Release Notes

July 9, 2024

EDR Sensor 4.29.3 This is an installer-only bug fix that fixes cases where an installer >= 4.29.1 was connecting to an organization in LimaCharlie that was set to a pre-4.29.1 version in the cloud.

June 12, 2024

New Groups Management UI

In this release, we are announcing an improved UI for managing groups.

Groups let you easily manage permissions for multiple users across several organizations. By creating a group, you can assign permissions once, and all users in the group will have those permissions for all the organizations in the group.

The new groups section can be found in the top navigation panel, next to Organizations.

June 6, 2024

Cross-tenant IOC Search

In this release, we are announcing the Cross-Tenant IOC Search feature - the ability to search indicators of compromise across many organizations at once. It is especially useful for service providers when they are looking to quickly confirm if a certain file hash, IP address, file/process path, or other IOC type was seen in any of their organizations.

The cross-tenant IOC search is located under "Recent Organizations" at

May 30, 2024

New EDR sensor version 4.29.1

  • Multiple stability across all platforms, particularly using the new installers available for download.

  • Fix to the proxy support on Linux

  • MacOS NEW_PROCESS event will now report RESPONSIBLE process/user/group information

  • Fixed handling of fork+exec on Linux and MacOS

  • MacOS support for Mac Unified Logs (MUL) similarly to the Windows Event Log (WEL) support. Use the mul://<PREDICATE> format in Artifact collection to specify which MULs to collect in real-time.

May 2, 2024

Ability to add comments to Detection & Response and False Positive rules

In the release, we are adding the ability to add comments to Detection & Response and False Positive rules. This can be useful to give analysts and detection engineers more context about the rule, how it works, what it includes or excludes, etc.

Comments are not included in detection content when an alert is triggered.

April 23, 2024

Authentication method enforcement

LimaCharlie now offers authentication method enforcement for custom domains. 

For example, you may say that any user with your email domain must authenticate via Google. This way you can disable the login + password, GitHub, and Microsoft login options for users with your domain - regardless if they are logging in via your custom branded site, or via 

This feature is available at no cost to customers that have their own custom branded sites.

April 17, 2024

Adding entity metrics chart to Sensors, Outputs, and D&R rules

We are starting to add metrics to make it easy for you to see the performance of different components of your security infrastructure.

In this release, we are exposing entity metrics for Sensors, Outputs, and D&R rules:

  • You will see a new Analytics tab on each Sensor. This tab shows the number of events collected from the Sensor in the specified time frame. It should help identify issues, see what hosts are the noisiest, etc.

  • You will see a new Analytics section on each D&R rule. This shows the number of times the detection & response rule has triggered in the specified time frame.

  • Similarly, you will see a new Analytics tab on each Output. This tab will show you the number of events sent via the Output in the specified time frame.

Data is updated every ~15 minutes and stored for three months. Note that the starting date for metrics is Mon, April 15.

In the coming weeks, we intend to add similar metrics to other parts of LimaCharlie, specifically False Positive rules and Adapters.

Updating user permissions to show a separate category of privileged permissions

To discourage admins from accidentally over-provisioning permissions for their users, we moved some sensitive permissions into a separate section within the permissions page. Specifically, we highlighted the following permissions as privileged:

  • apikey.ctrl

    Create, delete, and modify API keys. Allows a user to create API keys with full org permissions, effectively granting them superuser access, also known as privilege escalation.

  • billing.ctrl

    Change billing information, subscribe to additional services. Allows a user to subscribe to additional services which may incur costs to the org.

  • user.ctrl

    Create, delete, and change permissions for users. Allows a user to grant themselves or anyone else any permissions they want, also known as privilege escalation.

When org admins grant any of these permissions to a user, they will see a warning explaining the potential dangers of doing this. The same will soon be added to the groups section.

Note this is just a web app-level change for awareness and there are no modifications to how the permissions themselves work or are granted.

Adding a sensors count on the Sensors page, with an additional copy for context

We have added a count of sensors on the Sensors page to make it easier to see how many sensors are in the organization, and how many of them are billed on usage vs. quota. Note that these stats show what's on the page so they are affected by filters.

Added support for additional Azure log types

We've added support for several types of Azure ecosystem logs, including AKS, Key Vault, SQL Server, and Network Security Group. More information on these different log types can be found here: Note that upon ingestion:

  • The event_type field will map to the category field from the log entries.

  • The time field will map to the time field from the log entries.

Azure log types can be ingested via Azure Event Hub or by creating a Webhook. You can also see support for these new log types in the LimaCharlie UI, allowing for quick and easy cloud Adapter deployment!

New Plaso extension

We released our new Plaso extension. Plaso is a Python-based suite of tools used for creation of analysis timelines from forensic artifacts acquired from an endpoint. This is especially useful in an IR situation where the agent was deployed mid- or post-breach, therefore real-time telemetry is missing historical context. More info on Plaso here. The Plaso extension will take the artifact ID of a forensic artifact obtained from an endpoint, or a zip of artifacts (like a KAPE triage from the Velociraptor extension) and generate a CSV timeline of the data, as well as a .plaso timeline of the data that can be imported into Timesketch. These timelines are invaluable tools for digital forensic investigators and analysts, enabling them to effectively correlate the vast quantities of information encountered in logs and various forensic artifacts encountered in an intrusion investigation. How it works:

  • Initiate an artifact_get or a KAPE triage with ext-velociraptor or an MFT dump with ext-dumper

  • Leverage a D&R rule to watch for the ingestion of relevant artifact types and send them to the Plaso extension for processing

  • View the Plaso CSV artifact, or import the Plaso timeline artifact into Timesketch

Please be aware that it can take a long time for these timelines to be generated. For example, generating a CSV and a Plaso timeline from a 150mb KAPE triage zip (roughly 1.4gb unzipped) could take about an hour. You will receive a job_queued event when your job is added to the queue, and a job_started event when the processing begins. Upon completion, you will get an event with the pinfo output, and the CSV and .plaso files will be uploaded to your org as artifacts.

April 16, 2024

New extensions, changes to lookups, and changes to pricing for some extensions

In this release, we are announcing a few changes and new features.

LimaCharlie CLI extension

LimaCharlie CLI extension allows you to issue LimaCharlie CLI commands using extension requests. You may use a D&R rule to trigger a LimaCharlie CLI event. To get started with LimaCharlie CLI extension, subscribe your tenant to the add-on:

Changes to public Lookups

Now that new lookups in Hive have gained widespread adoption and we see more and more customers relying on those, we will start the process of sunsetting the legacy lookups feature. Don't worry - the lookups you are relying on will continue to work, but we are going to remove the ability to create lookups the old way (on the marketplace). Instead, you can create lookups in Hive as described in LimaCharlie documentation:

New pricing for Binlib and Strelka extensions

Following some time of collecting usage data, we are ready to set pricing for two of the new LimaCharlie extensions:

  • Strelka Extension. Usage of Strelka in LimaCharlie will be billed at $0.10 per GB parsed.

Just a reminder, Strelka is a real-time file scanning system used for threat hunting, threat detection, and incident response developed by the team at Target. LimaCharlie makes the deployment of Strelka much easier. The Strelka extension receives files using Artifacts by specifying an artifact_id in the run_on request. The extension will then process the file and return the results to the caller as well as send the results to its related Sensor.

  • Binlib Extension. Yara scanning, using Binlib will be billed at $0.01 per 1,000 files.

BinLib (Binary Library) is the collection of data and metadata pertaining to executable binaries, such as EXE or ELF files, that have been observed within your organization. Binaries can be tagged and historical searches can help identify the presence of malicious files within an organization.As always, please don't hesitate to reach out if you have any questions.

April 12, 2024

Cloud CLI extension & bi-directional communication between LimaCharlie and various telemetry sources

We are excited to announce the release of the new Cloud CLI extension that allows you to trigger actions against CLI or API endpoints for third-party products. This extension facilitates bi-directional communication between LimaCharlie and nearly any telemetry source. Actions can be triggered from the Cloud CLI UI or automated via D&R rules.

With the addition of the new bi-directional capability, users can take action to mitigate incidents immediately across any tool all from the same platform, eliminating the need to rely on a third-party solution to make changes.

To get started, subscribe your tenant to the Cloud CLI extension.

To learn more about LimaCharlie's new bi-directional capabilities and the opportunities created by the Cloud CLI extension, visit our technical documentation and register for the upcoming webinar on Tuesday, April 23, 2024.

April 1, 2024

Strelka Extension

Strelka is a real-time file scanning system used for threat hunting, threat detection, and incident response.

The Strelka extension receives files using Artifacts by specifying an artifact_id in the run_on request. The extension will then process the file and return the results to the caller as well as send the results to its related Sensor.

Here is an overview of how it can be assembled in LimaCharlie from zero (new account on free tier creating a new tenant) to "all the files extracted from Zeek over the network are processed by Strelka, an organization is ready to alert on findings, plus Zeek telemetry for bonus": Strelka + Zeek + LimaCharlie.

March 28, 2024

Ability to upload payloads via web app

LimaCharlie now offers the ability to upload payloads via a web interface, by simply dragging and dropping a payload file. This means that you no longer need to run a curlcommand (but you still can as both options are available).

In addition, we removed restrictions around file types so any file type can be uploaded.

March 21, 2024

Hayabusa Extension

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. The Hayabusa extension allows you to run Hayabusa against a specified event log (.evtx) or a collection of event logs (.zip).  LimaCharlie will automatically kick off the analysis based off of the artifact ID provided in a D&R rule action.

To get started, subscribe to Hayabusa extension. 

Additional docs and example rules are available here.

March 14, 2024

Migrating D&R Rule from legacy Service to new Extension

In this release, LimaCharlie launched a CLI tool to migrate D&R rules from legacy Service to new Extension.

The PYTHON CLI gives you a direct way to assess if any rules reference legacy reliable tasking, Zeek, Yara, or PagerDuty service, preview the change and execute the conversion required in the rule "response".

To learn more about converting D&R rules, visit our technical documentation:

March 6, 2024

Updates to the API for the default org creation template

Several weeks ago, we announced a change to the new tenant creation experience. Any new tenant created in the web app is now enabling Extensions instead of legacy Services.

Starting next Monday, March 11th, this change will also be implemented for the LimaCharlie API. This means for new tenants via API using the default template, LimaCharlie will be enabling Extensions instead of Services. Custom automations that do not rely on the default template will not be affected.

Announcing advanced filters in the web app

In this release, we are announcing advanced filters which have been added to the Sensors and Timeline pages. LimaCharlie users can get more granular when looking for specific events or sensors. Let us know your feedback & ideas to make it better. Note that based on feedback from our Beta users, we will be bringing back the text search field to the Timeline shortly.

The sensor Processes page now shows modules in a modal, instead of at the bottom of the page

Previously, when navigating through the Processes page on Sensors, you would see a flashing menu of options such as "View Modules", "Kill Process", etc. To make the page faster and improve user experience, we moved this menu to the left of the page. Also, the Sensor Processes page now shows modules in a modal, instead of at the bottom of the page.

February 21, 2024

Dumper Extension

The Dumper Extension provides the ability to do dumping of several forensic artifacts on Windows hosts. It supports a single action, which is to dump. It supports multiple targets, memory to dump the memory of the host and mft to dump the MFT of the file sytem to CSV. The Extension then automates the ingestion of the resulting dump (and dump metadata) to LimaCharlie's Artifact Ingestion system where it can be downloaded or analyzed and where you can create D&R rules to automate detections of characteristics of those dumps.

February 14, 2024

Changes to the add-ons marketplace

In this release, we are rolling out more user experience enhancements to Extensions and making them more prominent on the add-ons marketplace. 

At the same time, we are making Services less prominent in the web app listing of add-ons. To find a list of services, go to the Extensions section of the marketplace, scroll to the bottom of the page, and click “show legacy services”. They will continue to show up as usual in the search bar on the marketplace.  

We would like to encourage LimaCharlie users to migrate their legacy Services to Extensions. That said, Services are not being decommissioned; they will be working and accessible for the foreseeable future. 

In the coming weeks, we will be adding more documentation about building your own Extensions and creating tools to make it easier to migrate your legacy Services. Meanwhile, please reach out if we can clarify anything or help you to get started with Extensions. 

February 13, 2024

New Atomic Red Team extension

We have released a new LimaCharlie extension - Atomic Red Team. Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework, provided by Red Canary. With this extension, LimaCharlie users can use Atomic Red Team to quickly, portably, and reproducibly test their environments.

To get started, subscribe your tenant to the Atomic Red Team extension. If you have legacy Atomic Red Team service enabled in your tenant, you can unsubscribe from it after enabling the extension.

For more details about using the Atomic Red Team extension, visit our technical documentation:

January 31, 2024

New extensions -  Lookup Manager, Yara Manager, and Zeek

The Lookup Manager extension allows you to create, maintain & automatically refresh lookups in the organization to then reference them in Detection & Response Rules.

The Yara Manager extension allows you to create, maintain & automatically refresh Yara rules in the organization. Yara rules are records stored in config Hive that can be leveraged by other extensions such as BinLib to automate Yara scanning.The saved Lookup and Yara Configurations can be managed across tenants using Infrastructure as Code extension. To manage lookup and Yara versions across all of your tenants, update the file under the original Authenticated Resource Locator. Once a day, LimaCharlie will then sync all of the tenants that use the configuration.

The Zeek extension, once enabled, will watch for PCAP files being ingested through the Artifact Ingestion system. Individual PCAPs can be run on Zeek using an artifact id in our Manual Run feature. For each PCAP, the Zeek extension will run the Zeek tool on the PCAP. All the resulting Zeek log files will then be ingested as first-class telemetry into a LimaCharlie adapter where they can be viewed or Detection & Response rules can be created to generated detections or automate responses.Learn more and get started:

The ability to add lookups in several formats

We have updated the new lookups functionality to allow creating lookups in several formats - YAML, JSON, and newline. Once created, lookups will be converted into JSON.

January 16, 2024

Announcing new AWS Ruleset

We are excited to announce the addition of a new extension - a managed set of Detection & Response rules for AWS developed by Soteria. The ruleset is designed for detecting malicious activity in AWS.

To get started, subscribe your tenant to the extension: Then, configure AWS CloudTrail Logs Sensor to start collecting AWS audit logs.

Ability to rename an organization in the web app

LimaCharlie users can now rename their organizations self-serve. To rename an organization, navigate to Billing > Billing and Usage, and scroll down to the “Rename Organization” section. To rename an organization, users require billing.ctrl permission.

January 4, 2024

New Lookups

Lookups are changing, but don't worry, old-style lookups are staying for a long time.

The main change in lookups is that they are moving from being global entities tied to Users, to being more in line with the rest of LimaCharlie where each lookup is now an object that lives within an Org. These new lookups can now be created, updated and accessed via the lookup Hive. Because they now live in Orgs, it means you no longer need to Subscribe to a lookup to use it.

Using a lookup is exactly as before (minus the Subscription), the only difference is that you no longer refer to the lookup via lcr://lookup/..., instead you now use hive://lookup/.... You can also now use infrastructure as code to manage your lookups across different tenants.

The new lookups are located under 'Automation' in the web app.

For more information about Config Hive and lookups, check out technical documentation:

December 22, 2023

Announcing OTX Extension

In this release, we are announcing the addition of the new OTX extension. This extension enables users to continuously import all their OTX pulses and the relevant D&R rules for most indicator types.

To get started, subscribe your tenant to the OTX extension, or follow the steps shown on the OTX Service page to migrate the configuration from the legacy OTX Service. 

Ability to invite new users to create LimaCharlie accounts

We have also added the ability to invite new users to create LimaCharlie accounts. When an org admin is adding users to their organization, if no user with the email address provided exists, they will be sent an email invite to create a LimaCharlie account.

The new user won't automatically be added to the organization. After creating their LimaCharlie account, they will have to reach out to the person who invited them to complete the process. We have it on our roadmap to further improve this part of the experience.

December 19, 2023

Exposing more LC Sensor capabilities in the web app

In this release, we are adding a list of new tabs to LimaCharlie sensors:

  • Event Collection tab provides a list of events collected from a Sensor, along with exfil (event collection) rules that apply to the Sensor. Works on: Windows, Linux, and macOS sensors

  • Integrity Monitoring tab provides a list of file & integrity monitoring rules that apply to the Sensor. Works on: Windows, Linux, and macOS sensors

  • Services tab lists all services (Windows, launchctl on MacOS and initd on Linux). Command: os_services Works on: Windows, Linux, and macOS sensors

  • Drivers tab lists all drivers on Windows (command: os_drivers). Works on: Windows sensors

  • Packages tab provides a list of installed software packages (command: os_packages). Works on: Windows and macOS sensors

  • Users tab provides a list of system users (command: os_users). Works on: Windows sensors

  • Autoruns tab lists pieces of code executing at startup, similar to SysInternals autoruns (command: os_autoruns). Works on: Windows and macOS sensors

Sensor pages on the sidebar are now listed in alphabetical order.

December 14, 2023

EDR Sensor v4.28.5 The new version of the EDR sensor fixes a possible race condition with the execution of Payloads that could result in an error 259 (payload still executing) even when the Payload executed and terminated successfully. We observed this in some cases of Velociraptor execution.

The "stable" version of the sensor was also bumped up to 4.28.3.

December 8, 2023

Indicators of Compromise (IOC) Search experience improvements

In this release, we have implemented significant improvements to the Search experience.

In the past, there was a four-hour delay between when an event happened & when it was indexed for the Indicators of Compromise (IOC) Search; this has now been shortened to 15 minutes.

Note that LimaCharlie detection & response capabilities are real-time, and both detection and response happen at wire speed. It’s only the indexing of the IOCs for Searching that takes additional time.

