Sleeper Deployment
  • 05 Oct 2024
  • 2 Minutes to read
  • Contributors
  • Dark
    Light

Sleeper Deployment

  • Dark
    Light

Article summary

LimaCharlie's usage-based billing enables incident responders to offer pre-deployments to their customers at almost zero cost. That is, they can deploy across an Organization's entire fleet and lay dormant in ‘sleeper mode’ at a cost of just $0.10 per 30 days. With agents deployed ahead of an incident, responders can offer competitive SLAs.

For more details than what is below, feel free to contact us at answers@limacharlie.io or book a quick call with the engineering team to discuss your use case.

Sleeper and Usage billing use the following metrics:

Connected Time

Events Processed

Events Retained

$0.10 per 30 days

$0.67 per 100,000 events

$0.17 per 100,000 events

Using sleeper and usage deployments is extremely easy:

Applying the lc:sleeper tag to a Sensor will stop all activity on the host while remaining connected to the cloud. Within 10 minutes of the tag being applied, the sensor will enter sleeper mode and will be billed only for its "Connected Time" as outlined above. If the tag is removed, normal operations resume within 10 minutes.

Applying the lc:usagetag will make the sensor operate normally as usual, but its connection will not count against the normal Sensor Quota. Instead it will be billed per time spend connected and number of events process/retained as outlined above.

Using the "usage" and "sleeper" mode requires the organization in question to have billing enabled (a quota of at least 3 to be outside of the free tier).

This means a sample scenario around pre-deploying in an enterprise could look something like this:

  1. You create a new Organization in LimaCharlie.

  2. Set the Quota to 3 to enable billing.

  3. Create a new Installation Key, and set the lc:sleeper tag on the key.

  4. Enroll any number of EDR sensors, 4 or 40,000, it doesn't matter.

  5. For 100 sensors, you'll be billed $10 per month.

  6. Whenever you need to wake up and use some of the EDRs, you have 2 options (say you need 15 of them online):

    1. Set the lc:usage tag on the 15 sensors you need, within 10 minutes they will be online and billed on direct usage.

    2. Set the quota to 15, remove the lc:sleeper tag and within 10 minutes they will be online, billed according to the quota.

  7. When you're done, just re-add the lc:sleeper tag.

Switching to sleeper mode does not change the binary on disk, however, the code running in memory does change. Whether putting an org into dormant mode or changing sensor versions, the binary on disk remains as-is.

The changes to sleeper mode go into effect without the need for a reboot. In sleeper mode, activities such as read other process’ memory (e.g. YARA) will stop.


Was this article helpful?