API Integrations
Mechanics
Functionally, API-based lookups operate exactly the same as using the normal lookup operator, with one addition: metadata_rules. The rule will pass a value to the lookup, wait for a response, and then evaluate the response using metadata_rules.

The operators within metadata_rules are evaluated exactly the same as any other rule, except they additionally evaluate the lookup's response. The response actions will only run if the metadata_rules criteria are met.
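A D&R rule built on this mechanism could look like the following. This is an added example, not taken from the original page: the resource name hive://lookup/example-api is a placeholder for whichever integration you subscribe to, and the response shape (one entry per positive finding at the root of the response) is an assumption, so check the integration's own page for the real structure.

```yaml
# Added example: resource name and response shape are assumptions.
detect:
  # Send the hash of every new process to the API-based lookup.
  event: NEW_PROCESS
  op: lookup
  path: event/HASH
  resource: hive://lookup/example-api   # placeholder integration name
  # metadata_rules is evaluated against the lookup's response,
  # not against the original event.
  metadata_rules:
    op: is greater than
    value: 1
    path: /            # root of the response
    length of: true    # compare the number of entries, not their content
respond:
  # Runs only when the metadata_rules criteria above are met.
  - action: report
    name: api-lookup-hit
```

Raising or lowering value changes how many findings the response must contain before the rule reports, which is the main lever for trading detection fidelity against noise.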
Configuration
When subscribed, API keys can be managed within the Integrations menu, available under Organization Settings in the web app.
Users who wish to view and/or edit API keys will need to have the following permissions:
org.conf.get
org.conf.set
Available Lookups
LimaCharlie offers multiple API lookups for telemetry and D&R rule enrichment, allowing you to make higher fidelity detections that rely on API-based metadata. The list of available API-based integrations is under this page in the left-side navigation menu. Don't see an integration that you want? Let us know!