November 1, 2023

Announcing new Microsoft/Office 365 Ruleset

We are excited to announce the addition of a new extension - a managed set of Detection & Response rules for Office 365 developed by Soteria. The ruleset is designed for in-depth analysis of the Office 365 ecosystem which includes:

  • Microsoft Teams

  • Word

  • Excel

  • PowerPoint

  • Outlook

  • OneDrive

  • ...and other productivity applications.

To get started, subscribe your tenant to the extension:

New Twilio Extension

In this release, we are also launching a Twilio extension that can trigger alerts based on Detection & Response rules.

For more information see LimaCharlie Twilio Documentation. Example Respond portion of a D&R rule that sends a message out via Twilio as the response action:

- action: extension request extension action: run extension name: ext-twilio extension request: body: '{{ .event }}' from: '{{ "+10123456789" }}' to: '{{ "+10123456789" }}'

To get started with Twilio extension, visit

Sensor v4.28.4

  • enhanced network connectivity, resolves some issues with connections to the cloud dropping in certain situations

  • more detailed log (hcp.log) of some network connectivity issues

This update is not an update to the cloud-managed version of the LimaCharlie EDR. It is an installer-only update for the binary on disk. It is only available through the downloads.

We recommend using this version for all future deployments and for currently problematic installs.

October 31, 2023

Four New Extensions - PagerDuty, Velociraptor, Sigma ruleset and Soteria EDR ruleset

Following the launch of Extensions, we are porting LimaCharlie Services into the corresponding Extensions. Today, we are releasing four new extensions:

To get started with migrating the existing tenant, navigate to the service page on the add-on marketplace, select an organization, and follow the steps on the screen. You can also do it from the Service page within your tenant. If you are creating a new organization, you can subscribe to the new extensions right away, without having to first enable the legacy Services.

October 18, 2023

Artifact Collection Extension

Following the launch of Extensions, we are porting LimaCharlie Services into the corresponding Extensions. Today, we are releasing the Artifact Collection Extension, which means you can migrate the legacy Artifact Collection Service to the new Extension.

To get started with migrating the existing tenant, navigate to the Artifact Collection Service, select the organization, and follow the steps on the screen. You can also do it from the Service page within your tenant.If you are creating a new organization, you can subscribe to the Artifact Collection Extension right away, without having to first enable the legacy Service:

October 3, 2023

Payload Manager Extension

In this release, we are announcing the new  Payload Manager extension.

The Payload Manager extension allows you to create, maintain & automatically refresh payloads in the organization to then deploy them on endpoints via Windows, Mac, or Linux sensors. The saved Payload Configurations can then be managed across tenants using Infrastructure as Code extension.

To get started with the Payload Manager extension, subscribe to the extension add-on on the marketplace & follow the instructions in description.

September 7, 2023

Changes to the Billing & Usage page

In this release, we have implemented some long-anticipated changes to the Billing & Usage page. You can now see the details of upcoming invoices for your LimaCharlie tenants. 

This information is pulled dynamically from Stripe so you can follow the changes to your invoice throughout the billing period.

In line with these changes, the Metered Usage section of the page is now only focused on usage stats. 

File & Registry Integrity Monitoring Extension

Following the launch of Extensions, we are porting all LimaCharlie Services into the corresponding Extensions. Today, we are releasing the File & Registry Integrity Monitoring Extension, which means you can migrate the legacy File & Registry Integrity Monitoring Service to the new Extension.

To get started with migrating the existing tenant, navigate to the Integrity Service, select the organization, and follow the steps on the screen. You can also do it from the Service page within your tenant.

If you are creating a new organization, you can subscribe to the Integrity Extension right away, without having to first enable the Integrity Service: do not hesitate to reach out if you have any questions.

September 5, 2023

Announcing Kubernetes Pods Logs Adapter

This Adapter collection method allows you to collect the logs of all the Pods in a Kubernetes cluster and bring them in LC. The container we publish makes this extra easy to add onto an existing cluster.

August 31, 2023

OpenSearch Output

We've added the OpenSearch Output which makes it even easier for LimaCharlie users to send their events, detections & telemetry to OpenSearch.

August 29, 2023

Announcing Exfil Extension

Following the launch of Extensions, we are porting all LimaCharlie Services into the corresponding Extensions. Today, we are releasing the Exfil Extension, which means you can migrate the legacy Exfil Service to the new Extension.

To get started with migrating the existing tenant, navigate to the Exfil Service, select the organization, and follow the steps on the screen. You can also do it from the Service page within your tenant.

If you are creating a new organization, you can subscribe to the Exfil Extension right away, without having to first enable the Exfil Service:

August 15, 2023

New MFA option - Authentificator App

In this release, we are expanding our list of Multi-factor authentification (MFA) options. In addition to the SMS-based MFA, LimaCharlie now supports TOTP (Time-based, One-Time Password) generated by the Authenticator apps.

Multi-factor authentification using Authenticator apps is known to be a stronger method of protection than the SMS-based MFA.

To get started with the new MFA method, navigate to the Manage User Settings option in the web app and choose Add Multi-Factor Authentication . You may be required to re-log in to your LimaCharlie account before you can proceed.

August 14, 2023

EDR Sensor 4.28.2

  • Fixing an issue that can lead to some files being skipped by dir_find_hash

  • Fixing an issue where custom Exfil Watches could result in small memory leak

  • Enable reporting from the sensor to the cloud for some enrollment errors to assist in troubleshooting complex environments.

August 8, 2023

BinLib - Binary Library

Binary Library, or “BinLib”, is a collection of data and metadata pertaining to executable binaries, such as EXE or ELF files, that have been observed within your organization(s). When enabled, this extension collects observed data into your own private collection of historical executables, then subsequently available for searching, tagging, and analysis. BinLib also features YARA scanning, allowing you to import rules and search across observed executables - all without impacting system resources or production systems.

With BinLib, LimaCharlie customers can realize their own private corpus of historical executable data, as observed across their environment(s). Furthermore, LimaCharlie’s multi-platform parity enables analysis across Windows, Linux, and Mac executables. Binaries can be tagged and historical searches can help identify the presence of malicious files within an organization(s).

To learn more, check out the announcement. To get started, refer to the technical documentation.

May 31, 2023

FreeBSD, OpenBSD and NetBSD platform support & IT Glue Sensor

LimaCharlie Adapter now supports FreeBSD, OpenBSD and NetBSD platforms. Check out the list of all supported platforms in the technical documentation, or get started by downloading the executable from the Sensor > Installation Keys page.

Additionally, in this release we have added a new IT Glue Adapter. LimaCharlie users can now ingest IT Glue audit logs directly into their tenant.

May 17, 2023

Announcing AWS GuardDuty Sensor

In today's release, LimaCharlie added a new Sensor - AWS GuardDuty. This enables LC users to ingest GuardDuty logs and have detection & response rules written on them. AWS GuardDuty enables customers to analyze AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs to look for unusual or unexpected behavior in their AWS accounts.

April 19, 2023

Adding three new LC sensors

In this release, LimaCharlie added 3 new sensors:

  • Canary Token - CanaryTokens is an innovative tool that allows you to place decoy files, URLs, and other bait on your network or endpoints. When a CanaryToken is triggered, you'll receive an alert, allowing you to take immediate action to prevent any potential threats. With LimaCharlie Canary Token sensor, you can easily ingest CanaryToken alerts into LimaCharlie.

  • Azure Active Directory & Azure Monitor - these two sensors make it easier to get Azure data into LC.

April 12, 2023

Datadog Output & Rule Editing Experience Improvements

In this release, we have added an output to Datadog which makes it easier for users to send Detections, Audit Logs, and other types of Outputs directly to Datadog data analytics platform. You can configure a Datadog output by navigating to Outputs > Add Output in the web app.

Additionally, we added the ability to expand the rule editors for both D&R and FP rules. This should make it easier to edit complex and wordy rules without having to rely on a notepad or similar.

March 27, 2023

Sensor v4.28.0 Windows MSI has been updated:

  • proper version reported

  • should fix the issue where the sensor could install on non SystemDrive in some cases

  • uses longer network timeouts that should with some connectivity issues

  • introduces os_users on Windows to list users. Looking for feedback here as there's multiple ways to list users.

  • supports a new --interpreter argument to the run task which allows you to specify an interpreter to use when launching the payload. For example: run --payload-name my-powershell-script.ps1 --interpreter powershell

Finally, version 4.28.0 now supports connectivity to the LimaCharlie Cloud over an SSL connection not using pinned certificates. This makes it easier to deploy in environments where SSL interception is present. This new alternate connectivity uses a slightly different domain, for example:

The default remains pinned certificate. A sensor enrolling using one or the other must/will remain using that connectivity method. The method used for a given sensor is based on its Installation Key.To enroll a sensor using the new public root CA SSL, you must create an Installation Key with the use_public_root_ca=true option via the REST API, or using the Python SDK's use_public_root_ca option:

An option to enable this in the web UI will come later.

March 23, 2023

LimaCharlie Query Console Suggestions

LimaCharlie Query Console now offers a search experience that displays a list of possible options that users can select from as they type. Several sources contribute to these suggestions:

  • LCQL Query Structure which provides a list of options based on the structure of the query.

  • LimaCharlie Schema API which exposes the "learned" schema from specific event types. As data comes into LimaCharlie, the Schema API will accumulate the list of fields and types observed for those specific events. LimaCharlie Query Console retrieves this learned schema and offers suitable suggestions as users type.

  • Sensor Selector Expressions which enable selecting a set of Sensors based on some characteristics.

LimaCharlie Query Console Suggestions are there to assist users as they are learning how to navigate the new Query Language and becoming more comfortable with the Console. It is most valuable to help get the right syntax for events and schema, while assisting with drafting the query along the way.

Give it a try and please reach out with ideas and suggestions so that we can continue to make it better and easier to navigate.

March 15, 2023

User Experience Enhancements

  • MFA form state bug fix which enables users to see placeholder suggestion for code input

  • Copy update on reliable tasking zero state page

  • Updated the list of featured add ons on the LC Marketplace

  • Improvements on Artifacts page relating to performance, UI enhancements and adding a copy to indicate end of the list

  • Added ability to delete all detections

March 9, 2023

Announcing Elastic Output

With LimaCharlie, organizations have full control of their security data - we make it easy to collect logs and telemetry from any source using Sensors and send it to any destination via Outputs. The granularity of the data collected and sent is controlled by the user. Along with generic mechanisms for outputting the data such as webhook and Syslog, LimaCharlie offers several pre-built configurations that simplify the task of sending data out of LC.

In this release, we are announcing Elastic Output that makes it easier to output events and detections to Elastic.

Link to the technical doc: Elastic Output

March 8, 2023

The ability to filter detections by date range

To make it easier for LimaCharlie users to navigate detections in the web app, we have added the ability to filter detections by date range. Users can now switch between jumping to a single date and filtering within a given time range in one click.

February 27, 2023

LimaCharlie Query Console, revamped Detections page & other enhancements

LimaCharlie Query Language is designed to provide a flexible, intuitive, and interactive way to explore data in LimaCharlie. It uses LimaCharlie Query Language and enables several features including:

  • Querying one full year of telemetry within your tenant

  • Choosing columns you want to have displayed in the web UI

  • Exporting query results in CSV or JSON

  • Estimating the query cost and validating the query before the query run

  • The ability to start a D&R rule from the query console

Additionally, in this release you will see the following:

  • Updated Detections page. This greatly improves performance and enables you to better navigate the detections data

  • Added a drag-to-resize ability for code editors and D&R editors. This should make it easier to edit longer D&R and FP rules in the LimaCharlie web app Updated spinner location on Audit logs to make it more intuitive for users to navigate audit logs

February 9, 2023

Adding support for webhooks as an ingestion method & web app enhancements

Since webhooks are a common way of moving data around, LimaCharlie now has support for webhooks as an ingestion method.

By enabling a webhook through the cloud_sensor Hive, you will open up a specific URL to which you can send webhooks from other platforms. The data received there will make its way into LimaCharlie as a sensor in the same way an Office365 or Syslog Adapter would do.

To learn more and to get started, check out our technical documentation.

Other changes include:

  • Added the ability to bulk enable/disable false positive rules

  • Fixed a bug affecting the timeline sidebar close button

  • Fixed a bug when creating a draft Detection & Reponse Rule and returning back to it would land the user on a 404 page

February 1, 2023

Announcing Replay for False Positive rules

We have heard that one of the most painful challenges is dealing with false positives. To help solve it, in this release we are extending the capabilities of Replay used for retroactive threat hunting, and introducing the ability to replay False Positives. 

Clicking “Mark as False Positive” from the Detections page will now both get the FP rule started, and populate the content of the detection so that you can fine tune the FP rule to work exactly as you want. You can also paste the content of the detection manually, and replay your false positive rule against that.

January 25, 2023

Improved Services UI and revamped Audit logs now stored for one full year

We have revamped the way LimaCharlie services are displayed in the web app to make them more user-friendly and easy to navigate. You will see that we have new pages for Velociraptor, Atomic Red Team, Dumper, Sigma, Zeek, Otx, PagerDuty, Twillio, and SOC Prime add-ons. We have also added the ‘background job’ toggle to the Reliable Tasking (now located under Sensors), and removed the old Reliable Tasking page under “Service Requests”. Note all these changes are available for users who have already switched to the new UI. 

Additionally, we have greatly improved the way Management and Audit logs work in LimaCharlie. Both types of logs were merged into one - Audit Logs - and virtualized, making them easily scrollable. We will now be retaining Audit logs for one full year and have them available for browsing and searching in LimaCharlie, without the need to send them to external storage; the first iteration of this change is now available in the web app.

January 16, 2023

Announcing scheduled jobs in LimaCharlie

In this release, we are excited to announce the ability to schedule jobs in LimaCharlie. This enables use cases such as scheduling commands to endpoints or service requests.

Scheduling is done by creating a D&R rule with a target: schedule, and defining the desired response (task, service request, etc). For example to issue an os_packages once per week on Windows hosts:


target: schedule event: 168h_per_sensor op: is platform name: windows respond: - action: task command: os_packages investigation: weekly-package-list

To learn more about how it works & see some examples, visit our technical documentation.

January 11, 2023

Updated web app experience for False Positive rules, Replay cost estimate, the ability to download tenant configuration & other enhancements

  • The web app experience managing False Positive rules now mirrors that of D&R rules. Users are able to enable/disable individual FP rules, see who created and last edited each rule, manage tags and more. 

  • Users can now estimate the cost of replaying a detection & response rule before running the replay. This makes the cost of using replay even more predictable and transparent. 

  • The “Templates” page under Organization Settings has been renamed to “Infrastructure as code”. Additionally, we have optimized the “Modify Existing” tab to load significantly faster, and added the ability to download the Org Configuration in JSON. 

  • Styling of the File and Integrity Monitoring page has been aligned with that of YARA. “Updated date” and “updated by” are now visible for all FIM rules. 

  • For those looking to manage access to various parts of LC on a more granular level, LimaCharlie now supports decoupling the value of secrets from their usage in various configurations. You can learn about how it works in the technical documentation

  • Artifacts page now has a zero state shown when the user does not have artifacts or artifact collection rules in their tenant.

  • Fixed a bug where the Detection and Response rule’s expiry date set at rule creation was ignored. 

  • Updated the LimaCharlie mailing address on the privacy policy web page.

January 5, 2023

Updated web app experience for Reliable Tasking and Sensor Cull

As we are continuously looking for ways to make LimaCharlie easier to use, we have updated the web app experience for Reliable Tasking and Sensor Cull. Users can now submit tasks for sensors and manage sensor cull rules in an easier and more friendly way.

Other changes include:

  • Updated a copy about deleting sensors from LC Adapters

  • Fixed a bug where deleting a draft detection and response rule using the sidebar could take the user to a 404 page if no other rules exist

  • Updated cache and other behaviors to accurately reflect the ‘updatedBy’ field within a detection and response rule page

  • Fixed misaligned icons on the Artifacts page

  • Fixed a bug where labels on graphs on the dashboard would not appear in the UI

  • Updated generate access token request to use new API token endpoint

December 21, 2022

Ability to enable and disable Detection and Response rules in bulk

In this release, LimaCharlie added the ability for users to enable/disable Detection and Response rules in bulk. Select multiple (or all) rules at once, go to “select operation” > “enable/disable selected”. Depending on the number of rules in the organization, it may take a few seconds to a minute to complete. You can leave the page - it will not impact the progress. 

Other changes include: 

  • Fixed the issue where the onboarding page was not being scrollable on short-sized screens

  • Made organization select button/dropdown a single line

  • Make the search bar more responsive; it now collapses on a shorter screen width

  • Added a new toggle on File Integrity Management rule editor which enables users to receive detections for FIM_HIT events without having to create a D&R rule themselves (LimaCharlie will create a rule automatically). 

  • Added a new toggle on YARA rule editor which enables users to receive detections for YARA_DETECTION events without having to create a D&R rule themselves (LimaCharlie will create a rule automatically). 

  • Edited a copy edit for sensor-cull description, and added a link to documentation to the page

  • Added a new Rulesets section to the add-ons marketplace to make it easier to discover what detections coverage is available in LC

December 14, 2022

Announcing new LimaCharlie web app navigation

We are excited to announce the new navigation in the LimaCharlie web app. For over a year, we have been talking to many of our users, gathering feedback from Slack, Intercom, and other channels to understand how people navigate the product, what we can communicate better, and how different functionality is used.

We have reorganized the web application to better reflect the LimaCharlie approach to security and to be more in line with what users expect from the security infrastructure offering.

The new navigation can be enabled in user settings. Note if you are using multiple devices, you may be prompted to make this switch on each of them separately.

We know it takes time to switch to the new UI, so we put our users in control of when they want to do it. This is a big change that will affect all users, so we are looking for feedback and ideas about the new navigation. After this update, there are no plans for any other radical navigation changes in the near future.

