Management
- 25 Apr 2024
- 2 Minutes to read
- Contributors
- Print
- DarkLight
This documentation version is deprecated, please click here for the latest version.
Management
- Updated on 25 Apr 2024
- 2 Minutes to read
- Contributors
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
The following sensor commands perform management actions on EDR sensors.
Exfil Service
Rather than using the exfil_add and exfil_del commands exclusively, it is recommended to use the Exfil extension available through the web UI and REST interface.
exfil_add
Add an LC event to the list of events sent back to the backend by default.
Platforms:
Usage:
usage: exfil_add [-h] -e EXPIRE event
positional arguments:
event name of event to start exfiling
optional arguments:
-e EXPIRE, --expire EXPIRE
number of seconds before stopping exfil of event
exfil_del
Remove an LC event from the list of events always sent back to the backend.
Platforms:
Usage:
usage: exfil_del [-h] event
positional arguments:
event name of event to stop exfiling
exfil_get
List all LC events sent back to the backend by default.
Platforms:
Return Event:
GET_EXFIL_EVENT_REP
Usage:
usage: exfil_get [-h]
history_dump
Send to the backend the entire contents of the sensor event cache, i.e. detailed events of everything that happened recently.
Platforms:
Return Event:
HISTORY_DUMP_REP
Usage:
usage: history_dump [-h] [-r ROOT] [-a ATOM] [-e EVENT]
optional arguments:
-r ROOT, --rootatom ROOT
dump events present in the tree rooted at this atom
-a ATOM, --atom ATOM dump the event with this specific atom
-e EVENT, --event EVENT
dump events of this type only
seal
Instruct the sensor to harden itself from tampering. This capability protects against use cases such as local admin users attempting to uninstall the LimaCharlie service. Please note that sealed status is curently only reflected in CONNECTED and SYNC events.
Seal Availability
Supported on sensor version 4.29.0 or newer and currently only supported on Windows.
Important note: the seal direct sensor command is stateless, meaning it will not survive a reboot. For this reason, in almost all cases, you want to automate the change of status in D&R rules using the seal and unseal response actions instead of this task. Alterntively you can also use the REST API endpoint {sid}/seal to change the status in a way that survives reboots.
The should_seal boolean parameter indicates whether a Sensor has yet to complete the seal command.
Platforms:
Usage:
usage: seal [--enable] [--disable]
Sample Event:
On Sensors version 4.29.0 or newer, you will see the following metadata within SYNC or CONNECTED events:
{
... ,
"SEAL_STATUS" : {
"ERROR": 0,
"IS_DISABLED": 1
}
}
set_performance_mode
Turn on or off the high performance mode on a sensor. This mode is designed for very high performance servers requiring high IO throughout. This mode reduces the accuracy of certain events which in turn reduces impact on the system, and is not useful for the vast majority of hosts. You can read more about Performance Mode and its caveats here.
Platforms:
Usage:
usage: set_performance_mode [-h] [--is-enabled]
optional arguments:
--is-enabled if specified, the high performance mode is enabled, otherwise
disabled
restart
Forces the LimaCharlie agent to re-initialize. This is typically only useful when dealing with cloned sensor IDs in combination with the remote deletion of the identity file on disk.
Platforms:
uninstall
Uninstall the sensor from that host.
For more information on Sensor uninstallation, including Linux systems, check here.
Platforms:
Usage:
usage: uninstall [-h] [--is-confirmed]
optional arguments:
--is-confirmed must be specified as a confirmation you want to uninstall
the sensor
Was this article helpful?