    Management
    • 25 Apr 2024

    The following sensor commands perform management actions on EDR sensors.

    Exfil Service

    Rather than using the exfil_add and exfil_del commands exclusively, it is recommended to use the Exfil extension available through the web UI and REST interface.

    exfil_add

    Add an LC event to the list of events sent back to the backend by default.

    Platforms:

    Usage:

    usage: exfil_add [-h] -e EXPIRE event
    
    positional arguments:
      event                 name of event to start exfiling
    
    optional arguments:
      -e EXPIRE, --expire EXPIRE
                            number of seconds before stopping exfil of event

    exfil_del

    Remove an LC event from the list of events always sent back to the backend.

    Platforms:

    Usage:

    usage: exfil_del [-h] event
    
    positional arguments:
      event       name of event to stop exfiling

    exfil_get

    List all LC events sent back to the backend by default.

    Platforms:

    Return Event:
    GET_EXFIL_EVENT_REP

    Usage:

    usage: exfil_get [-h]

    history_dump

    Send to the backend the entire contents of the sensor event cache, i.e. detailed events of everything that happened recently.

    Platforms:

    Return Event:
    HISTORY_DUMP_REP

    Usage:

    usage: history_dump [-h] [-r ROOT] [-a ATOM] [-e EVENT]
    
    optional arguments:
      -r ROOT, --rootatom ROOT
                            dump events present in the tree rooted at this atom
      -a ATOM, --atom ATOM  dump the event with this specific atom
      -e EVENT, --event EVENT
                            dump events of this type only

    seal

    Instruct the sensor to harden itself from tampering. This capability protects against use cases such as local admin users attempting to uninstall the LimaCharlie service. Please note that sealed status is currently only reflected in CONNECTED and SYNC events.

    Seal Availability

    Supported on sensor version 4.29.0 or newer and currently only supported on Windows.

    Important note: the seal direct sensor command is stateless, meaning it will not survive a reboot. For this reason, in almost all cases, you want to automate the change of status in D&R rules using the seal and unseal response actions instead of this task. Alternatively, you can also use the REST API endpoint {sid}/seal to change the status in a way that survives reboots.

    The should_seal boolean parameter indicates whether a Sensor has yet to complete the seal command.

    Platforms:

    Usage:

    usage: seal [--enable] [--disable]

    Sample Event:
    On Sensors version 4.29.0 or newer, you will see the following metadata within SYNC or CONNECTED events:

    {
     ... ,
     "SEAL_STATUS" : {
        "ERROR": 0,
        "IS_DISABLED": 1
        }
    }
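    As an added example (not LimaCharlie's own code or documentation), the following Python reads the SEAL_STATUS metadata shown above from SYNC and CONNECTED events and flags sensors that are not sealed, which is what a periodic audit or a D&R rule would check for. The meaning of IS_DISABLED 0 (sealed) and of a non-zero ERROR (seal failed), and the hostnames in the sample events, are assumptions not stated on this page.

```python
# Added example, not part of the LimaCharlie documentation or code base.
# Reads the SEAL_STATUS block that 4.29.0+ Windows sensors put in SYNC and
# CONNECTED events and flags sensors that are not sealed, so the result can
# feed a periodic audit. Assumed meanings, inferred from the page's sample:
# IS_DISABLED == 0 means sealed; ERROR != 0 means the seal attempt failed.
from typing import Any, Dict, List, Tuple

SEAL_EVENTS = ("SYNC", "CONNECTED")  # only these carry SEAL_STATUS

def seal_state(event_type: str, body: Dict[str, Any]) -> str:
    """Return 'sealed', 'unsealed', 'error' or 'unknown' for one event."""
    if event_type not in SEAL_EVENTS:
        return "unknown"  # other event types never carry the field
    status = body.get("SEAL_STATUS")
    if not isinstance(status, dict):
        return "unknown"  # sensor older than 4.29.0 or not Windows
    if status.get("ERROR", 0) != 0:
        return "error"  # assumed: non-zero ERROR = seal attempt failed
    return "unsealed" if status.get("IS_DISABLED", 1) else "sealed"

def sensors_needing_attention(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (host, state) for each event whose sensor is unsealed or errored.

    Each event is a constructed dict {"host", "event_type", "body"}. Sensors
    without SEAL_STATUS are skipped: the feature is absent, not switched off.
    """
    flagged = []
    for ev in events:
        state = seal_state(ev["event_type"], ev["body"])
        if state in ("unsealed", "error"):
            flagged.append((ev["host"], state))
    return flagged

# Constructed sample events; hostnames are placeholders.
SAMPLE_EVENTS = [
    {"host": "win-srv-01", "event_type": "CONNECTED",
     "body": {"SEAL_STATUS": {"ERROR": 0, "IS_DISABLED": 1}}},  # page sample
    {"host": "win-srv-02", "event_type": "SYNC",
     "body": {"SEAL_STATUS": {"ERROR": 0, "IS_DISABLED": 0}}},
    {"host": "win-srv-03", "event_type": "SYNC",
     "body": {"SEAL_STATUS": {"ERROR": 5, "IS_DISABLED": 1}}},
    {"host": "linux-01", "event_type": "CONNECTED", "body": {}},  # no field
    {"host": "win-srv-02", "event_type": "NEW_PROCESS",
     "body": {"SEAL_STATUS": {"ERROR": 0, "IS_DISABLED": 1}}},  # wrong type
]

if __name__ == "__main__":
    for host, state in sensors_needing_attention(SAMPLE_EVENTS):
        print(f"{host}: {state}")
```

    A sensor that reports no SEAL_STATUS at all is deliberately not flagged, since on this page the field only exists on Windows sensors at 4.29.0 or newer.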

    set_performance_mode

    Turn on or off the high performance mode on a sensor. This mode is designed for very high performance servers requiring high IO throughput. This mode reduces the accuracy of certain events, which in turn reduces impact on the system, and is not useful for the vast majority of hosts. You can read more about Performance Mode and its caveats here.

    Platforms:

    Usage:

    usage: set_performance_mode [-h] [--is-enabled]
    
    optional arguments:
      --is-enabled  if specified, the high performance mode is enabled, otherwise
                    disabled

    restart

    Forces the LimaCharlie agent to re-initialize. This is typically only useful when dealing with cloned sensor IDs in combination with the remote deletion of the identity file on disk.

    Platforms:

    uninstall

    Uninstall the sensor from that host.

    For more information on Sensor uninstallation, including Linux systems, check here.

    Platforms:

    Usage:

    usage: uninstall [-h] [--is-confirmed]
    
    optional arguments:
      --is-confirmed  must be specified as a confirmation you want to uninstall
                      the sensor
