LimaCharlie is infrastructure to connect sources of security data, automate activity based on what's being observed, and forward data to where you need it. There's no correct way to use it - every environment is different.
That said, the majority of LimaCharlie users require basic endpoint detection and response (EDR) capabilities. This guide will cover:
Creating a new Organization
Deploying a Sensor to the organization
Adding Sigma rules to detect suspicious activity
Forwarding detections to an external destination as an Output
All of this can be done within our free tier, which offers full platform functionality for up to two (2) sensors. If you haven't already signed up for a free account, please do so at app.limacharlie.io.
Let's get started!
Creating an Organization
LimaCharlie organizations are isolated tenants in the cloud, conceptually equivalent to "projects". They can be configured to suit the needs of each deployment.
After accepting the initial Terms of Service, you'll be offered a prompt to create an organization in a selected Region with a globally unique Name.
Region Selection
The region that you select for an organization is permanent, so also consider data-residency and regulatory requirements for your own and your customers' data before choosing it.
Once the organization is created, you'll be forwarded to our initial dashboard and Sensor list, which will be empty and ready for the next step.
Deploying a Sensor
From the Sensors page in your new organization, click Add Sensor to open the setup flow for new sensors. Generally speaking, Sensors are executables that install on hosts and connect them to the LimaCharlie cloud to send telemetry, receive commands, and provide other capabilities.
Telemetry
For a full overview of types of sensors, their capabilities, and other telemetry, check out Telemetry.
The setup flow should make this process straightforward. For example's sake, let's say we're installing a sensor on a Windows 10 (64 bit) machine we have in front of us.
Choose the Windows sensor type
Create an Installation Key - this registers the executable to communicate securely with your organization
Choose the 64 bit (.exe) installer
Follow the on-screen instructions to execute the installer properly
See immediate feedback when the sensor registers successfully with the cloud
Potential Issues
Since sensors are executables that talk to the cloud, antivirus software and networking layers may interfere with installation. If you run into an issue, take a look at troubleshooting.
With a Windows sensor connected to the cloud, you should gain a lot of visibility into the endpoint. If we view the new sensor inside the web application, we'll have access to views such as:
Timeline: the viewer for telemetry events being collected from the endpoint
Processes: the list of processes running on the endpoint, their level of network activity, and commands to manipulate processes (e.g. kill / pause / resume a process, or view its modules)
File System: an explorer for the endpoint's file system, right in the browser
Console: a safe shell-like environment for issuing commands
Live Feed: a running view of the live output of all the sensor's events
With telemetry now flowing from the sensor into the cloud, let's add rules to detect potentially malicious activity.
Adding Sigma Rules
Writing security rules and automations from scratch is a huge effort. To set an open, baseline standard of coverage, LimaCharlie maintains a Sigma add-on which can be enabled for free and is kept up to date with the openly maintained Sigma threat signatures.
Enabling the Sigma add-on will automatically apply rules to your organization to match these threat signatures so we can begin to see Detections on incoming endpoint telemetry.
Writing Detection and Response rules
Writing your own rules is outside the scope of this guide, but we do encourage checking out Detection & Response when you're finished.
Output
Security data generated from sensors is yours to do with as you wish. For example's sake, let's say we want to forward detections to an Amazon S3 bucket for longer-lived storage of detections.
From the Outputs page in your organization, click Add Output to open the setup flow for new outputs. Again, the setup flow should make this process straightforward.
Choose the Detections stream
Choose the Amazon S3 destination
Configure the Output and ensure it connects securely to the correct bucket:
Output Name
Bucket Name
Key ID
Secret Key
Region
Optionally, you can view samples of the detection stream's data (assuming recent detections have occurred)
With this output in place you can extend the life of your detections beyond the 1 year LimaCharlie retains them, and stage them for any tool that can pull from S3.
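The Key ID and Secret Key you enter above are long-lived credentials stored by a third party, so they should be scoped to the one bucket and action the output needs rather than to a broad policy such as s3:* on every bucket. The IAM policy below is an added example, not part of the LimaCharlie documentation: the bucket name and prefix are placeholders, and the assumption that the output only needs s3:PutObject is mine, so widen it only if the output reports an access error.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumedMinimumForLimaCharlieDetectionsOutput",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-DETECTIONS-BUCKET/limacharlie/detections/*"
    }
  ]
}
```

Attach this policy to a dedicated IAM user created only for this output, with no other policies, so the implicit deny covers everything else (listing, reading or deleting detections stays impossible with these keys).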