December 12, 2022

Announcing integration with SnapAttack

LimaCharlie is excited to announce integration with SnapAttack. This integration converts select high-fidelity SnapAttack Community Edition detection logic into LimaCharlie D&R rules which can be applied to your tenant in one click.

SnapAttack Community Edition includes access to open source intelligence objects and behaviorally-oriented detections developed by SnapAttack threat research team as well as popular community tools, such as Atomic Red Team and Sigma. The ruleset contains high-confidence detections for most platforms that have been verified against true positive data by the SnapAttack’s threat detection team.

Similar to how it works with Sigma and Soteria rulesets, you can enable or disable individual SnapAttack rules, and replay them against historical telemetry.

To learn more, check out this help article: How can I use SnapAttack Community Edition in LimaCharlie?

To learn more about SnapAttack and their Enterprise Edition, visit

December 9, 2022

Sensor 4.27.4

  • more detailed crash reporting

  • on crashes, a minidump is generated on Windows in c:\windows\system32\hcpmd.dmp

  • expand the list of packages returned on Windows for os_packages

  • fixed a crash on Windows during services listing.

  • log the sensor's OID and SID on sensor startup in STDOUT and in the local on-disk log. This will be useful to troubleshoot mis-enrolled sensors.

  • fixed bug where relevant file not reported in Yara scan.

December 3, 2022

LimaCharlie Query Language

We're happy to introduce the LimaCharlie Query Language (LCQL) in Beta.

LCQL allows you to query through your data in the LimaCharlie retention more easily and flexibly. It also enables several new useful features:

  • Dryrun mode to get estimates of data being queried.

  • Paged queries, so querying for data over a long period of time is not all done at once, giving you the opportunities to get results without incuring the cost of the full query.

  • Event name and event element tab-completion. You don't have to remember the event names or paths to all the elements you want to query.

  • Querying, projection (only report specific values from matching elements) and aggregation (count, count_unique).

  • Display underlying D&R rules generated for the query, making it easier to use LCQL to prototype D&R rules.

For this beta, the LCQL interface is limited to the LimaCharlie CLI (pip install limacharlie), but the intent is to introduce this capability directly in the web interface in the future.

To launch the LCQL interface, install the LC CLI and use: limacharlie query to launch the interactive mode.This feature is built on top of the Replay feature and shares billing.

November 30, 2022

Announcing LimaCharlie demo tenant configuration

We want to make it easier for users new to LimaCharlie to get started with the product and to understand what our approach can enable. We have always made it easy to create an account without having to attend a mandatory demo, and provided free training and documentation.

In this release, we are introducing the ability to apply a demo configuration to the LimaCharlie tenant. Adding Demo Tenant Configuration will onboard a demo sensor, generate detections, and enable a variety of features so that users new to LimaCharlie can easily explore its functionality.

Other user experience enhancements: 

  • Updated the web app behavior for orgs with no detections. Now when there are no detections, instead of an endless spinner, the user is provided with a message that there are no detections available. 

  • Fixed the 404 page appearing on tenant creation for some data centers

  • Changed copy about replay pricing to be in line with the recent pricing update

November 28, 2022

Sigma Service Change

We are getting closer to enabling most of the Sigma public rules through our Sigma Service (it currently focuses on Windows).In an effort to make the transition painless (not spam you with unexpected alerts), we're introducing a few changes to how the Sigma Service is working:

  • As it is right now, when subscribing an org to Sigma for the first time, all Sigma rules will be installed and enabled.

  • When new Sigma rules are added to the open source community, they will be created in the orgs, but they will not be enabled by default. This behavior can be changed by sending the default_enable_rules action to the Sigma Service through the Service Requests section.

  • You can monitor changes to the Sigma rules available in LimaCharlie using the  RSS feed provided by Github here:

  • A new option is available with the Sigma Service through the Service Requests section to apply a Suppression Rule ( ) to all Sigma Service Detections. It is enabled by sending the set_sensor_suppression action to the Service with a suppression_time value like 1h which represents the suppression period. These rules are applied per-sensor (not globally) and per-rule.

As usual, your feedback is very welcome and we look forward to pushing more functionality through Sigma and other managed rules from various sources.

November 23, 2022

New events & user experience enhancements

  • New DISCONNECTED Event. You will start seeing a new event, DISCONNECTED flowing from EDR sensors. It represents a sensor disconnecting from the cloud. Note that this does not necessarily indicate a problem as sensors frequently reconnect to the cloud. This event can be used for external online/offline signaling.

  • New _event_id field in WEL Events. You will now see a new _event_id field under the System component of  real-time WEL events from EDR. This synthetic field is there to enable easier rule writing on top of the events. It will always contain the EventID of the WEL event. This field avoids you having to specify multiple EventID field location (since it varies in WEL Microsoft format).

Additionally, the following enhancements have been implemented in this release:

  • Updated tags UI on tables to reveal/hide overflowing tags

  • Added first name/last name fields to sign up flow

  • Added ‘how did you hear about us’ to onboarding flow

November 22, 2022

Static EDR Cloud Endpoint

We have moved to a simple static cloud IP footprint for EDR. You will see that the relevant per-geo domain where EDR connects to in the LC cloud (like has now moved from multiple A records to a single one. Don't worry, if you were already setting up firewall exceptions for the IPs previous under that domain, you don't need to change anything because the now-unique IP is one of the ones that used to be there. The difference is that we can now officially guarantee that these IPs are the unique and static footprint of the LimaCharlie Cloud for EDR which makes your life simpler.

November 4, 2022

Replay Billing Estimates

Changes in Replay that are effective right now:

  • the returned data from Replay now has a new value,




    which is specifically for the exact number you will be billed on. The




    is now strictly representing the number of rule evaluations you made.

  • You can now send a


    is_dry_run: true


    value to the Replay API/Service. When you enable that, your request will not be actually run, instead the service will return you (through the




    metric) exactly what is the




    scenario for your request. Worst-case means that your full rule (all its operators) run on every single event from the sensors you're targeting during the target time period. It's not perfect, but a good start and will scale nicely with some of the optimizations we have in mind to make this even more efficient, which will result in directly smaller bills on your part.

New example of a dry-run:

{ "stats": { "n_proc": 563671, "n_shard": 0, "n_eval": 563671, "n_batch_access": 0, "n_billed": 1127342 }, "results": [], "did_match": false, "is_dry_run": true }

The latest version of the CLI (Python SDK) supports it through --dry-run like:

$ limacharlie replay --entire-org --last-seconds 86400 --dry-run --rule-name tracer

The dry-run feature is not yet available in the webapp, but that is coming.

October 31, 2022

New API Available: number of events retained from a sensor over time

October 18, 2022

Billing for deploying payloads

As previously announced, starting today deploying Payloads via LimaCharlie is priced at $0.19 per 1 GB of data sent. For example, a 1GB payload sent to 10 endpoints will cost $1.9 (10GBs x $0.19).

This change will only impact organizations that leverage Payloads functionality, as well as Atomic Red Team, LimaCharlie Net installers & Dumper services (they are running as Payloads in LC).

To understand the impact on your organization, check the Metered Usage section of the Billing page. You will notice the “Payload Data Sent” metric along with the size of payloads deployed and price.

The reasoning for this update is that as of October 1, 2022, Google Cloud has started billing on outbound bandwidth from load balancers. As LimaCharlie is on GCP, we’re adjusting our pricing accordingly.

Other items in this release include:

- Support tab and support dropdown are now only available after sign in - Adjusted the email verification flow on signup which now gives a user the ability to "continue" with their signup process instead of having to log in in a separate window - Fixed a bug where some hyperlinks were displayed in a wrong color

October 12, 2022

CrowdStrike sensor and user experience enhancements

LimaCharlie continues to expand the list of telemetry sources we support. In this release, we added a new CrowdStrike sensor enabling users to ingest CrowdStrike EDR events normalized to LimaCharlie format.

This allows you to bring in all of your security data into LimaCharlie, write detections on this data, take advantage of our 1 year data storage, and send what you need to the destinations of your choice via Outputs.

CrowdStrike sensor is billed based on usage ($0.15 / GB).

Other items in this release include:

  • Fixed a bug when creating a rule with a hash and any special characters resulted in app crash; fixed a few other bugs related to D&R rule creation 

  • Intercom help chat is now available to LimaCharlie customers using custom branded sites (i.e., to MSSPs using LimaCharlie but not to their customers)

  • Support dropdown adjusted for custom brand site users vs admins

  • ‘Select/ unselect all’ toggle now working on Permissions modal

  • Add-on enhancements enabling users to save and view lookups and services

  • Updated the error message shown in sensor timeline view when there are no events to display

September 28, 2022

‘Advanced Filters’ and user experience enhancements

To make it easier for LimaCharlie users to drill down into their detection & response coverage and sensor deployments, we have added a new ‘Advanced Filters’ feature. 

You can filter sensors based on the following criteria:

  • hostname (contains, omits, is, is not)

  • is_isolated (true, false)

  • is_kernel_available (true, false)

  • sid (contains, omits, is, is not)

You can filter detection & response rules based on the following criteria:

  • name (contains, omits, is, is not)

  • author (contains, omits, is, is not)

  • updatedBy (contains, omits, is, is not)

  • enabled (true, false)

  • tags (contains, is)

Note that filters are not case sensitive. 

In the future, we plan to expand this functionality to other parts of the product such as detections. 

If there are other parameters you would like to be able to filter on, please let us know.

Other enhancements include:

  • Console logs added to org creation that improve troubleshooting errors for users.

  • Link stylings on Add-on descriptions match links in rest of application (dark mode accessible)

  • Copy added to payload install for billing transparency

  • Truncated table cell values now reveal on hover

  • Various process page table speed optimizations, including an omission of process modules on initial page load that results in modules being needed to load separately (when one clicks ‘view modules’ in the toolbar)

  • Fixed a bug where when attempting to download the .msi installer for Windows, users would get an .exe installer instead.

  • Addressed a limitation where the sensor selection box in the web app would not accept arbitrary values (such as * in reliable-tasking where it is an expected value)

  • Some enhancements to Detections & Response logic (no effect on users).

September 22, 2022

Extended Platform & Template Strings

  • Sensor information now includes its Extended Platform allowing you to see that, for example, "this is a Defender endpoint, but it's a Windows machine". Or, "that this is a Carbon Black sensor, but it's a Windows machine". This will show up in the UI in the sensor list as well as sensor details.

  • Template Strings in LimaCharlie now support two new "functions" (anon and token) to perform tokenization or anonymization of specific fields:

September 21, 2022

More visibility into the coverage & replay of Sigma/Soteria rules

In this release, we are continuing to deliver on our promise to provide more visibility into the security coverage. 

  • Users can now click on individual rules from Sigma and Soteria rulesets; they can see the content of all Sigma rules, as well as enable/disable individual rules from both rulesets. 

  • All rules from Sigma and Soteria can now also be replayed against historical traffic enabling even more granular retroactive threat hunting capabilities. 

  • Users have the ability to add and remove tags from any rule (including managed rulesets) making it easy to categorize detection & response rules and manage them at scale. 

Other enhancements include:

  • ‘Analyst’ role added to onboarding survey options

  • Fixed a bug where selected table rows were not colored correctly

  • Changed toggle track color for increased visibility on light mode

  • Added a warning text when LC Adapter ingestion method is GCS or S3

September 7, 2022

Announcing the ability to see Sigma & Soteria rules enabled for the organization

At LimaCharlie we believe cybersecurity needs to be transparent: the exact set of malicious activity and behavior you’re protected from should be known and you should be able to test/prove this. 

Driven by this core belief, we now give users the ability to see the list of all detection & response rules in place in your organization - not just your own (custom) rules, but also rules managed by Sigma and Soteria rulesets. You will also soon get the ability to enable/disable individual rules yourself.

In the few weeks that follow, we will be adding more advanced capabilities to give you even more visibility and control of your security coverage. 

With Sigma, you will soon have the ability to view the content of the individual rules. 

While the content of Soteria rules will remain hidden as it is the intellectual property of Soteria, we will be exposing details such as MITRE ATT&CK mapping and other metadata. A reminder that you can check the dynamic MITRE ATT&CK mapping here

August 31, 2022

Announcing the ability to define suppression as a part of D&R rules

LimaCharlie has added the ability to define suppression as a part of detection and response rules. This enables users to specify the maximum number of times a select action will trigger within a defined period. When that threshold is reached, LimaCharlie will suppress the action (that action will no longer take place).

For example, if the same event occurs on the same machine (or on different machines within the same tenant) again and again, you can suppress the duplicate alert for the user-specified time. Or, you can say “generate a LimaCharlie detection every time X happens but only send a PagerDuty alert once per hour”.

To learn more about this feature and how it can be used, check out this help article or visit our technical documentation.

August 16, 2022

LimaCharlie has added a new ingestion method for logs and telemetry coming from external sources - events in the AWS Simple Queue Service (SQS). 

Other user experience enhancements in this release include:

  • Updated table aesthetics to include alternating color schemes

  • Fixed payload deletion flow that was showing a misleading ‘in-progress’ indication, suggesting all payloads were being deleted

  • Fixed bug causing repeating fields in output configuration

  • A number of Comms-related deletions – no changes on user experience

  • Removed pagination and applied table virtualization to Cloud Adapters for UI consistency and performance improvement for a large list of cloud adapters

  • Fixed bug with creating a false positive rule from detections that would sometimes suggest an existing name and override an existing rule

  • Added a support dropdown on the navigation (for non-custom branded domains only)

  • Updated default value for service requests to run in sync, and not as a background task

  • Added a link to collect ideas for new external sources to be added as sensors on the sensor list

  • Added an Org token JWT onto the Rest API page

  • Migrated Org List and Switch Org List tables to be virtualized (no user impact)

  • Added helper text on billing summary to clarify that it’s not real-time (the billing summary is updated daily)

August 4, 2022

Billing for Payloads

Starting October 1, 2022, deploying Payloads via LimaCharlie will be priced at $0.19 per 1 GB of data sent. For example, a 1GB payload sent to 10 endpoints will cost $1.9 (10GBs x  $0.19).

This change will only impact organizations that leverage Payloads functionality, as well as Atomic Red Team, LimaCharlie Net installers & Dumper services (they are running as Payloads in LC).

To understand the impact on your organization, check the Metered Usage section of the Billing page. You will notice the new “Payload Data Sent” metric along with the size of payloads deployed and price. Note this price is shown for your information only; you won’t be charged for Payloads before October 1, 2022.

The reasoning for this update is that starting October 1, 2022, Google Cloud will start billing on outbound bandwidth from load balancers.

August 3, 2022

New Slack Audit Logs Sensor

We have added a new Slack sensor that allows the ingestion of Slack audit logs directly into LimaCharlie.

The Audit Logs API enables monitoring the audit events happening in an Enterprise Grid organization to ensure compliance, to prevent any inappropriate system access, and to allow security teams to audit suspicious behavior within their enterprise.

After Slack Audit Logs are ingested into LimaCharlie, you can have detection & response rules run on them at wire speed.

Get started by configuring a new sensor in the LimaCharlie web application. Note you need to be on the Enterprise Grid Slack plan to use this capability.

Other additions & updates include:

  • The chart under “vSensor Quota” on the billing page has been updated to show the high watermark of concurrently connected sensors (metric used for billing) instead of the total number of sensors online

  • Fixed a bug where Search modal didn’t close appropriately when selecting a link to the timeline event

  • Fixed a bug when Sensor tag search did not return correct results 

  • Added a link to release notes to the “web app updated” banner pop up

July 27, 2022

User experience and performance enhancements

  • Made improvements to the main sensor list to enhance performance. While not noticeable for smaller lists, there was an increasing delay as the number of sensors grew. As a result we’ve also removed pagination on the sensor list.

  • Added groups to ‘users and roles’ page, so that users can see all accounts that have access to their organization through groups.

  • Added various descriptive text and helpful links onto the ‘install sensors’ page regarding how to check release notes, test new sensor versions, and configure sensors to auto-update

  • Updated Adapters list display to remove tags and reflect the status as 'enabled/disabled' vs 'online/offline'

  • Updated Adapter creation flow copy at completion to clarify differences between sensor and adapter completion

  • Increased timeout for searches related to the main search bar

  • Updated copy at org creation replacing ‘region’ with ‘data residency region’ for added clarity

  • Updated the edit Adapter modal to display descriptive placeholder text like the Adapter creation form

  • Fixed bug for seen D&R rules for WEL events in replay

  • Fixed bug where event select input was not displaying custom events on load

July 20, 2022

User experience and performance enhancements

The release focused on small user experience and performance enhancements. 

  • Performance improvements to the detections list

  • Improved the dropdown performance for all dropdowns with a large list of items

  • Fixed a bug on removing group members where a user was briefly shown as a part of the group after having been removed

  • Use the new schema API to suggest possible Event Types based on the sensor type instead of the old static list 

  • Added an error message that gets displayed when a user without the payload.use permission attempts to issue a command in the Console section

  • Added centering events timeline on the selected event when a user goes to the Timeline either from a URL they've copy pasted, or from the "View in Timeline" link from a Detection

  • Marked the "secret key" field required on the output setup step (it previously appeared under “advanced options”)

July 19, 2022

Support for Templating

We've started rolling out support for template strings to multiple areas of LimaCharlie. This allows you to customize what would normally be a literal string so that it now supports formatting based on the context of execution. In all cases, backwards compatibility should be maintained. Detection names in the report action from D&R rules now supports it like:

yaml - action: report name: Evil executable on {{ .routing.hostname }}

Tasking in the task action from D&R rules now supports it like:

artifact_get {{ .event.FILE_PATH }}

The SMTP Output now supports a custom subject fields that use string templates. It also supports a new template parameter which is a string template to use for the body of the email (either in plain text or html):

The Slack Output supports 3 new parameters:

  • color: to specify the color of the "attachment" part of the Slack message.

