Management

17 May 2023

The following sensor commands perform management actions on EDR sensors.

Exfil Service

Rather than using the exfil_add and exfil_del commands directly, it is recommended to use the Exfil Service available through the web UI and REST interface.

exfil_add

Add an LC event to the list of events sent back to the backend by default.

Platforms:

Usage:

usage: exfil_add [-h] -e EXPIRE event

positional arguments:
  event                 name of event to start exfiling

optional arguments:
  -e EXPIRE, --expire EXPIRE
                        number of seconds before stopping exfil of event

exfil_del

Remove an LC event from the list of events always sent back to the backend.

Platforms:

Usage:

usage: exfil_del [-h] event

positional arguments:
  event       name of event to stop exfiling

exfil_get

List all LC events sent back to the backend by default.

Platforms:

Return Event:
GET_EXFIL_EVENT_REP

Usage:

usage: exfil_get [-h]

history_dump

Send to the backend the entire contents of the sensor event cache, i.e. detailed events of everything that happened recently.

Platforms:

Return Event:
HISTORY_DUMP_REP

Usage:

usage: history_dump [-h] [-r ROOT] [-a ATOM] [-e EVENT]

optional arguments:
  -r ROOT, --rootatom ROOT
                        dump events present in the tree rooted at this atom
  -a ATOM, --atom ATOM  dump the event with this specific atom
  -e EVENT, --event EVENT
                        dump events of this type only

set_performance_mode

Turn on or off the high performance mode on a sensor. This mode is designed for very high performance servers requiring high IO throughput. It reduces the accuracy of certain events, which in turn reduces the sensor's impact on the system. This mode is not useful for the vast majority of hosts.

If you are considering its usage, get in touch with the team at LimaCharlie.io.

Platforms:

Usage:

usage: set_performance_mode [-h] [--is-enabled]

optional arguments:
  --is-enabled  if specified, the high performance mode is enabled, otherwise
                disabled

restart

Forces the LimaCharlie agent to re-initialize. This is typically only useful when dealing with cloned sensor IDs in combination with the remote deletion of the identity file on disk.

Platforms:

uninstall

Uninstall the sensor from that host.

For more information on Sensor uninstallation, including Linux systems, check here.

Platforms:

Usage:

usage: uninstall [-h] [--is-confirmed]

optional arguments:
  --is-confirmed  must be specified as a confirmation you want to uninstall
                  the sensor
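The usage lines above are the sensor's own argparse-style help, and a task sent with the wrong shape (an exfil_add with no --expire, an uninstall without --is-confirmed) is simply rejected by the sensor. The following added example, which is not LimaCharlie's code and not part of this documentation, mirrors each documented usage line locally so that a task string can be validated and canonicalised before it is sent. The restart command has no usage line on this page, so treating it as argument-less is an assumption; the task_sensor function assumes the limacharlie Python SDK's Manager().sensor(sid).task(...) interface and is the only part that talks to the platform.

```python
# Added example (not LimaCharlie's own code): a local "dry run" validator
# for the sensor management commands documented on this page. Each command
# is described to argparse exactly as its documented usage line reads.
import argparse
import shlex


class _StrictParser(argparse.ArgumentParser):
    """argparse normally prints to stderr and calls sys.exit() on bad input;
    raise ValueError instead so the caller can decide what to do."""

    def error(self, message):
        raise ValueError(f"{self.prog}: {message}")


def _parsers():
    p = {}
    p["exfil_add"] = _StrictParser(prog="exfil_add", add_help=False)
    p["exfil_add"].add_argument("-e", "--expire", type=int, required=True)
    p["exfil_add"].add_argument("event")

    p["exfil_del"] = _StrictParser(prog="exfil_del", add_help=False)
    p["exfil_del"].add_argument("event")

    p["exfil_get"] = _StrictParser(prog="exfil_get", add_help=False)

    p["history_dump"] = _StrictParser(prog="history_dump", add_help=False)
    p["history_dump"].add_argument("-r", "--rootatom", dest="root")
    p["history_dump"].add_argument("-a", "--atom")
    p["history_dump"].add_argument("-e", "--event")

    p["set_performance_mode"] = _StrictParser(prog="set_performance_mode", add_help=False)
    p["set_performance_mode"].add_argument("--is-enabled", action="store_true")

    # Assumption: the page gives no usage line for restart, so it is
    # modelled here as taking no arguments.
    p["restart"] = _StrictParser(prog="restart", add_help=False)

    p["uninstall"] = _StrictParser(prog="uninstall", add_help=False)
    p["uninstall"].add_argument("--is-confirmed", action="store_true")
    return p


_PARSERS = _parsers()


def validate_task(task: str) -> str:
    """Parse a task string against the documented usage and return it in a
    canonical form. Raises ValueError for unknown or malformed commands."""
    argv = shlex.split(task)
    if not argv:
        raise ValueError("empty task")
    name, args = argv[0], argv[1:]
    parser = _PARSERS.get(name)
    if parser is None:
        raise ValueError(f"{name}: not a management command documented here")
    ns = parser.parse_args(args)  # unknown flags or a missing -e raise here

    if name == "exfil_add":
        if ns.expire <= 0:
            raise ValueError("exfil_add: --expire must be a positive number of seconds")
        return f"exfil_add -e {ns.expire} {ns.event}"
    if name == "exfil_del":
        return f"exfil_del {ns.event}"
    if name == "history_dump":
        parts = ["history_dump"]
        if ns.root:
            parts += ["-r", ns.root]
        if ns.atom:
            parts += ["-a", ns.atom]
        if ns.event:
            parts += ["-e", ns.event]
        return " ".join(parts)
    if name == "set_performance_mode":
        return "set_performance_mode --is-enabled" if ns.is_enabled else "set_performance_mode"
    if name == "uninstall":
        # The sensor requires the confirmation flag; refuse locally rather
        # than sending a task the sensor will ignore.
        if not ns.is_confirmed:
            raise ValueError("uninstall: --is-confirmed is required")
        return "uninstall --is-confirmed"
    return name  # exfil_get and restart take no arguments


def is_valid_task(task: str) -> bool:
    """Convenience wrapper: True if validate_task() accepts the string."""
    try:
        validate_task(task)
        return True
    except ValueError:
        return False


def task_sensor(sid: str, task: str) -> str:
    """Validate, then send the task with the limacharlie Python SDK.
    Assumption: the SDK exposes Manager().sensor(sid).task(...); it needs
    LimaCharlie credentials in the environment and is not run offline."""
    canonical = validate_task(task)
    import limacharlie  # assumed: pip install limacharlie
    limacharlie.Manager().sensor(sid).task(canonical)
    return canonical
```

validate_task("exfil_add --expire 3600 NEW_PROCESS") returns "exfil_add -e 3600 NEW_PROCESS", while "uninstall" on its own and "exfil_add NEW_PROCESS" both raise ValueError. Running the check before tasking is cheap, and it keeps the confirmation requirement on uninstall visible in the operator's own tooling rather than buried in a silently ignored task.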
