Threat Hunting Across Historical Telemetry


Recently we announced a new capability that allows MSSPs to perform retroactive hunting on up to a year’s worth of telemetry data. This ability to retroactively apply Detection & Response (D&R) rules to the LimaCharlie telemetry is very powerful and through the use of the API can be used to build Continuous Delivery (CD) / Continuous Integration (CI) into detection systems.

Previously only available through the API, we are now offering this capability through our Replicant platform. Replicants can be thought of as digital automatons: expert driven algorithms which perform tasks normally carried out by humans. Each Replicant has a particular specialization and can be enabled at the click of a button.


The Replay Replicant allows an analyst to select a date range and search an endpoint’s history, or scan across the history of the entire fleet, for indicators of compromise (IOC). Almost any detection that can be written can be applied retroactively against historical telemetry.

Imagine waking up one morning with the details being reported of a new threat actor targeting your industry. You have details on how this new threat can be detected, but how do you know if you have seen it inside your network during the last year? Using LimaCharlie’s Replay Replicant you can retroactively scan all of the historical telemetry across your entire fleet in just a few minutes with a couple of clicks.

The user interface for the Replay Replicant is simple. It requires that a user select a date range for the scan, D&R rule to use and finally an endpoint or set of endpoints to scan. Once this data has been provided the user initiates the process and the results are displayed in an incident card.


And that in a nutshell is the new Replay Replicant. You can read the doc for the Replay API here.

We are pretty excited about the direction we are taking with the Replicant platform and see it as an important building block in our quest to build the world’s best system of information security infrastructure on demand.

If you have any questions or ideas for new features we would love to talk. You can get a hold of us on Twitter, join our community slack group or contact us directly.

Happy hunting!


Christopher Luft

My name is Christopher Luft and I am an artist turned computer scientist turned something else.