  • message: a string template for the "message" part of the Slack message.

  • attachment_text: a string template for the "attachment" part of the Slack message.

Support for Transforms

Transforms are now available for all Outputs via the custom_transform field. A Transform allows you to specify an alternate format for the data sent from an Output. For example, this could to customize a webhook format for a specific platform as in the Google Chat example. Or it could be to simply pair down the data sent via output to only the specific fields. Finally, it also allows you to create new fields in the Output that are either literal values, or composite values (as a String Template). Detailed documentation and examples are available:

July 14, 2022

Sensor 4.27.3

  • Linux File Integrity Monitoring now leverages eBPF support for better performance. This stops most usage of inotify by the sensor.

  • Enhanced reliability of inotify usage on Linux when eBPF is not available.

  • General CPU performance enhancements across all platforms.

  • Fixes possible issue with Netlink usage on Linux for process notification.

  • Fixes rare race conditions that could hang network connectivity during network outages.

July 13, 2022

Sigma Converter Service

LimaCharlie is happy to contribute to the Sigma Project ( by maintaining the LimaCharlie Backend for Sigma, enabling most Sigma rules to be converted to the Detection & Response rule format.

A LimaCharlie Service is available to apply many of those converted rules with a single click to an Organization. For cases where you either have your own Sigma rules, or you would like to convert/apply specific rules yourself, the Sigma Converter service described below can help streamline the process.

The full documentation is available here:

July 11, 2022

Sensor Versioning Tags

Certain Sensor Tags in LimaCharlie had a special meaning. Tagging a sensor with latest would update that single sensor to the latest sensor version for example.

We are now transitioning these tags to have the lc: prefix. The goal of this is to reduce the likeliness of someone not being aware of those special tags and apply them with unintended consequences. Starting today, the following tags are supported in that fashion: lc:latestlc:stablelc:experimentallc:no_kernel and lc:debug.

The old versions of these tags remain operational for now, but will be turned off on August 1st. If you rely on these tags, we suggest you transition to the new form.

More documentation here:

July 6, 2022

The ability to reset password

LimaCharlie users can now reset their password without having to contact support.

Simply click on the Forgot your password? link and follow the steps to reset the password.

July 5, 2022

Schema Inspection

It is now possible to inspect the schema of events in LimaCharlie.

Documentation on the "learned" schema:

API documentation:

The schema provided is learned on a per-org basis since the data ingested in LimaCharlie can vary from tenant to tenant.

This new API can be useful when building integrations with external products requiring a strict schema.

July 4, 2022

Announcing the ability to bring in telemetry from external sources without having to host a LimaCharlie Adapter (aka “cloud to cloud”).

LimaCharlie allows security professionals to ingest logs or telemetry from any external source in real-time. It includes built-in parsing for popular formats, with the option to define your own for custom sources.

Prior to this release, if someone wanted to bring, say, Office 365 logs into LimaCharlie, they would need to run an Adapter on premises or on their cloud. The Adapter would pull the data from the third-part and send it to the LimaCharlie cloud.

Starting today, for cloud-based log sources such as GitHub, 1Password, GCP, VMWare Carbon Black EDR, you no longer have to download the installer and run the Adapter. Simply enter the API credentials in the web app and click “save”.

Log sources that are not hosted on the cloud, such as Syslog, will continue to require an Adapter to be run on premises.

To learn more or to get started, check out the help article: How do I ingest logs or telemetry from cloud-based external sources?

June 8, 2022

Sensor 4.27.2

  • Fix possible performance degradation issue on hosts with heavy process / network activity.

  • Report User of processes in Windows instead of the Owner (small distinction in some cases).

  • Report a specific error code on artifact_get where the file is empty (0 bytes).

May 31, 2022

GitHub Sensor

We have added a new GitHub sensor that allows the ingestion of GitHub audit logs directly into LimaCharlie.

GitHub enables a wide variety of powerful capabilities beyond managing a developer’s code, such as automating the deployment of cloud resources and “infrastructure-as-code”. Securing DevOps infrastructure is critical to prevent privilege escalations or malicious actors from taking control of the cloud deployments.

To ensure full observability, security, and compliance, GitHub Enterprise Server provides logs of audited system, user, organization, and repository events. These logs can now be ingested directly into LimaCharlie and have detection & response rules run on them at wire speed.

Get started by configuring a new sensor in the LimaCharlie web application.

May 26, 2022

New Outputs flag for storage optimization

We have added a new Outputs flag - 'Do not include routing' - which allows users to forward only the original logs to Outputs, excluding the routing label. This flag can be found under "Advanced Options" of the Output configuration.

This can be helpful for users wanting to use LimaCharlie for storage optimization since the routing label can add significant overhead. Watch the webinar recording to learn more about using LimaCharlie to reduce spending on Splunk and other high-cost security data solutions.

May 17, 2022

Updated 'Billing & Usage' Page

Along with several user experience enhancements released today, we have combined ‘Usage’ & ‘Billing’ pages into one - ‘Billing and Usage’ - to make it easy to manage the credit card and quota in one place.

May 13, 2022

Sensor 4.27.1

  • Fixes an issue on Linux eBPF that could result in unexpected data at the end of the FILE_PATH values.

May 4, 2022

Sensor 4.27.0

  • MacOS will now report MAC address

  • Fix issue where macOS machines on some network could have difficulty connecting to the cloud

  • Linux using eBPF will now acquire command lines directly from eBPF, eliminating race conditions for short-lived processes

April 27, 2022

Duo Sensor We have added a new Duo Sensor. By bringing the logs from Duo's cloud-based two-factor authentication services to LimaCharlie, companies can increase their visibility into the environment, meet compliance requirements and identify security risks. Duo Sensor collects two types of Duo logs: - Authentication Logs provide visibility into where and how users authenticate, including usernames, location, time, type of authentication factor, and more. This allows you to understand the normal behavior and identify potentially abnormal activity. - Administrator Logs track the username, time, and type of administrator activity, including groups, user, integration, and device management. This allows you to track any admin changes and identify suspicious activity.

Org Templates LimaCharlie organizations (Orgs) are tenants in the cloud, conceptually equivalent to "projects". When creating a new Org, you will now notice the following grouped offerings that activate LimaCharlie capabilities right from the get go:

  • Incident Response

    • Use open-source Sigma ruleset to receive detections

    • Collect Velociraptor artifacts through LimaCharlie

    • Automatically kickstart IR investigation powered by Sweep

    • Historical threat hunting powered by Replay

  • Extended Detection & Response Standard

    • Use open-source Sigma ruleset to receive detections

    • Run Atomic Red Team tests

    • Historical threat hunting powered by Replay

  • Extended Detection & Response Premium

    • Use curated Soteria MSSP ruleset to receive detections ($0.5 per vSensor per month; free on the free tier)

    • Run Atomic Red Team tests

    • Historical threat hunting powered by Replay

By pre-selecting some of these options for you, we hope to launch you right into our cloud capabilities and give you a sample of the dynamic offerings you can leverage here at LimaCharlie

April 14, 2022

Real-time detections

LimaCharlie is proud to be operating at wire speed, whether we are talking about collecting events, sending data to other destinations via outputs, or anything else. As you know, round-trip times for detection and response to take place in LimaCharlie are generally under 100ms.

Until recently, however, detections would show up in a web app with a delay of about 1 minute (the detection and response on the endpoint happened instantly, but feedback in the UI was slightly delayed).

We are excited to share that now, detections will also appear in the web app in real-time.

April 1, 2022

New IoC Search & Removal of the old Search Page

We are excited to announce that you can now search for sensors and indicators of compromise (IoC) no matter where you are in the web app. By default, LimaCharlie will detect the IoC type from the search term, but you remain in control of the locations you want to look for. You have the option to search in all IoC types, or to select a specific type such as domain, user name, file hash and others.We have also removed the old Search page. If you have any feedback or suggestions on how to make the Search even better - please let us know.

March 25, 2022

Introducing new Microsoft Defender Sensor

We have added a new Microsoft Defender Sensor.

Microsoft Defender has two values streams:

  • Defender for Cloud logs will come into LimaCharlie as one Microsoft Defender sensor.

  • Defender for Endpoints, on the other hand, will be mirrored as multiple sensors in LimaCharlie (similarly to the way we handle Carbon Black sensors).

Microsoft Defender is a usage-based sensor billed at $0.15 / GB.Check this step-by-step guide to get started with Microsoft Defender log collection.

March 14, 2022

Introducing new Windows Event Log Sensor

We have added a new Windows Event Log Sensor.

There might be times when you would not want to deploy the LimaCharlie agent on the endpoint, but you would still like to connect Windows Event Logs from the system. With the addition of the Windows Event Log sensor that runs on the LimaCharlie Adapter, you now have the ability to do it. Check this step-by-step guide to get started with the WEL collection. 

Introducing Google Cloud BigQuery output

LimaCharlie has added a new Google Cloud BigQuery output.

With the addition of the Google Cloud BigQuery output destination, LimaCharlie users can now output events and detections to a Google Cloud BigQuery Table to turn security data into valuable insights. Visit the technical doc or help doc for details or get started in the web app by navigating to the Outputs view.

February 25, 2022

Sensor 4.26.1 This is a minor update targeting Linux performance.

  • Fixes an issue where network tracking in Linux could result in uncapped memory usage.

February 22, 2022

Microsoft Office 365 sensor

We have added a new capability that allows users to bring Microsoft Office 365 logs into LimaCharlie. This gives security professionals more visibility into the cloud and allows them to have all security data in one place. As with all other LimaCharlie sensors, Microsoft Office 365 comes with one year of full telemetry storage, the ability to generate detections, and execute automations powered by LimaCharlie’s real-time Detection, Automation & Response engine. Some of the use cases Microsoft Office 365 addition enables are:

  • Monitoring global admin changes and specifically account creations of admin roles

  • Monitoring mass deletion of data such as emails or files, especially across multiple accounts

  • Monitoring changes in security configs

  • Monitoring logins from unexpected places that then perform data exfiltration tasks

  • Identifying email exfiltration

As LimaCharlie provides 1 year of full telemetry storage, it can also help organizations to satisfy their compliance requirements, and eliminate the need to purchase more expensive Microsoft Office 365 licenses.

Microsoft Office 365 sensor is billed on usage, at $0.15/GB (includes storage), similarly to our Syslog, AWS CloudTrail Logs, GCP Audit Logs, and 1Password sensors.

To get started, simply click “Add New Sensor” from the Sensors view of the web app. For a step-by-step guide, please visit our Help Center.

February 5, 2022

LimaCharlie Agent v4.26.0

This update brings significant changes under the hood to performance and reliability. It also brings Linux capabilities more on par with Windows and macOS.

  • Linux eBPF support for kernel 5.7+

    • Better performance for network connections and process notifications

    • File events now generated on Linux

    • Network isolation now supported

    • FIM still handled through inotify, but will be transitioning to eBPF in next release

  • Windows Kernel driver update

    • Should provide better performance around File IO tracking

February 3, 2022

New Sensors, vSensor & usage-based sensors

  • We have added six new sensors to receive telemetry from the external sources, which you can now configure in a few simple steps directly from the LimaCharlie web app. This allows you to bring in all of your security data into LimaCharlie, write detections on this data, take advantage of our 1 year data storage, and send what you need to the destinations of your choice via Outputs.

    • You will see Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event logs, and the VMWare Carbon Black EDR sensors

    • The setup flow is simple:

      • When you go to Add a New Sensor & select/create an installation key, you will be taken to the page where you can select the executable for your architecture, the method you want to use to pull your data and the method-specific parameters

      • We will give you a command line to run the adapter

  • We have introduced a definition of vSensor. vSensor (virtual sensor) represents a unified way of managing your capacity for all sensor types. You can find more information here. Essentially, nothing changes for any of the existing users leveraging our EDR sensors (just where you saw the word "Sensor" in quota is now "vSensor").

    • This change becomes relevant once you want to use the VMWare Carbon Black EDR sensor as it will only use 0.2 vSensor value. Therefore it will cost $0.5/month for one VMWare Carbon Black (includes 1 year full telemetry storage)

  • We are also officially introducing the usage-based sensors: Text/Syslog, JSON logs, Amazon AWS CloudTrail Logs, Google Cloud Platform Logs, 1Password audit event log sensors. Logs & data from other external sources are also billed based on usage. The price is set to $0.15 / GB for all usage-based sensors. You can learn more here.

February 1, 2022

D&R Rules detection Target

In an effort to better formalize mechanisms in a way that is more intuitive, we've changed the way you can create Detections from other Detections. As a reminder: this feature enables use cases like adding new responses to pre-existing D&R rules. For example, you could add a isolate network to a Sigma detection. The legacy mechanism used to rely on using a _DETECTION-NAME (_ prefix in all capital letters of the name of the Detection).

The new mechanism reuses the concept of target that allows you to run D&R rules on things like deployment events. We're introducing a detection target, like: target: detection that tells LimaCharlie you intend to apply this rule to Detections. When using this target, the `event: ` or `events: ` statements refer to the Detection name you wish to apply the rule to.

More documentation is available here. Don't worry though, if you are using the old-style of rule for Detections, all your rules will work as-is. We're converting them automatically to the new format in the backend. So you can take your time in porting them to the new style at your pace.

Sigma Source

We've recently changed the source of our Sigma CI/CD pipeline behind the sigma Service. You can now find the D&R rules part of the Sigma Service here. This should not have any impact on current operations, but you may see some errors pop up in your Platform Logs Errors today as the switch over coincides with some fixes to the Sigma --> D&R conversion.

January 11, 2022

Tailored Outputs & Advanced Search Update

We released a new type of Output stream called tailored. It allows users to send specific events, as defined by D&R rules actions to the Output. The goal of this feature is to allow more granularity on the events sent to an Output compared to the basic filters available in the traditional Output streams. Documentation can be accessed here.

Additionally, our latest release includes an enhancement of our search feature. Once inside an organization, you now route to Search via Dashboard. Upon clicking the top-right search bar, a module opens with options to filter a search for Sensors or Indicators within that org. Search results display the number of hosts where the indicator has been seen today, this week, this month and this year. Diving deeper into View Locations displays the first and last time it was observed on each host.

December 17, 2021

Velociraptor Service Beta

We have released a beta of the velociraptor service. This service will automate the deployment, running and collection off Velociraptor Artifacts. It supports 3 actions:

  • list to show all built-in Artifacts the latest release of Velociraptor supports

  • show to display usage of a specific built-in Artifact

  • collect to trigger an actual collection of Artifacts

The service requires the reliable-tasking service to be installed (so that Velociraptor can collect on large scale even if some endpoints are offline). The service supports built-in Artifacts but also deploying custom Artifact YAML config files.This beta does not have a custom web UI. To use it:

  • subscribe to the service

  • go to the Service Request section

  • select the velociraptor tab

  • turn off the Run as background job toggle to see results immediately

  • select the action collect

  • select an artifact_name from the list

  • select a sensor (or tag) to identify where to collect from

December 14, 2021

Web-app Updates & Billing Redesign

  • The Timeline of a sensor's events has received some performance improvements as well as a facelift: there's much more space in there to look at the content of events. We made the tree view optional, enabling Timeline to be used as a more general log viewer for ingested logs from external sources (GCP, 1Password, etc.) We've also removed the default event filters when you visit Timeline, so it's up to you how you want to narrow your search.

  • The list of D&R Rules will look a little different (no more paragraphs of text next to it) and will also be a lot faster if you have a large number of rules

  • Same as above with False Positive Rules

  • Added a confirmation step when closing most dialogs to make sure we don't accidentally lose input

  • Several other small bug fixes and tweaks

  • We heard from many of our users that it was often hard to tell what they were going to pay, so we designed two new pages to help with that: Usage and Billing. Front and center to the Usage page is the org's Quota Rate and Metered Usage. Quota Rate is calculated as (base cost per sensor + add-ons cost per sensor) * quota. Metered Usage sums up pay-per-use features such as Replay or Artifact Collection. Adding Quota Rate + Metered Usage together should give a good estimate of how an org's bill is trending. The Billing page is where you can view / edit payment method and delete your org, if required.Other highlights:

    • Chart to see peak online sensors vs your quota

    • Chart + table breakdown of all metered usage

    • It's now possible to see if there's an existing payment method, including customers who are on unified billing

November 29, 2021

Sensor v4.25.5

  • Fixes stability issues with running on hardened/customized versions of Linux.

  • Fixes rare deadlocks when unloading a sensor.

  • Enhances the performance of the Process List (os_processes) and Network (netstat) views in the webapp for Windows and macOS (Linux will soon follow with eBPF support). This is done by better caching on the sensor. Initial listing request when a sensor starts will still have a cold-start that can take up to a minute, follow on listings will be much quicker.

November 16, 2021

Chromium Sensor Update

The Chromium sensor has been updated and has been published to the Google Chrome Web Store and Microsoft Edge Add-ons store.

  • Old version 1.2.0

  • New version 1.3.0

Notable change: bug fix for atom generation so it now produces good per-request atoms that play nicely in the Timeline.

No user action is required as the extension should automatically be updated.

November 14, 2021

UX Improvements

We listen to you feedback & continue to make LimaCharlie experience easier and more intuitive. Sometimes it requires small tweaks and enhancements; at other times it warrants larger redesigns. In this release, we have made changes to the following parts of the experience:

  • Exfil Control

  • Yara Scanning

  • Artifact Collection

It should now be easier to understand how they work, what configuration options are available, and how to get them setup quickly. Also, Org Descriptions are now visible on the Organizations list.

November 8, 2021

Sensor v4.25.4

  • Fixes to the IS_OUTGOING flag in NETWORK_ACTIVITY on certain platforms.

  • Support for a new sensor tag put to allow users to put a specific Payload on disk without executing it or deleting it after it has been written.

