender log collection.
March 14, 2022
Introducing new Windows Event Log Sensor
We have added a new Windows Event Log Sensor.
There might be times when you would not want to deploy the LimaCharlie agent on the endpoint, but you would still like to connect Windows Event Logs from the system. With the addition of the Windows Event Log sensor that runs on the LimaCharlie Adapter, you now have the ability to do it. Check this step-by-step guide to get started with the WEL collection.
Introducing Google Cloud BigQuery output
LimaCharlie has added a new Google Cloud BigQuery output.
With the addition of the Google Cloud BigQuery output destination, LimaCharlie users can now output events and detections to a Google Cloud BigQuery Table to turn security data into valuable insights. Visit the technical doc or help doc for details or get started in the web app by navigating to the Outputs view.
February 25, 2022
Sensor 4.26.1
This is a minor update targeting Linux performance.
Fixes an issue where network tracking in Linux could result in uncapped memory usage.
February 22, 2022
Microsoft Office 365 sensor
We have added a new capability that allows users to bring Microsoft Office 365 logs into LimaCharlie. This gives security professionals more visibility into the cloud and allows them to have all security data in one place. As with all other LimaCharlie sensors, Microsoft Office 365 comes with one year of full telemetry storage, the ability to generate detections, and execute automations powered by LimaCharlie’s real-time Detection, Automation & Response engine. Some of the use cases Microsoft Office 365 addition enables are:
Monitoring global admin changes and specifically account creations of admin roles
Monitoring mass deletion of data such as emails or files, especially across multiple accounts
Monitoring changes in security configs
Monitoring logins from unexpected places that then perform data exfiltration tasks
Identifying email exfiltration
As LimaCharlie provides 1 year of full telemetry storage, it can also help organizations to satisfy their compliance requirements, and eliminate the need to purchase more expensive Microsoft Office 365 licenses.
Microsoft Office 365 sensor is billed on usage, at $0.15/GB (includes storage), similarly to our Syslog, AWS CloudTrail Logs, GCP Audit Logs, and 1Password sensors.
To get started, simply click “Add New Sensor” from the Sensors view of the web app. For a step-by-step guide, please visit our Help Center.
February 5, 2022
LimaCharlie Agent v4.26.0
This update brings significant changes under the hood to performance and reliability. It also brings Linux capabilities more on par with Windows and macOS.
Linux eBPF support for kernel 5.7+
Better performance for network connections and process notifications
File events now generated on Linux
Network isolation now supported
FIM still handled through inotify, but will be transitioning to eBPF in next release
Windows Kernel driver update
Should provide better performance around File IO tracking
February 3, 2022
New Sensors, vSensor & usage-based sensors
We have added six new sensors to receive telemetry from the external sources, which you can now configure in a few simple steps directly from the LimaCharlie web app. This allows you to bring in all of your security data into LimaCharlie, write detections on this data, take advantage of our 1 year data storage, and send what you need to the destinations of your choice via Outputs.
You will see Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event logs, and the VMWare Carbon Black EDR sensors.
The setup flow is simple:
When you go to Add a New Sensor & select/create an installation key, you will be taken to the page where you can select the executable for your architecture, the method you want to use to pull your data and the method-specific parameters. We will give you a command line to run the adapter.
We have introduced a definition of vSensor. vSensor (virtual sensor) represents a unified way of managing your capacity for all sensor types. You can find more information here. Essentially, nothing changes for any of the existing users leveraging our EDR sensors (just where you saw the word "Sensor" in quota is now "vSensor").
This change becomes relevant once you want to use the VMWare Carbon Black EDR sensor as it will only use 0.2 vSensor value. Therefore it will cost $0.5/month for one VMWare Carbon Black (includes 1 year full telemetry storage)
We are also officially introducing the usage-based sensors: Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event log sensors. Logs & data from other external sources are also billed based on usage. The price is set to $0.15 / GB for all usage-based sensors. You can learn more here.
February 1, 2022
D&R Rules detection Target
In an effort to better formalize mechanisms in a way that is more intuitive, we've changed the way you can create Detections from other Detections. As a reminder, this feature enables use cases like adding new responses to pre-existing D&R rules. For example, you could add an isolate network response to a Sigma detection. The legacy mechanism relied on using a _DETECTION-NAME (the _ prefix followed by the name of the Detection in all capital letters).
The new mechanism reuses the concept of target that allows you to run D&R rules on things like deployment events. We're introducing a detection target, like: target: detection, that tells LimaCharlie you intend to apply this rule to Detections. When using this target, the `event: ` or `events: ` statements refer to the Detection name you wish to apply the rule to.
More documentation is available here. Don't worry though, if you are using the old-style of rule for Detections, all your rules will work as-is. We're converting them automatically to the new format in the backend. So you can take your time in porting them to the new style at your pace.
Sigma Source
We've recently changed the source of our Sigma CI/CD pipeline behind the sigma Service. You can now find the D&R rules part of the Sigma Service here. This should not have any impact on current operations, but you may see some errors pop up in your Platform Logs Errors today as the switch over coincides with some fixes to the Sigma --> D&R conversion.
January 11, 2022
Tailored Outputs & Advanced Search Update
We released a new type of Output stream called tailored. It allows users to send specific events, as defined by D&R rule actions, to the Output. The goal of this feature is to allow more granularity on the events sent to an Output compared to the basic filters available in the traditional Output streams. Documentation can be accessed here.
Additionally, our latest release includes an enhancement of our search feature. Once inside an organization, you now route to Search via Dashboard. Upon clicking the top-right search bar, a module opens with options to filter a search for Sensors or Indicators within that org. Search results display the number of hosts where the indicator has been seen today, this week, this month and this year. Diving deeper into View Locations displays the first and last time it was observed on each host.
December 17, 2021
Velociraptor Service Beta
We have released a beta of the velociraptor service. This service will automate the deployment, running and collection of Velociraptor Artifacts. It supports 3 actions:
list to show all built-in Artifacts the latest release of Velociraptor supports
show to display usage of a specific built-in Artifact
collect to trigger an actual collection of Artifacts
The service requires the reliable-tasking service to be installed (so that Velociraptor can collect at large scale even if some endpoints are offline). The service supports built-in Artifacts but also deploying custom Artifact YAML config files.
This beta does not have a custom web UI. To use it:
subscribe to the service
go to the Service Request section
select the velociraptor tab
turn off the Run as background job toggle to see results immediately
select the action collect
select an artifact_name from the list
select a sensor (or tag) to identify where to collect from
December 14, 2021
Web-app Updates & Billing Redesign
The Timeline of a sensor's events has received some performance improvements as well as a facelift: there's much more space in there to look at the content of events. We made the tree view optional, enabling Timeline to be used as a more general log viewer for ingested logs from external sources (GCP, 1Password, etc.) We've also removed the default event filters when you visit Timeline, so it's up to you how you want to narrow your search.
The list of D&R Rules will look a little different (no more paragraphs of text next to it) and will also be a lot faster if you have a large number of rules
Same as above with False Positive Rules
Added a confirmation step when closing most dialogs to make sure we don't accidentally lose input
Several other small bug fixes and tweaks
We heard from many of our users that it was often hard to tell what they were going to pay, so we designed two new pages to help with that: Usage and Billing. Front and center on the Usage page are the org's Quota Rate and Metered Usage. Quota Rate is calculated as (base cost per sensor + add-ons cost per sensor) * quota. Metered Usage sums up pay-per-use features such as Replay or Artifact Collection. Adding Quota Rate + Metered Usage together should give a good estimate of how an org's bill is trending. The Billing page is where you can view / edit payment method and delete your org, if required.
Other highlights:
Chart to see peak online sensors vs your quota
Chart + table breakdown of all metered usage
It's now possible to see if there's an existing payment method, including customers who are on unified billing
November 29, 2021
Sensor v4.25.5
Fixes stability issues with running on hardened/customized versions of Linux.
Fixes rare deadlocks when unloading a sensor.
Enhances the performance of the Process List (os_processes) and Network (netstat) views in the webapp for Windows and macOS (Linux will soon follow with eBPF support). This is done by better caching on the sensor. The initial listing request when a sensor starts will still have a cold start that can take up to a minute; follow-on listings will be much quicker.
November 16, 2021
Chromium Sensor Update
The Chromium sensor has been updated and has been published to the Google Chrome Web Store and Microsoft Edge Add-ons store.
Old version 1.2.0
New version 1.3.0
Notable change: bug fix for atom generation so it now produces good per-request atoms that play nicely in the Timeline.
No user action is required as the extension should automatically be updated.
November 14, 2021
UX Improvements
We listen to your feedback & continue to make the LimaCharlie experience easier and more intuitive. Sometimes it requires small tweaks and enhancements; at other times it warrants larger redesigns. In this release, we have made changes to the following parts of the experience:
Exfil Control
Yara Scanning
Artifact Collection
It should now be easier to understand how they work, what configuration options are available, and how to get them set up quickly. Also, Org Descriptions are now visible on the Organizations list.
November 8, 2021
Sensor v4.25.4
Fixes to the IS_OUTGOING flag in NETWORK_ACTIVITY on certain platforms.
Support for a new sensor tag put to allow users to put a specific Payload on disk without executing it or deleting it after it has been written.
Fixed an issue that could result in a sensor crash of macOS during sensor network isolation.
The USER_OBSERVED event is now regenerated every 24h. This can help build UEBA detections in a more reliable way.
Fixing certain network connections on macOS showing an invalid local IP.
November 1, 2021
Outputs UX Improvements
Forwarding data directly out of LimaCharlie in real-time using Outputs is one of the capabilities we're most proud of at LimaCharlie. It gives you the freedom to collect telemetry and fit LimaCharlie into your existing infrastructure however makes sense for your org.
Setting them up just got way easier. We've redesigned the flow for adding new outputs and configuring existing ones so that you can see at-a-glance what data streams are available, what destinations are supported, what's required to get data streaming into your destination of choice, and samples of what data you should expect to receive.
October 11, 2021
Web-app Onboarding & 'Add Sensor' flow
We've deployed a new web-app onboarding flow to make it easier to get started with LimaCharlie, from creating a new organization to seeing your first sensor deployed.
The most important part of this is the Add Sensor flow which you can find from the Sensors page. No more jumping between pages for keys / downloads / checking for successful deployments. None of the old stuff has changed yet so don't worry if you've got a flow that you're happy with.
However, if you use groups to manage user permissions across organizations, you may also notice the groups are missing from the front page of the app. We wanted to focus the front page on orgs, so groups got moved. You can find them inside the menu under "Manage Groups".
October 7, 2021
Enhanced Rule Validation
We've deployed enhanced rule validation for D&R rules. Previously we had some cases where we did not validate the structure of a rule until runtime, and in some cases without producing errors.
The new validation means you may start seeing errors when pushing rules to LimaCharlie from rules which previously did not generate errors, if those rules do in fact contain errors. This does not prevent previously working rules from working; it merely highlights rules that were already having issues.
September 30, 2021
Sensor v4.25.3
Fixes issues in the File IO reporting on Windows that could lead to missed events.
Minor fix to the run command that could lead to issues in some automation scenarios.
Stable Version Now 4.25.2
We've moved the official "Stable" version to 4.25.2, which has been running without major issues.
This will not upgrade any Organizations automatically, it will only move the labeled versions used when you trigger a sensor version upgrade from the web interface.
August 25, 2021
Replaying and Testing D&R Rules in the web app
Hey all! Following the revamp we did to Replay, we wanted to do some integration in the web app to shorten the feedback loop when writing rules. We ended up basically redesigning the D&R rule editing experience. Some things you might notice:
Full page editors for both D&R and FP rules
Draft rules for both of them, too
Ability to Replay rules both from the list or from the editor, testing them against historical data or directly passed events
Timeline events have a Start D&R Rule action which takes you to the editor with the event handy for testing
Check out our demo. Let us know if you have any issues or feedback!
August 2, 2021
Artifact Ingestion IP
The ingestion path for Artifact Ingestion is now using a static IP address across all clusters.
This means that the IP address that the service domain resolves to, like b76093c3662d5b4f.ingest.limacharlie.io, now resolves to a single IP address that is static. This makes it simpler to whitelist the IP across your networks.
July 28, 2021
Replay Revamp
Over the weekend, we will be completing the deployment of a major revamp to Replay.
vastly enhanced performance and reliability
will use the latest version of the D&R engine
will support very large scale replay jobs with more ease
better stats on jobs
Replay will become a cornerstone of D&R rules development as we integrate it for live feedback throughout the web app
This move requires updating a few moving pieces:
Python SDK
Replay Service
Relay backend
This means that the state of Replay during the weekend will be in flux. Please let us know if this may be causing you issues.
July 22, 2021
New Events Stateful Parameter
This new stateful parameter now allows you to create stateful rules at the Sensor level (instead of the Process level).
This enables, for example, the detection of N number of bad authentications from Windows Event Logs with T amount of time.
See the doc for more: https://doc.limacharlie.io/docs/documentation/docs/dr.md#sensor-level
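To make the sensor-level semantic concrete, here is an added example (not LimaCharlie code and not its D&R engine) that counts failed-logon events, EventID 4625 read at event/EVENT/System/EventID as in the real-time WEL format shown further down this page, per sensor inside a sliding window, regardless of which process produced them. The sensor id at routing/sid and the ts format are assumptions, and the event stream is constructed.

```python
"""Sensor-level stateful counting over real-time WEL events (added example).

This is not the LimaCharlie D&R engine; it reproduces the semantic the
note describes (N matching events on the same sensor within T seconds,
regardless of which process produced them) so the windowing can be
inspected offline.
Assumptions: the sensor id lives at routing/sid and ts is formatted
"YYYY-MM-DD HH:MM:SS" as in the WEL sample elsewhere on this page.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone


def event_id(ev):
    """EventID as ingested at event/EVENT/System/EventID (a string)."""
    return ev.get("event", {}).get("EVENT", {}).get("System", {}).get("EventID")


def event_ts(ev):
    """Epoch seconds from the page-style ts string."""
    return datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


class SensorWindowCounter:
    """Per sensor, keep the timestamps of matching events in the last `within` seconds."""

    def __init__(self, match, count, within):
        self.match, self.count, self.within = match, count, within
        self.seen = defaultdict(deque)

    def feed(self, ev):
        """True when ev is the count-th match inside the window on its sensor."""
        if not self.match(ev):
            return False
        sid = ev["routing"]["sid"]
        now = event_ts(ev)
        window = self.seen[sid]
        window.append(now)
        while window and now - window[0] > self.within:
            window.popleft()          # drop matches that fell out of the window
        return len(window) >= self.count


def failed_logon(ev):
    return event_id(ev) == "4625"


def wel(sid, ts, eid):
    """Constructed event in the shape of the page's WEL sample, trimmed."""
    return {"event": {"EVENT": {"System": {"Channel": "Security", "EventID": eid}}},
            "routing": {"sid": sid}, "ts": ts}


# Constructed stream: two sensors, one success interleaved, one late straggler.
SAMPLE = [
    wel("sensor-a", "2021-03-15 02:55:10", "4625"),
    wel("sensor-a", "2021-03-15 02:55:20", "4625"),
    wel("sensor-b", "2021-03-15 02:55:21", "4625"),   # other sensor, counted separately
    wel("sensor-a", "2021-03-15 02:55:30", "4624"),   # successful logon, ignored
    wel("sensor-a", "2021-03-15 02:55:40", "4625"),   # third failure on sensor-a in 60s
    wel("sensor-a", "2021-03-15 02:57:00", "4625"),   # window has slid, back to one
]


def run(events, count=3, within=60):
    """Return (sid, ts) for each event on which the threshold is reached."""
    counter = SensorWindowCounter(failed_logon, count, within)
    return [(ev["routing"]["sid"], ev["ts"]) for ev in events if counter.feed(ev)]


if __name__ == "__main__":
    print(run(SAMPLE))
```

Events must be fed in time order; the counter does not reset after firing, so every further match inside the window fires again, which is the behaviour you want to think about when choosing a respond action that suppresses duplicates.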
LimaCharlie 2FA
You will now be able to add a 2FA step to the LimaCharlie authentication on top of whatever settings your auth provider uses.
By heading into the User Profile, you'll be able to enroll yourself.
The initial rollout will only support SMS based 2FA, although we intend to add more over time.
Why is it limited to SMS? Simply put, we're very conscious of the complexity of authentication in general, and for that reason we use Firebase Authentication, which in turn integrates many auth providers like Google, Microsoft and Github. By leveraging Firebase for this, we can ensure that the implementation is rock solid. Unfortunately, Firebase does not yet support other forms of 2FA, but it's on their road map, and when they roll it out, we will support it right away.
We considered doing our own implementation, but decided against it for the current time. We strongly encourage you to use solid auth providers like Google and Office365 which support their own 2FA and anomaly detection. This new 2FA is either an extra-secure step on top of your provider; or a stop gap solution if you want to use email based authentication without a provider.
July 19, 2021
New D&R Rule Operator: Scope
We've introduced a new operator to D&R rules: scope. This allows you to scope the path of all sub-rules to a specified sub-path. More concretely, this allows for rules that target specific sub-parts of the event, like in the case of NETWORK_CONNECTIONS events.
More details: https://doc.limacharlie.io/docs/documentation/docs/dr.md#scope
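As an added illustration (not LimaCharlie's engine; the scope layout of a path plus a nested rule is my reading of the linked docs, not copied from them), this minimal evaluator shows why scoping matters on an event that carries a list: without scope, an and of two conditions on event/NETWORK_ACTIVITY/... can be satisfied by two different connections, while inside a scope every sub-rule is tested against the same element. The NETWORK_ACTIVITY and DESTINATION field names are assumed and the event is constructed.

```python
"""The `scope` operator on a list-bearing event (added example).

Not LimaCharlie's rule engine: a minimal evaluator for `is`, `and`, `or`
and `scope`, written to show the difference between testing sub-rules
against the whole event and testing them inside a scope. The scope layout
(a path plus a nested rule) is my reading of the linked docs; the
NETWORK_ACTIVITY/DESTINATION field names and the event are assumed.
"""


def resolve(obj, path):
    """Walk a slash-separated path; a list on the way fans out to every element."""
    values = [obj]
    for part in [p for p in path.split("/") if p]:
        nxt = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        values = nxt
    out = []
    for v in values:              # a path ending on a list yields its elements
        out.extend(v if isinstance(v, list) else [v])
    return out


def evaluate(rule, obj):
    """Evaluate a rule dict against obj (the event, or a scoped element)."""
    op = rule["op"]
    if op == "is":
        return any(v == rule["value"] for v in resolve(obj, rule["path"]))
    if op == "and":
        return all(evaluate(r, obj) for r in rule["rules"])
    if op == "or":
        return any(evaluate(r, obj) for r in rule["rules"])
    if op == "scope":
        # re-root the nested rule on each element of the scoped path; the
        # sub-rules' relative paths therefore all refer to the same element
        return any(evaluate(rule["rule"], elem) for elem in resolve(obj, rule["path"]))
    raise ValueError(f"unsupported op {op!r}")


# Constructed NETWORK_CONNECTIONS event with two connections.
SAMPLE = {
    "routing": {"event_type": "NETWORK_CONNECTIONS"},
    "event": {"NETWORK_ACTIVITY": [
        {"DESTINATION": {"IP_ADDRESS": "10.0.0.5", "PORT": 445}},
        {"DESTINATION": {"IP_ADDRESS": "203.0.113.9", "PORT": 443}},
    ]},
}

# Without scope each condition is satisfied independently by any element.
UNSCOPED = {"op": "and", "rules": [
    {"op": "is", "path": "event/NETWORK_ACTIVITY/DESTINATION/PORT", "value": 445},
    {"op": "is", "path": "event/NETWORK_ACTIVITY/DESTINATION/IP_ADDRESS", "value": "203.0.113.9"},
]}


def scoped_rule(ip, port):
    """Port-plus-address rule that must hold on one and the same connection."""
    return {"op": "scope", "path": "event/NETWORK_ACTIVITY/", "rule": {"op": "and", "rules": [
        {"op": "is", "path": "DESTINATION/PORT", "value": port},
        {"op": "is", "path": "DESTINATION/IP_ADDRESS", "value": ip},
    ]}}


if __name__ == "__main__":
    print(evaluate(UNSCOPED, SAMPLE))                          # True: matched across two connections
    print(evaluate(scoped_rule("203.0.113.9", 445), SAMPLE))   # False: no single connection matches
    print(evaluate(scoped_rule("10.0.0.5", 445), SAMPLE))      # True
```

The unscoped rule is the false positive to watch for: port 445 came from one connection and the address from another, so a rule meant to catch "SMB to this host" fires on an event that contains no such connection.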
July 14, 2021
Webhook Output Compression change
This is a minor update that could have an impact if you use webhook or webhook_bulk Outputs along with compression enabled.
We've fixed the behavior of compression on the HTTP headers of those outputs. When the change is deployed, these outputs using compression will now receive the headers:
content-type: application/json
content-encoding: gzip
whereas before the fix they would only receive content-type: application/octet-stream.
This change will enable various receiving webservers to strip the gzip encoding automatically. Practically, it means you will be able to, for example, use webhook_bulk with compression enabled to send data to the logz.io REST API directly.
In most cases, this should not have an impact. However if you are receiving compressed webhooks via a server that automatically removed gzip encoding, then the content of your webhooks will be automatically decoded.
This change will be deployed in the coming days. As always, please let us know if you have any issues or concerns.
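Added example of how a receiving endpoint of your own can cope with both header shapes; it is not LimaCharlie code and it is not the logz.io API. It assumes the decompressed body is JSON (an object for webhook, an array for webhook_bulk, with newline-delimited JSON accepted as a fallback), and the deliveries it decodes are constructed.

```python
"""Receiving compressed webhook / webhook_bulk deliveries (added example).

Not LimaCharlie code: a decoder that accepts the post-fix headers
(content-encoding: gzip), the pre-fix shape (gzip body labelled only as
application/octet-stream, detected via the gzip magic bytes) and a body
that a front proxy has already decoded. Assumes the uncompressed body is
JSON; newline-delimited JSON is accepted as a fallback framing.
"""
import gzip
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

GZIP_MAGIC = b"\x1f\x8b"


def decode_webhook_body(headers, body):
    """Return the parsed JSON payload of one delivery, whatever the header shape."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    if hdrs.get("content-encoding") == "gzip":
        body = gzip.decompress(body)          # post-fix: encoding is declared
    elif body[:2] == GZIP_MAGIC:
        body = gzip.decompress(body)          # pre-fix: gzip behind application/octet-stream
    # otherwise: plain JSON, or a proxy in front already removed the encoding
    text = body.decode("utf-8")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal receiver; replace the loop body with your own pipeline."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        payload = decode_webhook_body(dict(self.headers), self.rfile.read(length))
        events = payload if isinstance(payload, list) else [payload]
        for ev in events:
            self.log_message("event type %s", ev.get("routing", {}).get("event_type", "?"))
        self.send_response(200)
        self.end_headers()


# Constructed events in the routing/event shape used by LimaCharlie outputs.
SAMPLE_EVENTS = [
    {"routing": {"event_type": "DNS_REQUEST", "hostname": "host-1"},
     "event": {"DOMAIN_NAME": "example.com"}},
    {"routing": {"event_type": "NEW_PROCESS", "hostname": "host-1"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe"}},
]


def deliver_before_fix():
    """Constructed pre-fix delivery: gzip body, octet-stream only."""
    return ({"Content-Type": "application/octet-stream"},
            gzip.compress(json.dumps(SAMPLE_EVENTS).encode()))


def deliver_after_fix():
    """Constructed post-fix delivery: json + content-encoding: gzip."""
    return ({"Content-Type": "application/json", "Content-Encoding": "gzip"},
            gzip.compress(json.dumps(SAMPLE_EVENTS).encode()))


def deliver_via_decoding_proxy():
    """Constructed delivery after a proxy stripped the gzip encoding."""
    return ({"Content-Type": "application/json"}, json.dumps(SAMPLE_EVENTS).encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The magic-byte check is what keeps a receiver written today working against deliveries from before the fix, and the no-op path covers the caveat above about servers that decode gzip on the way in.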
July 9, 2021
Slack Output Documentation
Since the move by Slack to deprecate Legacy tokens, we had not updated our documentation on getting the Slack Output working. We've now remedied that: https://doc.limacharlie.io/docs/documentation/docs/outputs.md#slack
Time Zone Preference
You can now select your preferred time zone in the web app! Go to Settings inside your User Profile and you can choose which time zone you'd prefer to see timestamps formatted in. Check it out!
https://www.reddit.com/r/limacharlieio/comments/oh5s6p/time_zone_preference_in_the_web_app/
July 8, 2021
WEL Event Format
If you have not built D&R rules for real-time Windows Event Logs, you can stop reading.
It's recently come to our attention that some Windows Event Logs, as ingested through the real-time mechanism (https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#from-real-time-events) may be formatted slightly differently from what was intended.
Specifically, in some cases, some events could have an extra Event envelope. The correct path generated is event/EVENT/System, for example, and in the badly formatted events you would have event/EVENT/Event/System.
This error was due to some variable structures in the Windows Event Logs that we'd missed as part of the normalization step.
All Sigma rules automatically generated by LimaCharlie use the correct path, so unless you've created your own rules specifically for the real-time Windows Event Log events, there should be no impact.
Given the low expected impact, we intend to deploy the fix to all clusters tomorrow. If this has an impact on your operations please get in touch with us so we can evaluate the impact vs the impact from mismatched Sigma rules.
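If you did write your own rules against the real-time WEL events before the fix, here is an added helper (not LimaCharlie code) that lifts a stray Event envelope so both shapes resolve at the intended event/EVENT/System path; applying it to a correctly shaped event is a no-op. The sample events are constructed and trimmed to the fields involved.

```python
"""Tolerating the stray WEL envelope (added example, not LimaCharlie code).

Lifts event/EVENT/Event/* up to event/EVENT/* so a rule written for the
intended path also matches events produced before the fix; applying it
to a correctly shaped event changes nothing. Samples are constructed
and trimmed to the fields involved.
"""
import copy


def get_path(ev, path):
    """Return the value at a slash-separated path, or None if absent."""
    cur = ev
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize_wel_envelope(ev):
    """Return a copy of ev with any extra Event envelope removed."""
    ev = copy.deepcopy(ev)
    wrapped = get_path(ev, "event/EVENT")
    inner = wrapped.get("Event") if isinstance(wrapped, dict) else None
    if isinstance(inner, dict) and "System" in inner:
        for key, value in inner.items():
            wrapped.setdefault(key, value)   # keep already-lifted keys if both exist
        del wrapped["Event"]
    return ev


# Constructed: the intended shape and the pre-fix shape of the same event.
GOOD = {"event": {"EVENT": {
    "EventData": {"SubjectUserName": "testuser"},
    "System": {"Channel": "Security", "EventID": "4625"},
}}}

BAD = {"event": {"EVENT": {"Event": {
    "EventData": {"SubjectUserName": "testuser"},
    "System": {"Channel": "Security", "EventID": "4625"},
}}}}


def event_id(ev):
    """The field a rule would read at event/EVENT/System/EventID, for either shape."""
    return get_path(normalize_wel_envelope(ev), "event/EVENT/System/EventID")
```

The check for a System key under the envelope is deliberate: it keeps the helper from touching an unrelated field that happens to be named Event.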
July 7, 2021
We have added a new course to our free learning platform that walks users through the LimaCharlie Add-on Marketplace. Learn how easy it is to get new superpowers or create your own: https://edu.limacharlie.io/courses/exploring-the-add-on-marketplace
July 6, 2021
Infrastructure Service
As outlined in this post on our blog: https://www.limacharlie.io/blog/2021/7/6/infrastructure-service
We've released a new Service called infrastructure-service: https://app.limacharlie.io/add-ons/detail/infrastructure-service
We see Infrastructure as Code (IaC) in LimaCharlie as one of our super powers. But we know sometimes it's not the most convenient approach to apply quick IaC templates. This service now allows you to do what you used to do using the CLI, but through the service and its API. On top of the API it provides, it also has its own section in the web UI that makes it easy to copy/paste your org's current configuration for backup, transfer to another org or tweaking.
We plan to make use of this service and IaC even more in the future by providing "templates" you'll be able to apply very easily to your new orgs, and also to use IaC as a fast and reliable way to communicate/apply features and automation in LimaCharlie that involves multiple components (like a FIM rule + several D&R rules for example).
It's also worth noting that this service is now enabled by default on all new organizations to make it easier to bootstrap IaC deployments on new orgs.
June 30, 2021
Net Telemetry
Two new Policy types are available for Net: dns-tracking and conn-tracking.
These new policies, when applied, will generate DNS_REQUEST and NETWORK_CONNECTIONS events for the Net sensor they are applied to.
Those events will make their way in real-time into LimaCharlie:
they will be visible and retained in the Timeline of the Net sensor
they will be visible in the Live Feed section of the Net sensor
they will go through the D&R rules
https://doc.limacharlie.io/docs/documentation/docs/lc-net.md#dns-tracking
June 29, 2021
In an industry first, LimaCharlie is introducing a pure usage-based billing scheme for its EDR capability. Deploy a full-featured, cross-platform agent for as little as $0.02 an endpoint. Read about what this means for cybersecurity: https://www.limacharlie.io/blog/2021/6/29/an-industry-first
June 17, 2021
Sensor v4.25.1
Enhanced hashing on Windows.
More reliable process parent/child tracking under load.
June 8, 2021
New Add-ons Marketplace
We've done a redesign of our add-on browsing / management experience! Some highlights:
Add-ons now live in a marketplace which you can browse anytime, specifying which org(s) you want to subscribe to add-ons
Add-ons are now searchable! Both from the marketplace and within orgs
Add-on authors now get separate preview descriptions & full markdown descriptions to better promote their add-ons
We've done a content audit to make sure our published add-ons are as descriptive as possible so everyone can set them up and use them
The Add-ons view within orgs is now a focused list of add-ons that are currently enabled in that org
Detection add-ons are now marked for deprecation, meaning we don't show them in the new marketplace. We feel that managed rule sets via Service add-ons are a better experience overall since you can simply enable them with no extra steps
Here's a quick tour if you'd like the guided version.
June 2, 2021
VirusTotal API
We've updated the lcr://api/vt API that can be used in D&R rules to support Domains and IPs on top of the existing Hashes support.
Usage is exactly as before, the value provided in the lookup will automatically be detected to be a Domain, IP or Hash.
Here is an example of a rule that runs the VirusTotal lookup on DNS requests and fires when the metadata returned for the domain has more than 4 entries (the metadata_rules are evaluated against the lookup result; path / is its root, and length of: true compares its length rather than its value):
event: DNS_REQUEST
op: lookup
path: event/DOMAIN_NAME
resource: lcr://api/vt
metadata_rules:
  op: is greater than
  path: /
  value: 4
  length of: true
May 26, 2021
Sensor v4.25.0
The minor version change is the result not of new functionality in this release, but in the update to libYara included. As this was a major update and it is an external library we wanted to be cautious in letting people know of the change.
Updated libYara
Fix to macOS User Mode (without the Apple Endpoint Security Extension) process tracking that could result in high CPU during sensor updates.
May 12, 2021
Sensor v4.24.3
Linux:
File Integrity Monitoring on Linux has had fixes to support wildcards in paths like /home/*/.ssh/* without impacting system performance like before.
macOS:
You will no longer see the RPHCP.app appear in the Recent Applications section of the Dock after a restart
We now provide better “silent” installations for enterprise deployments using a preference file (the RPHCP.app won’t prompt you with the Install button if you’ve used an MDM profile and place the preference file in the /Library/Preferences folder)
May 9, 2021
Apple Binary/XML Plist Support
The Artifact Ingestion system now supports Apple Binary (and XML etc) PLISTs. Ingesting them will produce a parsed version in JSON which you can alert on using the D&R rules engine, similarly to Windows Event Logs and others.
May 6, 2021
Web App Update
Sensor View
We've been working on making it easier to navigate & interact with the data for each individual sensor. To that end, we've deepened the navigation so you can drill down into a Sensor in the web app to access available data as well as take action from one place. Just click a Sensor from the list within an org and you'll see the new view.
Today you'll be able to see Overview, Artifacts, Timeline, Console, and Processes accessible from this view (Console pictured below). The intention is to deprecate Live View and consolidate most of its functionality into this new one-stop-shop for everything on a Sensor. We're still working on finishing Processes and will be working on bringing File System and Network Connections into this view next.
Artifacts
We've created a new page, accessible from the Sidebar, for viewing all Artifacts within an Organization. The Artifact Collection page is now just for configuring rules, and there's no longer a need to open up a separate window to view & filter collected Artifacts.
April 26, 2021
Web App Historical/Timeline
Clicking on a Sensor in the Sensor List now brings you into a more complete view of all the information about that Sensor, including the Timeline (historical view) and the Live Console. This means the Historical view button has been moved to the sidebar menu found by clicking on a specific Sensor.
As we keep refactoring things you'll find more and more Sensor-specific views in this Sensor section.
This also comes with a change in the URL for these views. The historical URL now looks like /orgs/OID/sensors/SID/timeline. The links generated in the Detections have also been adjusted to point to this new path.
April 13, 2021
EXP Datacenter Decommissioning
The "Experimental" Datacenter will be decommissioned from General Availability on Friday (April 16, 2021). We reached out privately to users who had small deployments on this datacenter a few weeks ago, so we don't expect this announcement to have an impact on anyone. We just wanted to have it on the record for transparency, or for those who noticed it gone from the list of datacenters.
April 8, 2021
Webapp - Event Explorer Rewrite
If you use explorer to dig into Sensors' event histories, this is for you! We rewrote the Explorer view to have improved performance, UX, and consistency of how event trees are constructed. It should feel familiar, but more approachable.
Some of its features:
The view is still at its core a browsable list of events, anchored at a chosen point in time. Clicking an event selects it for the viewer to show related events in a tree graph, as well as details of the raw event.
The URL contains the exact state of the filters and event tree you're looking at. Feel free to share with a colleague!
The keyboard controls have been expanded upon. There's a helpful Controls button to get you familiarized.
We hope it feels solid for you! Any feedback and bug reports are welcome.
April 5, 2021
Sigma Service & Live Windows Event Logs
Since a few days ago, the Sigma Service now generates Windows Event Logs based D&R rules that apply to Live Windows Event Logs (as announced March 16) on top of the previously-supported Artifact-based (files) Windows Event Logs.
This means that as you switch to using Live WEL, you will keep the coverage provided by Sigma.
As usual, the Sigma D&R rules used are available here for transparency: https://github.com/refractionPOINT/sigma/tree/lc-rules/lc-rules
Sensor v4.24.2
Enhanced performance with network tracking on Linux Docker environments.
Tweaks to process termination increasing reliability of the ordering of some events, leading to better stateful detection and parent->child ordering of events.
Note: with this release we are also bumping up the Stable version to 4.24.1.
March 22, 2021
Sensor v4.24.1
Fixes a possible memory leak that could occur in certain rare cases on Linux / Docker environments.
Fix also enhances memory and CPU performance a little bit on all platforms.
March 15, 2021
Preview: Real-time Windows Event Logs
We will be rolling out a major new feature early this week: the ability to capture Windows Event Logs (WEL) in real-time. Windows 2008 and above will be supported as we rely on APIs introduced then.
The new events will be received just like any normal LimaCharlie event, encapsulated in an event of type WEL. Like the collection of WEL on disk, the real-time WEL collection contains the JSON form of each event. This means that with this feature, you will be able to write normal EDR-based D&R rules for WEL, including using stateful rules between WEL and first-class LimaCharlie events.
The collection will still be configured from the Artifact Collection menu, by specifying a path of the form "wel://<log-source>:<log-filter>" as opposed to a traditional file path of a log file to collect. The collection will have a billing component (exact amount TBD) per number of events, since collection can vary wildly depending on tenant.
Example configuration:
wel://Security:*
Example event:
{
"event": {
"EVENT": {
"EventData": {
"ClientProcessId": "5136",
"CountOfCredentialsReturned": "0",
"ProcessCreationTime": "2021-03-15T02:55:19.2369319Z",
"ReadOperation": "%%8100",
"ReturnCode": "3221226021",
"SubjectDomainName": "WIN-5GD8E0AG2OD",
"SubjectLogonId": "0x1b8de",
"SubjectUserName": "testuser",
"SubjectUserSid": "S-1-5-21-4156042152-1734453135-989269774-1000",
"TargetName": "MicrosoftAccount:user=02rlaxvkrpaxteab",
"Type": "0"
},
"System": {
"Channel": "Security",
"Computer": "WIN-5GD8E0AG2OD",
"Correlation": {
"ActivityID": "{cc484453-193e-0001-fe44-48cc3e19d701}"
},
"EventID": "5379",
"EventRecordID": "41750",
"Execution": {
"ProcessID": "664",
"ThreadID": "748"
},
"Keywords": "0x8020000000000000",
"Level": "0",
"Opcode": "0",
"Provider": {
"Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"Name": "Microsoft-Windows-Security-Auditing"
},
"Security": "",
"Task": "13824",
"TimeCreated": {
"SystemTime": "2021-03-15T02:55:21.9656464Z"
},
"Version": "0"
}
}
},
"routing": {
...
},
"ts": "2021-03-15 02:55:22"
}
Documentation: https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#from-real-time-events
March 13, 2021
We’ve rolled out a change that lets you stay logged into LimaCharlie across browser tabs. This is on by default. You can change this in the LimaCharlie web application within Settings -> View User Profile -> Settings -> Allow Session Across Browser Tabs
March 1, 2021
White Label Changes
To those who use LimaCharlie's white label functionality -- we've just pushed out visual changes for your sites. Highlights:
Installation Keys & Sensor Downloads now appear together in a new section called Install Sensors
Incident Response moved from sidebar to the Sensors section
Menu reorganization
For more information please refer to our blog post: https://www.limacharlie.io/blog/2021/2/6/visual-changes-coming-soon-to-the-limacharlie-web-application
February 24, 2021
Web App Changes
We've just pushed a major update to the Sensors List. We feel it's a lot better than it used to be. Cosmetic and performance changes.
February 17, 2021
Python SDK/CLI v3.18.0
Added support for lc-net Policies to the Configs CLI to manage the policies through config files.
Added the
--all
flag tolimacharlie configs
to sync all types.Produce warning on
limacharlie config
if no config type to fetch/push is specified.
February 13, 2021
D&R Rules Changes:
We’ve introduced Time Descriptors to D&R Rules. These enable you to specify very custom time of day/week/year when parts of a rule are in effect. These unlock a bunch of UEBA use cases. For details see our documentation on D&R rules & times.
The event: portion of D&R Rules now supports a special wildcard (event: _*) to have a rule match all Detections being re-processed by the D&R Rule Engine. This is useful to apply a rule to all detections generated. See the last paragraph: https://doc.limacharlie.io/docs/documentation/docs/dr.md#basic-structure
February 10, 2021
User interface updates
Some visual changes were made in the web application user interface. Details can be found in our blog post.
January 8, 2021
New Element in Event Routing
You may start to notice in the next few weeks a new element in the routing element of the events generated by LimaCharlie.
The new element is called ‘did’ (a string) and will be used to represent the DeviceID, a value that will tie together multiple SensorIDs when the multiple sensors refer to the same Device. The implementation of this new value will also gradually roll out, so you may see it get populated to a value if, for example, you have a Windows sensor and a Chrome sensor on the same box. This new value will take more importance in the future as we introduce more sensor platforms to provide you with a top-level view of a user's device.
January 5, 2021
Output Pricing
Starting March 1st, we will be introducing a per GB cost to non-Google Cloud Storage (GCS) Outputs in LimaCharlie. The cost will be $0.12 per GB.
The goal of this pricing is not to monetize the feature but rather to ensure a fair and scalable future for the feature. The cost introduced is the exact cost incurred by Google Cloud, our cloud infrastructure provider.
The exclusion of GCS is due to much lower costs for bandwidth within the Google Cloud.
You will likely start seeing these line items pop up in the billing section ahead of the price taking effect. We do this to provide lead time for you to evaluate the final cost once it takes effect.
If you are using Insight (our 1 year of data retention) exclusively this change will have no effect on your billing.
January 4, 2021
Insight Historical Search Throttling
We are rolling out throttling of Historical search ("object" search). You will now be limited to 20 searches per hour per Organization on a rolling window.
The goal of this is not so much to limit the number of searches done by a user as to reduce the risk of users performing a high number of queries in an automated fashion without realizing it. This API is backed by Google Cloud's BigQuery on our end, and that service is very sensitive price-wise. It is able to search across petabytes in the blink of an eye (which is why we chose it for long term scalability), but it's also not cheap. We've decided on this approach for now as it allows us to have a sanity ceiling in a transparent way that most users won't hit. The alternative would have been to bill users directly per search, but we felt that approach would have been more likely to lead to surprise bills, which nobody wants.
We'll be refining this approach over time. Please let us know if you have feedback or concerns.
Note that searches are not limited to single IOCs. Using the batch API (see the related API documentation and Python SDK documentation) you can query for multiple IOCs at once, which will count as a single query. This can be a great way to still get the coverage you need in a more efficient way.
December 17, 2020
Python CLI Config Push
We've released a new version of the Python SDK / CLI tool that refactors the old `Sync` module into a new cleaner module called `Configs` so you can consider Sync deprecated (although it is still present in the SDK/CLI).
We've also released a sample MSSP repo demonstrating infrastructure-as-code config management as part of a webinar.
The new Configs module can also be invoked via the CLI: `limacharlie configs --help`
December 9, 2020
Sensor v4.23.1
Enhancements to macOS support. Fixed some issues with upgrading the new System Extensions as well as the support for old Kernel Extensions.
December 3, 2020
Sensor v4.23.0
Revamp support for macOS 11 (Big Sur). This was a huge effort of re-writing the entire kernel acquisition pipeline and we were caught a bit off guard by the actual release date. Thanks for your patience. On a good note, our capabilities are actually better than they used to be.
Fixing possible connectivity issues that could also impact performance, which were introduced in v4.22.0. We strongly recommend using the new v4.23.0 installers for new installs. If you have issues with previous installs on v4.22.0, you may swap the new installer for the older executable on disk.
We have added a capability to perform core-upgrades (as opposed to the normal day to day updates that we issue 99% of the time) from the cloud, so without having to swap executables or re-install as mentioned in the point above. We will be releasing instructions on doing core-upgrades within a day or two. We believe v4.23.0 brings us back to a very stable core which should not require updates for a long time.
* Please note that macOS 11 (Big Sur) will still require a series of pop ups to confirm access by LimaCharlie to various parts of the OS by the new App bundle required to support Apple’s new frameworks. Unfortunately that’s just going to be part of life on the Apple ecosystem for the foreseeable future, all vendors are impacted. It is possible to bypass these by using enterprise deployment platforms and whitelisting the LimaCharlie certs at the enterprise level. We will be producing documentation on that topic in the future.
November 25, 2020
Sensor v4.22.1
Fixes an issue where Yara scanning would always be enabled even without rules being set. This fixes a memory leak on Linux.
Fixing proxy support where some proxies would reply with an HTTP 1.1 OK even to HTTP 1.0 requests.
Fixing support for Payloads and Artifact collection with proxies.
Better error reporting to artifact errors.
In addition, the installer has also been updated for Windows. Mainly this changes an internal behavior of the agent where some payloads used to be loaded into memory manually, this new version loads them "properly" from OS perspective. This solves some issues with proxies and environment variable use and the sensor. You should not need to upgrade the installer on existing deployments unless you have a specific need for it.
November 13, 2020
Sensor v4.22.0
Hardened LC protocol with the sensor talking to the cloud. This fixes a rare issue where a sensor could become unresponsive if it had encountered a failure mid-enrollment.
New task available dns_resolve. It will cause the sensor to resolve a given domain name. This is mainly geared towards a future global-level API to correlate multiple sensors and users living on the same devices.
We recommend using the new installers for future installs, but this should not be needed for current ones.
October 20, 2020
Two new services allowing for the creation of alerts/messages in the respective platforms.
These are designed to be mainly used as part of D&R rule actions to trigger escalation of an alert. They can also be used by other Services.
October 19, 2020
Sensor v4.21.3
Ability to use scripts (like .bat) as Payloads
Small performance tweak
The ability to run a script is provided by adding the ability to set the file extension of the payload. This is done by adding the extension to the Payload name. For example, if you create a new payload named extract everything.bat, the temporary name of the Payload when sent to the endpoint will end with .bat, which will make Windows interpret the Payload as a batch file. This mechanism should allow the execution of any file type associated with execution on the endpoint. It is the equivalent of starting a shell and just "calling" the payload.
Dumper Service now supports dumping the MFT on Windows
We've added a new option, target to the Dumper Service. This option supports memory (the default) and mft. The MFT dumping behaves the same way as memory, except that it dumps the MFT as a pipe-delimited CSV file of type mftcsv in the Artifact Collection system.
Artifact Collection parsing for mftcsv and csv types
The Artifact Collection systems has two new parsers: mftcsv and csv. This means you can write D&R rules on the contents of the MFT dump announced above. The generic csv type will parse any CSV file, assuming the first line is a header definition of the columns.
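An added example (not the Artifact Collection parser itself) of what a D&R rule on an mftcsv dump can key on: parse the pipe-delimited dump with its header line into per-row records, then flag executables sitting in Temp directories, deleted entries included. The column names and rows are constructed and will not match a real dump's header.

```python
"""Content checks on mftcsv / csv artifacts (added example, not the LC parser).

The Artifact Collection parsers turn the dump into per-row records with
the header line naming the columns; this mimics that so a rule-like check
can be tried offline. The column names and rows are constructed and
will differ from a real dump's header.
"""
import csv
import io


def parse_artifact_csv(text, kind):
    """Parse a csv (comma) or mftcsv (pipe) artifact; the first line is the header."""
    delimiter = "|" if kind == "mftcsv" else ","
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter, restkey="_extra")
    return [dict(row) for row in reader]


# Constructed MFT dump: an .exe dropped in a user Temp dir, a document,
# and a deleted (InUse=False) .exe in the system Temp dir.
MFT_SAMPLE = "\n".join([
    "EntryNumber|InUse|ParentPath|FileName|FileSize",
    "39421|True|\\Users\\alice\\AppData\\Local\\Temp|update.exe|182784",
    "39422|True|\\Users\\alice\\Documents|report.docx|40110",
    "39423|False|\\Windows\\Temp|svchost.exe|5120",
])

# Constructed generic csv artifact.
CSV_SAMPLE = "host,user,action\nws1,alice,login\n"


def executables_in_temp(records):
    """(EntryNumber, full path) for .exe files whose parent is a Temp directory."""
    hits = []
    for r in records:
        parent = (r.get("ParentPath") or "").lower()
        name = (r.get("FileName") or "").lower()
        if name.endswith(".exe") and "\\temp" in parent:
            hits.append((r["EntryNumber"], r["ParentPath"] + "\\" + r["FileName"]))
    return hits


if __name__ == "__main__":
    for hit in executables_in_temp(parse_artifact_csv(MFT_SAMPLE, "mftcsv")):
        print(*hit)
```

Deleted entries are kept on purpose: an MFT dump is one of the few places a removed dropper still shows up, which is exactly what a rule on this artifact is good for.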
August 19th, 2020
Sensor v4.21.0
Basic Proxy support: https://doc.limacharlie.io/en/master/proxy/
Small enhancement to Linux packet capture.
Note: proxy support requires new version of the installer, if you keep installers locally for deployments you will want to re-download the latest.
Web App v2.28.10
Adding a timer to the delete-org dialog to help avoid deleting by mistake.
Adding banner in web app when an organization has past-due billing to help make billing issues more visible.
Wednesday, July 15, 2020
New sensor-cull Service
This new service is free and can be subscribed to from the add-ons section of your organizations. It allows you to set rules that automate the deletion of sensors that have not connected to your org after N days. This is useful for docker deployments or other template/VM based deployments where sensors continually enroll, and then are not seen again once the container/VM is destroyed.
Wednesday, July 1st, 2020
Sensor v4.20.1
This is a minor update with a single fix:
A local Docker installation could cause an override of the FQDN to host.docker.internal. This has been mainly observed on Windows, but all platforms now ignore this FQDN locally and report their hostname instead in those instances.
Tuesday, June 16th, 2020
Web UI v2.28.6
Advanced Artifact Search. In Artifact Collection, above the list at the bottom, there is now a link to a full-page viewer of Artifacts with search.
Fixed hostname display in Detections from Artifacts.
Hiding certain event types from the Exfil Service to avoid mistakenly enabling extremely verbose events fleet wide. Still available through API. This will likely be reverted when we release the next version of our main endpoint service, which will have better performance.
Adding Packet Capture section to Artifact Collection. More details in its own announcement shortly.
Sensor v4.20.0
More information in REGISTRY_WRITE operations. Includes type, size and first N bytes of the value written.
Network capture capability on Linux sensor. More details to follow.
Windows kernel small fix to memory leak issue in some rare network configurations.
Linux Packet Capture
This is a big capability rollout we're very excited about. It is now possible to configure automatic pcap capture on Linux hosts from the cloud.
Configured through the Artifact Collection screen, you can specify a list of hosts filtered by tag. Then, for each, a list of captures to run, where each capture is a combination of a network interface and a filter expression (tcpdump-like). When activated, captures will be started (synchronized every ~10m) on the hosts. Captures will be automatically uploaded to the LimaCharlie cloud's Artifact Collection in 30MB chunks, where they will be retained for the retention period specified in the rule.
This closes an important detection loop. For example:
You can now capture network traffic from (for example) a proxy and have the network capture retained automatically in the cloud. On its way in, this capture gets translated into JSON, where you may apply D&R rules to automate detection and response from the PCAP header layers. You may then have those PCAPs automatically converted into Zeek logs using a D&R rule on PCAP ingestion together with the Zeek service. These Zeek logs get re-ingested in the Artifact Collection service (with a custom retention of your choosing), where they also get converted to JSON and again can be used as the basis for D&R rules to automate even more.
This is the first step towards more XDR-like capabilities. On our future roadmap is a managed Suricata service, allowing you to run as many network detection rules as you want without impacting endpoints directly.
As part of this rollout are changes to the Zeek service to make it more usable and customizable (see the documentation links below). The Python SDK has also been modified to provide simple iteration over PCAPs from one or many hosts, which can be used to further automate off-site pipelines.
Some docs:
https://doc.limacharlie.io/en/master/external_logs/#network-capture
https://doc.limacharlie.io/en/master/zeek/
Feel free to reach out if you have any more questions.
The LimaCharlie Team
Friday, May 29th 2020
Artifact Export Pricing
This is a heads up that beginning next month (July), we will be introducing a price around Artifact exports.
The reason for adding a usage-based pricing around this is that large bulk exports (like Artifacts) incur network bandwidth costs for LimaCharlie. It is not our intent to specifically monetize this feature but given the cost is non-trivial, we will be setting the price to be at-cost (https://cloud.google.com/storage/pricing#network-pricing).
This should have little to no impact on most users unless you do frequent exports of original Artifacts.
Our longer term intent to lessen the impact of pricing like this is to favor the development (both internally at LimaCharlie and externally by LC users) of Services through our Service framework since these services will be able to use Artifact data from the cloud at a much lesser cost.
The new pricing will be $0.12 per GB exported.
Tuesday, May 26th 2020
Renaming External Logs
We've renamed External Logs to Artifact Collection in order to make it more descriptive.
This renaming also translates into commands like log_get, which are now artifact_get, etc.
The old commands are still supported as aliases to the new ones.
The events generated by the sensors have not been renamed for backward compatibility.
New Webhook-Bulk Output
The new webhook_bulk Output now allows you to transmit batches of events/detections/audit-logs via webhook.
The old webhook Output (still available) transmitted a webhook per event, which was not suitable for large amounts of events.
These changes (including the web UI) are rolling out over the next few hours.
OLE VBA Macro Parsing
The Artifact Collection system can now detect and parse OLE documents (MS Word, Excel etc) that contain VBA macros and extract the macros. This means you can now build D&R rules that look for specific content in VBA macros from ingested documents.
Wednesday, May 20th 2020
Sensor 4.19.6
Fixes specific to stability in Docker environments.
Fix to specific cases on Windows where kernel notifications could lead to blocking of handles.
Added to Windows REGISTRY_WRITE events: registry value size, registry value type and first 16 bytes of the value itself.
Tuesday, May 19th 2020
Reliable-Tasking Service
We've just released a new service called reliable-tasking. This service allows you to task multiple endpoints at once, including offline endpoints. In the event an endpoint is offline, the service will wait for it to come back online and issue the task then. An optional ttl is also available to limit the amount of time the task will be pending for offline endpoints.
As with all Services, it is available through the REST API, D&R rules and SDK.
https://doc.limacharlie.io/en/master/reliable_tasking/
https://python-limacharlie.readthedocs.io/en/latest/limacharlie.html#limacharlie.Replicants.ReliableTasking
Sunday, May 17th 2020
Centralized Invoices
We have been working on providing a capability to do a single centralized Invoice for users of LC at scale like MSSPs. This feature will see a single invoice sent to you monthly for all organizations created under your domain so you can pay once instead of for each org individually.
We expect to be ready for roll-out within a week or two. If this is something you're interested in let us know and we will contact you when it's available.
Saturday, May 16th 2020
Sensor v4.19.5
This is a single change release with very minor impact.
The "atoms" that are used to correlate all events now implement a new encoding scheme that greatly improves searching for specific events by Atom, which is most commonly needed in the Historical view of the web UI. "Crawling" up the parent process tree in this view should become much faster (it is now O(1)) for sensors upgraded to this new version.
Thursday, May 14th 2020
Rolling Directory Reset
Tonight, after 6 PM Pacific Time, we will be performing an upgrade to most datacenters' Sensor Directory service. This is part of an effort to increase performance and reliability of the service.
The side-effect is that over a few minutes, the sensor list may be partial or unreliable. This will not impact general telemetry collection of the sensors.
Let us know if you have any questions.
Wednesday, May 13th 2020
Sensor v4.19.4
Small tweak to Windows kernel extension. Fixes rare cases causing blocking delay on pipe closure and a possible memory leak in certain network configurations.
Better file path expansion in kernel read file.
Thursday, May 7th 2020
TTLs
The add var action for D&R rules now supports a TTL for variables: https://doc.limacharlie.io/en/master/dr/#variables
D&R rules and False Positive rules now support an expire_on parameter to auto-purge the rule at a certain time: https://doc.limacharlie.io/en/master/dr/#expiration
Tuesday, May 5th 2020
Sensor v4.19.3
os_processes now supports a --pid to list a single process and a --is-no-modules to report only the process information and not all its modules (lighter weight event).
os_version on Windows now adds a FRIENDLY component that lists a few human-readable strings from the registry.
The CODE_IDENTITY event now includes several attributes found in the file_info like various file times. Nix OSes also include UID, GID and Mode.
The FILE_INFO_REP event now includes UID, GID and Mode.
All file hashes are now generated from the kernel when available.
Process information acquisition has been streamlined, should result in better performance.
Monday, May 4th 2020
Web UI v2.26.0
Added a toggle to enable/disable a D&R rule without deleting it.
Added a Web App Domain value in the Integrations section. If set, this domain name (like app.limacharlie.io for example) will be used in the generation of URL links. At the moment the only link generated is found in the Detections generated. If the Integration value is set, you will find a links value at the root of the JSON detections that is the equivalent of the link we have in our web UI to go to the Historic view of the event in question. This is off by default so that you may set it to the value of your white-label domain (if applicable).
Saturday, April 25 2020
Sensor v4.19.2
Command line arguments on Windows and OSX should now more reliably contain the full value even when extremely long.
Fixing a bug on DNS for Linux that could cause the Linux sensor to block for a long time when restarting. Consequently, you may need to manually restart the Linux sensor after upgrading to this new version if you are upgrading from 4.19.x.
Fixing an issue where extreme numbers of process starts on a machine could result in some TERMINATION events being lost. This in turn could result in a slow memory leak from internal mechanisms tracking process termination.
Enhanced error numbers for External Log fetching through log_get.
Side note: we recently changed our EV Certificate used to sign Windows components. During the switch an error was made and the wrong .cat file was included when deploying the driver. This could result in Windows 10 Secure Boot enabled systems to reject the driver signing. This update fixes this.
Friday, April 17th 2020
Sensor v4.19.1:
Ability to ignore cert validity (--is-ignore-cert) for log_get and run; for more info on why see: https://doc.limacharlie.io/en/master/sensor_commands/#log_get
The NETWORK_CONNECTIONS event now contains the original connection timestamp for each connection within.
Signed MSI installers are now available for Windows. Note that sensor uninstallation is not possible using the MSI, you will still have to use the `uninstall` command or uninstall locally. See https://doc.limacharlie.io/en/master/deploy_sensor/#windows for instructions on using your Installation Key with them.
Linux sample installer has been modified to support Debian and CentOS families.
Sensor Upgrade Staging:
It is now possible to test-upgrade specific sensors within an Organization without upgrading the whole Organization. This allows you to specify test machines within the Org to deploy the new sensor versions to. This is done using a "magic" sensor tag latest: https://doc.limacharlie.io/en/master/deploy_sensor/#staging-deployment
General:
The SMTP Output now supports a subject parameter to override the Subject line.
The NEW_DOCUMENT and FILE_TYPE_ACCESSED specifics are now documented: https://doc.limacharlie.io/en/master/events/#new_document
Thursday, April 16th 2020
Sensor v4.19.0
Linux now supports DNS (through static libpcap).
Windows fixes issue where some system configs could see a memory leak in kernel related to network connections.
Hostname now reported as FQDN when possible.
Small performance tweaks.
Saturday, April 11th 2020
Python SDK v3.7.0
Adding a new API to get a timeline of specific IoC types from a sensor.
Wednesday, April 1st 2020
New UI for generic Service requests. Uses the service request definitions from external services. Main use case is for the Dumper service at the moment. Will become more fleshed out in the future. https://github.com/refractionPOINT/lc-service
Minor cosmetic tweaks.
Historic view now displays relevant default events for Chrome sensors.
Fixes to historic view in some corner cases with sensors with very little data.
Adding process hash to the process view and the network view of the Live page.
Sensor network isolation is now a first class feature. New UI elements in sensor detail view and sensor list filters for it.
Sunday, March 29th 2020
Python SDK v3.6.0
Adding CLI accessors for Events and Detections to STDOUT
https://github.com/refractionPOINT/python-limacharlie/#events--detections
Tuesday, March 24th 2020
Persistent Network Isolation
Network isolation currently requires D&R rules in order to make isolation persistent across reboots.
This is changing. We've streamlined the isolation concept into a first-class API instead of a mix of D&R rules and sensor commands. Managing network isolation will be safer and more intuitive.
The new REST API: https://api.limacharlie.io/static/swagger/#/sensors/get__sid__isolation
The new D&R rule Actions: https://doc.limacharlie.io/en/master/dr/#isolate-network
The Python SDK: https://python-limacharlie.readthedocs.io/en/latest/limacharlie.html#limacharlie.Sensor.Sensor.isolateNetwork
The Web UI will also be updated so you can see, sort and modify the Isolation state of a sensor directly from there. If you want to see a preview before we push it to prod: https://beta.app.limacharlie.io, you will be able to toggle the isolation state in the details panel of a sensor in the sensor list section.
IMPORTANT: This new persistent mode can clash with the old way of managing isolation through D&R rules. This means that if you use the segregate_network sensor command as part of a D&R rule, you will likely want to modify those rules to use the new isolate network Action. This new Action sets the isolation mode persistently.
In order to avoid bad surprises, we will be doing the transition gradually. Starting now, you can use the new isolate network and rejoin network Actions as part of your rules. But the persistence on reboot will NOT be enforced so that the current behavior is mostly maintained. Then starting next week, we will enable the enforcement of the persistence on reboot. This means you can now put in place the small D&R rule changes (if you're affected) and not worry about it. Then next week you'll be free to remove the older D&R rules using the segregate_network command.
Sunday, March 15th 2020
Towards Authenticated D&R Rules
At the moment, a user or api key having the permission to create a D&R rule gives complete access to all the Response capabilities in D&R rules, including tasking sensors.
In the next few days and weeks, we will be moving towards enforcing the relevant permissions from the creator of a D&R rule on the Response components of new rules.
This means that in order for a user/api key to create a D&R rule that tasks a sensor in the Response component, that user/api key will require the sensor.task permission.
This concept will apply to sensor.task, sensor.tag and replicant.task.
This move will only apply to NEW D&R rules, so anything currently in prod will not be affected.
The rollout of this will be progressive in order to make the transition smooth:
Within a few days we will start generating Errors when permissions are missing from a new rule, but the rule will still be created. Within the next few weeks (there will be another announcement) we will eventually turn these Errors into enforcement.
The goal of this transition is to move towards a system that provides greater oversight onto more "active" types of access. This will become more critical as we expand 1st and eventually 3rd party Services.
Wednesday, March 11th 2020
Cap on D&R Rule Matches
On very rare occasions we've seen certain D&R rules match abnormally often. Some of those cases resulted in degraded performance of the cluster.
In order to limit the impact of these, we've implemented a new system that will temporarily disable a rule in the affected subset of endpoints at run-time. When this occurs, an error is emitted to the Error log.
The threshold is currently very high (on the order of 500 / minute / backend-service) so it should not have any impact on any normal rules. So this is more for awareness.
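To make the mechanism concrete, here is an added Python example (not LimaCharlie's implementation) of a sliding-window circuit breaker that pauses one rule for one endpoint once its matches exceed a per-minute cap and writes an error record. Keying on (rule, sensor) and the cooldown length are assumptions of this example; the matches fed in below are constructed.

```python
import time
from collections import defaultdict, deque


class RuleMatchBreaker:
    """Per-(rule, sensor) sliding-window cap on D&R rule matches.

    When a rule matches more than `threshold` times within `window_s` seconds
    for one sensor, that rule is paused for that sensor only, for `cooldown_s`
    seconds, and an error record is appended to `errors` (what would go to the
    Error log). Other sensors and other rules are unaffected. Keying on sensor
    and the cooldown duration are assumptions of this example.
    """

    def __init__(self, threshold=500, window_s=60.0, cooldown_s=300.0):
        self.threshold = threshold
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self._hits = defaultdict(deque)   # (rule, sid) -> recent match timestamps
        self._paused_until = {}           # (rule, sid) -> time the pause ends
        self.errors = []

    def _trim(self, key, now):
        """Drop timestamps that fell out of the window; return the deque."""
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def is_paused(self, rule, sid, now=None):
        now = time.time() if now is None else now
        until = self._paused_until.get((rule, sid))
        return until is not None and now < until

    def record_match(self, rule, sid, now=None):
        """Register one match; return True if the rule should still fire."""
        now = time.time() if now is None else now
        key = (rule, sid)
        until = self._paused_until.get(key)
        if until is not None:
            if now < until:
                return False          # still cooling down, drop silently
            del self._paused_until[key]
            self._hits[key].clear()   # fresh window after the pause
        q = self._trim(key, now)
        q.append(now)
        if len(q) > self.threshold:
            self._paused_until[key] = now + self.cooldown_s
            self.errors.append({
                "ts": now, "rule": rule, "sid": sid,
                "error": "rule paused: %d matches in %.0fs exceeds cap of %d"
                         % (len(q), self.window_s, self.threshold),
            })
            return False
        return True


def replay(breaker, matches):
    """Feed constructed (timestamp, rule, sid) matches; return how many fired."""
    return sum(1 for ts, rule, sid in matches if breaker.record_match(rule, sid, now=ts))


if __name__ == "__main__":
    # Constructed burst: one noisy rule on one sensor, a quiet rule elsewhere.
    b = RuleMatchBreaker(threshold=500, window_s=60, cooldown_s=300)
    burst = [(1000 + i * 0.1, "noisy-rule", "sensor-a") for i in range(600)]
    burst += [(1000 + i, "quiet-rule", "sensor-b") for i in range(10)]
    print("fired:", replay(b, sorted(burst)), "of", len(burst))
    for err in b.errors:
        print(err["error"], "on", err["sid"])
```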
Python SDK 3.4.0
Added Manager.getApiKeys(), Manager.addApiKey() and Manager.removeApiKey(). This functionality is also available through the REST interface: https://api.limacharlie.io/static/swagger/#/api_keys
Tuesday, March 10th 2020
Python SDK v3.3.0
Adds accessors for jobs from Services:
https://github.com/refractionPOINT/python-limacharlie/blob/master/limacharlie/Manager.py#L910
https://github.com/refractionPOINT/python-limacharlie/blob/master/limacharlie/Jobs.py
Sensor v4.18.7
Log uploads have built-in retries in the agent.
Fixing case that would cause the sensor to restart.
Windows signing certificate has changed (3 year renewal). No effect unless you specifically whitelisted the cert.
CODE_IDENTITY hashes are now entirely gathered from the kernel which should help cases where another piece of software enforces no-sharing of file handles.
EXISTING_PROCESS generation fixed when pre-existing state has cycles in parent-child relationships.
This release fixes stability issues and is recommended.
Note that with this release, we are moving v4.18.6 to the Stable sensor branch. v4.18.7 is now Latest.
Also, on top of changes above:
Fixed an issue where some Windows processes leaking process handles would not be detected as "terminated". This had implications on memory and stateful detection over time.
Monday, March 9th 2020
LimaCharlie Chrome Sensor v1.1.0
(pending Chrome Web Store review) The new Chrome sensor version should be available soon. It will include:
history_dump parameter support, like selecting a specific event type or atom.
Exfil Watch rule support, so you can create watch rules for specific patterns in events to send to the cloud.
3 new events:
BROWSER_REQUEST_CONTEXT is a root event for all activity related to a specific request in the browser.
HTTP_REQUEST_HEADERS contains the list of all headers sent in the request.
HTTP_RESPONSE_HEADERS contains the list of all headers in the response to a request.
The _HEADERS events are not sent to the cloud by default, but you can get them by using history_dump for a specific atom (or event type) or creating a watch rule looking for a specific content pattern. The screenshot shows the relationship between all these events.
Friday, March 6th 2020
The package names (and IDs for Chrome) from the os_packages command now get indexed for IoC searches.
Tuesday, February 25th 2020
lc-service v1.6.0:
Introduces a new Service class called InteractiveService: https://github.com/refractionPOINT/lc-service/#interactive-service
It provides an easy abstraction to do interactive tasking of agents with callbacks in the service.
Example also provided: https://github.com/refractionPOINT/lc-service/blob/master/examples/interactive_service/server.py
Wednesday, February 19th 2020
Sensor v4.18.6
Fixes a long standing stability issue on all platforms.
Friday, February 7th 2020
Sensor v4.18.5
Single change to MacOS sensor. Fixing compatibility issue with FUSE filesystems.
Tuesday, February 4th 2020
Sensor v4.18.4
Fixes to MacOS kernel acquisition of Processes and File IO.
General stability fixes.
Tuesday, January 28th 2020
Python SDK v3.2.1 (and REST API)
Add a new API to get hosts that used (as external or internal IP) a given IP during a given time range. Useful for correlating firewall/external logs with LimaCharlie SensorIDs.
Above API is available in REST API: https://api.limacharlie.io/static/swagger/#/sensors/get_ips__oid_
Above API is available in Python SDK: https://python-limacharlie.readthedocs.io/en/latest/limacharlie.html#limacharlie.Manager.Manager.getSensorsWithIp
Note that the dataset for the IP query described above has only been created a few weeks back, so older queries may not return anything.
Sunday, January 26th 2020
Python SDK v3.2.0
Completes the move towards a single CLI interface by moving limacharlie-upload to limacharlie logs upload.
A limacharlie logs get_original CLI was also added to download original logs.
Saturday, January 25th 2020
Additional API Key Flairs
We've introduced 3 new API Key Flairs:
[segment] isolates what a key's user can see to whatever is created by that key.
[secret] allows resource names created by the key to be seen by others, but not the content of the resources.
[root] an escape-hatch that allows the user of the key to override any resources created by any other keys even if these had [lock].
See the doc: https://doc.limacharlie.io/en/master/api_keys/#flair
Friday, January 17th 2020
Whitelabel Configurations
If you do not make use of a whitelabel, you can ignore this.
The whitelabel system now supports a new configuration to hide more "management" parts of the UI from all users except specific domains. So for example if your whitelabel is for your company "SecCo", you can specify that all users who are NOT @secco.com will not be able to see the Groups UI, the Create Org button, the Personal Add-on UI and the User Profile.
This is useful if you want to provide a leaner experience to your users through your white label.
If this is something you want, get in touch and we will deploy the change to your whitelabel.
Thursday, January 16th 2020
Python SDK v3.0.0
This is a major release specifically because it breaks the existing CLI interface. The SDK itself remains compatible.
Many modules previously instantiated through dedicated CLI interfaces like limacharlie-search or through the Python module like python -m limacharlie.Sync have been moved into a single proper CLI tool like:
limacharlie search ...
limacharlie sync ...
etc
As reflected in the README: https://github.com/refractionPOINT/python-limacharlie/#sync-1
This should provide a better experience when using the CLI. The modules moved are:
dr to manage D&R rules
search to search for IoCs across organizations
replay to run Replay jobs
sync to export/import entire Organization configs
Web UI v2.19.1
Removed the "limacharlie" reference from a few spots in whitelabels.
Moved some subsections behind permission walls: interaction with services like exfil, responder etc now require the replicant.task permission. Sensor Downloads requires the ikey.list permission. This helps effectively hide complexity away from users with limited permission sets.
Monday, January 13th 2020
Sensor v4.18.3
More aggressive new process processing, results in better data accuracy.
Fixes to run-time memory validation resulting in more stable sensor.
Fixes to Docker deployment modes, specifically network namespace tracking. Fixes performance in Linux when namespaces are not used. See doc for new NET_NS environment variable usage: https://doc.limacharlie.io/en/master/deploy_sensor/#container-clusters
Adding OriginalFileName to CODE_IDENTITY events on Windows. Adds support for some new Sigma rules as well.
Saturday, January 11th 2020
Web UI v2.19.0
Major overhaul of the visuals.
Only on app.limacharlie.io, White Labels will follow.
API Key Flair Support
A new feature is available on all datacenters. This feature allows you to specify some characteristics relating to new API Keys. Currently two Flairs are supported:
[bulk] modifies the API quota applied to the key to be higher
[lock] locks resources created with the API key so that they may only be modified by the same key.
More details: https://doc.limacharlie.io/en/master/api_keys/#flair
Wednesday, December 25th 2020
Deprecation: --is-not-compiled flag for yara_ commands.
As part of the overhaul of some of our Yara capabilities, we will be deprecating this flag in the next week. Its functionality will become the default behavior.
If you are using the Yara related capabilities through the Yara service, this will have no impact. You may be impacted only if you issue those commands yourself in an automated manner.
In essence, you will no longer be able to run pre-compiled Yara rules through LC, only "normal" rules (text) will be supported. This becomes more effective as we add more platforms and architectures since compiled Yara rules are not cross-platform.
As usual, let us know if you have any concerns.
Tuesday, December 24th 2020
Sensor v4.18.2
Adding TCP connection state to connections on MacOS.
Fixing issue with ad-hoc Yara scans.
Tuesday, December 17th 2020
API Change: /org/{oid} (https://api.limacharlie.io/static/swagger/#/orgs/get_orgs__oid_)
As we grow, we're encountering extra-large organizations which make certain APIs less relevant than before. We've begun onboarding organizations which make use of container-clusters and create a lot of churn in sensors. This means the n_sensors value returned by this API is less relevant, and in some cases very expensive to compute.
As far as we know, no-one is actively making use of this parameter. If you are, please let us know so we can work out an appropriate alternative. Otherwise our plan is to deprecate this value returned by the API.
Python SDK 2.19.2
The Manager.sensors() API call is now easier to use for larger organizations. Pagination used to be done manually, but this function now returns a generator instead. This means doing a for sensor in manager.sensors(): will now iterate over ALL sensors, as is the expectation.
Sunday, December 16 2019
Python SDK v2.19.0
Adding option to CLI to upload External Logs with a given N days of retention.
Adding an API call to the Manager object to get all sensors with a given tag.
Web UI v2.18.1
Adding a checkbox to "only display online sensors" in the sensor list.
Friday, December 13 2019
Sensor v4.18.1
Enhanced performance.
Bug fix where some process terminations were being lost. Could lead to CPU usage creep.
Thursday, December 12th 2019
Sensor v4.18.0
Support for day-granularity for external log ingestion. Will be enabled in the Web App shortly.
Added support for container clusters mode using a privileged container and the host file-system mount. More on this later.
Better support for TCPv6 and UDPv6 on Linux.
More timely VOLUME_MOUNT notifications.
Additional installer logging.
Drive type now included in VOLUME_MOUNT on Windows.
Friday, December 6th 2019
Variables in D&R rules
A new capability part of D&R rules has been rolled out to all clusters.
https://doc.limacharlie.io/en/master/dr/#variables
It allows you to track simple state per sensor/boot and use it as part of rules. The documentation above contains an example of rules to detect physical attacks from removable media (rubber ducky attack).
Wednesday, December 4th 2019
Changes to billing for External Logs
Starting today, we will be beginning to transition the way we do billing for External Logs.
TLDR; your bill for External Logs will go down in the short term and will be more granular in the long term.
At the moment, we bill a flat price based on usage at ingestion time that includes a full year of retention. This model has begun to show its limitations as we introduce more data formats to External Logs that are more geared towards forensics (like memory dumps) and are large in nature.
The transition begins with moving the billing to be per bytes-day, adding the concept of retention period to the billing. This means the billing code will change to LC-LOG-BYTES-DAY. The side-effect is that the number of bytes that show up in the billing will become much bigger (365 times bigger), but the associated price will actually be going down to about $1.04 per GB for the one year of retention.
The second phase of the transition will come shortly after where we will introduce the optional number of days of retention requested at ingestion time. This will allow you to, for example, ingest a large memory dump file with a retention of 7 days and you will be billed only for those 7 days.
The new pricing will be of $0.01 per 3.5GB-day and billing will have a granularity of 1 day. Billing will still be performed at ingestion time and be part of your monthly invoice.
Sunday, December 1st 2019
Sensor v4.17.4
Fixing event ordering in queue flush when a sensor loses connection.
Fixing issue where file IO renaming had an invalid timestamp on sensor.
Enhancements to event relationship tracking in sensor.
Enhancements to sensor internal security mechanisms.
Sunday, November 24th 2019
Web UI v2.17.0
Adding support for downloading very large External Logs (like full memory dumps). Download is triggered asynchronously.
Small fixes.
Friday, November 22nd 2019
Python SDK Tweak
The Insight API to access detections and to access events has been extended to support pagination through the use of a "cursor" parameter.
The Python SDK version 2.18.8 now makes use of this feature. To leverage it to its full potential (streaming large numbers of detections/events), the two relevant APIs now return generators and not lists.
In most cases (iterating through the results) this will have no impact whatsoever.
If however you are specifically doing something that expects a list (like len(results)) you will want to unwind the results first: results = list(results).
For more details see the commit: https://github.com/refractionPOINT/python-limacharlie/commit/2c4af79c49a183b8eb14e1920638e0064947afd5
The affected functions are: .getHistoricDetections() and .getHistoricEvents().
"log" Stream
This weekend, we will be deploying the new Output "log" stream that will include "ingest" events from file ingested through the External Logs mechanism. This will allow you to get notifications on file ingestion. You may then use the log_id field to retrieve the original or parsed version of the log if you need to.
These events look like:
{
  "event": {
    "original_md5": "56d0caf4127106cfd7c5398a37807180",
    "original_path": "/var/log/syslog.1",
    "size": 1469109,
    "source": "1c00a331-4fc2-43bd-8282-8641e0124cfe"
  },
  "routing": {
    "event_time": 1574443133000,
    "event_type": "ingest",
    "log_id": "0472dfd8-fbce-461c-ae71-c5d28fbdcfe9",
    "log_type": "txt",
    "oid": "c82e5c18-d519-4ef5-b4cc-c454a95d31ca"
  }
}
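As an added example (not LimaCharlie code) of acting on this stream, the Python below takes a webhook_bulk batch of records, keeps only well-formed "ingest" events matching a log_type and size filter, and hands each log_id to a caller-supplied fetch function, which is an assumption of the example. The batch is constructed; its first record is the sample event above.

```python
import json

# Constructed sample batch in the shape a webhook_bulk Output delivers: a JSON
# array of records. Record 1 is the "ingest" sample from the release note,
# record 2 is a constructed "pe" ingest, record 3 is an unrelated event and
# record 4 is a malformed ingest record with no log_id or oid.
SAMPLE_BATCH = json.dumps([
    {"event": {"original_md5": "56d0caf4127106cfd7c5398a37807180",
               "original_path": "/var/log/syslog.1", "size": 1469109,
               "source": "1c00a331-4fc2-43bd-8282-8641e0124cfe"},
     "routing": {"event_time": 1574443133000, "event_type": "ingest",
                 "log_id": "0472dfd8-fbce-461c-ae71-c5d28fbdcfe9",
                 "log_type": "txt", "oid": "c82e5c18-d519-4ef5-b4cc-c454a95d31ca"}},
    {"event": {"original_md5": "0" * 32, "original_path": "C:\\temp\\dropper.exe",
               "size": 204800, "source": "00000000-0000-0000-0000-000000000001"},
     "routing": {"event_time": 1574443200000, "event_type": "ingest",
                 "log_id": "00000000-0000-0000-0000-00000000beef",
                 "log_type": "pe", "oid": "c82e5c18-d519-4ef5-b4cc-c454a95d31ca"}},
    {"event": {"COMMAND_LINE": "notepad.exe"},
     "routing": {"event_type": "NEW_PROCESS",
                 "oid": "c82e5c18-d519-4ef5-b4cc-c454a95d31ca"}},
    {"event": {"original_path": "/var/log/auth.log", "size": 10},
     "routing": {"event_type": "ingest", "log_type": "txt"}},
])

REQUIRED_ROUTING = ("log_id", "log_type", "oid")


def select_ingest_logs(batch_json, log_types=None, max_size=None):
    """Return (selected, skipped) for one webhook_bulk batch.

    selected: ingest records worth retrieving, as small dicts.
    skipped:  count of ingest records missing required routing fields.
    log_types: optional set of log_type values to keep (e.g. {"pe"}).
    max_size:  optional cap on original size in bytes, so large artifacts
               such as memory dumps are not pulled blindly.
    A malformed record is counted, never raised on, so one bad record cannot
    stall the batch.
    """
    records = json.loads(batch_json)          # raises ValueError on bad JSON
    if not isinstance(records, list):
        records = [records]                   # per-event webhook: one object
    selected, skipped = [], 0
    for rec in records:
        routing = rec.get("routing") or {}
        event = rec.get("event") or {}
        if routing.get("event_type") != "ingest":
            continue
        if any(k not in routing for k in REQUIRED_ROUTING):
            skipped += 1
            continue
        if log_types is not None and routing["log_type"] not in log_types:
            continue
        size = event.get("size")
        if max_size is not None and isinstance(size, int) and size > max_size:
            continue
        selected.append({
            "log_id": routing["log_id"],
            "log_type": routing["log_type"],
            "oid": routing["oid"],
            "original_path": event.get("original_path"),
            "original_md5": event.get("original_md5"),
            "size": size,
        })
    return selected, skipped


def fetch_selected(batch_json, fetch_original, **filters):
    """Run select_ingest_logs() and map each log_id to fetch_original(log_id).

    fetch_original is a caller-supplied callable (an assumption of this
    example), for instance a thin wrapper around the SDK's
    'limacharlie logs get_original' to pull the original file.
    """
    selected, _ = select_ingest_logs(batch_json, **filters)
    return {item["log_id"]: fetch_original(item["log_id"]) for item in selected}


if __name__ == "__main__":
    chosen, bad = select_ingest_logs(SAMPLE_BATCH, log_types={"pe", "txt"})
    for item in chosen:
        print(item["log_type"], item["log_id"], item["original_path"])
    print("malformed ingest records skipped:", bad)
```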
During the weekend we will also be deploying a new higher-reliability Sensor Directory service. This service is responsible for showing you which sensors are online and routing the sensor tasking properly. The update should take a few minutes and during those few minutes sensors may be showing offline and taskings may not get delivered properly.
Thursday, November 21st 2019
Web UI v2.16.0
Refactor of the Detections and External Log sections to be paginated and generally better / easier to use. This is an ongoing refactor as we want to make those sections more operational by introducing things like searching, filtering etc.
Re-worded the Sensor Download version management section to better reflect that there is a "latest" version track, and a "stable" version track.
Added a new Output Stream for deployment events. This allows you to Output these meta-events like the other streams. We will also introduce in the near future a log Stream to get notifications of new External Log files being processed.
Added an option to the Yara Service to create new Source from a Yara rule specified literally in the Web UI.
Yara Scanning in External Logs
The "External Logs" already supports D&R rules, but we're now adding a new operator called yara that can only apply to target: log. It allows you to perform Yara scans in the cloud on those files based on Yara Sources from the Yara Service. Being a D&R operator, it also means you can use it as part of more complex rules.
Adjacent to this, the External Logs also now supports a pe type. It's for Portable Executables (Windows). The parsed version of this format extracts a lot of information from the PE headers into JSON, which you can use to build D&R rules for things like specific imports etc.
https://doc.limacharlie.io/en/master/dr/#yara
Saturday, November 16th 2019
Replicant -> Service
This is just a friendly update regarding our re-naming of the old Replicant naming system towards Services.
You may notice in the next few days / weeks that various APIs and SDKs start referring to Services instead of Replicants.
In all cases, we will maintain legacy "aliases" using the term replicant so that existing code / integrations keep working, but we do encourage you to use "service" going forward.
You may still see "replicant" in some error messages here and there as the term is still used internally, but we believe the change in name makes their purpose clearer to new users.
Monday, November 11th 2019
Data Fetching
This is a high level announcement that touches on multiple systems.
Many services in LC require the user to specify a location where LC should go and fetch some data. For example:
Lookup Resources / Addons: where the lookup's content can be fetched, like an HTTPS URL.
Yara Service: where a Yara signature source can be found, like a Github repo.
We've begun unifying this set of capabilities using what we call Authenticated Resource Locators (ARL): https://doc.limacharlie.io/en/master/arl/
This is a simple format that allows you to specify a location, protocol AND authentication method + creds to use to fetch data.
This new format will begin popping up in multiple services and will be the standard for the foreseeable future. Since it is a super-set of the previous capabilities, the other formats will begin being deprecated.
This brings in some immediate wins:
Resources can now be fetched from authenticated locations and APIs.
Yara rules can now be fetched from private Github repositories using Access Tokens.
The new ARL method also brings in automated archive expansion. So if you point to a tarball or a zip file, the contents will be expanded and used instead of the archive itself.
If you encounter any issues, or any scenarios that worked previously but not anymore, let us know. Conversely if you would like some access protocols (FTP for example) or authentication methods to be added to ARLs, it will also be our pleasure.
Lookup Formats
In addition to the above change of using ARLs, LC now understands the MISP JSON format. If you create a Lookup pointing to MISP JSON, the format will be parsed and the lookup will associate the MISP IDs as the Attribute metadata. For example the ARL: [https,osint.digitalside.it/Threat-Intel/digitalside-misp-feed/5d74d8a4-641c-441a-9cef-592dc0a8018c.json]
In combination with authentication in ARLs, you should be able to fetch MISP feeds directly from your instances using the REST API. LC similarly supports the JSON OTX Pulse format from AlienVault.
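As an added illustration of what a format-aware Lookup does with these feeds (this is example code written for this page, not LimaCharlie's own implementation), the Python below normalizes a MISP event export, an OTX pulse export and a plain one-value-per-line list into one table keyed by indicator value, keeping the feed's own identifiers (MISP event/attribute IDs, OTX pulse/indicator IDs) as per-entry metadata so that a hit can be traced back to its source. The three feed documents are constructed samples in the public MISP event and OTX pulse JSON layouts; the metadata field names and the helper names are this example's own choices.

```python
"""Normalize MISP JSON, OTX Pulse JSON and plain lists into one lookup table.

Added example, not LimaCharlie code. Indicator values become the keys and
each feed's identifiers are kept as metadata, so a match can be attributed
to its source. The sample documents are constructed.
"""
import json

# Constructed MISP event export: one event with three attributes.
MISP_SAMPLE = json.dumps({
    "Event": {
        "id": "1234",
        "uuid": "00000000-0000-4000-8000-000000000001",
        "info": "constructed sample event",
        "Attribute": [
            {"id": "9001", "type": "domain", "value": "bad.example", "to_ids": True},
            {"id": "9002", "type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
            {"id": "9003", "type": "comment", "value": "analyst note", "to_ids": False},
        ],
    }
})

# Constructed OTX pulse export: one pulse with two indicators.
OTX_SAMPLE = json.dumps({
    "results": [{
        "id": "5000000000000000000000aa",
        "name": "constructed pulse",
        "indicators": [
            {"id": 77, "type": "domain", "indicator": "bad.example"},
            {"id": 78, "type": "FileHash-SHA256",
             "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        ],
    }]
})

# Constructed plain list, the pre-existing lookup format: one value per line.
PLAIN_SAMPLE = "bad.example\nevil.test\n"


def parse_misp(data):
    """Yield (value, metadata) for each MISP attribute flagged for detection."""
    event = data["Event"]
    for attr in event.get("Attribute", []):
        if not attr.get("to_ids", True):  # to_ids False = context only, not an IoC
            continue
        yield attr["value"], {"source": "misp", "event_id": event.get("id"),
                              "event_uuid": event.get("uuid"),
                              "attribute_id": attr.get("id"), "type": attr.get("type")}


def parse_otx(data):
    """Yield (value, metadata) for each indicator in one pulse or a results list."""
    for pulse in data.get("results", [data]):
        for ind in pulse.get("indicators", []):
            yield ind["indicator"], {"source": "otx", "pulse_id": pulse.get("id"),
                                     "indicator_id": ind.get("id"), "type": ind.get("type")}


def parse_plain(text):
    """One indicator per line, blank lines ignored, no metadata beyond the source."""
    return [(line.strip(), {"source": "plain"}) for line in text.splitlines() if line.strip()]


def parse_feed(text):
    """Detect the feed layout from its top-level shape and return (value, metadata) pairs."""
    try:
        data = json.loads(text)
    except ValueError:
        return parse_plain(text)
    if isinstance(data, dict) and "Event" in data:
        return list(parse_misp(data))
    if isinstance(data, dict) and ("results" in data or "indicators" in data):
        return list(parse_otx(data))
    return parse_plain(text)  # a JSON scalar or unknown object: fall back to plain lines


def build_lookup(feeds):
    """Merge several feeds into {value: [metadata, ...]}, keeping every source of a value."""
    lookup = {}
    for text in feeds:
        for value, meta in parse_feed(text):
            lookup.setdefault(value, []).append(meta)
    return lookup


def match(lookup, value):
    """Return the metadata list for a value, or an empty list when there is no hit."""
    return lookup.get(value, [])


if __name__ == "__main__":
    table = build_lookup([MISP_SAMPLE, OTX_SAMPLE, PLAIN_SAMPLE])
    for v in ("bad.example", "203.0.113.7", "analyst note"):
        print(v, "->", match(table, v))
```

Attributes whose `to_ids` flag is false are deliberately dropped: in MISP they carry analyst context rather than indicators, and loading them into a lookup is a common source of false positives.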
Tuesday, November 5th 2019
It seems v4.17.2 fails to load on some Windows systems, likely due to a binary dependency introduced. We are investigating but will revert the Latest version to the previous version in the meantime. The dependency has been fixed and we're rolling it out as v4.17.3.
Monday, November 4th 2019
Sensor v4.17.2
Small stability fixes.
Removal of old Add-ons
This should not affect anyone. We are removing the old Add-ons called "dr" and "tasking" since they have not been actively used in the backend in a long time. They used to be a control method for those features, but the new RBAC has made them irrelevant.
Wednesday, October 30th 2019
Pricing Adjustment
Over the past year and a half the set of capabilities LimaCharlie is delivering has increased drastically, but through all this time our pricing has stayed the same. This has changed the value provided by LimaCharlie a lot, and it has also changed our costs. Obviously we want to keep increasing the value LimaCharlie provides, and to be able to do that we'll need to adjust our pricing to go along. Our intent is therefore to increase the pricing of the base sensor from $0.5 to $0.7 per endpoint per month. This will ensure we can keep growing the platform, adding features and generally making things better. This new pricing will be in effect starting December 1st 2019. If you have questions, thoughts or concerns please get in touch, we always appreciate the feedback. Thanks for your support.
Tuesday, October 29th 2019
Sensor v4.17.1
Additional hardening of the runtime.
Fixes a rare race condition on sensor upgrade that could result in sensor not responding for a long time.
Fixes to File Tracking to fix some gaps where some file IO could be missed.
Better issue reporting to help us troubleshoot issues.
Major
The NETWORK_SUMMARY event has been replaced with a new event called NETWORK_CONNECTIONS. The new NETWORK_CONNECTIONS has a similar structure to the SUMMARY, but it now reports ALL network connections in a slightly-batched mode. This means you will now get full net flow data from a single event. Before or after upgrading, you will want to go tweak your D&R rules that referred to the SUMMARY event. The new structure is slightly flatter and can be seen here: https://doc.limacharlie.io/en/master/events/#network_connections
Monday, October 28th 2019
Sigma Support
It's official, the LimaCharlie D&R rules target has been merged into mainline Sigma: https://github.com/Neo23x0/sigma
A dump of the pre-generated community rules is also available on our /rulesrepo: https://github.com/refractionPOINT/rules/tree/master/Sigma
Thursday, October 24th 2019
Cutting Edge Feeds being removed.
The Add-ons currently have two lc-cutting-edge- feeds available. As we move forward with more "managed" options for feeds, rules and services on LimaCharlie, both internal and through partners, we will be removing those feeds from public access. They will be back in the near future in a managed format (not requiring D&R rules to be built on them).
This goes into effect today. If you are using them, the only impact is that you will see errors in your organization about not having access anymore, but nothing else will be impacted.
Wednesday, October 23rd 2019
The Chrome Sensor is now available on the Chrome Web Store: https://chrome.google.com/webstore/detail/limacharlie-sensor/ljdgkaegafdgakkjekimaehhneieecki
Tuesday, October 22nd 2019
Old output.limacharlie.io
We will shortly be decommissioning the old HTTP streaming service, which has been replaced by stream.limacharlie.io.
This method was deprecated mid-September. It was used by the Web App and SDKs, both of which were updated in mid-September, and the change was transparent. As long as you have reloaded the web app since then and updated the SDK, there should not be any effect.
Thursday, October 17th 2019
Web UI v2.14.0
We're about to release a Chrome(OS) sensor. You will begin seeing references to it in the web UI. The official announcement will be coming, but it will support HTTP request events, DNS events, network isolation etc.
Wednesday, October 7th 2019
Minor update:
We're migrating the D&R rules String Distance operator from using Levenshtein Distance to using Damerau-Levenshtein Distance. Damerau-Levenshtein additionally counts a transposition of two adjacent characters as a single edit, which brings the behavior closer to the usually expected behavior around string distance: a typo that swaps two letters is one edit, not two. The change will be transparent and no rules need updating.
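To make the difference concrete, here is an added example (written for this page, not LimaCharlie's operator code) implementing both metrics in Python and running them over constructed domain names. A domain typed with two adjacent characters swapped sits at distance 2 under Levenshtein but distance 1 under Damerau-Levenshtein (the optimal string alignment form, which is what most libraries mean by the name), so a lookalike-domain rule with a threshold of 1 now catches it. The `PROTECTED` watch list, the `is_typosquat` helper and its threshold are assumptions for illustration.

```python
"""Levenshtein vs Damerau-Levenshtein on lookalike domains (added example).

Both functions are plain dynamic-programming implementations. The
Damerau-Levenshtein variant is the optimal-string-alignment form: insert,
delete and substitute cost 1 each, and a swap of two adjacent characters
also costs 1 instead of 2. All domain names below are constructed.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


# Hypothetical watch list of domains we want lookalikes of (constructed).
PROTECTED = ("microsoft.com", "limacharlie.io")


def closest_protected(candidate: str, metric=damerau_levenshtein):
    """Return (protected_domain, distance) for the nearest protected domain."""
    candidate = candidate.lower()
    return min(((p, metric(candidate, p)) for p in PROTECTED), key=lambda t: t[1])


def is_typosquat(candidate: str, max_distance: int = 1, metric=damerau_levenshtein) -> bool:
    """Hypothetical check: within max_distance of a protected domain but not equal to it."""
    _, dist = closest_protected(candidate, metric)
    return 0 < dist <= max_distance


if __name__ == "__main__":
    for dom in ("micrsooft.com", "microsft.com", "microsoft.com", "example.org"):
        print(dom, "lev=", levenshtein(dom, "microsoft.com"),
              "dl=", damerau_levenshtein(dom, "microsoft.com"),
              "typosquat=", is_typosquat(dom))
```

The exact match (distance 0) is excluded on purpose: the legitimate domain should never fire a lookalike rule, and a threshold that is too generous (2 or more on short names) will start matching unrelated domains, so keep the threshold proportional to the length of the protected string.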
Monday, October 7th 2019
Sensor v4.16.3
Performance mode can be managed through Web UI
Multiple stability and hardening fixes.
Wednesday, October 2nd 2019
Web UI v2.13.0
Many fixes
Addition of False Positive Rules (http://doc.limacharlie.io/en/master/dr/#false-positive-rules), add them from the D&R page or through quick-add on the Detections page.
Adding Performance Mode Rules. Accessible through the Exfil page, set the performance mode automatically without D&R rules.
Friday September 20th 2019
Detection & Response Rule Validation: In an effort to help people learn D&R rules more easily, we are introducing a more thorough validation of the rules. Prior to this, we did not warn on unexpected extraneous parameters in a rule. Starting this weekend, we will be deploying better validation. This will NOT apply to existing rules, they will keep running fine. But when trying to push a new rule or an update to an existing one, you may get validation errors if there is an issue.
Web UI v2.12.4
Adding support for Microsoft Auth to log in to the web interface (like Google Auth).
Various bug fixes.
Sensor v4.16.2
Adding support for Yara scanning a directory and its subdirectories.
Adding an active keepalive mechanism. This will help make the stateful detections and general "online" presence of sensors more reliable.
Thursday, September 19th 2019
Python SDK v2.18.5
=== Possibly Important note for compatibility ===
This patch, to be released later today on pip, fixes a bug in the Manager.replicantRequest() call. The isSynchronous parameter behaved inverted. This patch fixes the name of the parameter and its doc. It's not a major change, but if you issue Replicant requests manually in the SDK you may want to verify your use.
Friday, September 13th 2019
Sensor v4.16.1
The latest sensor version on Windows did not properly associate the DNS request with its originating process ID. This patch version fixes it. It's the only change.
Thursday, September 12th 2019
Deprecation of output.limacharlie.io and Python SDK prior to 2.18.0
The old HTTP streaming API will be deprecated within a week or two.
If you are using it directly, you can switch to the new API (https://doc.limacharlie.io/en/master/outputs/#http-streaming) which is very similar but should be more resilient and more performant. If you are using the Python SDK, please update to the latest version, the Spout functionality (relying on the HTTP streaming API) has been moved to the new API (stream.limacharlie.io) transparently.
Monday, September 9th 2019
Sensor v4.16.0
Alternate Data Streams (ADS) are now listed inline in the dir_list results on Windows.
The mem_read command now supports dumping the memory to a local file. This can be used in combination with the log_get command to support getting large memory dumps.
Small memory leak fixed.
Web UI v2.12.0
Toggle in User Profile to remove the chat widget.
Clicking historical view link from Search page should now highlight the relevant event more reliably.
New streaming API is used by web UI and SDKs to get real-time access to sensors. Change is transparent but no longer requires access to high-ports, all is now streamed over a single HTTPS 443 connection.
Display pricing information in the Billing page for upcoming usage-based billing of some services.
Added Replay rule eval limit parameter (to avoid billing surprises if a Replay job is very expensive).
External Logs now display unknown data as a HexDump.
External Logs now display logs paginated resulting in much better performance.
Added support for Windows Prefetch files to External Logs, they get converted to JSON, so you can visualize and build DR rules on them.
Small fixes.
Sunday, September 1st 2019
Sensor v4.15.0
New Pipe related events on Windows: NEW_NAMED_PIPE and OPEN_NAMED_PIPE, similar to Sysmon events.
The log_get and file_get commands can now read files exclusively locked by other processes on Windows (requires kernel presence), like IE History files.
Custom Payload support. Upload custom executables to LC and launch them through the agent on a host, get the STDOUT and STDERR back. Uses new payload.use and payload.ctrl permissions.
Shell command support. An extension of the Payload support, execute a command through the default shell and get the STDOUT and STDERR back. Uses new payload.use permission.
Better crash handling, more likely to report detailed logs for review.
Python SDK v2.17.0
Payload management support.
Added support for limits on number of event evaluated and rule evaluation.
Added a new call to just validate a DR rule without running it.
Removed the limacharlie init CLI function to initialize a new organization's config files.
Wednesday, August 28th 2019
Normalized Billing: we now offer to automatically normalize the billing email used for organizations. Any new Organization created on LC by someone from your corporate domain will automatically have the billing email address set to a corporate standard address (often the finance dept) of your choosing. If this is something you would like, drop us a line. Also note that Stripe Invoices will now have the Organization Name the Invoice is about in the header.
Monday, August 19th 2019
Web UI v2.10.2
Various UI tweaks
Added permissions for upcoming payload execution service.
Added optional parameters start= and end= to the Historical view to set hard start and end timestamps to visualize. Useful for edge cases where a single sensor produces a ton of data and it’s too much for a 30m time window.
Support for new large log upload feature.
Sunday, August 18 2019
Sensor v4.14.3
Large log upload support. Logs ingested can now be up to 4GB.
Python SDK v2.16.2
Support for large log uploads.
Tuesday, August 13th 2019
Web UI v2.10.0
New support and download links for the Linux Alpine compatible sensor.
Large refactor of all Replicants into first-class Services in the Organization page.
Large refactor of Incidents (in the Warroom) into more generic Jobs in the Org Dashboard.
Enable those Services directly from their panel on top of the Add-ons section.
Historical view’s Cascading Event Selector now supports an @element to filter the events on the parent + children tree of a specific atom. Can be combined with the Download button to download all events within a specific process tree.
Many small visual tweaks.
Added visual indication if a sensor has Kernel data supported in the Sensor List.
Monday, August 12th 2019
Replicants and Incidents Changes
This change will occur within the next few days:
After feedback from users, and seeing how much the platform is expanding, we’ve decided to re-factor the way you interface with Replicants. All Replicants (and the Warroom page) have been morphed into proper sections of your Organization’s menu.
We think this will make interaction with various more advanced features of LC more intuitive and will normalize interactions across all those features. Obviously this is a work in progress and we look forward to your feedback.
For example, managing File Integrity Monitoring will no longer require you to go in the Warroom, find the Integrity Replicant, interact with it. Instead there will now be a “File/Reg Integrity” menu in the page Organization view that will bring you directly to those features.
Incidents, which previously appeared as a result of interactions with some Replicants in the Warroom section will also transform. We’ve made them generic and renamed them to Jobs. They will now appear in the Dashboard section of your Organization’s UI.
Although the new Jobs are very similar in content to the old Incidents, they will not be backwards-compatible. This means that as we switch to the new UI, you will lose access to the old Incidents (not Detections) from your Replicants. If you need to keep a copy, we suggest you do so now before the move. Given Replicants and Incidents were generally not heavily used we don’t expect this to have a high impact, but if you have any issues please let us know.
Wednesday, August 7th 2019
Sensor v4.14.2
Added internal mechanism for performing a backoff, this will be used for more reliable transmission with the cloud.
Added internal event to report when the sensor drops events (after a long disconnection from the cloud).
Added a new Linux “architecture”: Alpine. The sensor is available at https://app.limacharlie.io/get/linux/alpine64 and proper display of this new architecture will be deployed in the upcoming web app version. This sensor architecture will allow you to run the LimaCharlie sensor within Alpine Linux containers. We will have an upcoming blog article on the topic.
Saturday, August 4th 2019
Python SDK v2.16.0
Support for new Sensor Quota, Resources, Users and User Permissions API endpoints.
Support for the above API endpoints in Sync.
Wednesday, July 31st 2019
Python SDK v2.15.1
New --trace option to the Replay CLI, as well as support for trace: true in the Replay REST API. If you specify it, it will return an additional traces field that specifies each operation as it was evaluated and the success or failure of the operation. This should help you figure out exactly where errors occur when developing a new rule.
Tuesday, July 30th 2019
Python SDK v2.15.0
Added support for Exfil Replicant config to the Sync module.
Fixed small bugs with Sync including Python 3 compat.
Monday, July 29th 2019
Web UI v2.9.0
Enable the new Exfil Replicant. Manages which events are sent to the cloud automatically. This means D&R rules doing exfil_add are not necessary anymore. You need to enable this Replicant and interact with it in the Warroom section. This includes a new Watchlist capability that allows you to specify certain event patterns when you want a matching event sent back to the cloud in real-time even if not in the list of “default” events.
Many many fixes.
New 100% width design for org pages. Should be more usable.
Listing domains relevant to an organization in the Sensor Download section. This allows you to know which domain the agent uses to talk to the cloud so you can whitelist it.
Sensor v4.14.1
Adds support for Exfil control via the Replicant (as mentioned above), including the new Watch list.
Windows network isolation now correctly terminates existing connections when enabled.
Better Windows kernel component unloading resulting in more timely sensor upgrades.
Fixes a bug with unicode handling in certain cases on Windows.
Note: the new exfil watch list currently only supports filtering based on strings, not integers. This support will be added at a later date.
Backend Capability Update:
The new D&R rules for Logs are now available. Using target: log in a D&R rule, you can now describe detections to be applied to logs as they are ingested. You can read about it here: https://doc.limacharlie.io/en/master/dr/#targets
Python SDK v2.14.4
Small fixes for Python 3
Add support for Exfil Replicant
Monday, July 22nd 2019
Web App v2.8.0
Adding Organization Groups, they allow you to control RBAC across several organizations and users through one entity.
Small visual tweaks.
Cleaner handling/hiding of some UI elements when required permissions are not present.
Monday, July 5th 2019
Sensor v4.13.3
Windows performance enhancement. Should solve some high CPU/Mem usage on hosts running software that generates very high volumes of thread injections and process creations.
Friday, June 21st 2019
Sensor v4.13.2
Further fixes to reliability of OSX kernel acquisition of network connections. If you are running v4.13.1 it is recommended you update.
Thursday, June 20th 2019
Sensor v4.13.1
Fixes to OSX kernel acquisition of network connections.
Wednesday, June 19th 2019
Sensor v4.13.0
New event on network connection termination.
Adding partial read capability to the file_get command.
Web UI v2.7.9
Small quality of life fixes.
Python SDK v2.13.0
Small fix to Sync (Infrastructure as Code)
Adding support for Logging and Integrity Replicants in the Sync functionality.
Tuesday, June 18th 2019
Web UI v2.7.8
Enhanced Data Visualization interface and General Availability.
Support a URL parameter of ?session_type=LOCAL to enable persistent login of the current session.
Small UI tweak
Thursday, June 13th 2019
Web UI v2.7.0
Moved live web-based chat to different provider.
Various fixes.
Better file vs domain detection in organization dashboard search box.
New prevalence visualization page, private beta for the moment, will be in General Availability shortly.
Wednesday, June 5th 2019
Sensor v4.12.2
Fix to kernel-sourced events on hosts where time is wrong.
Small fix to component unloads.
Enhanced kernel component upgrade mechanism.
Thursday, May 30th 2019
Sensor v4.12.1
Required for compatibility with MacOS 10.14.5 and up. Introduces a new config file on disk named hcp_hbs.
Dedupes memory strings on the sensor before reporting to the cloud.
Enables FIM on Linux. It has some caveats, see http://doc.limacharlie.io/en/develop/replicants/#linux
Introduces ground-work for more reliable messaging in upcoming versions.
Adds support for setting Installation Key via an environment variable on Linux, this will be rolled out in the public installers shortly.
Friday, May 24th 2019
Web UI v2.6.1
Logging Replicant now supports setting up file/directory paths to watch for changes and ingest on change. For example on Linux, setting /var/log/syslog.1 gets you the general syslog content once a day (whenever it is rotated).
Many various fixes.
The Detections page now loads a dynamic amount of content. 7 days by default, but goes down to 1h if there are too many detections.
Thursday, May 16th 2019
Web UI v2.6.0
Adding Replay Replicant. Allows you to run Replay jobs from the UI in a managed way instead of the CLI/SDK.
Fixed bug where clicking in Text Area for D&R rules forced-recenter the page.
Monday, May 13th 2019
Web UI v2.5.0
Tons of tweaks and small fixes.
Introducing User API Keys:
Available from the User Profile section (top left menu).
Produce a key similarly to the Org API Keys.
These keys can be provided to the jwt REST endpoint to get a JWT for the REST API. But instead of providing an oid, you provide the UID in the uid parameter.
The JWT produced represents ALL org+permissions accesses you have as a user on LimaCharlie. This means the JWT can be used to issue API calls to multiple organizations. The token mirrors the various User permissions you have across your organizations.
This makes this User API Key very powerful. Unless you have specific scenarios where you require it, we recommend you stick to Org API Keys. If you have questions or want to discuss don’t hesitate to get in touch.
Enabling External Logs feature in beta. This is recommended to be used with the new Logging Replicant subscription, or using the new Ingestion Keys available in the REST API section of your organization. More details to come.
Usage Overview is now available in the Billing section (at the bottom). It provides some metrics around your usage of LimaCharlie.
Sunday, May 5th 2019
Sensor v4.11.0
Linux sensor now reports detailed version information in os_version.
Better atom linkage between some stateful events like SENSITIVE_PROCESS_ACCESS and REMOTE_PROCESS_HANDLE.
Although not enabled yet, this version includes necessary code for upcoming log collection mechanism.
MacOS version should now be notarized for upcoming MacOS release.
Sunday, April 3rd 2019
Web UI v2.3.0
Various fixes
Adding a new “magic search” on the org front page. This search field combines an agent search by SID and hostname with searching for IoCs. It will expand to any new data sets in LC in the future. It’s a quick search for everything.
Important overhaul to the UI of various aspects of the Replicants / WarRoom.
Wednesday, March 27th 2019
Sensor v4.10.0
Better reliability in Windows driver deployment.
Better propagation of decoration metadata (like file signing status and file hash) through various events.
More reliable process reporting in Linux using NetLink sockets.
Adding SHA1 and MD5 to CODE_IDENTITY events.
Adding relationship atoms to composite events like PROCESS_LIST so the process can be correlated from these events.
Friday, March 22nd 2019
Web UI v2.2.7
Adding a way to push updates to Resources through a REST interface.
Access the Resource Access Token through the new User Profile section available from the top left menu.
Various other enhancements and fixes.
Monday, March 4th 2019
Web UI v2.2.0
Tons of tweaks and bug fixes.
Adding tags to the sensor list.
Historical view will now asynchronously try to resolve missing parent events using a new API. You can expect a ??? parent node to pop-in with real information within a few seconds of being displayed.
Replicants are now widely available. To enable, go to the Addons, “Replicant” tab and subscribe. This will give you access to the “Warroom” section in your organization.
Responder Replicant automates the old “sweep” functionality in a more complete way and done from the cloud (not the browser) so you can launch it on a sensor and move on, fire-and-forget.
Yara Replicant manages Yara signatures and which sets of signatures should be scanned constantly on which hosts. Also enables an on-demand scan from those signature sets. Automated investigation of hits to come.
Integrity Replicant manages FIM rules similarly to the Yara Replicant. Automated investigation of hits to come.
Yara and Integrity Replicants require the new sensor v4.9.0 to work properly.
Sunday, March 3rd 2019
Sensor v4.9.0
Yara in sensor has been updated. Windows, MacOS and Linux (except ARM build) now also support common Yara modules like “PE”.
Yara now defines some common variables like file_path and file_name used by some commonly available Signature sets.
Yara and File Integrity Monitoring now support the “update protocol”. This increases efficiency of maintaining up to date signature sets and FIM watch-sets. This feature is required for the upcoming Replicant soft-launch.
Parent atoms are now correctly propagated within the process list. This feature is required for the upcoming automated parent finding feature in the Historical view.
Windows driver unload sequence has been tweaked to provide more consistent unload/load cycles.
Internal IP reported by sensor should now more reliably represent the actual internal IP address of the interface used to reach the internet. This solves cases where a host with VMs could report the IP of the wrong interface.
Enabling common support for ARM and ARM64 sensors in all datacenters (installer availability coming very soon).