Destinations are the recipients of LimaCharlie streams. Oftentimes, users will rely on LimaCharlie for 365 data retention, while pushing high-fidelity alerts or other platform logs to another source for subsequent auditing or ticketing. As such, we have created native and/or easy-to-use destination options.
Every destination will have both general and specific parameters. Destinations can be configured via the LimaCharlie GUI, API, or command-line.
All destinations can be configured with the following options:
is_flat: flatten the entire JSON output into a flat structure.
is_payload_as_string: converts the payload (detect components) of events and detections into a JSON string instead of a JSON object.
inv_id: only send events matching the investigation ID to this output (event stream only).
tag: only send events from sensors with this tag to this output (event stream only).
cat: only send detections from this category to this output (detect stream only).
cat_black_list: only send detections that do not match the prefixes in this list (newline-separated).
event_white_list: only send events of the types in this list (newline-separated, event and audit streams only).
event_black_list: only send events not of the types in this list (newline-separated, event and audit streams only).
is_delete_on_failure: if an error occurs during output, delete the output automatically.
is_prefix_data: wrap JSON events in a dictionary with the event_type as the key and the original event as the value.
sample_rate: limits the data sent to the output to 1/sample_rate.
custom_transform: a template and transforms to apply to the JSON data as a last output step.
If you are configuring destinations using the LimaCharlie UI, required options must be provided before the output can be created.
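Several of the general options above only apply to certain streams or quietly reduce what a destination receives, so it is worth checking a configuration before creating the output. The following is an added example, not LimaCharlie code: the function name, the dict layout and the `stream` argument are assumptions for illustration, and the sample configuration is constructed.

```python
# Added example: lint a destination's general options against the
# restrictions listed above. Not LimaCharlie's own schema or API.

# Option -> streams the option list says it applies to.
STREAM_SCOPE = {
    "inv_id": {"event"},
    "tag": {"event"},
    "cat": {"detect"},
    "event_white_list": {"event", "audit"},
    "event_black_list": {"event", "audit"},
}
# Options documented as newline-separated lists.
NEWLINE_LISTS = ("cat_black_list", "event_white_list", "event_black_list")


def lint_destination(stream, options):
    """Return human-readable findings for one destination's general options."""
    findings = []
    for name, allowed in STREAM_SCOPE.items():
        if name in options and stream not in allowed:
            scope = "/".join(sorted(allowed))
            findings.append(f"{name}: applies to {scope} stream only, not '{stream}'")
    for name in NEWLINE_LISTS:
        if "," in options.get(name, ""):
            findings.append(f"{name}: entries must be newline-separated, found a comma")
    rate = options.get("sample_rate")
    if rate is not None:
        if isinstance(rate, bool) or not isinstance(rate, int) or rate < 1:
            findings.append("sample_rate: expected a positive integer")
        elif rate > 1:
            findings.append(f"sample_rate: only 1/{rate} of the data reaches this destination")
    if options.get("is_delete_on_failure"):
        findings.append("is_delete_on_failure: an output error deletes this destination")
    return findings


# Constructed sample: an event-stream destination with four problems.
SAMPLE = {
    "cat": "ransomware",                           # detect-stream filter on an event stream
    "event_white_list": "NEW_PROCESS,DNS_REQUEST",  # wrong separator
    "sample_rate": 10,
    "is_delete_on_failure": True,
}

if __name__ == "__main__":
    for finding in lint_destination("event", SAMPLE):
        print(finding)
```

The last two findings are warnings rather than errors: both settings are valid, but on a destination that carries alerts they mean data can go missing without anyone being told.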