Destinations are the recipients of LimaCharlie streams. Oftentimes, users will rely on LimaCharlie for 365 data retention, while pushing high-fidelity alerts or other platform logs to another source for subsequent auditing or ticketing. As such, we have created native and/or easy-to-use destination options.
If you need support for a destination we haven't integrated yet, let us know by jumping in the LimaCharlie community Slack or email us at
Every destination will have both general and specific parameters. Destinations can be configured via the LimaCharlie GUI, API, or command-line.
All destinations can be configured with the following options:
is_flat: take the json output and flatten the whole thing to a flat structure.
is_payload_as_string: converts the payload (
detectcomponents) of events and detections into a JSON string instead of a JSON object.
inv_id: only send events matching the investigation id to this output (event stream only).
tag: only send events from sensors with this tag to this output (event stream only).
cat: only send detections from this category to this output (detect stream only).
cat_black_list: only send detections that do not match the prefixes in this list (newline-separated).
event_white_list: only send event of the types in this list (newline-separated, event and audit streams only).
event_black_list: only send event not of the types in this list (newline-separated, event and audit streams only).
is_delete_on_failure: if an error occurs during output, delete the output automatically.
is_prefix_data: wrap JSON events in a dictionary with the event_type as the key and original event as value.
sample_rate: limits data sent to Output to be 1/sample_rate.
custom_transform: a template and transforms to apply to the JSON data as a last output step.
If you are configuring destinations using the LimaCharlie UI, required options must be provided before the output can be created.