Tutorials
7 Articles in this category
Written by Eric Capuano, Matt Bromiley, Whitney Champion and 2 others
Ingesting Defender Event Logs
The Windows Sensor can listen, alert, and automate based on various Defender events. This is done by ingesting artifacts from the Defender Event Log Source and using Detection & Response rules to take the appropriate action. A config tem...
Written by Eric Capuano
Updated on: 01 Nov 2024
Test a New Sensor Version
Prior to rolling out a new Sensor version, we recommend testing to ensure everything works as intended within your environment. While we test Sensors before releasing them, we cannot predict every niche use case. We also recommend testing on dev ...
Written by Matt Bromiley, Eric Capuano
Updated on: 05 Oct 2024
Updating Sensors to the Newest Version
LimaCharlie releases a new version of the Sensor frequently - often every few weeks. However, we give you full control over what sensor version is running in your Organization. Sensors are not updated by default. There are two methods for updat...
Written by Matt Bromiley, Eric Capuano
Updated on: 05 Oct 2024
Ingesting Sysmon Event Logs
Sysmon can be a valuable addition to any defender's toolkit, given its verbosity and generous log data. It's worth noting that LimaCharlie's native EDR capabilities mirror much of the same telemetry. However, Sysmon and LimaCharlie can be combine...
Written by Matt Bromiley, Whitney Champion, Eric Capuano
Updated on: 05 Oct 2024
Ingesting Linux Audit Logs
One data source of common interest on Linux systems is the audit.log file. By default, this file stores entries from the Audit system, which contains information about logins, privilege escalations, and other account-related events. You can find m...
Written by Matt Bromiley, Eric Capuano, chris botelho
Updated on: 10 Dec 2024
Ingesting Windows Event Logs
You can enable real-time Windows Event Log (WEL) ingestion using the LimaCharlie EDR Sensor. First, navigate to the Exfil Control section of LimaCharlie and ensure that WEL events are enabled for your Windows rules. Next, navigate to th...
Written by Matt Bromiley, Maxime Lamothe Brassard, Eric Capuano
Updated on: 30 Oct 2024
Ingesting MacOS Unified Logs
You can enable real-time MacOS Unified Logs (MUL) ingestion using the LimaCharlie EDR Sensor. First, navigate to the Exfil Control section of LimaCharlie and ensure that MUL events are enabled for your Windows rules. Next, navigate to t...
Written by Maxime Lamothe Brassard, Eric Capuano
Updated on: 31 Oct 2024