LimaCharlie provides a multitude of events based on actions generated by sensors, systems, services, artifacts, and other key functions of the platform. The following pages provide details on the structured events available in LimaCharlie. Note that this section only describes events generated by the LimaCharlie Endpoint Agent/Sensor or by the LimaCharlie platform itself. Events generated by third-party sources (i.e., ingested via an Adapter) are provided in their raw format and can be addressed as such within Detection & Response rules.
Missing events on a sensor timeline?
Not seeing an expected event in your timeline? Make sure you included all events of interest in your Exfil Control; events that are not selected for exfiltration never leave the sensor and so never appear in the timeline.
Operationalizing Events
Events can be observed and matched by Detection & Response rules to automate behavior, and they can also be streamed via Outputs to the destination of your choice.
Schema
Specific event schemas are learned by the platform and are available through the Schema API; learn more here.
Streams
There are 6 different event streams moving through LimaCharlie:
| Name | Description | D&R Target | Output |
|---|---|---|---|
| Events | Events sent from sensors | `<default>` | ✅ |
| Deployment | Lifecycle events sent from sensors | `deployment` | ✅ |
| Detections | Detections reported from D&R rules | `detection` | ✅ |
| Artifacts | Artifacts sent from sensors (or API) | `artifact` | ✅ |
| Artifact Events | Lifecycle events for artifacts | `artifact_event` | ✅ |
| Audit | Audit logs for management activity within LimaCharlie | `audit` | ✅ |
| Billing | Billing activity within LimaCharlie | `billing` | ✅ |
Formatting
At a high level, every event in LimaCharlie is a standard, formatted JSON object with two top-level members: `event`, whose schema depends on the event type, and `routing`, the envelope that identifies where and when the event came from.
```json
{
  "type": "object",
  "properties": {
    "event": {
      "type": "any",
      "description": "Schema is determined by the routing/event_type"
    },
    "routing": {
      "type": "object",
      "properties": {
        "this": {"type": "string", "description": "GUID (i.e. 1e9e242a512d9a9b16d326ac30229e7b) - see 'Atoms' section for more detail", "format": "Atom"},
        "event_type": {"type": "string", "description": "The event type (e.g. NEW_PROCESS, NETWORK_SUMMARY) dictates the 'event' schema"},
        "event_time": {"type": "integer", "description": "The time the event was observed on the host"},
        "latency": {"type": "integer", "description": "The time difference between event time and event arrival, in milliseconds"},
        "event_id": {"type": "string", "format": "UUID"},
        "oid": {"type": "string", "format": "UUID", "description": "Organization ID"},
        "sid": {"type": ["string", "null"], "format": "UUID", "description": "Sensor ID"},
        "did": {"type": ["string", "null"], "format": "UUID", "description": "Device ID"},
        "iid": {"type": ["string", "null"], "format": "UUID", "description": "Installer Key ID"},
        "investigation_id": {"type": ["string", "null"], "format": "string", "description": "Events responding to a command will include this if it was provided along with the command"},
        "parent": {"type": ["string", "null"], "description": "Atom of possible parent event", "format": "Atom"},
        "target": {"type": ["string", "null"], "description": "Atom of possible target event", "format": "Atom"},
        "hostname": {"type": ["string", "null"]},
        "arch": {"type": ["integer", "null"], "description": "Integer corresponds with sensor architecture"},
        "plat": {"type": ["integer", "null"], "description": "Integer corresponds with sensor platform"},
        "tags": {"type": ["array"], "format": "string", "description": "Tags applied to sensor at the time the event was sent"}
      }
    }
  }
}
```
The following is a sample event utilizing the above schema:
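As an added example (this is constructed here and is not LimaCharlie's own code or the page's own sample event), the block below builds an event in the shape of the schema above and checks its `routing` envelope field by field. Every value in the sample (UUIDs, atoms, hostname, tags, platform and architecture integers, the `NEW_PROCESS` payload fields) is made up for illustration, and the rule that an atom is 32 hexadecimal characters is an assumption inferred from the GUID example in the schema text. A check like this is useful on the receiving end of an Output, where a malformed envelope usually means a broken forwarder rather than a real sensor event.

```python
"""Validate the LimaCharlie event envelope ("routing") against the schema above.
Added example, not LimaCharlie's own code; all sample values are constructed."""
import json
import re
import uuid

# Transcription of the routing schema on this page:
# field -> (allowed JSON types, declared "format" or None)
ROUTING_SCHEMA = {
    "this": (("string",), "Atom"),
    "event_type": (("string",), None),
    "event_time": (("integer",), None),
    "latency": (("integer",), None),
    "event_id": (("string",), "UUID"),
    "oid": (("string",), "UUID"),
    "sid": (("string", "null"), "UUID"),
    "did": (("string", "null"), "UUID"),
    "iid": (("string", "null"), "UUID"),
    "investigation_id": (("string", "null"), None),
    "parent": (("string", "null"), "Atom"),
    "target": (("string", "null"), "Atom"),
    "hostname": (("string", "null"), None),
    "arch": (("integer", "null"), None),
    "plat": (("integer", "null"), None),
    "tags": (("array",), "string"),  # "format": "string" means the array items are strings
}

# Assumption: an atom is 32 lowercase hex characters, like the page's example GUID.
ATOM_RE = re.compile(r"^[0-9a-f]{32}$")

_TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),  # bool is an int subclass
    "null": lambda v: v is None,
    "array": lambda v: isinstance(v, list),
}


def _has_format(value, fmt):
    """True when a non-null value matches its declared format (or none is declared)."""
    if value is None or fmt is None:
        return True
    if fmt == "UUID":
        try:
            uuid.UUID(value)
        except ValueError:
            return False
        return True
    if fmt == "Atom":
        return ATOM_RE.match(value) is not None
    if fmt == "string":  # only used on the "tags" array
        return all(isinstance(item, str) for item in value)
    return True


def validate_event(event):
    """Return a list of problems with the envelope; an empty list means it is well-formed."""
    problems = []
    if "event" not in event:
        problems.append("event: missing payload")
    routing = event.get("routing")
    if not isinstance(routing, dict):
        return problems + ["routing: missing or not an object"]
    for field, (types, fmt) in ROUTING_SCHEMA.items():
        if field not in routing:
            problems.append(f"routing.{field}: missing")
            continue
        value = routing[field]
        if not any(_TYPE_CHECKS[t](value) for t in types):
            problems.append(f"routing.{field}: expected {'/'.join(types)}, got {type(value).__name__}")
        elif not _has_format(value, fmt):
            problems.append(f"routing.{field}: value does not match format {fmt}")
    return problems


def corrupted_copy(event, **routing_overrides):
    """Deep copy of an event with some routing fields replaced, to exercise the validator."""
    copy = json.loads(json.dumps(event))
    copy["routing"].update(routing_overrides)
    return copy


# Constructed sample event in the shape of the schema above (every value is made up).
SAMPLE_EVENT = {
    "event": {"FILE_PATH": "C:\\Windows\\System32\\notepad.exe", "PROCESS_ID": 4242},
    "routing": {
        "this": "1e9e242a512d9a9b16d326ac30229e7b",
        "event_type": "NEW_PROCESS",
        "event_time": 1700000000000,
        "latency": 250,
        "event_id": "0f7e1a2b-3c4d-4e5f-8a9b-0c1d2e3f4a5b",
        "oid": "11111111-2222-4333-8444-555555555555",
        "sid": "66666666-7777-4888-9999-aaaaaaaaaaaa",
        "did": None,
        "iid": "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff",
        "investigation_id": None,
        "parent": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
        "target": None,
        "hostname": "ws-example-01",
        "arch": 2,
        "plat": 268435456,
        "tags": ["workstation", "finance"],
    },
}

if __name__ == "__main__":
    print("sample:", validate_event(SAMPLE_EVENT) or "ok")
    print("broken:", validate_event(corrupted_copy(SAMPLE_EVENT, sid=12, this="not-an-atom")))
```

The validator deliberately checks types before formats, so a field with the wrong type reports a single, specific problem instead of a confusing format error, and it treats `null` as acceptable only where the schema lists it (for example `sid` and `parent`, but not `this` or `event_id`).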
Endpoint Agents are lightweight software agents deployed directly on endpoints like workstations and servers. These sensors collect real-time data related to system activity, network traffic, file changes, process behavior, and much more.
Similar to agents, Sensors send telemetry to the LimaCharlie platform in the form of EDR telemetry or forwarded logs. Sensors are offered as a scalable, serverless solution for securely connecting endpoints of an organization to the cloud.