  • Fixed an issue that could result in a sensor crash of macOS during sensor network isolation.

  • The USER_OBSERVED event is now regenerated every 24h. This can help build UEBA detections in a more reliable way.

  • Fixing certain network connections on macOS showing an invalid local IP.

November 1, 2021

Outputs UX Improvements

Forwarding data directly out of LimaCharlie in real-time using Outputs is one of the capabilities we're most proud of at LimaCharlie. It gives you the freedom to collect telemetry and fit LimaCharlie into your existing infrastructure however makes sense for your org.

Setting them up just got way easier. We've redesigned the flow for adding new outputs and configuring existing ones so that you can see at-a-glance what data streams are available, what destinations are supported, what's required to get data streaming into your destination of choice, and samples of what data you should expect to receive.

October 11, 2021

Web-app Onboarding & 'Add Sensor' flow

We've deployed a new web-app onboarding flow to make it easier to get started with LimaCharlie, from creating a new organization to seeing your first sensor deployed.

The most important part of this is the Add Sensor flow which you can find from the Sensors page. No more jumping between pages for keys / downloads / checking for successful deployments. None of the old stuff has changed yet so don't worry if you've got a flow that you're happy with.

However, if you use groups to manage user permissions across organizations, you may also notice the groups are missing from the front page of the app. We wanted to focus the front page on orgs, so groups got moved. You can find them inside the menu under "Manage Groups".

October 7, 2021

Enhanced Rule Validation We've deployed enhanced rule validation for D&R rules. Previously we had some cases where we did not validate the structure of a rule until runtime, and in some cases without producing errors.

The new validation means you may start seeing errors pushing rules to LimaCharlie from rules which previously did not generate errors, if those rules do in fact contain errors.This does not prevent previously working rules from working, it merely highlights rules that were already having issues.

September 30, 2021

Sensor v4.25.3

  • Fixes issues in the File IO reporting on Windows that could lead to missed events.

  • Minor fix to the run command that could lead to issues in some automation scenarios.

Stable Version Now 4.25.2 We've moved the official "Stable" version to 4.25.2 which has been running without major issues. This will not upgrade any Organizations automatically, it will only move the labeled versions used when you trigger a sensor version upgrade from the web interface.

August 25, 2021

Replaying and Testing D&R Rules in the web app

Hey all! Following the revamp we did to replay, we wanted to do some integration in the web app to shorten the feedback loop when writing rules. We ended up basically redesigning the D&R rule editing experience . Some things you might notice:

  • Full page editors for both D&R and FP rules

  • Draft rules for both of them, too

  • Ability to Replay rules both from the list or from the editor, testing them against historical data or directly passed events

  • Timeline events have a Start D&R Rule action which takes you to the editor with the event handy for testing

Check out our demo. Let us know if you have any issues or feedback!

August 2, 2021

Artifact Ingestion IP

The ingestion path for Artifact Ingestion is now using a static IP address across all clusters. This means that the IP address that the service domain resolves to, like , now resolves to a single IP address that is static. This makes it simpler to whitelist the IP across your networks.

July 28, 2021

Replay Revamp

Over the weekend, we will be completing the deployment of a major revamp to Replay.

  • vastly enhanced performance and reliability

  • will use the latest version of the D&R engine

  • will support very large scale replay jobs with more ease

  • better stats on jobs

  • Replay will become a cornerstone of D&R rules development as we integrate it for live feedback throughout the web app

This move requires updating a few moving pieces:

  • Python SDK

  • Replay Service

  • Relay backend

This means that the state of Replay during the weekend will be in flux. Please let us know if this may be causing you issues.

July 22, 2021

New Events Stateful Parameter

This new stateful parameter now allows you to create stateful rules at the Sensor level (instead of the Process level).

This enables, for example, the detection of N number of bad authentications from Windows Event Logs with T amount of time.

See the doc for more:

LimaCharlie 2FA

You will now be able to add a 2FA step to the LimaCharlie authentication on top of whatever settings your auth provider uses.

By heading into the User Profile, you'll be able to enroll yourself.

The initial rollout will only support SMS based 2FA, although we intend to add more over time.

Why is it limited to SMS? Simply put, we're very conscious of the complexity of authentication in general, and for that reason we use Firebase Authentication, which in turns integrates many auth providers like Google, Microsoft and Github. By leveraging Firebase for this, we can ensure that the implementation is rock solid. Unfortunately, Firebase does not yet support other forms of 2FA, but it's on their road map, and when they roll it out, we will support it right away.

We considered doing our own implementation, but decided against it for the current time. We strongly encourage you to use solid auth providers like Google and Office365 which support their own 2FA and anomaly detection. This new 2FA is either an extra-secure step on top of your provider; or a stop gap solution if you want to use email based authentication without a provider.

July 19, 2021

New D&R Rule Operator: Scope We've introduced a new operator to D&R rules: scope. This allows you to scope the path of all sub-rules to a sub-path specified. More concretely, this allows for rules that target specific sub parts of the event, like in the case of NETWORK_CONNECTIONS events. More details:

July 14, 2021

Webhook Output Compression change

This is a minor update that could have an impact if you use webhook or webhook_bulk Outputs along with compression enabled.

We've fixed the behavior of compression on the HTTP headers of those outputs. When the change is deployed, these outputs using compression will now receive headers:

  • content-type: application/json

  • content-encoding: gzip

whereas before the fix they would only receive content-type: application/octet-stream.

This change will enable the automatic processing of various receiving webservers to remove the gzip encoding automatically. Practically it means will be able to, for example, using webhook_bulk with compression enabled to send data to the REST API directly.

In most cases, this should not have an impact. However if you are receiving compressed webhooks via a server that automatically removed gzip encoding, then the content of your webhooks will be automatically decoded.

This change will be deployed in the coming days. As always, please let us know if you have any issues or concerns.

July 9, 2021

Slack Output Documentation

Since the move from Slack to deprecate Legacy tokens, we had not updated our documentation on getting the Slack Output working.We've now remedied that:

Time Zone Preference You can now select your preferred time zone in the web app! Go to Settings inside your User Profile and you can choose which time zone you'd prefer to see timestamps formatted in. Check it out!

July 8, 2021

WEL Event Format

If you have not built D&R rules for real-time Windows Event Logs, you can stop reading.

It's recently come to our attention that some Windows Event Logs, as ingested through the real-time mechanism ( may be formatted slightly differently from what was intended.

Specifically, in some cases, some events could have a Event envelope. The correct path generated is event/EVENT/System for example, and in the badly formatted events you would have event/EVENT/Event/System.

This error was due to do some variable structures in the Windows Event Logs that we'd missed as part of the normalization step.

All Sigma rules automatically generated by LimaCharlie use the correct path, so unless you've created your own rules specifically for the real-time Windows Event Log events, there should be no impact.

Given the low expected impact, we intend to deploy the fix to all clusters tomorrow. If this has an impact on your operations please get in touch with us so we can evaluate the impact vs the impact from mismatched Sigma rules.

July 7, 2021

We have added a new course to our free learning platform that walks users through the LimaCharlie Add-on Marketplace. Learn how easy it is to get new superpowers or create your own.

July 6, 2021

Infrastructure Service

As outline by this post on our blog: We've released a new Service called infrastructure-service:

We see Infrastructure as Code (IaC) in LimaCharlie as one of our super powers. But we know sometimes it's not the most convenient approach to apply quick IaC templates. This service now allows you to do what you used to do using the CLI, but through the service and its API. On top of the API it provides, it also has its own section in the web UI that makes it easy to copy/paste your org's current configuration for backup, transfer to another org or tweaking.

We plan to make use of this service and IaC even more in the future by providing "templates" you'll be able to apply very easily to your new orgs, and also to use IaC as a fast and reliable way to communicate/apply features and automation in LimaCharlie that involves multiple components (like a FIM rule + several D&R rules for example).

It's also worth noting that this service is now enabled by default on all new organizations to make it easier to bootstrap IaC deployments on new orgs.

June 30, 2021

Net Telemetry

Two new Policy types are available for Net: dns-tracking and conn-tracking. These new policies, when applied, will generate DNS_REQUEST and NETWORK_CONNECTIONS events for the Net sensor they are applied to. Those events will make their way in real-time into LimaCharlie:

  • they will be visible and retained in the Timeline of the Net sensor

  • they will be visible in the Live Feed section of the Net sensor

  • they will go through the D&R rules

June 29, 2021

In an industry first, LimaCharlie is introducing a pure usage-based billing scheme for its EDR capability. Deploy a full-featured, cross-platform agent for as little as $0.02 an endpoint.Read about what this means for cybersecurity:

June 17, 2021

Sensor v4.25.1

  • Enhanced hashing on Windows.

  • More reliable process parent/child tracking under load.

June 8, 2021

New Add-ons Marketplace

We've done a redesign of our add-on browsing / management experience! Some highlights:

  • Add-ons now live in a marketplace which you can browse anytime, specifying which org(s) you want to subscribe to add-ons

  • Add-ons are now searchable! Both from the marketplace and within orgs

  • Add-on authors now get separate preview descriptions & full markdown descriptions to better promote their add-ons

  • We've done a content audit to make sure our published add-ons are as descriptive as possible so everyone can set them up and use them

  • The Add-ons view within orgs is now a focused list of add-ons that are currently enabled in that org

  • Detection add-ons are now marked for deprecation, meaning we don't show them in the new marketplace. We feel that managed rule sets via Service add-ons are a better experience overall since you can simply enable them with no extra steps

Here's a quick tour if you'd like the guided version.

June 2, 2021

VirusTotal API

We've updated the lcr://api/vt API that can be used in D&R rules to support Domains and IPs on top of the existing Hashes support. Usage is exactly as before, the value provided in the lookup will automatically be detected to be a Domain, IP or Hash. Here is an example of a rule leveraging VirusTotal for Domains:

event: DNS_REQUESTop: lookuppath: event/DOMAIN_NAMEresource: lcr://api/vtmetadata_rules: value: 4 length of: true op: is greater than path: /

May 26, 2021

Sensor v4.25.0

The minor version change is the result not of new functionality in this release, but in the update to libYara included. As this was a major update and it is an external library we wanted to be cautious in letting people know of the change.

  • Updated libYara

  • Fix to macOS User Mode (without the Apple Endpoint Security Extension) process tracking that could result in high CPU during sensor updates.

May 12, 2021

Sensor v4.24.3


  • File Integrity Monitoring on Linux has had fixes to support wildcards in paths like /home/*/.ssh/* without impacting system performance like before.


  • You will no longer see the appear in the Recent Applications section of the Dock after a restart

  • We now provide better “silent” installations for enterprise deployments using a preference file (the won’t prompt you with the Install button if you’ve used an MDM profile and place the preference file in the /Library/Preferences folder)

May 9, 2021

Apple Binary/XML Plist Support

The Artifact Ingestion system now support Apple Binary (and XML etc) PLISTs. Ingesting them will produced a parsed version in JSON which you can alert on using the D&R rules engine similarly to Windows Event Logs and others.

May 6, 2021

Web App Update

Sensor View

We've been working on making it easier to navigate & interact with the data for each individual sensor. To that end, we've deepened the navigation so you can drill down into a Sensor in the web app to access available data as well as take action from one place. Just click a Sensor from the list within an org and you'll see the new view.

Today you'll be able to see Overview, Artifacts, Timeline, Console, and Processes accessible from this view (Console pictured below). The intention is to deprecate Live View and consolidate most its functionality into this new one-stop-shop for everything on a Sensor. We're still working on finishing Processes and will be working on bringing File System and Network Connections into this view next.


We've created a new page, accessible from the Sidebar, for viewing all Artifacts within an Organization. The Artifact Collection page is now just for configuring rules, and there's no longer a need to open up a separate window to view & filter collected Artifacts.

April 26, 2021

Web App Historical/Timeline

Clicking on a Sensor in the Sensor List now brings you into a more complete view of all the information about that Sensor, including the Timeline (historical view) and the Live Console. This means the Historical view button has been moved to the sidebar menu found by clicking on a specific Sensor.

As we keep refactoring things you'll find more and more Sensor-specific views in this Sensor section.

This also comes with a change in the URL for these view. The historical URL now looks like /orgs/OID/sensors/SID/timeline. The links generated in the Detections have also been adjusted to point to this new path.

April 13, 2021

EXP Datacenter Decommissioning

The "Experimental" Datacenter will decommissioned from General Availability on Friday (April 16, 2021). We've reached out privately to users who had small deployments on this datacenter a few weeks ago, so we don't expect this announcement to have an impact on anyone. We just wanted to have it on the record for transparency or for those who noticed it gone from the list of datacenters.

April 8, 2021

Webapp - Event Explorer Rewrite

If you use explorer to dig into Sensors' event histories, this is for you! We rewrote the Explorer view to have improved performance, UX, and consistency of how event trees are constructed. It should feel familiar, but more approachable.

Some of its features:

  • The view is still at its core a browsable list of events, anchored at a chosen point in time. Clicking an event selects it for the viewer to show related events in a tree graph, as well as details of the raw event.

  • The URL contains the exact state of the filters and event tree you're looking at. Feel free to share with a colleague!

  • The keyboard controls have been expanded upon. There's a helpful Controls button to get you familiarized.

We hope it feels solid for you! Any feedback and bug reports are welcome.

April 5, 2021

Sigma Service & Live Windows Event Logs

Since a few days ago, the Sigma Service now generates Windows Event Logs based D&R rules that apply to Live Windows Event Logs (as announced March 16) on top of the previously-supported Artifact-based (files) Windows Event Logs.

This means that as you switch to using Live WEL, you will keep the coverage provided by Sigma.

As usual, the Sigma D&R rules used are available here for transparency:

Sensor v4.24.2

  • Enhanced performance with network tracking on Linux Docker environments.

  • Tweaks to process termination increasing reliability of the ordering of some events, leading to better stateful detection and parent->child ordering of events.

Note: with this release we are also bumping up the Stable version to 4.24.1.

March 22, 2021

Sensor v2.24.1

  • Fixes a possible memory leak that could occur in certain rare cases on Linux / Docker environments.

  • Fix also enhances memory and CPU performance a little bit on all platforms.

March 15, 2021

Preview: Real-time Windows Event Logs

We will be rolling out a major new feature early this week: The ability to capture Windows Event Logs (WEL) in real-time. Windows 2008 and above will be supported as we rely on APIs introduced then.The new events will be received just like any normal LimaCharlie event, encapsulated in an event of type WEL. Like the collection of WEL on disk, the real-time WEL collection contains the JSON form of each event.This means that with this feature, you will be able to write normal EDR-based D&R rules for WEL, including using stateful rules between WEL and first-class LimaCharlie events.The collection will still be configured from the Artifact Collection menu, by specifying a path of the form "wel://<log-source>:<log-filter>" as opposed to a traditional file path of a log file to collect.The collection will have a billing component (exact amount TBD) per number of events since collection can vary wildly depending on tenant.

Example configuration:


Example event:

{ "event": { "EVENT": { "EventData": { "ClientProcessId": "5136", "CountOfCredentialsReturned": "0", "ProcessCreationTime": "2021-03-15T02:55:19.2369319Z", "ReadOperation": "%%8100", "ReturnCode": "3221226021", "SubjectDomainName": "WIN-5GD8E0AG2OD", "SubjectLogonId": "0x1b8de", "SubjectUserName": "testuser", "SubjectUserSid": "S-1-5-21-4156042152-1734453135-989269774-1000", "TargetName": "MicrosoftAccount:user=02rlaxvkrpaxteab", "Type": "0" }, "System": { "Channel": "Security", "Computer": "WIN-5GD8E0AG2OD", "Correlation": { "ActivityID": "{cc484453-193e-0001-fe44-48cc3e19d701}" }, "EventID": "5379", "EventRecordID": "41750", "Execution": { "ProcessID": "664", "ThreadID": "748" }, "Keywords": "0x8020000000000000", "Level": "0", "Opcode": "0", "Provider": { "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", "Name": "Microsoft-Windows-Security-Auditing" }, "Security": "", "Task": "13824", "TimeCreated": { "SystemTime": "2021-03-15T02:55:21.9656464Z" }, "Version": "0" } } }, "routing": { ... }, "ts": "2021-03-15 02:55:22" }


March 13, 2021

We’ve rolled out a change that lets you stay logged into LimaCharlie across browser tabs.This is on by default. You can change this in the LimaCharlie web application within Settings -> View User Profile -> Settings -> Allow Session Across Browser Tabs

March 1, 2021

White Label Changes

To those who use LimaCharlie's white label functionality -- we've just pushed out visual changes for your sites. Highlights:

  • Installation Keys & Sensor Downloads now appear together in a new section called Install Sensors

  • Incident Response moved from sidebar to the Sensors section

  • Menu reorganization

For more information please refer to our blog post:

February 24, 2021

Web App Changes

  • We've just pushed a major update to the Sensors List. We feel it's a lot better than it used to. Cosmetic and performance changes.

February 17, 2021

Python SDK/CLI v3.18.0

  • Added support for lc-net Policies to the Configs CLI to manage the policies through config files.

  • Added the --all flag to limacharlie configsto sync all types.

  • Produce warning on limacharlie config if no config type to fetch/push is specified.

February 13, 2021

D&R Rules Changes:

  • We’ve introduced Time Descriptors to D&R Rules. These enable you to specify very custom time of day/week/year when parts of a rule are in effect. These unlock a bunch of UEBA use cases. For details see our documentation on D&R rules & times.

  • The event: _* portion of D&R Rules now support a special wildcard to have a rule match all Detections being re-processed by the D&R Rule Engine. This is useful to apply a rule to all detections generated. See the last paragraph:

February 10, 2021

User interface updates

Some visual changes were made in the web application user interface. Details can be found in our blog post.

