How can I add LimaCharlie traffic to an allow list?
In the Install Sensors section of the web app, you'll see a list of hostnames and ports that the LimaCharlie agent connects to.
How much data does the LimaCharlie sensor produce per day?
The amount of data that is produced by the sensor is dependent on how much, and what kind of activity is taking place on the endpoint. That being said, the average data produced per endpoint across thousands of deployments is approximately 1MB per day.
How many resources does the LimaCharlie sensor consume?
The total footprint of the sensor on disk combined with what is in memory is approximately 2MB. The sensor typically runs under 1% CPU.
CPU usage may increase depending on the actions you perform (e.g. a full YARA scan is expected to increase CPU usage). Our YARA trickle scan keeps CPU usage within reasonable bounds; you'll only see YARA scans spike CPU when you run a full manual scan.
Why does my sensor initially connect successfully but then disappear?
Sometimes the agent connects to the LimaCharlie cloud, enrolls, then disconnects (which is normal the first time after enrollment) and never connects again, or it doesn't show that the kernel has been acquired.
This behavior is typical with SSL interception. Sometimes it's a network device, but at other times some security products on the host can do that without being very obvious.
You can confirm if there is SSL interception by performing the following steps to check the SSL fingerprint of the LimaCharlie cloud from the host.
Confirm the region of your organization
If you already know where your organization's region is located, you can move to the next step. To verify the organization's region where the data is processed and stored, click Add Sensor from the Sensors view. You will then see the region listed under
Open the test URL
Via web browser, navigate to one of the below test URLs that corresponds to the correct region:
No website will open; you should get a "Your connection is not private" type of message instead.
Display the SSL Certificate
Click the exclamation mark near the URL bar to open a small menu, then click "Certificate status"/"Certificate validity"/"Certificate is not valid" to display the certificate information.
Confirm the SHA-1 and SHA-256 fingerprints
The SHA-1 and SHA-256 fingerprints should match the values below that correspond to the region your organization is in.
If the SHA-1 and SHA-256 fingerprints you are seeing do not match what's listed below, that's an indicator of SSL interception.
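The browser steps above can also be run from a script on a host where opening a browser is impractical. The following Python is an added example, not LimaCharlie's own tooling; TEST_HOST, port 443 and the EXPECTED values are placeholders (assumptions) to be replaced with the test URL host and the published fingerprints for your region.

```python
import hashlib
import re
import socket
import ssl

# Placeholders (assumptions, not real values): use the test URL host for your
# region and the fingerprints published for that region.
TEST_HOST = "your-region-test-host.invalid"
EXPECTED = {"sha1": "<published SHA-1>", "sha256": "<published SHA-256>"}


def normalize(fp):
    """Reduce 'AA BB', 'aa:bb' or 'aabb' to upper-case hex without separators."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints(der):
    """SHA-1 and SHA-256 of the DER certificate, the values a browser displays."""
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}


def fetch_der(host, port=443, timeout=10.0):
    """Return the certificate this host is actually served (port 443 assumed)."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: the browser step expects a certificate
    # warning, so the comparison against the published fingerprints is the check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check(der, expected):
    """Compare both fingerprints; any mismatch indicates SSL interception."""
    seen, mismatches = fingerprints(der), []
    for algo, digits in (("sha1", 40), ("sha256", 64)):
        want = normalize(expected[algo])
        if len(want) != digits:  # catches a truncated or mis-pasted value
            raise ValueError(f"expected {algo} must be {digits} hex digits")
        if want != seen[algo]:
            mismatches.append(algo)
    return {"intercepted": bool(mismatches), "mismatches": mismatches, "seen": seen}


if __name__ == "__main__":
    print(check(fetch_der(TEST_HOST), EXPECTED))
```

The "seen" values in the result are the fingerprints the host was actually served, which helps identify the intercepting device or product when they do not match.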
What happens if a host is offline?
When the host is offline, the Sensor will keep collecting telemetry and store it locally in a "ring buffer" (which limits the total possible size). The buffer is ~60MB, so the amount of time it covers will vary based on how much telemetry the individual endpoint generates. For example, a domain controller will likely generate many more events than a regular end-user workstation.
When the host is back online, the content of this buffer will be flushed to the cloud where detection and response (D&R) rules will apply as usual.
The same ring buffer is used when the Sensor runs normally, even if data is not sent to the cloud in real-time. The cloud can then retroactively request the full or partial content of the ring buffer, bringing your telemetry current.
How can I tell which installation key was used to enroll a sensor?
On occasion you may need to check which installation key was used to enroll a sensor. You can do so by comparing the sensor's Installer ID with the Installation Key's Adapter Key value.
- Go to the Sensors section and click into the sensor in question to view its details page. Take note of the
- Go to the Install Sensors section. Click the copy icon under the
- Compare these two values; the Installer ID on a sensor should be the same as the Adapter Key of the installation key used.
If you need to check a large list of sensors, you can perform an export of all sensors from the main sensors list page, or use the LimaCharlie API.