LimaCharlie automates common tasks performed by security analysts using Replicants.
Replicants can be thought of as digital automatons: expert driven algorithms which utilize some basic artificial intelligence to perform tasks that would normally be completed by humans.
Each replicant has a particular specialization and can be enabled at the click of a button. More information on the various Replicants currently available can be found here.
Storage & Search Tools
Insight is a scalable storage and search capability that can be enabled on LimaCharlie accounts with a single click. Once enabled, users immediately have access to their historic endpoint telemetry through the investigative tools available in our web interface or API.
Output your data wherever you want. LimaCharlie has modules supporting Slack, Google Cloud Storage, S3, SFTP, Syslog, SMTP and SCP. Out of the box we provide you with a quickstart script to get a Splunk instance set up to receive data in minutes.
You can have as many Output modules active as you want and adjust the granularity (event, detect and audit levels). This means you can stream to two different syslog destinations using the Syslog Output module and then send the same data to cold storage over an SCP Output module.
Documentation on setting up output connections can be found here.
Threat Feeds & Lookups
Subscribe to a number of threat feeds each at the click of a button, or leverage your own using our simple integration model for lookups.
Solutions for IP reputation, IP addresses detected by NIDS sensors in EU countries, associations with crypto mining in the browser, Dyre Botnet, Feodo (Cridex, Bugat) Command & Control, Cisco Talos IP Blacklist, TOR IP addresses, Zeus Command & Control servers, LoJax UEFI Rootkit, ransomware, malware, spyware and more!
Use LimaCharlie with VirusTotal. Bring your own key and have hashes from your endpoints checked on VT automatically. Make it part of your Detection & Response rules to automate response in real time. Pool your queries and save money.
Create Custom D&R Rules
LimaCharlie has a customizable Detection & Response Rules engine. The Detection component is a scriptable rule system in which multiple conditions can be chained together to match certain events. When the Detection component matches, the Response component is actioned. Responses are actioned in real time by the sensor, automating your ability to investigate, mitigate, apply tags and more, using our easy-to-use serverless functions.
The well-documented Detection and Response engine consumes instructions in YAML format. Examples of how this engine works, along with documentation, can be found here.
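As an added illustration, not taken from the LimaCharlie documentation, the rule below shows the detect/respond structure described above: a chain of conditions on a process-creation event, followed by the responses the sensor actions when it matches. The event name, field paths, operators and action names are assumptions about the engine's vocabulary, and the executable name and host name are constructed sample values.

```yaml
# Added example of a Detection & Response rule in YAML (not from the product docs).
# Event name, paths, operators and actions are assumptions about the engine;
# the executable and the excluded host name are constructed sample values.
detect:
  event: NEW_PROCESS              # evaluate only process-creation events
  op: and                         # chain conditions; all must hold to match
  rules:
    - op: ends with               # the launched binary is the remote-admin tool
      path: event/FILE_PATH
      value: \psexec.exe
      case sensitive: false
    - op: is                      # tuning: ignore the sanctioned admin jump host
      path: routing/hostname
      value: admin-jumphost-01
      not: true
respond:
  - action: report                # raise a detection visible in the UI / outputs
    name: remote-admin-tool-psexec
  - action: add tag               # mark the endpoint for follow-up; tag expires
    tag: investigate
    ttl: 86400                    # seconds (24 hours)
  - action: task                  # ask the sensor for recent events as context
    command: history_dump
```

The same rule could be replaced by a broader one (for example, matching on a process hash from a threat feed rather than a file name) without changing the detect/respond layout.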
Simple D&R Creation
LimaCharlie is an extremely powerful and customizable tool that was built to be accessible. LimaCharlie has a GUI-based detection and response wizard to help new users get started creating simple D&R rules.
With a few clicks users can create a wide variety of detection and response rules that can be immediately applied to all agents, or to a subset of them. Once the rule has been created, users can view the YAML to further their understanding, or modify it to create a more complex rule.
Watch this video to see how easy complex detection and response rules are to make.
Subscribe to Pre-Made Solutions
Browse the ever-growing collection of detections and enable them with the click of a button. Developers are able to write their own D&R rules and - if they choose - publish them in the LimaCharlie marketplace.
Detect exploits from common document formats, prevent cryptomining in the browser or through applications, detect tampering of file systems, subscribe to malware domain feeds, check for evil maid attacks and many more.
Python API and CLI
LimaCharlie provides a Python command line utility that functions as an abstraction of the API. The utility provides real-time interaction with the sensors and enables advanced hunter capabilities. Send commands to the sensor, isolate the host, request files from the endpoint, trigger a YARA scan and much more.
Streamline the way your team responds to threats using LimaCharlie's integration with Slack. Alert level detections can be sent to any Slack channel. Notify your team and trigger an investigation where the results can be documented with an audit trail.
LimaCharlie exposes a full-featured and well documented REST API: from sensor tagging to the creation of Detection & Response rules to sending interactive commands to the sensors. There is no black-box with inaccessible magic - you have full control.
LimaCharlie enables automation and integration with other systems and feeds like no other tool can. Use the PULL mode data feed, an HTTPS-based data stream (like Twitter streaming endpoints), to create real-time integrations.
LimaCharlie makes use of YARA file and memory scanning to identify malware. YARA provides a rule-based approach to create descriptions of malware families based on textual or binary patterns.
LimaCharlie provides lightweight, cross-platform sensors to give you unparalleled endpoint visibility. With near feature parity across all platforms, our sensors have a tiny footprint with low overhead and respond in real time.
Available for 32-bit Windows, 64-bit Windows, macOS and all flavours of Linux (Solaris & OpenBSD on request). Production builds are available for Linux and Windows on 32- and 64-bit ARM. Experimental builds exist for Android and MIPS.
Dark Theme + White Label
LimaCharlie employs a template-based approach to the front-end which enables easy theme switching and deep white labelling. Customers operating at a certain scale can opt for a completely self-branded user interface. The branded user interface combined with advanced role-based access control (RBAC) makes for a powerful offering.
Historical Threat Hunting
LimaCharlie allows you to perform retroactive threat hunting on up to a year’s worth of telemetry data.
This ability to retroactively apply Detection & Response (D&R) rules to the LimaCharlie telemetry is very powerful and, through the use of the API, can be used to build Continuous Integration (CI) / Continuous Delivery (CD) into detection systems, for example by replaying a proposed rule over historical data to check its hit rate before deploying it to the fleet.
The user interface allows an analyst to select a date range and search an endpoint’s history, or scan across the history of the entire fleet, for indicators of compromise (IOC) on demand. Almost any detection that can be written can be applied retroactively against historical telemetry.