LimaCharlie’s data visualization allows analysts to make sense of large amounts of data in a short amount of time. Anomalies are easy to spot and the details can be investigated with just a few clicks.
The visualization can be used to examine up to a year’s worth of telemetry across the entire fleet. With this interface, users can explore the prevalence and timing of domains, IP addresses, files, file paths, hashes and users. Once an anomaly is identified, users can examine a particular endpoint across all data types for a given period of time.
The graphs for a given endpoint can be quite noisy; using the various filtering options, the user can strip the information back and find potential indicators of compromise (IOCs).
Once a search has narrowed the investigation down to a particular point in time, an analyst can click a link and launch the historical telemetry explorer to examine any process attached to the event being investigated. If anything of concern is discovered, the host can immediately be isolated from the network and a search across the rest of the fleet for similar IOCs can be launched.
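The prevalence-and-timing analysis and the pivot to a single endpoint described above, as an added example that is not LimaCharlie’s code: it assumes a simple constructed record format (timestamp, endpoint, indicator type, value) and uses constructed sample events, with the hash value an obvious placeholder.

```python
# Constructed sample telemetry for this example (not a LimaCharlie export):
# (ISO-8601 timestamp, endpoint, indicator type, indicator value).
EVENTS = [
    ("2024-03-01T09:00:00", "ws-01", "domain", "updates.example.com"),
    ("2024-03-01T09:05:00", "ws-02", "domain", "updates.example.com"),
    ("2024-03-01T09:07:00", "ws-03", "domain", "updates.example.com"),
    ("2024-03-01T09:09:00", "ws-04", "domain", "updates.example.com"),
    ("2024-03-01T10:00:00", "ws-01", "file_path", "C:\\Windows\\System32\\svchost.exe"),
    ("2024-03-01T10:00:00", "ws-02", "file_path", "C:\\Windows\\System32\\svchost.exe"),
    ("2024-03-03T08:00:00", "ws-03", "file_path", "C:\\Windows\\System32\\svchost.exe"),
    # One endpoint, off hours, a domain and a binary nothing else in the fleet has seen.
    ("2024-03-02T23:41:00", "ws-04", "domain", "cdn-sync.example.net"),
    ("2024-03-02T23:42:00", "ws-04", "file_path", "C:\\Users\\Public\\svc.exe"),
    ("2024-03-02T23:42:05", "ws-04", "hash", "HASH_PLACEHOLDER_1"),
]


def prevalence(events, indicator_type=None):
    """Fleet-wide prevalence and timing per indicator.

    Returns {(type, value): {"hosts": [...], "first": ts, "last": ts, "events": n}}.
    ISO-8601 timestamps order correctly as strings, so no date parsing is needed.
    """
    stats = {}
    for ts, host, itype, value in events:
        if indicator_type and itype != indicator_type:
            continue
        s = stats.setdefault((itype, value), {"hosts": set(), "first": ts, "last": ts, "events": 0})
        s["hosts"].add(host)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["events"] += 1
    for s in stats.values():
        s["hosts"] = sorted(s["hosts"])
    return stats


def rare_indicators(events, max_hosts=1, indicator_type=None):
    """Indicators seen on at most max_hosts endpoints: the low-prevalence outliers
    an analyst looks at first. Returns [(type, value, host_count, first_seen)]
    ordered by first appearance."""
    rows = [(itype, value, len(s["hosts"]), s["first"])
            for (itype, value), s in prevalence(events, indicator_type).items()
            if len(s["hosts"]) <= max_hosts]
    return sorted(rows, key=lambda r: (r[3], r[0], r[1]))


def host_timeline(events, host, start, end):
    """Pivot from an anomaly to one endpoint: every event of every type for that
    host with start <= timestamp < end, ordered by time."""
    return sorted(e for e in events if e[1] == host and start <= e[0] < end)
```

Running `rare_indicators(EVENTS)` surfaces the three single-host indicators on ws-04, and `host_timeline(EVENTS, "ws-04", "2024-03-02T00:00:00", "2024-03-03T00:00:00")` then shows that endpoint's activity in the window they cluster in.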