The LimaCharlie Adapter is software that ingests or forwards logs and other telemetry of your choice to your organization within LimaCharlie, in real time. Adapters support ingestion of any structured text via simple yet flexible text ingestion methods. The following data types allow you to push any arbitrary data into LimaCharlie:
- Common Event Format (CEF)
You can customize your own mapping on ingestion, and data is observable and addressable immediately.
We also offer a list of Adapter types with pre-defined mappings and guided adapter setups. In many cases the ingestion pipelines are the same, which allows for easy one-step reference and enhanced D&R rules.
For example, AWS CloudTrail and Amazon GuardDuty logs are available for ingestion from either an AWS S3 bucket or Simple Queue Service (SQS) events. Thus, the web app "helper" walks you through setting up either one of those sources, depending on your needs and architecture.
Note: certain cloud-to-cloud adapters, such as AWS S3 and Google Cloud Storage, ingest data as a sink, meaning blobs are deleted as they are consumed. The ingestion API therefore requires the ability to delete objects in these sources. To avoid errors, we recommend creating a dedicated bucket (with appropriate permissions) for the logs you ingest into LimaCharlie.
For other data streams, where unique connector details are required (e.g. Office 365 or Slack), we will provide guidance on establishing those connections.
We will indicate pre-defined Adapters on their respective page under Adapter Types.
At a high-level, you can deploy Adapters in one of two ways:
- On-prem: Adapters use the LC Adapter binary to ingest a data source and forward it to LimaCharlie.
- Cloud-to-cloud: connects the LimaCharlie cloud directly to your cloud source and automatically ingests data.
You can use on-prem adapters to forward cloud data, or you could acquire the same data with a cloud-to-cloud connection. So, which one to use?
The answer lies in how you want to send your data to LimaCharlie. Are you OK with configuring a connector from our platform, or would you rather use a bastion box in between? Either way works for us!
The data ingested from adapters is parsed and mapped into JSON by LimaCharlie according to the parameters you provide, unless you use a pre-defined format.
Software-based, or "on-prem" adapters are available in the following formats:
If you need support for a specific platform, or require more information about supported platforms, please let us know.
Detection & Response on Adapter Data
As with EDR telemetry, data received via Adapters is observable by Detection & Response rules. D&R rules that act on Adapter-based data are written the same way, with event and operator qualifiers and response actions triggered by successful detections.
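As an added illustration (not part of the LimaCharlie documentation or its adapter code), the following Python parses a CEF line of the kind an Adapter ingests, applies a custom field mapping to produce a JSON-style event, and evaluates a toy qualifier in the spirit of a D&R rule. The sample line, the FIELD_MAP names and the high_severity_block check are constructed for this example and are not LimaCharlie's own mapping or rule syntax.

```python
import json
import re

# Constructed sample CEF line (not taken from the original page).
SAMPLE_CEF = (
    r"CEF:0|Acme|Firewall|1.0|100|Connection blocked|7|"
    r"src=10.0.0.5 dst=203.0.113.9 dpt=443 msg=blocked by policy\=deny act=block"
)

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # a pipe not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # key= at start or after whitespace

def _unescape(value: str) -> str:
    return value.replace(r"\=", "=").replace(r"\|", "|").replace("\\\\", "\\")

def parse_cef(line: str) -> dict:
    """Parse one CEF line into a flat dict: 7 header fields plus extension key/values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    record = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext = parts[7] if len(parts) == 8 else ""
    matches = list(_EXT_KEY.finditer(ext))  # CEF values must escape '=' so keys are unambiguous
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        record[m.group(1)] = _unescape(ext[m.end():end].strip())
    return record

# Hypothetical custom mapping: CEF extension keys -> field names wanted in the event.
FIELD_MAP = {"src": "source_ip", "dst": "dest_ip", "dpt": "dest_port", "act": "action"}

def to_event(cef_record: dict, mapping: dict = FIELD_MAP) -> dict:
    """Rename fields per the mapping; unmapped fields keep their CEF key."""
    return {mapping.get(k, k): v for k, v in cef_record.items()}

def high_severity_block(event: dict, threshold: int = 7) -> bool:
    """Toy qualifier in the spirit of a D&R rule: severity >= threshold and the action is 'block'."""
    return int(event["severity"]) >= threshold and event.get("action") == "block"

if __name__ == "__main__":
    ev = to_event(parse_cef(SAMPLE_CEF))
    print(json.dumps(ev, indent=2))
    print("detected:", high_severity_block(ev))
```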
Depending on the type of adapter, you can reference adapter data directly via the platform sensor selector (e.g.