LimaCharlie provides information security tools and infrastructure designed for massive scale. The platform supplies all the tools to run an MSSP or SOC, as well as providing APIs that allow users to build and monetize their own products.
Developer documentation can be found here.
Practical guides to getting things done can be found in the LimaCharlie Help Center here.
The REST API Documentation can be found here.
To skip all of the details and get set up with endpoint detection and response capability you can follow our Getting Started guide or take the in-depth Quickstart e-learning course.
If you have feedback or would like to make a feature request, please fill out the form here.
LimaCharlie provides a true real-time Endpoint Detection & Response (EDR) capability. Verbose telemetry is streamed from the endpoint sensor to the cloud in real-time over a semi-persistent TLS connection. Response actions are taken on the endpoint within 100ms of the triggering action or behaviour.
Endpoint telemetry is ingested and analyzed in-flight by the Detection & Response Engine. Telemetry can be tested against thousands of rules without impacting performance.
LimaCharlie’s EDR sensor generates telemetry for a wide variety of event data that is delivered in a common JSON format.
A versatile YAML-based detection syntax can be used to create detections for highly sophisticated behaviour, including the ability to track state and build multi-step detection logic that runs at wire speed.
This same detection syntax can also be used to easily achieve the following:
- Run Sigma rules
- Run continuous YARA scans without impacting performance
- Monitor files and registries
- Leverage threat feeds or lookups
- Check hashes against VirusTotal
- Create rules against telemetry from Windows Defender
- Check domains using Levenshtein distance to detect spear phishing
A repository of sample detection rules can be found in this repository: Sample Rule Set.
The full open source Sigma ruleset (which can be enabled on deployments at the click of a button) can be found here: Sigma Rule Set.
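As an added illustration of the Levenshtein-distance check listed above (example code, not LimaCharlie's own rule syntax or SDK): the edit distance is computed between the registrable label of each DNS request and a list of protected brand names, over constructed JSON-style events. The event field names (`event_type`, `DOMAIN_NAME`), the brand list and the threshold are assumptions.

```python
"""Lookalike-domain detection via Levenshtein distance.

Added example: the events below are constructed to loosely mimic endpoint
DNS telemetry delivered as JSON; they are not real LimaCharlie records.
"""

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance using a single rolling row of the DP matrix."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # deletion, insertion, substitution (cost 0 when chars match)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label of a domain: 'Paypa1.COM.' -> 'paypa1'.
    Simplification (assumed): treats the last label as the TLD; real
    deployments need a public-suffix list for e.g. '.co.uk'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_hits(events, protected, max_distance=2):
    """Return DNS requests whose label is within max_distance of a protected
    brand but is not the brand itself (the exact match is the legitimate site).
    Caveat: very short labels or a high threshold inflate false positives."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "DNS_REQUEST":
            continue  # only DNS telemetry carries a domain to compare
        domain = ev["event"]["DOMAIN_NAME"]
        label = registrable_label(domain)
        for brand in protected:
            if label == brand:
                continue
            d = levenshtein(label, brand)
            if d <= max_distance:
                hits.append({"domain": domain, "closest": brand, "distance": d})
                break
    return hits

# Constructed sample telemetry and brand list (assumptions for the example).
PROTECTED = ["paypal", "microsoft", "google"]
EVENTS = [
    {"event_type": "DNS_REQUEST", "event": {"DOMAIN_NAME": "paypal.com"}},
    {"event_type": "DNS_REQUEST", "event": {"DOMAIN_NAME": "paypa1.com"}},
    {"event_type": "DNS_REQUEST", "event": {"DOMAIN_NAME": "micros0ft-login.net"}},
    {"event_type": "NEW_PROCESS", "event": {"FILE_PATH": "C:\\Windows\\notepad.exe"}},
    {"event_type": "DNS_REQUEST", "event": {"DOMAIN_NAME": "gooogle.com"}},
]

if __name__ == "__main__":
    for hit in lookalike_hits(EVENTS, PROTECTED):
        print(hit)
```

Only `paypa1.com` and `gooogle.com` are flagged: `micros0ft-login.net` is many edits away from `microsoft` and would need a different check (such as a substring or lookup rule), which is why a distance rule is usually paired with other detections.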
When a detection is triggered a response action is initiated. A response can take an action on the endpoint or be used to automate many aspects of security operations. Response actions can include:
- Kill a process or process tree
- Trigger memory dumps
- Issue an alert to a wide variety of destination types including the web application, any webhook, SMTP, PagerDuty, Kafka, SCP and more
- Initiate full PCAP capture from the network without impacting performance
- Trigger log ingestion and analysis
- Deploy and run any executable on endpoint such as patches or custom scripts
Documentation on LimaCharlie's EDR/XDR capability can be found here.
LimaCharlie Net is a Secure Access Service Edge (SASE) that rolls SD-WAN into a cloud service. It changes the way that secure remote access is delivered. It is much more than a virtual private network and can be established with the click of a button. It is a micro-segmentable network that can capture full or partial PCAP files entirely in the cloud without impacting users. These captured files can also be analyzed with the Zeek Network Monitoring Tool and have detection rules written against them.
LimaCharlie Net is available for Windows, macOS, Linux, iOS, Android and Chrome OS.
Documentation on LimaCharlie Net can be found here.
LimaCharlie has the ability to ingest and process a large and ever growing list of file types and telemetry.
By leveraging this capability, LimaCharlie users can ingest and then write detection and response rules for just about anything out there.
If there is something you want to monitor that we do not yet support feel free to let us know. We frequently add support for new formats, and the turnaround is typically measured in days.
Everything can be automated via the full-featured API or manually through the LimaCharlie web application.
Currently supported file types and telemetry:
- Plain text logs, like syslog for example
- Windows Event Logs in real-time
- PCAPs which can then be processed using the Zeek network monitoring tool
- Windows Prefetch files
- Windows PE (executables) files
- Full memory dumps automated across the entire fleet
- Generic JSON
- OLE (MS Word, Excel, etc.)
- Windows MFT CSV Listing
- Apple Binary/XML plists
Documentation on Log & Artifact Ingestion can be found here.
- A high-level overview of the LimaCharlie platform. It explains the architecture and various components of the platform at a high level.
- The quickest way to get going. This course walks you through setting up your first DR rule, adding a threat feed, monitoring string distance and configuring email alerts.
- An introduction to the principles of detection and response with an examination of basic DR rules.
- A brief review of basic DR followed by an examination of Artifact Events, False Positive Rules, Variables, Lookups and Stateful Rules.
- This course outlines best practices for the most efficient use of LimaCharlie at scale. This structure is ideal for a Managed Security Service Provider (MSSP) or Security Operations Center (SOC) that is managing multiple organizations.
- With the CLI, users can search across their entire fleet, search historical data, replicate orgs, run spot checks on endpoints, and push logs for ingestion. With the SDK, users can capture data from the firehose or spout, and much more.
- In this course you will learn about LimaCharlie's powerful ability to capture and analyze Windows Event Logs (WEL) in real-time. Ingested WEL are indexed along common indicators of compromise (IoCs) and run through the Detection & Response engine.
- In this course LimaCharlie founder Maxime Lamothe-Brassard walks through how users can leverage the agent to do PCAP capture on the network. Once the PCAPs are captured they can be re-ingested and processed by the Zeek Network Monitoring Tool.
- LimaCharlie can ingest almost any form of telemetry or logs and run detection rules against them: Windows Event Logs, PCAPs, pfSense, Syslog and many more, with new formats being added constantly. Learn about ingesting and analyzing artifacts.
- LimaCharlie Net is a Zero Trust solution that can create secure connections to internal resources based on the identity of the device, regardless of the client location. Simple policies, mass provisioning, PCAP capture and analysis, and much more!
- LimaCharlie offers pre-configured capabilities and services that can be enabled at the click of a button through the Add-on Marketplace. Learn what types of capabilities and services are available and how you can make your own additions.