Support for Containers and VM's


Whether you are a fan of containers or virtual machines (or both) LimaCharlie has got you covered. The LimaCharlie sensor can now be installed in template-based environments.

The installation methodology is that same as a regular install but you need to be careful to stage the sensor properly in your templates. 

The most common mistake is to install the sensor directly in the template, and then instantiate the rest of the infrastructure from this template. This will result in "cloned sensors", sensors running using the same Sensor ID (SID) on different hosts/VMs/Containers.

If these occur, a sensor_clone event will be generated as well as an error in your dashboard. If this happens you have two choices:

  1. Fix the installation process and re-deploy.

  2. Run a de-duplication process with a Detection & Response rule like this.

Preparing sensors to run properly from templates can be done in one of two ways:

  1. Run the installer on the template, shut down the service and delete the "identity files".

  2. Script the sensor installation process in the templating process.

For solution 1, the identity files you will want to remove are:

  • Windows: %windir%\system32\hcp*

  • Linux: depending on the install location of the sensor, the hcp* files like /usr/local/hcp*.

  • MacOS: /usr/local/hcp*

For solution 2, you can start a simple shell script like this to fetch the installer and run it on first boot:

Screen Shot 2019-10-03 at 10.27.57 AM.png

Full instructions can be found in the doc here: Containers and Virtual Machines

If you have any questions, or would like to book a demo, please contact us.


Welcome to Barcelona!


LimaCharlie is adding new capabilities at a rapid pace. Our vision of Security Infrastructure as a Service continues to evolve, as well as our global footprint.

A team of security researchers has recently set up a branch in Barcelona, Spain.  Refraction Point EMEA is working on an innovative form of threat intelligence that will ultimately be delivered as a service through the LimaCharlie platform.

This new approach for gauging evolving threats is a form of decision intelligence. It promises to help defenders make assessments faster and easier than ever before.

Our European counterparts have a big challenge ahead of them but their progress so far is impressive and we are excited to see this product roll into production. We are also excited to come up with a reason to go visit the new office.




Today we are happy to announce support for one of our most requested features, that has been made possible by our implementation of advanced role-based access control (RBAC), Payloads.

Payloads are executables that can be delivered and executed through LimaCharlie's sensor (or agent). Payloads can be any executable. The main use case is to run something with specific functionality not available in the LimaCharlie offering. This feature can be used to run custom executables provided by another vendor to cleanup a machine, forensic utilities or firmware-related utilities, etc. The usefulness of this feature in a time-critical incident response cannot be understated. We encourage our users to use native functionality first as it comes with all the benefits of being tightly integrated into the platform, but if you need this powerful capability it is there.

In order to place tight controls over who can deploy and run payloads we have added specific permissions.

Payloads are managed with two permissions:

  • payload.ctrl: allows you to create and delete payloads.

  • payload.use: allows you to run a given payload.

Payloads are uploaded to the LimaCharlie platform and given a name. The task can then be used to run the payload with optional arguments.

The STDOUT and STDERR data will be returned in a related RECEIPT event, up to ~10 MB. If your payload generates more data, we recommend to pipe the data to a file on disk and use the log_get command to retrieve it.

A detailed explanation of how this new capability works can be found in the documentation here.

If you have any questions or want to request a new feature please do not hesitate to contact us.

And please remember, with great power comes great responsibility.



Introducing Code Labs


In the interest of helping users get up to speed with the more advanced capabilities of the LimaCharlie infrastructure, along with our online course, we are now producing code labs.

Code labs are guided exercises that walk the user through the process of implementing a solution using components of LimaCharlie. During the process each step is explained in detail which should leave the user with a "hands-on" understanding of the underlying technology.

For our first code lab we have chosen to explore the implementation of a Detection & Response (DR) rule to detect the MITRE ATT&CK framework Control Panel Items execution. DR rules are similar to Google Cloud Functions or AWS Lambda. They enable you to push DR logic to the LimaCharlie cloud where it will be applied in real-time to the data produced by the sensors (or agents). DR rules can also be applied to historical telemetry and external logs. For this lab we focus on the simple case where rules are applied to sensor events in real-time.

We believe this new format will go a long way in helping LimaCharlie users get the most out of our Security Infrastructure as a Service.