January 8, 2021

New Element in Event Routing

You may start to notice in the next few weeks a new element in the routing element of the events generated by LimaCharlie.

The new element is called ‘did’ (a string) and will be used to represent the DeviceID, a value that will tie together multiple SensorIDs when the multiple sensors refer to the same Device. The implementation of this new value will also gradually roll out so you may see it get populated to a value if, for example, you have a Windows sensor and a Chrome sensor on the same box. This new value will take more importance in the future as we introduce more sensors platforms to provide you with a top level view of a user's device.

January 5, 2021

Output Pricing

Starting March 1st, we will be introducing a per GB cost to non-Google Cloud Storage (GCS) Outputs in LimaCharlie. The cost will be $0.12 per GB.

The goal of this pricing is not to monetize the feature but rather to ensure a fair and scalable future for the feature. The cost introduced is the exact cost incurred by Google Cloud, our cloud infrastructure provider.

The exclusion of GCS is due to much lower costs for bandwidth within the Google Cloud.

You will likely start seeing these line items pop up in the billing section ahead of the price taking effect. We do this to provide lead time for you to evaluate the final cost once it takes effect.

If you are using Insight (our 1 year of data retention) exclusively this change will have no effect on your billing.

January 4, 2021

Insight Historical Search Throttling

We are rolling out throttling of Historical search ("object" search). You will now be limited to 20 searches per hour per Organization on a rolling window.

The goal of this is not so much to limit the number of searches done by a user as much as reducing the risk of users performing a high number of queries in an automated fashion without realizing. This API is backed by Google Cloud's BigQuery on our end and that service is very sensitive price-wise. It is able to search across peta-bytes in the blink of an eye (which is why we chose it for long term scalability), but it's also not cheap. We've decided on this approach for now as it allows us to have a sanity ceiling in a transparent way most users won't hit. The alternative would have been to bill directly users per search but we felt this approach would have been more likely to lead to surprise bills which nobody wants.We'll be refining this approach over time. Please let us know if you have feedback or concerns.Note that searches are not limited to single IOCs. Using the batch API (see related API documentation and Python SDK documentation) you can query for multiple IOCs at once, which will count as a single query. This can be a great way to still get the coverage you need but in a more efficient way.

December 17, 2020

Python CLI Config Push

  • We've released a new version of the Python SDK / CLI tool that refactors the old `Sync` module into a new cleaner module called `Configs` so you can consider Sync deprecated (although it is still present in the SDK/CLI).

  • We've also released a sample MSSP repo demonstrating infrastructure-as-code config management as part of a webinar.

  • Documentation to the new Configs module

  • The new Configs module can also be invoked via the CLI: `limacharlie configs --help`

December 9, 2020

Sensor v4.23.1

  • Enhancements to macOS support. Fixed some issues with upgrading the new System Extensions as well as the support for old Kernel Extensions.

December 3, 2020

Sensor v4.23.0

  • Revamp support for macOS 11 (Big Sur). This was a huge effort of re-writing the entire kernel acquisition pipeline and we were caught a bit off guard by the actual release date. Thanks for your patience. On a good note, our capabilities are actually better than they used to be.

  • Fixing possible connectivity issues that could also impact performance that were introduced in v4.22.0. We strongly recommend using the new v4.23.0 installers for new installs. If you have issues with previous installs on v4.22.0, you may swap the new installer for the older executable on disk.

  • We have added a capability to perform core-upgrades (as opposed to the normal day to day updates that we issue 99% of the time) from the cloud, so without having to swap executables or re-install as mentioned in the point above. We will be releasing instructions on doing core-upgrades within a day or two. We believe v.4.23.0 brings us back in a very stable core which should not require updates for a long time.

* Please note that macOS 11 (Big Sur) will still require a series of pop ups to confirm access by LimaCharlie to various parts of the OS by the new App bundle required to support Apple’s new frameworks. Unfortunately that’s just going to be part of life on the Apple ecosystem for the foreseeable future, all vendors are impacted. It is possible to bypass these by using enterprise deployment platforms and whitelisting the LimaCharlie certs at the enterprise level. We will be producing documentation on that topic in the future.

November 25, 2020

Sensor v4.22.1

  • Fixes an issue where Yara scanning would always be enabled even without rules being set. This fixes a memory leak on Linux.

  • Fixing proxy support where some proxies would reply with an HTTP 1.1 OK even to HTTP 1.0 requests.

  • Fixing support for Payloads and Artifact collection with proxies.

  • Better error reporting to artifact errors.

    In addition, the installer has also been updated for Windows. Mainly this changes an internal behavior of the agent where some payloads used to be loaded into memory manually, this new version loads them "properly" from OS perspective. This solves some issues with proxies and environment variable use and the sensor. You should not need to upgrade the installer on existing deployments unless you have a specific need for it.

November 13, 2020

Sensor v4.22.0

  • Hardened LC protocol with the sensor talking to the cloud. This fixes a rare issue where a sensor could become unresponsive if it had encountered a failure mid-enrollment.

  • New task available dns_resolve. It will cause the sensor to resolve a given domain name. This is mainly geared towards a future global-level API to correlate multiple sensors and users living on the same devices.

We recommend using the new installers for future installs, but should not be needed for current ones.

October 20, 2020

Two new services allowing for the creation of alerts/messages in the respective platforms.

These are designed to be mainly used as part of D&R rule actions to trigger escalation of an alert. They can also be used by other Services.

October 19, 2020

Sensor v4.21.3

  • Ability to use scripts (like .bat) as Payloads

  • Small performance tweak

The ability to run a script is provided by adding the ability to set the file extension of the payload. This is done by adding the extension to the Payload name. For example, if you create a new payload named extract everything.bat, the temporary name of the Payload when sent to the endpoint will end with .bat which will make Windows interpret the Payload as batch file. This mechanism should allow of the execution of any file type associated with execution on the endpoint. It is the equivalent of starting a shell and just "calling" the payload.

Dumper Service now supports dumping the MFT on Windows

We've added a new option, target to the Dumper Service. This option supports memory (the default) and mft. The MFT dumping behaves the same way as memory, except that it dumps the MFT as a pipe-delimited CSV file of type mftcsv in the Artifact Collection system.

Artifact Collection parsing for mftcsv and csv types

The Artifact Collection systems has two new parsers: mftcsv and csv. This means you can write D&R rules on the contents of the MFT dump announced above. The generic csv type will parse any CSV file, assuming the first line is a header definition of the columns.

August 19th, 2020

Sensor v4.21.0

  • Basic Proxy support:

  • Small enhancement to Linux packet capture.

Note: proxy support requires new version of the installer, if you keep installers locally for deployments you will want to re-download the latest.

Web App v2.28.10

  • Adding a timer to the delete-org dialog to help avoid deleting by mistake.

  • Adding banner in web app when an organization has past-due billing to help make billing issues more visible.

Wednesday, July 15, 2020

New sensor-cull Service

This new service is free and be subscribed to from the add-ons section of your organizations.It allows you to set rules that automate the deletion of sensors that have not connected to your org after N days. This is useful for docker deployments or other template/VM based deployments where sensors continually enroll, and then are not seen again once the container/VM is destroyed.

Wednesday, July 1st, 2020

Sensor v4.20.1

This is a minor update with a single fix:

  • A local Docker installation could cause an override of the FQDN  to host.docker.internal. This has been mainly observed on Windows, but all platforms now ignore this FQDN locally and report their hostname instead in those instances.

Tuesday, June 16th, 2020

Web UI v2.28.6

  • Advanced Artifact Search. If you go in Artifact Collection, there is now a link to a full page viewer of Artifact and search above the list at the bottom.

  • Fixed hostname display in Detections from Artifacts.

  • Hiding certain event types from the Exfil Service to avoid mistakenly enabling extremely verbose events fleet wide. Still available through API. This will like be reverted when we release the next version of our main endpoint service which will have better performance.

  • Adding Packet Capture section to Artifact Collection. More details in its own annoucement shortly.

Sensor v4.20.0

  • More information in REGISTRY_WRITE operations. Includes type, size and first N bytes of the value written.

  • Network capture capability on Linux sensor. More details to follow.

  • Windows kernel small fix to memory leak issue in some rare network configurations.

Linux Packet Capture

This is a big capability rollout we're very excited about. It is now possible to configure automatic pcap capture on Linux hosts from the cloud.Configured through the Artifact Collection screen, you can specify a list of hosts filtered by tag. Then in each a list of captures to run where each capture is a combination of a network interface and a filter expression (tcpdum-like).When activated, captures will be started (synchronized every ~10m) on the hosts. Captures will be automatically uploaded to the LimaCharlie cloud's Artifact Collection in 30MB chunks where they will be retained for the retention period specified in the rule.This closes an important detection loop. For example:

You can now capture network traffic from (for example) a proxy. Have the network capture retained automatically in the cloud. This capture on its way in gets translated into JSON where you may apply D&R rules to automate detection and response from the PCAP header layers. You may then have those PCAPs automatically converted into Zeek logs using a D&R rule on PCAP ingestion using the Zeek service. These Zeek logs get re-ingested in the Artifact Collection service (with a custom retention of your choosing) where they also get converted to JSON and again can be used to base D&R rules from them to automate even more.This is the first step towards more XDR-like capabilities. On our future roadmap is to include a managed Suricata service allowing you to run as many network detection rules as you want without impacting endpoints directly.As part of this rollout are changes to the Zeek service to make it more usable and customizable (see documentation link below). The Python SDK has also been modified to provide simple iteration over PCAPs from one or many hosts, which can be used to further automate off-site pipelines.Some doc: free to reach out if you have any more questions.The LimaCharlie Team

Friday, May 29th 2020

Artifact Export Pricing

This is a heads up that beginning next month (July), we will be introducing a price around Artifact exports.The reason for adding a usage-based pricing around this is that large bulk exports (like Artifacts) incur network bandwidth costs for LimaCharlie. It is not our intent to specifically monetize this feature but given the cost is non-trivial, we will be setting the price to be at-cost ( should have little to no impact on most users unless you do frequent exports of original Artifacts.Our longer term intent to lessen the impact on pricing like this is to favor the development (both internally at LimaCharlie and externally by LC users) of Services through our Service framework since these services will be able to use Artifact data from the cloud at a much lesser cost.The new pricing will be $0.12 per GB exported.

Tuesday, May 26th 2020

Renaming External Logs

We've renamed External Logs to Artifact Collection in order to make it more descriptive. This renaming also translates into the commands like log_get which are now artifact_get etc. The old commands are still supported as aliases to the new ones. The events generated by the sensors have not been renamed for backward compatibility. New Webhook-Bulk Output

The new webhook_bulk Output now allows you to transmit batches of events/detections/audit-logs via webhook. The old webhook (still available) transmitted a webhook per-event which was not suitable for large amounts of events.These changes (including the web UI) are rolling out over the next few hours.

OLE VBA Macro Parsing The Artifact Collection system can now detect, parse and extract OLE (MS Word, Excel etc) documents that contain VBA macros and extract them. This means you can now build D&R rules that look for specific content in VBA macros from documents ingested.

Wednesday, May 20th 2020

Sensor 4.19.6

  • Fixes specific to stability in Docker environments.

  • Fix to specific cases on Windows where kernel notifications could lead in blocking of handles.

  • Added to Windows REGISTRY_WRITE events: registry value size, registry value type and first 16 bytes of the value itself.

Tuesday, May 19th 2020

Reliable-Tasking Service

We've just released a new service called reliable-tasking. This service allows you to task multiple endpoints at once, including offline endpoints. In the event an endpoint is offline, the service will wait for it to come back online and issue the task then. An optional ttl is also available to limit the amount of time the task will be pending for offline endpoints.As all Services, it is available through the REST API, D&R rules and SDK.

Sunday, May 17th 2020

Centralized Invoices

We have been working on providing a capability to do a single centralized Invoice for users of LC at scale like MSSPs. This feature will see a single invoice sent to you monthly for all organizations created under your domain so you can pay a one time instead of each org individually.We expect to be ready for roll-out within a week or two. If this is something you're interested in let us know and we will contact you when it's available.

Saturday, May 16th 2020

Sensor v4.19.5

This is a single change release with very minor impact.

  • The "atoms" that are used to correlate all events now implement a new encoding scheme that Greatly improves searching for specific events by Atom, which is most commonly needed in the Historical view of the web UI. The "crawling" up the parent process tree in this view should become Much faster (it is now O(1)) for sensors upgraded to this new version.

Saturday, May 16th 2020

Sensor v4.19.5

This is a single change release with very minor impact.

  • The "atoms" that are used to correlate all events now implement a new encoding scheme that Greatly improves searching for specific events by Atom, which is most commonly needed in the Historical view of the web UI. The "crawling" up the parent process tree in this view should become Much faster (it is now O(1)) for sensors upgraded to this new version.

Thursday, May 14th 2020

Rolling Directory Reset

Tonight, after 6 PM Pacific Time, we will be performing an upgrade to most datacenters' Sensor Directory service. This is part of an effort to increase performance and reliability of the service.The side-effect is that over a few minutes, the sensor list may be partial or unreliable. This will not impact general telemetry collection of the sensors.Let us know if you have any questions.

Wednesday, May 13th 2020

Sensor v4.19.4

  • Small tweak to Windows kernel extension. Fixes rare cases causing blocking delay on pipe closure and possible memory leak in certain network configurations

  • Better file path expansion in kernel read file.

Thursday, May 7th 2020


Tuesday, May 5th 2020

Sensor v4.19.3

  • os_processes now supports a --pid to list single process and a --is-no-modules to report only the process information and not all its modules (lighter weight event).

  • os_version on Windows now adds a FRIENDLY component that lists a few human-readable strings from the registry.

  • The CODE_IDENTITY event now includes several attributes found in the file_info like various file times. Nix OSes also include UID, GID and Mode.

  • The FILE_INFO_REP event now includes UID, GID and Mode.

  • All file hashes are now generated from the kernel when available.

  • Process information acquisition has been streamlined, should result in better performance.

Monday, May 4th 2020

Web UI v2.26.0

  • Added a toggle to enable/disable a D&R rule without deleting it.

  • Added a Web App Domain value in the Integrations section. If set, this domain name (like for example) will be used in the generation of URL links. At the moment the only link generated is found in the Detections generated. If the Integration value is set, you will find a links value at the root of the JSON detections that is the equivalent of the link we have in our web UI to go to the Historic view to the event in question. This is off by default so that you may set it to the value of your white-label domain (if applicable).

Saturday, April 25 2020

Sensor v4.19.2

  • Command line arguments on Windows and OSX should now more reliably contain the full value event when extremely long.

  • Fixing a bug on DNS for Linux that could cause the Linux sensor to block for a long when restarting. Consequentially, you may need to manually restart the Linux sensor after upgrading to this new version if you are upgrading from 4.19.x.

  • Fixing an issue where extreme numbers of process starts on a machine could result in some TERMINATION events being lost. This in turn could result in slow memory leak from internal mechanisms tracking process termination.

  • Enhanced error numbers for External Log fetching through log_get.

Side note: we recently changed our EV Certificate used to sign Windows components. During the switch an error was made and the wrong .cat file was included when deploying the driver. This could result in Windows 10 Secure Boot enabled systems to reject the driver signing. This update fixes this.

Friday, April 17th 2020

Sensor v4.19.1:

  • Ability to ignore cert validity (--is-ignore-cert) for log_get and run, for more info on why see:

  • The NETWORK_CONNECTIONS event now contains the original connection timestamp for each connection within.

  • Signed MSI installers are now available for Windows. Note that sensor uninstallation is not possible using the MSI, you will still have to use the `uninstall` command or uninstall locally. See for instructions on using your Installation Key with them.

  • Linux sample installer has been modified to support Debian and CentOS families.Sensor Upgrade Staging:

  • It is now possible to test-upgrade specific sensors within an Organization without upgrading the whole Organization. This allows you to specify test machines within the Org to deploy the new sensor versions to. This is done using a "magic" sensor tag latest

  • The SMTP Output now supports a subject parameter to override the Subject line.

  • The NEW_DOCUMENT and FILE_TYPE_ACCESSED specifics are now -documented: 

Thursday, April 16th 2020

Sensor v4.19.0

  • Linux now supports DNS (through static libpcap).

  • Windows fixes issue where some system configs could see a memory leak in kernel related to network connections.

  • Hostname now reported as FQDN when possible.

  • Small performance tweaks.

Saturday, April 11th 2020

Python SDK v3.7.0 Adding a new API to get a timeline of specific IoC types from a sensor.

Wednesday, April 1st 2020

  • New UI for generic Service requests. Uses the service request definitions from external services. Main use case is for the Dumper service at the moment. Will become more fleshed out in the future.

  • Minor cosmetic tweaks.

  • Historic view now displays relevant default events for Chrome sensors.

  • Fixes to historic view in some corner cases with sensors with very little data.

  • Adding process hash to the process view and the network view of the Live page.

  • Sensor network isolation is now a first class feature. New UI elements in sensor detail view and sensor list filters for it.

Sunday, March 29th 2020

Python SDK v3.6.0 Adding CLI accessors for Events and Detections to STDOUT

Tuesday, March 24th 2020

Persistent Network Isolation Network isolation currently requires D&R rules in order to make network persistence persistent across reboots.

This is changing. We've streamlined the isolation concept into a first-class API instead of a mix of D&R rules and sensor commands. Managing network isolation will be safer and more intuitive.

The new REST API: The new D&R rule Actions: The Python SDK:

The Web UI will also be updated so you can see, sort and modify the Isolation state of a sensor directly from there. If you want to see a preview before we push it to prod:, you will be able to toggle the isolation state in the details panel of a sensor in the sensor list section.

IMPORTANT: Now this new persistent mode can clash with the old way of managing isolation through D&R rules. This means that if you use the segregate_network sensor command as part of a D&R rule, you will likely want to modify those rules to use the new isolate network Action. This new Action sets the isolation mode persistently.

