
Developer Roll Up: January

Christopher Luft, LimaCharlie Co-Founder and Creative Technologist

We have come to the end of the first month of 2024 and have already seen a lot of exciting progress from the team at LimaCharlie.

Upcoming Events

Fast and Scalable DFIR with LimaCharlie
When: February 7 @ 10:00am PT

Join Eric Capuano on February 7, 2024 as he discusses the capabilities of the SecOps Cloud Platform for fast and scalable incident response and digital forensics. These new features let DFIR teams not only get instant visibility into the “right of boom” activities of an ongoing intrusion, but also quickly gather and process historical evidence to understand the root cause and all post-compromise activity that occurred “left of boom.”

Register now.

The Future of Security Operations: An Inside Look at the LimaCharlie SecOps Cloud Platform
When: February 13 @ 10:00am PT

So, you’ve heard of LimaCharlie, but want to know more? Do you want to better understand how you can best utilize the SecOps Cloud Platform for your environment? Join Matt Bromiley, Lead Solutions Engineer, as he breaks down the SCP and provides an in-depth look at how LimaCharlie is redefining security operations.

Register now.

Defender Fridays
When: Every Friday @ 10:30am PT

Join us every Friday as we delve into the dynamic world of information security, exploring its defensive side with seasoned professionals from across the industry. Our aim is simple yet ambitious: to foster a collaborative space where ideas flow freely, experiences are shared, and knowledge expands. This month, we are joined by David Burkett, Haroon Meer, Christopher Crowley, and Markus Schober.

Register for the series.


New Lookups

Lookups are changing, but don't worry, old-style lookups are staying for a long time.

The main change is that lookups are moving from being global entities tied to Users to being in line with the rest of LimaCharlie: each lookup is now an object that lives within an Org. These new lookups are created, updated and accessed via the lookup Hive. Because they live in Orgs, you no longer need to Subscribe to a lookup in order to use it.

Using a lookup works exactly as before (minus the Subscription); the only difference is that you no longer refer to the lookup via lcr://lookup/..., but via hive://lookup/... instead. You can also now use infrastructure as code to manage your lookups across different tenants.
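A D&R rule that consults one of the new Org-scoped lookups, as an added example (not code from the post); the lookup name suspicious-domains and the tag name are assumptions for illustration, and the rule only reports and tags, so it is safe to try on a test Org:

```yaml
# Added example, not from the post. Every DNS_REQUEST event is checked against
# an Org-scoped Hive lookup named "suspicious-domains" (name assumed).
# Under old-style lookups the same rule would have used
#   resource: 'lcr://lookup/suspicious-domains'
# and the Org would first have had to subscribe to that lookup; with Hive
# lookups the subscription step is gone and the reference becomes hive://.
detect:
  event: DNS_REQUEST
  op: lookup
  path: event/DOMAIN_NAME
  resource: 'hive://lookup/suspicious-domains'
respond:
  # Surface a detection so analysts can review the match.
  - action: report
    name: dns-request-in-suspicious-domains-lookup
  # Tag the sensor for an hour so follow-up rules can scope to it.
  - action: add tag
    tag: lookup-hit
    ttl: 3600
```

Because the lookup is managed through the Hive, the same rule can be shipped to every tenant with infrastructure as code without any per-tenant subscription step.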

The new lookups are located under 'Automation' in the web app.

For more information about Config Hive and lookups, check out the technical documentation:

https://docs.limacharlie.io/docs/platform-management-config-hive

https://docs.limacharlie.io/docs/platform-management-config-hive-lookups

Announcing new AWS Ruleset

We are excited to announce the addition of a new extension - a managed set of Detection & Response rules for AWS developed by Soteria. The ruleset is designed for detecting malicious activity in AWS.

To get started, subscribe your tenant to the extension: https://app.limacharlie.io/add-ons/extension-detail/soteria-rules-aws

Then configure the AWS CloudTrail Logs Sensor to start collecting AWS audit logs.

Ability to rename an organization in the web app

LimaCharlie users can now rename their organizations self-serve. To rename an organization, navigate to Billing > Billing and Usage and scroll down to the “Rename Organization” section. Renaming requires the billing.ctrl permission.

Sensor 4.29.0

This is a smaller release but with really good stuff.

  • Contains a beta of the new seal command. More on this later, but this is the first step in introducing tamper resistance in the agent. Currently only available on Windows.

  • We are re-introducing our arm64 build in beta. This new build should have better compatibility than before. It was tested on arm64 machines in GCP, AWS and on a Raspberry Pi. You can download the new build here (links in the web app will show up soon). Let us know how this build works out! (Both the 4.29.0 sensor installer and the 4.29.0 version in the cloud are required for this to work.)

  • Bug fix with network tracking.

Velociraptor Improvements

For the Velociraptor fans, we have some new resources for you:

  • New documentation for the Velociraptor extension

  • The team at LimaCharlie has built an awesome open source POC using LimaCharlie to automate sending triage acquisitions to Plaso/Timesketch using a webhook output. It works like this:

      • Use LC to kick off a KAPE Triage acquisition on an endpoint

      • A D&R rule watches for the collection to be uploaded to LC and fires a webhook to a tailored output

      • Your Timesketch server catches the webhook and uses the REST API to download the collection

      • Plaso begins processing the evidence and populating Timesketch with forensic timeline data

This is a force multiplier for DFIR folks leveraging LimaCharlie in intrusion scenarios where historical data needs deeper analysis.

New tutorial in the docs! Now you can send your Velociraptor hunts to BigQuery for easier analysis of large datasets. It is similar in nature to how Velociraptor Notebooks work, but without requiring any infrastructure.

New extensions - Lookup Manager, Yara Manager, and Zeek

The Lookup Manager extension allows you to create, maintain & automatically refresh lookups in the organization to then reference them in Detection & Response Rules.

The Yara Manager extension allows you to create, maintain & automatically refresh Yara rules in the organization. Yara rules are records stored in config Hive that can be leveraged by other extensions such as BinLib to automate Yara scanning.

The saved Lookup and Yara configurations can be managed across tenants using the Infrastructure as Code extension. To manage lookup and Yara versions across all of your tenants, update the file under the original Authenticated Resource Locator. Once a day, LimaCharlie will then sync all of the tenants that use the configuration.

The Zeek extension, once enabled, will watch for PCAP files being ingested through the Artifact Ingestion system. Individual PCAPs can also be run through Zeek by passing an artifact id to our Manual Run feature. For each PCAP, the Zeek extension runs the Zeek tool on the capture. All the resulting Zeek log files are then ingested as first-class telemetry into a LimaCharlie adapter, where they can be viewed, or Detection & Response rules can be written against them to generate detections or automate responses.

Learn more and get started:

The ability to add lookups in several formats

We have updated the new lookups functionality to allow creating lookups in several formats: YAML, JSON, and newline-delimited text. Once created, lookups are converted into JSON.