The code lab can be viewed here.


If you have an idea for our next topic please let us know. Happy hunting!


Fail Forward Fast


About five months ago the team at LimaCharlie launched a framework for automation that was built around the idea of Replicants. A Replicant was to be a digital automaton: a platform for building algorithms that could be configured by the user to automate away some of the drudgery.

The platform worked exceedingly well in that it allowed us to build out a wide variety of capabilities quickly. The Replicants were able to perform complex tasks on-demand for a single endpoint or continuously across the entire fleet.

The problem with the Replicants, as we came to understand it, was with the mental model. The concept worked great for us as developers building out the capabilities but it did not fit when thinking about it from the perspective of a user. The interface was awkward and having the Replicants grouped together did not make a lot of sense.

After spending some time thinking about it we came to the conclusion that users did not care about the Replicants but rather what they could do for them. Replicants use their individual abilities to do jobs and provide said abilities as a service. And so we refactored the technology to provide users with a set of services that can perform jobs at the user’s request.

We still use the Replicant platform on the backend to build out our services but now deliver the services that they offer using a familiar pattern.

Services are provided through the main navigation menu and with them you can automate YARA scanning, run detection and response rules against historical data, perform file integrity monitoring, automate incident response tasks and adjust your telemetry verbosity with more to come.

The process of arriving at this new delivery model has been an interesting one and exemplifies the benefits of being an early stage company adhering to an agile development philosophy.  Instinct often drives us towards the core of a problem and through an iterative process the solution can be honed.



Detection & Response Across Log Files


LimaCharlie’s Detection & Response (D&R) rules provide unmatched capabilities to customize specific behaviors and automate the response when detected. Up until now this feature was limited to data coming from endpoints. We recently introduced the ability to automatically fetch and ingest external logs onto LimaCharlie and knew right away we had to extend the D&R rules to those logs.

LimaCharlie has introduced the concept of D&R targets and you can now create D&R rules that specifically target different log types ingested. This means that, for example, you can create your own regular expressions that if matching a log line from your web proxy logs, generates a Detection. The possibilities are limitless.

The rules apply to any logs ingested, from the unstructured text logs to the raw Windows Event Logs and PCAP.

Information on log ingestion can be found in the documentation here, and information on log specific DR rules can be found here.

This concept of D&R targets opens up a whole new realm of possibilities and we are excited to explore new ways in which it can be applied. If you have any questions or would like a demo of our Security Infrastructure as a Service please do not hesitate to contact us.

D&R Targets

What is in a namespace?


LimaCharlie has introduced the concept of namespaces to our Detection and Response (DR) rules. What this means is that MSSPs can create proprietary rules which can be applied to customer organizations without letting those customers see the source for the given DR rules. This allows managed security providers to protect their intellectual property and leverage their expertise while taking advantage of the web application’s advanced role-based access control.

By default all DR rules are created in the general namespace which means you don’t have to worry about namespace related unless you want to make use of the feature. However, if you plan on having multiple groups of people accessing DR rules and want to maintain some segmentation, then namespaces are for you. 

To learn more about how to implement D&R rules inside of a managed namespace you can read the documentation.

The introduction of namespaces is another step towards creating the best Security Infrastructure as a Service in existence. You can get started using the LimaCharlie free tier - no credit card required - by signing up on the website:


Growing With LimaCharlie


As our customers grow with us we have continued to listen to them and have added a new feature to help manage multiple analysts across multiple organizations. Today we are introducing a top-level user management scheme that allows for the creation of user groups with defined permissions across organizations.

You heard that right, now you can create groups of analysts with permissions that span multiple organizations which should drastically reduce the administration required and allow for fine grained access control.

Organization Groups

The new feature can be found at the top of the root dashboard. In the upper right corner you will see a new ‘Create Group’ button. Clicking on this will prompt you to name the new group.

Once you name the group you will see it show up in the list of groups. From here you can click on it, select the organizations, set permissions and add users. Users can be a mix of owners and members of various groups that have access to a variety of organizations with different permission levels - the possibilities are endless.


The team at is committed to making the best tools out there for MSSPs and other security providers to run their operations. If you have an idea for a feature or would like a demonstration of how our Security Infrastructure as a Service can be used to enhance your pipeline please don’t hesitate to contact us.