In order to avoid bad surprises, we will be doing the transition gradually. Starting now, you can use the new isolate network and rejoin network Actions as part of your rules. But the persistence on reboot will NOT be enforced so that the current behavior is mostly maintained. Then starting next week, we will enable the enforcement of the persistence on reboot. This means you can now put in place the small D&R rule changes (if you're affected) and not worry about it. Then next week you'll be free to remove the older D&R rules using the segregate_network command.

Sunday, March 15th 2020

Towards Authenticated D&R Rules At the moment, a user or api key having the permission to create a D&R rule gives complete access to all the Response capabilities in D&R rules, including tasking sensors.

In the next few days and weeks, we will be moving towards enforcing the relevant permissions from the creator of a D&R rules to the Response components of new rules.

This means that in order for a user/api key to create a D&R rule that tasks a sensor in the Response component, that user/api key will require having the sensor.task permission.

This concept will apply to sensor.task, sensor.tag and replicant.task.

This move will only apply to NEW D&R rules, so anything currently in prod will not be affected.The rollout of this will be progressive in order to make the transition smooth:

  1. Within a few days we will now generate Errors when permissions are missing from a new rule, but the rule will still be created. Within the next few weeks (there will be another announcement) we will eventually turn these Errors into enforcement.

  2. The goal of this transition is to move towards a system that provides greater oversight onto more "active" types of access. This will become more critical as we expand 1st and eventually 3rd party Services.

Wednesday, March 11th 2020

Cap on D&R Rule Matches

In very rare occasions we've seen certain D&R rules match abnormally often. Some of those cases resulted in degraded performance of the cluster.In order to limit the impact of these, we've implemented a new system that will temporarily disable a rule in the affected subset of endpoints at run-time. When this occurs, an error is emitted to the Error log.The threshold is currently very high (on the order of 500 / minute / backend-service) so it should not have any impact on any normal rules. So this is more for awareness.

Python SDK 3.4.0

Added Manager.getApiKeys(), Manager.addApiKey() and Manager.removeApiKey(). This functionality is also available through the REST interface:

Tuesday, March 10th 2020

Python SDK v3.3.0

  • Adds accessors for jobs from Services:

Sensor v4.18.7

  • Log uploads have built-in retries in the agent.

  • Fixing case that would cause the sensor to restart.

  • Windows signing certificate has changed (3 year renewal). No effect unless you specifically whitelisted the cert.

  • CODE_IDENTITY hashes are now entirely gathered from the kernel which should help cases where another piece of software enforces no-sharing of file handles.

  • EXISTING_PROCESS generation fixed when pre-existing state has cycles in parent-child relationships.

This releases fixes stability issues and is recommended.Note that with this release, we are moving v4.18.6 to the Stable sensor branch. v4.18.7 is now Latest.

Also, on top of changes above:

  • Fixed an issue where some Windows processes leaking process handles would not be detected as "terminated". This had implications on memory and stateful detection over time.

Monday, March 9th 2020

LimaCharlie Chrome Sensor v1.1.0

(pending Chrome Web Store review) The new Chrome sensor version should be available soon.It will include:

  • history_dump parameter support, like selecting specific event type or atom.

  • Exfil Watch rule support, so you can create watch rules for specific patterns in events to send to the cloud.

  • 3 new events: BROWSER_REQUEST_CONTEXT is a root event for all activity related to a specific request in the browser. HTTP_REQUEST_HEADERS contains the list of all headers sent in the request. HTTP_RESPONSE_HEADERS contains the list of all headers in the response to a request.

The _HEADERS events are not sent to the cloud by default, but you can get them by using history_dump for a specific atom (or event type) or creating a watch rule looking for specific content pattern.Screenshot shows the relationship between all these events.

Friday, March 6th 2020

The package names (and IDs for Chrome) from the os_packages command now get indexed for IoC searches.

Tuesday, February 25th 2020

lc-service v1.6.0:

Wednesday, February 19th 2020

Sensor v4.18.6

  • Fixes a long standing stability issue on all platforms.

Friday, February 7th 2020

Sensor v4.18.5

  • Single change to MacOS sensor. Fixing compatibility issue with FUSE filesystems.

Tuesday, February 4th 2020

Sensor v4.18.4

  • Fixes to MacOS kernel acquisition of Processes and File IO.

  • General stability fixes.

Tuesday, January 28th 2020

Python SDK v3.2.1 (and REST API)

Note that the dataset for the IP query described above has only been created a few weeks back, so older queries may not return anything.

Sunday, January 26th 2020

Python SDK v3.2.0

Completes the move towards a single CLI interface by moving the limacharlie-upload to limacharlie logs upload. A limacharlie logs get_original CLI was also added to download original logs.

Saturday, January 25th 2020

Additional API Key Flairs

We've introduced 3 new API Key Flairs:

  • [segment] isolates what a key's user can see to whatever is created by that key.

  • [secret] allows resource names created by the key to be seen by others, but not the content of the resources.

  • [root] an escape-hatch that allows the user of the key to override any resources created by any other keys even if these had [lock] .

See the doc:

Friday, January 17th 2020

Whitelabel Configurations

If you do not make use of a whitelabel, you can ignore.The whitelabel system now supports a new configuration to hide more "management" parts of the UI to all users except specific domains. So for example if your whitelabel is for your company "SecCo", you can specify that all users who are NOT will not be able to see the Groups UI, the Create Org button, the Personal Add-on UI and the User Profile.This is something useful if you want to provide a leaner experience to your users through your white label.If this is something you want, get in touch and we will deploy the change to your whitelabel.

Thursday, January 16th 2020

Python SDK v3.0.0

This is a major release specifically because it breaks existing CLI interface. The SDK itself remains compatible.Many modules previously instantiated through dedicated CLI interfaces like limacharlie-search or through the Python module like python -m limacharlie.Sync have been moved into a single proper CLI tool like:

  • limacharlie search ...

  • limacharlie sync ...

  • etc

As reflected in the README: should provide a better experience when using the CLI. The modules moved are:

  • dr to manage D&R rules

  • search to search for IoCs across organizations

  • replay to run Replay jobs

  • sync to export/import entire Organization configs

GitHub: refractionPOINT/python-limacharlie

Python API for the service. Contribute to refractionPOINT/python-limacharlie development by creating an account on GitHub.

Web UI v2.19.1

  • Removed the "limacharlie" reference from a few spots in whitelabels.

  • Moved some subsections behind permission walls: interaction with services like exfil , responder etc now require the replicant.task permission. Sensor Downloads requires the ikey.list permission. This helps effectively hide complexity away from users with limited permission sets.

Monday, January 13th 2020

Sensor v4.18.3

  • More aggressive new process processing, results in better data accuracy.

  • Fixes to run-time memory validation resulting in more stable sensor.

  • Fixes to Docker deployment modes, specifically network namespace tracking. Fixes performance in Linux when namespaces are not used. See doc for new NET_NS environment variable usage:

  • Adding OriginalFileName to CODE_IDENTITY events on Windows. Adds support for some new Sigma rules as well.Sensor v4.18.3

    • More aggressive new process processing, results in better data accuracy.

    • Fixes to run-time memory validation resulting in more stable sensor.

    • Fixes to Docker deployment modes, specifically network namespace tracking. Fixes performance in Linux when namespaces are not used. See doc for new NET_NS environment variable usage:

    • Adding OriginalFileName to CODE_IDENTITY events on Windows. Adds support for some new Sigma rules as well.

Saturday, January 11th 2020

Web UI v2.19.0

API Key Flair Support

A new feature is available on all datacenters. This feature allows you to specify some characteristics relating to new API Keys. Currently two Flair are supported:

  • [bulk] modifies the API quota applied to the key to be higher

  • [lock] locks resources created with the API key so that they may only be modified by the same key.

More details:

Wednesday, December 25th 2020

Deprecation: --is-not-compiled flag for yara_ commands.

As part of the overhaul of some of our Yara capabilities, we will be deprecating this flag in the next week. Its functionality will become the default behavior.If you are using the Yara related capabilities through the Yara service, this will have no impact. You may be impacted only if you if you issue those commands yourself in an automated manner.In essence, you will no longer be able to run pre-compiled Yara rules through LC, only "normal" rules (text) will be supported. This becomes more effective as we add more platforms and architectures since compiled Yara rules are not cross-platform.As usual, let us know if you have any concerns.

Tuesday, December 24th 2020

Sensor v4.18.2

  • Adding TCP connection state to connections on MacOS

  • Fixing issue with ad-hoc Yara scans.

Tuesday, December 17th 2020

API Change:/org/{oid} (

As we grow, we're encountering extra-large organizations which makes certain APIs less relevant than before. We've begun onboarding organizations which make use of container-clusters and create a lot of churn in sensors. This means the n_sensors value returned by this API is less relevant, and in some cases very expensive to compute. As far as we know, no-one is actively making use of this parameter. If you are, please let us know so we can work our an appropriate alternative. Otherwise our plan is to deprecate this value returned by the API. Python SDK 2.19.2

The Manager.sensors() API call is now easier to use for larger organizations. Pagination used to be done manually, but this function now returns a generator instead. This means doing a for sensor in manager.sensors(): will now iterate over ALL sensors as is the expectation.

Sunday, December 16 2019

Python SDK v2.19.0

  • Adding option to CLI to upload External Logs with a given N days of retention.

  • Adding an API call to the Manager object to get all sensors with a given tag.

Web UI v2.18.1

  • Adding a checkbox to "only display online sensors" in the sensor list.

Friday, December 13 2019

Sensor v4.18.1

  • Enhanced performance.

  • Bug fix where some process terminations were being lost. Could lead to CPU usage creep.

Thursday, December 12th 2019

Sensor v4.18.0

  • Support for day-granularity for external log ingestion. Will be enabled in the Web App shortly.

  • Added support for container clusters mode using a privileged container and the host file-system mount. More on this later.

  • Better support for TCPv6 and UDPv6 on Linux.

  • More timely VOLUME_MOUNT notifications.

  • Additional installer logging.

  • Drive type now included in VOLUME_MOUNT on Windows.

Friday, December 6th 2019

Variables in D&R rules

A new capability part of D&R rules has been rolled out to all clusters.

It allows you to track simple state per sensor/boot and use it as part of rules. The documentation above contains an example of rules to detect physical attacks from removable media (rubber ducky attack).

Wednesday, December 4th 2019

Changes to billing for External Logs

Starting today, we will be beginning to transition the way we do billing for External Logs.

TLDR; your bill for External Logs will go down in the short term and will be more granular in the long term.

At the moment, we bill a flat price based on usage at ingestion time that includes a full year of retention. This model has begun to show its limitations as we introduce more data formats to External Logs that are more geared towards forensics (like memory dumps) and are large in nature.

The transition begins with moving the billing to be per bytes-day, adding the concept of retention period to the billing. This means the billing code will change to LC-LOG-BYTES-DAY. The side-effect is that the number of bytes that show up in the billing will become much bigger (365 times bigger), but the associate price will actually be going down to about $1.04 per GB for the one year of retention.

The second phase of the transition will come shortly after where we will introduce the optional number of days of retention requested at ingestion time. This will allow you to, for example, ingest a large memory dump file with a retention of 7 days and you will be billed only for those 7 days.

The new pricing will be of $0.01 per 3.5GB-day and billing will have a granularity of 1 day. Billing will still be performed at ingestion time and be part of your monthly invoice.

Sunday, December 1st 2019

Sensor v4.17.4

  • Fixing event ordering in queue flush when a sensor loses connection.

  • Fixing issue where file IO renaming had an invalid timestamp on sensor.

  • Enhancements to event relationship tracking in sensor.

  • Enhancements to sensor internal security mechanisms.

Sunday, November 24th 2019

Web UI v2.17.0

  • Adding support for downloading very large External Logs (like full memory dumps). Download is triggered asynchronously.

  • Small fixes.

Friday, November 22nd 2019

Python SDK Tweak

The Insight API to access detections and to access events has been extended to support pagination through the use of a "cursor" parameter.

The Python SDK version 2.18.8 now makes use of this feature. To leverage it to its full potential (streaming large numbers of detections/events), the two relevant APIs now return generators and not lists.

In most cases (iterating through the results) this will have no impact whatsoever.

If however you are specifically doing something that expects a list (like len( results ) you will want to unwind the results first: results = list( results ).

For more details see the commit:

The affected functions are: .getHistoricDetections() and .getHistoricEvents().

"log" Stream

This weekend, we will be deploying the new Output "log" stream that will include "ingest" events from file ingested through the External Logs mechanism. This will allow you to get notifications on file ingestion. You may then use the log_id field to retrieve the original or parsed version of the log if you need to.

These events look like:

{ "event": { "original_md5": "56d0caf4127106cfd7c5398a37807180", "original_path": "/var/log/syslog.1", "size": 1469109, "source": "1c00a331-4fc2-43bd-8282-8641e0124cfe" }, "routing": { "event_time": 1574443133000, "event_type": "ingest", "log_id": "0472dfd8-fbce-461c-ae71-c5d28fbdcfe9", "log_type": "txt", "oid": "c82e5c18-d519-4ef5-b4cc-c454a95d31ca" }}

During the weekend we will also be deploying a new higher-reliability Sensor Directory service. This service is responsible for showing you which sensors are online and routing the sensor tasking properly. The update should take a few minutes and during those few minutes sensors may be showing offline and taskings may not get delivered properly.

Thursday, November 21st 2019

Web UI v2.16.0

  • Refactor of the Detections and External Log sections to be paginated and generally better / easier to use. This is an ongoing refactor as we want to make those sections more operational by introducing things like searching, filtering etc.

  • Re-worded the Sensor Download version management section to better reflect that there is a "latest" version track, and a "stable" version track.

  • Added a new Output Stream for deployment events. This allows you to Output these meta-events like the other streams. We will also introduce in the near future a log Stream to get notifications of new External Log files being processed.

  • Added an option to the Yara Service to create new Source from a Yara rule specified literally in the Web UI.

Yara Scanning in External Logs

The "External Logs" already supports D&R rules, but we're now adding a new operator called yara that can only apply to target: log. It allows you to perform Yara scans in the cloud on those files based on Yara Sources from the Yara Service. Being a D&R operator, it also means you can use it as part of more complex rules.

Adjacent to this, the External Logs also now supports a pe type. It's for Portable Executables (Windows). The parsed version of this format extracts a lot of information from the PE headers into JSON, which you can use to build D&R rules for things like specific imports etc.

Saturday, November 16th 2019

Replicant -> Service This is just a friendly update regarding our re-naming of the old Replicant naming system towards Services.You may notice in the next few days / weeks that various APIs and SDKs start referring to Services instead of Replicants.In all cases, we will maintain legacy "aliases" using the term replicant so that existing code / integrations keep working, but we do encourage you to use "service" going forward.You may still see "replicant" in some error messages here and there as the term is still used internally, but we believe the change in name makes their purpose clearer to new users.

Monday, November 11th 2019

Data Fetching This is a high level announcement that touches on multiple systems.Many services in LC require the user to specify a location where LC should go and fetch some data. For example:

  • Lookup Resources / Addons: where the lookup's content can be fetched, like an HTTPS URL.

  • Yara Service: where a Yara signature source can be found, like a Github repo.

We've begun unifying this set of capabilities using what we call Authenticated Resource Locators (ARL): is a simple format that allows you to specify a location, protocol AND authentication method + creds to use to fetch data.This new format will begin popping up in multiple services and will be the standard for the foreseeable future. Since it is a super-set of the previous capabilities, the other formats will begin being deprecated.This brings in some immediate wins:

  • Resources can now be fetched from authenticated locations and APIs.

  • Yara rules can now be fetched from private Github repositories using Access Tokens.

The new ARL method also brings in automated archive expansion. So if you point to tarball or a zip file, the contents will be expanded and used instead of the archive itself.If you encounter any issues, or any scenarios that worked previously but not anymore, let us know. Conversely if you would like some access protocols (FTP for example) or authentication methods to be added to ARLs, it will also be our pleasure.

Lookup Formats In addition to the above change os using ARLs, LC now understands the MISP JSON format. If you create a Lookup pointing to MISP JSON, the format will be parsed and the lookup will associate the MISP IDs as the Attribute metadata.For example the ARL: [https,]In combination with authentication in ARLs, you should be able to fetch MISP feeds directly from your instances using the REST API.LC similarly supports the JSON OTX Pulse format from AlienVault.

Tuesday, November 5th 2019

It seems v4.17.2 fails to load on some Windows systems, likely due to a binary dependency introduced. We are investigating but will revert the Latest version to the previous version in the meantime. The dependency has been fixed and we're rolling it out as v4.17.3.

Monday, November 4th 2019

Sensor v4.17.2

  • Small stability fixes.

Removal of old Add-ons This should not affect anyone. We are removing the old Add-ons called "dr" and "tasking" since they have not been actively used in the backend in a long time. They used to be a control method for those features, but the new RBAC has made them irrelevant.

Wednesday, October 30th 2019

Pricing Adjustment Over the past year and half the set of capabilities LimaCharlie is delivering have increased drastically, but through all this time our pricing has stayed the same.This has changed the value provided by LimaCharlie a lot, and it has also changed our costs. Obviously we want to keep increasing the value LimaCharlie provides, and to be able to do that it means we'll need to adjust our pricing to go along.Our intent is therefore to increase the pricing of the base sensor from $0.5 to $0.7 per endpoint per month. This will ensure we can keep growing the platform, adding features and generally making things better. This new pricing will be in effect starting December 1st 2019.If you have questions, thoughts or concerns please get in touch, we always appreciate the feedback.Thanks for your support.

Tuesday, October 29th 2019

Sensor v4.17.1

  • Additional hardening of the runtime.

  • Fixes a rare race condition on sensor upgrade that could result in sensor not responding for a long time.

  • Fixes to File Tracking to fix some gaps where some file IO could be missed.

  • Better issue reporting to help us troubleshoot issues.Major

  • The NETWORK_SUMMARY event has been replaced with a new event called NETWORK_CONNECTIONS.

  • The new NETWORK_CONNECTIONS has a similar structure to the SUMMARY, but it now reports ALL network connections in a slightly-batched mode. This means you now will get full net flow data from a single event.

  • Before or after upgrading, you will want to go tweak your D&R rules that referred to the SUMMARY event. The new structure is slightly flatter and can be seen here:

Monday, October 28th 2019

Sigma Support

It's official, the LimaCharlie D&R rules target has been merged into mainline Sigma:

A dump of the pre-generated community rules is also available on our /rulesrepo:

Thursday, October 24th 2019

Cutting Edge Feeds being removed.

The Add-ons currently have available two lc-cutting-edge- feeds. As we move forward with more "managed" options for feeds, rules and services on LimaCharlie both internal and through partners, we will be removing those feeds from public access. They will be back in the short future in a managed format (not requiring D&R rules to be built on them).

This will go in effect today. If you are using them, the only impact is that you will see errors in organization about not having access anymore, but nothing else will be impacted.

Wednesday, October 23rd 2019

The Chrome Sensor is now available on the Chrome Web Store:

Tuesday, October 22nd 2019


We will be decommissioning the old HTTP streaming service that has been replaced by shortly.

This method was deprecated mid-September. It was used by the Web App and SDKs. As long as you have reloaded the web app since then and updated the SDK, there should not be any effect. The Web App and SDKs were updated in mid-September and the change was transparent.

Thursday, October 17th 2019

Web UI v2.14.0

We're about to release a Chrome(OS) sensor. You will begin seeing references to it in the web UI. Official announcement will be coming, but will support HTTP request events, DNS events, network isolation etc.

Wednesday, October 7th 2019

Minor update:

We're migrating the D&R rules String Distance operator from using Levenshtein Distance to using Damerau-Levenshtein Distance. This will bring the behavior closer to the usually expected behavior around string distance. The change will be transparent and no rules need updating.

Monday, October 7th 2019

Sensor v4.16.3

  • Performance mode can be managed through Web UI

  • Multiple stability and hardening fixes.

Wednesday, October 2nd 2019

Web UI v2.13.0

  • Many fixes

  • Addition of False Positive Rules (, add them from the D&R page or through quick-add on the Detections page.

  • Adding Performance Mode Rules. Accessible through the Exfil page, set the performance mode automatically without D&R rules.

Friday September 20th 2019

  • Detection & Response Rule Validation: In an effort to help people learn D&R rules more easily, we are introducing a more thorough validation of the rules. Prior to this, we did not warn on unexpected extraneous parameters in a rule.Starting this weekend, we will be deploying better validation. This will NOT apply to existing rule, they will keep running fine. But when trying to push a new rule or an update to an existing one, you may get validation errors if there is an issue.

Web UI v2.12.4

  • Adding support for Microsoft Auth to log in to the web interface (like Google Auth).

  • Various bug fixes.

Sensor v4.16.2

  • Adding support for Yara scanning a directory and its subdirectories.

  • Adding an active keepalive mechanism. This will help make the stateful detections and general "online" presence of sensors more reliable.

Thursday, September 19th 2019

Python SDK v2.18.5

  • === Possibly Important note for compatibility === This patch, to be released later today on pip fixes a bug in the Manager.replicantRequest()call. The isSynchronous behaved inverted. This patch fixes the name of the parameter and its doc. It's not a major change, but if you issue Replicant requests manually in the SDK you may want to verify your use.

Friday, September 13th 2019

Sensor v4.16.1

  • The latest sensor version on Windows did not properly associate the DNS request Process with a ID. This patch version fixes it. It's the only change.

Thursday, September 12th 2019

Deprecation of and Python SDK prior to 2.18.0The old HTTP streaming API will be deprecated within a week or two.

If you are using it directly, you can switch to the new API ( which is very similar but should be more resilient and better performant.If you are using the Python SDK, please update to the latest version, the Spout functionality (relying on the HTTP streaming API) has been moved to the new API ( transparently.

Monday, September 9th 2019


  • Alternate Data Streams (ADS) are now listed inline in thedir_listresults on Windows.

  • Themem_readcommand now supports dumping the memory to a local file. This can be used in combination with thelog_getcommand to support getting large memory dumps. Small memory leak fixed.

Web UI v2.12.0

  • Toggle in User Profile to remove the chat widget.

  • Clicking historical view link from Search page should now highlight the relevant event more reliably.

  • New streaming API is used by web UI and SDKs to get real-time access to sensors. Change is transparent but no longer requires access to high-ports, all is now streamed over a single HTTPS 443 connection.

  • Display pricing information in the Billing page for upcoming usage-based billing of some services.

  • Added Replay rule eval limit parameter (to avoid billing surprises if a Replay job is very expensive).

  • External Logs now display unknown data as a HexDump.

  • External Logs now display logs paginated resulting in much better performance.

  • Added support for Windows Prefetch files to External Logs, they get converted to JSON, so you can visualize and build DR rules on them.

  • Small fixes.

Sunday, September 1st 2019

Sensor v4.15.0

  • New Pipe related events on Windows: NEW_NAMED_PIPE and OPEN_NAMED_PIPE similar to Sysmon events.

  • The log_get and file_get commands can now read files exclusively locked by other processes on Windows (requires kernel presence), like IE History files.

  • Custom Payload support. Upload custom executables to LC and launch them through the agent on a host, get the STDOUT and STDERR back. Uses new payload.use and payload.ctrl permissions.

  • Shell command support. An extension of the Payload support, execute a command through the default shell and get the STDOUT and STDERR back. Uses new payload.use permission.

  • Better crash handling, more likely to report detailed logs for review.

Python SDK v2.17.0

  • Payload management support.

  • Added support for limits on number of event evaluated and rule evaluation.

  • Added a new call to just validate a DR rule without running it.

  • Removed the limacharlie init CLI function to initialize a new organization's config files.

Wednesday, August 28th 2019

Normalized Billing: we now offer to automatically normalize the billing email used for organizations. Any new Organization created on LC by someone from your corporate domain will automatically have the billing email address set to a corporate standard address (often finance dept) of your choosing.If this is something you would like, drop us a line.Also note that Stripe Invoices will now have the Organization Name the Invoice is about in the header.

Monday, August 19th 2019

Web UIv2.10.2

  • Various UI tweaks

  • Added permissions for upcoming payload execution service.

  • Added optional parametersstart=andend=to the Historical view to set hard start and end timestamps to visualize. Useful for edge cases where a single sensor produces a ton of data and it’s too much for a 30m time window.

  • Support for new large log upload feature.

Sunday, August 18 2019


  • Large log upload support. Logs ingested can now be up to 4GB

Python SDKv2.16.2

  • Support for large log uploads.

Tuesday, August 13th 2019

Web UIv2.10.0

  • New support and download links for the Linux Alpine compatible sensor.

  • Large refactor of all Replicants into first-class Services in the Organization page.

  • Large refactor of Incidents (in the Warroom) into more generic Jobs in the Org Dashboard.

  • Enable those Services directly from their panel on top of the Add-ons section.

  • Historical view’s Cascading Event Selector now supports an@element to filter the events on the parent + children tree of a specific atom. Can be combined with the Download button to download all events within a specific process tree.

  • Many small visual tweaks.

  • Added visual indication if a sensor has Kernel data supported in the Sensor List.

Monday, August 12th 2019

*Replicants and Incidents Changes*

This change will occur within the next few days:

After feedback from users, and seeing how much the platform is expanding, we’ve decided to re-factor the way you interface with Replicants. All Replicants (and the Warroom page) have been morphed into proper sections of your Organization’s menu.

We think this will make interaction with various more advanced features of LC more intuitive and will normalize interactions across all those features. Obviously this is a work in progress and we look forward to your feedback.

For example, managing File Integrity Monitoring will no longer require you to go in the Warroom, find the Integrity Replicant, interact with it. Instead there will now be a “File/Reg Integrity” menu in the page Organization view that will bring you directly to those features.

Incidents, which previously appeared as a result of interactions with some Replicants in the Warroom section will also transform. We’ve made them generic and renamed them to Jobs. They will now appear in the Dashboard section of your Organization’s UI.

Although the new Jobs are very similar in content to the old Incidents, they will not be backwards-compatible. This means that as we switch to the new UI, you will lose access to the old Incidents (not Detections) from your Replicants. If you need to keep a copy, we suggest you do so now before the move. Given Replicants and Incidents were generally not heavily used we don’t expect this to have a high impact, but if you have any issues please let us know.*

Wednesday, August 7th 2019


  • Added internal mechanism for performing a backoff, this will be used for more reliable transmission with the cloud.

  • Added internal event to report when sensor drop events (after long disconnection from the cloud)

  • Added a new Linux “architecture”: Alpine. The sensor is available at []( and proper display of this new architecture will be deployed in the upcoming web app version. This sensor architecture will allow you to run the LimaCharlie sensor within Alpine Linux containers. We will have an upcoming blog article on the topic.

Saturday, August 4th 2019

Python SDKv2.16.0

  • Support for new Sensor Quota, Resources, Users and User Permissions API endpoints.

  • Support for the above API endpoints in Sync.

Wednesday, July 31st 2019

Python SDKv2.15.1

  • New—traceoption to the Replay CLI as well support fortrace: truein the Replay REST API. If you specify it, it will return an additionaltracesfield that specify each operation as it was evaluated and the success or failure of the operation. Should help to help you figure out exactly where errors occur when developing a new rule.

Tuesday, July 30th 2019

Python SDKv2.15.0

  • Added support for Exfil Replicant config to the Sync module.

  • Fixed small bugs with Sync including Python 3 compat.

Monday, July 29th 2019

Web UIv2.9.0

  • Enable the new Exfil Replicant. Manages which events are sent to the cloud automatically. This means DR rules doingexfil_addare not necessary anymore. You need to enable this Replicant and interact with it in the Warroom section. This includes a new Watchlist capability that allows you to specify certain event patterns when you want a matching event sent back to the cloud in real-time even if not in the list of “default” events.

  • Many many fixes.

  • New 100% width design for org pages. Should be more usable.

  • Listing domains relevant to an organization in the Sensor Download section. This allows you to know which domain the agent uses to talk to the cloud so you can whitelist it.


  • Adds support for Exfil control via the Replicant (as mentioned above), including the new Watch list.

  • Windows network isolation now correctly terminates existing connections when enabled.

  • Better Windows kernel component unloading resulting in more timely sensor upgrades.

  • Fixes a bug with unicode handling in certain cases on Windows.(edited)

Note: the new exfil watch list currently only supports filtering based on strings, not integers. This support will be added at a later date.

Backend Capability Update:

The new DR rules for Logs are now available. Using the target: login a DR rule, you can now describe detections to be applied to logs as they are ingested. You can read about it here:

Python SDKv2.14.4

  • Small fixes for Python 3

  • Add support for Exfil Replicant

Monday, July 22nd 2019

Web Appv2.8.0

  • Adding Organization Groups, they allow you to control RBAC across several organizations and users through one entity.- Small visual tweaks.

  • Cleaner handling/hiding of some UI elements when required permissions are not present.

Monday, July 5th 2019


  • Windows performance enhancement. Should solve some high CPU/Mem usage on some hosts running software generating very high volumes of thread injections and process creation

Friday, June 21st 2019


  • Further fixes to reliability of OSX kernel acquisition of network connections. If you are runningv4.13.1 it is recommended you update.

Thursday, June 20th 2019


  • Fixes to OSX kernel acquisition of network connections.

Wednesday, June 19th 2019


  • New event on network connection termination.

  • Adding partial read capability tofile_getcommand.

Web UIv2.7.9

  • Small quality of life fixes.

Python SDKv2.13.0

  • Small fix to Sync (Infrastructure as Code)

  • Adding support for Logging and Integrity Replicants in the Sync functionality.

Tuesday, June 18th 2019

Web UIv2.7.8

  • Enhanced Data Visualization interface and General Availability.

  • Support a URL parameter of?session_type=LOCALto enable persistent login of the current session.

  • Small UI tweak

Thursday, June 13th 2019

Web UIv2.7.0

  • Moved live web-based chat to different provider.

  • Various fixes.

  • Better file vs domain detection in organization dashboard search box.

  • New prevalence visualization page, private beta for the moment, will be in General Availability shortly.

Wednesday, June 5th 2019


  • Fix to kernel-sourced events on hosts where time is wrong.

  • Small fix to component unloads.

  • Enhanced kernel component upgrade mechanism.

Thursday, May 30th 2019


  • Required for compatibility with MacOS 10.14.5 and up. Introduces a new config file on disk namedhcp_hbs.

  • Dedupes memory strings on the sensor before reporting to the cloud.

  • Enables FIM on Linux. It has some caveats, see

  • Introduces ground-work for more reliable messaging in upcoming versions.

  • Adds support for setting Installation Key via an environment variable on Linux, this will be rolled out in the public installers shortly.

Friday, May 24th 2019

Web UIv2.6.1

  • Logging Replicant now supports setting up files/directories paths to watch for changes and ingest on change. For example on Linux setting:/var/log/syslog.1to get general syslog content once a day.

  • Many various fixes.

  • The Detections page now loads a dynamic amount of content. 7 days by default, but goes down to 1h if there is too many detections.

Thursday, May 16th 2019

Web UIv2.6.0

  • Adding Replay Replicant. Allows you to run Replay jobs from the UI in a managed way instead of the CLI/SDK.

  • Fixed bug where clicking in Text Area for D&R rules forced-recenter the page.

Monday, May 13th 2019

Web UIv2.5.0

  • Tons of tweaks and small fixes.

  • Introducing User API Keys:

  • Available from the User Profile section (top left menu).

  • Produce a key similarly to the Org API Keys.

  • These keys can be provided to the jwtREST endpoint to get a JWT for the REST API. But instead of providing an oid, you provide the UID in the uid parameter.

  • The JWT produced represents ALL org+permissions accesses you have as a user on LimaCharlie. This means the JWT can be used to issue API calls to multiple organizations. The token mirrors the various User permissions you have across your organizations.

  • This makes this User API Key very powerful. Unless you have specific scenarios where you require it, we recommend you stick to Org API Keys. If you have questions or want to discuss don’t hesitate to get in touch.

  • Enabling External Logs feature in beta. This is recommended to be used with the new Logging Replicant subscription, or using the new Ingestion Keys available in the RESP API section of your organization. More details to come.

  • Usage Overview is not available in the Billing section (at the bottom). It provides some metrics around your usage of LimaCharlie.

Sunday, May 5th 2019


  • Linux sensor now reports detailed version information inos_version.

  • Better atom linkage between some stateful events likeSENSITIVE_PROCESS_ACCESSandREMOTE_PROCESS_HANDLE.

  • Although not enabled yet, this version includes necessary code for upcoming log collection mechanism.

  • MacOS version should now be notarized for upcoming MacOS release.

Sunday, April 3rd 2019

Web UIv2.3.0

  • Various fixes

  • Adding a new “magic search” on the org front page. This search field combines an agent search by SID and hostname with searching for IoCs. It will expand to any new data sets in LC in the future. It’s a quick search for everything.

  • Important overhaul to the UI of various aspects of the Replicants / WarRoom.

Wednesday, March 27th 2019


  • Better reliability in Windows driver deployment.

  • Better propagation of decoration metadata (like file signing status and file hash) through various events.

  • More reliable process reporting in Linux using NetLink sockets.

  • Adding SHA1 and MD5 to CODE_IDENTITY events.

  • Adding relationship atoms to composite events like PROCESS_LIST so the process can be correlated from these events.

Friday, March 22nd 2019

Web UIv2.2.7

  • Adding a way to push updates to Resources through a REST interface.

  • Access the Resource Access Token through the new User Profile section available from the top left menu.

  • Various other enhancements and fixes.

Monday, March 4th 2019

Web UIv2.2.0

  • Tons of tweaks and bug fixes.

  • Adding tags to the sensor list.

  • Historical view will now asynchronously try to resolve missing parent events using a new API. You can expect a???parent node to pop-in with real information within a few seconds of being displayed.

  • Replicants are now widely available. To enable, go to the Addons, “Replicant” tab and subscribe. This will give you access to the “Warroom” section in your organization.

  • Responder Replicant automates the old “sweep” functionality in a more complete way and done from the cloud (not the browser) so you can launch it on a sensor and move on, fire-and-forget.

  • Yara Replicant manages Yara signatures and which sets of signatures should be scanned constantly on which hosts. Also enables an on-demand scan from those signature sets. Automated investigation of hits to come.

  • Integrity Replicant manages FIM rules similarly to the Yara Replicant. Automated investigation of hits to come.

  • Yara and Integrity Replicants require the new sensorv4.9.0to work properly.

Sunday, March 3rd 2019


  • Yara in sensor has been updated. Windows, MacOS and Linux (except ARM build) now also support common Yara modules like “PE”.

  • Yara now defines some common variables like file_path and file_name used by some commonly available Signature sets.

  • Yara and File Integrity Monitoring now support the “update protocol”. This increases efficiency of maintaining up to date signature sets and FIM watch-sets. This feature is required for the upcoming Replicant soft-launch.

  • Parent atoms are now correctly propagated within the process list. This feature is required for the upcoming automated parent finding feature in the Historical view.

  • Windows driver unload sequence has been tweaked to provide better consistant unload/load cycles.

  • Internal IP reported by sensor should now more reliably represent the actual internal IP address of the interface used to reach the internet. This solves cases where a host with VMs could report the IP of the wrong interface.

  • Enabling common support for ARM and ARM64 sensors in all datacenters (installer availability coming very soon).