Command Line Interface
The LimaCharlie CLI is installed as part of the Python SDK package.
The CLI follows a limacharlie <noun> <verb> command pattern. Every command supports --help for detailed usage and --ai-help for AI-optimized explanations. Run limacharlie --help to see all available commands.
Authentication
Authenticating the CLI can be done in a few ways.
Option 1 - Logging In
The simplest is to log in to an Organization using an API key.
Use limacharlie auth login to store credentials locally. You will need an OID (Organization ID) and an API key, and (optionally) a UID (User ID), all of which you can get from the Access Management → REST API section of the web interface.
The login interface supports named environments, or a default one used when no environment is selected.
To list available organizations:
Setting a given organization in the current shell session can be done like this:
You can also specify a UID (User ID) during login to use a user API key representing the total set of permissions that user has (see User Profile in the web interface).
Option 2 - Environment Variables
You can set the LC_OID, LC_API_KEY and LC_UID environment variables in place of the values you would otherwise provide when logging in. The environment variables are used only when no other credentials are specified.
Docker Image
The CLI is also available as a Docker image on DockerHub (https://hub.docker.com/r/refractionpoint/limacharlie).
docker run refractionpoint/limacharlie:latest whoami
# Using a specific version (Docker image tag matches the library version)
docker run refractionpoint/limacharlie:5.0.0 whoami
# If you already have a credential file locally, you can mount it inside the Docker container
docker run -v ${HOME}/.limacharlie:/root/.limacharlie:ro refractionpoint/limacharlie:latest whoami
Commands
Search / Query
LimaCharlie Query Language (LCQL) provides a flexible, intuitive and interactive way to explore your data in LimaCharlie.
ARLs
Authenticated Resource Locators (ARLs) specify access to a remote resource, including the access method and any authentication data, all within a single string.
ARLs can be used in the YARA manager to import rules from GitHub repositories and other locations.
Testing an ARL before applying it somewhere helps shake out access or authentication errors beforehand. You can test an ARL and see which files are fetched, along with their contents, by running the following command:
Streaming
Stream events, detections, or audit logs in real time. Streaming uses either pull-mode spouts (HTTPS) or push-mode firehose listeners (TLS).
# Stream events (pull-mode via stream.limacharlie.io, works through NATs and proxies)
limacharlie stream events
limacharlie stream events --tag server
# Stream detections
limacharlie stream detections
# Stream audit logs
limacharlie stream audit
Sync (Infrastructure as Code)
The pull command will fetch the organization configuration and write it to a local YAML file.
Then push uploads the configuration specified in the YAML file to your organization. The --dry-run flag simulates the sync and displays the changes that would occur without applying them.
limacharlie sync push --dry-run --oid c82e5c17-d519-4ef5-a4ac-c454a95d31ca --config /path/to/template.yaml
All these capabilities are also supported directly by the Configs SDK class (limacharlie.sdk.configs).
The Sync functionality supports all of the commonly used configuration types. Use the hive flags (--hive-dr-general, --hive-fp, --outputs, etc.) to control which resource types are synced. See limacharlie sync --help for all options.
To better understand the config format, do a pull from your organization. Notice the use of the include statement. With it you can combine multiple config files into one, which makes it well suited to managing complex rule sets and versioning them.
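The following is an added example, not code from the LimaCharlie SDK, that models two ideas from this section: how include statements combine several config files into one effective config, and what a --dry-run push reports against the current organization state. It assumes (not taken from the docs) that include holds a list of paths relative to the including file and that the rules section is a mapping of rule name to rule body; the constructed sample files are written as JSON, which is valid YAML, so the example runs without PyYAML.

```python
import json
import os
import tempfile

def load_effective_config(path, _seen=None):
    """Resolve `include` entries (assumed relative to the including file) into one config."""
    _seen = _seen if _seen is not None else set()
    real = os.path.realpath(path)
    if real in _seen:
        raise ValueError(f"include cycle via {path}")
    _seen.add(real)
    with open(path) as f:
        cfg = json.load(f)  # JSON is valid YAML, so these files stand in for the YAML template
    merged = {"rules": {}}
    for inc in cfg.get("include", []):
        sub = load_effective_config(os.path.join(os.path.dirname(path), inc), _seen)
        merged["rules"].update(sub["rules"])
    merged["rules"].update(cfg.get("rules", {}))  # the including file wins on name clashes
    return merged

def dry_run_diff(current, desired):
    """What a push would change, computed without applying anything (like --dry-run)."""
    cur, des = current["rules"], desired["rules"]
    return {
        "add": sorted(set(des) - set(cur)),
        "remove": sorted(set(cur) - set(des)),
        "update": sorted(k for k in set(cur) & set(des) if cur[k] != des[k]),
    }

def demo():
    """Constructed sample: a template file that includes a shared rule file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "shared.yaml"), "w") as f:
        json.dump({"rules": {
            "enc-powershell": {"detect": {"op": "contains", "path": "event/COMMAND_LINE",
                                          "value": "-enc"}, "respond": [{"action": "report"}]},
            "legacy-rule": {"detect": {"op": "exists", "path": "event/FILE_PATH"}},
        }}, f)
    with open(os.path.join(d, "template.yaml"), "w") as f:
        json.dump({"include": ["shared.yaml"], "rules": {
            "legacy-rule": {"detect": {"op": "exists", "path": "event/FILE_PATH"},
                            "respond": [{"action": "report"}]},  # overrides the shared copy
        }}, f)
    desired = load_effective_config(os.path.join(d, "template.yaml"))
    # Constructed snapshot of what the organization holds today (what a pull would return).
    current = {"rules": {"legacy-rule": {"detect": {"op": "exists", "path": "event/FILE_PATH"}},
                         "stale-rule": {"detect": {"op": "exists", "path": "event/HASH"}}}}
    return dry_run_diff(current, desired)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```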
Spot Checks
Used to perform Organization-wide checks for specific indicators of compromise. Supports many IoC types, such as file names, directories, registry keys, file hashes and YARA signatures.
IOC Search
Search for Indicators of Compromise (domains, IPs, file hashes, etc.) across the Insight data lake.
Extensions
Manage extension subscriptions.
Artifacts
Upload, list, and download Artifacts within LimaCharlie.
Replay
Perform Replay jobs from the CLI.
Detection & Response
Manage Detection and Response rules over the CLI.
Events & Detections
Print events or detections matching the given parameters to STDOUT.
List Sensors
Print out all basic sensor information for all sensors matching the selector.
Add Users
Add single or multiple users to a LimaCharlie organization. Added users will be sent an email to confirm their address, enable the account and create a new password.
Keep in mind that this action operates in the user context, which means you need to use a user-scoped API key. For more information on how to obtain one, see https://api.limacharlie.io/static/swagger/#getting-a-jwt
Add a single user:
Add multiple users:
Add multiple users from new line delimited entries in a text file: