Flexible Output

Output your data wherever you want. LimaCharlie has modules supporting Slack, Google Cloud Storage, S3, SFTP, Syslog, SMTP and SCP. Out of the box we provide you with a quickstart script to get a Splunk instance set up to receive data in minutes.

You can have as many Output modules active as you want and adjust the granularity (event, detect and audit levels). This means you can stream to two different syslog destinations using the Syslog Output module and then send the same data to cold storage over an SCP Output module.

Documentation on setting up output connections can be found here.


Create Custom D&R Rules

LimaCharlie has a customizable Detection & Response Rules engine. The Detection component is a scriptable rule system that can be chained with multiple conditions that will match certain events. When the Detection component matches, the Response component is actioned. Responses are actioned in real-time by the sensor, automating your ability to investigate, mitigate or apply tags and more using our easy-to-use serverless functions.

The well-documented Detection and Response engine consumes instructions in the YAML format. Examples of how this engine works, along with documentation, can be found here.


Subscribe to Pre-Made Solutions

Browse the ever-growing collection of detections and enable them with the click of a button. Developers are able to write their own D&R rules and - if they choose - publish them in the LimaCharlie marketplace.

Detect exploits from common document formats, prevent cryptomining in the browser or through applications, detect tampering of file systems, subscribe to malware domain feeds, check for evil maid attacks and many more.


Python API and CLI

LimaCharlie provides a Python command line utility that functions as an abstraction of the API. The utility provides real-time interaction with the sensors and enables advanced hunter capabilities. Send commands to the sensor, isolate the host, request files from the endpoint, trigger a YARA scan and much more.


Visual Digger Console [BETA]

Digger is a standalone web app provided for LimaCharlie.io users which allows them to directly interface with LC data in their own storage space (currently AWS S3) and to interact with LC agents in real-time. It provides a series of workbenches (built on top of the public LC API) designed to explore their data or interact with LC in a user-friendly way.

You can learn how to get started with Digger by downloading the Getting Started manual.


Simple D&R Creation

LimaCharlie is an extremely powerful and customizable tool that was built to be accessible. LimaCharlie has a GUI-based detection and response wizard to help new users get started creating simple D&R rules.

With a few clicks users can create a wide variety of detection and response rules that can be immediately applied to all agents, or a subset of them. Once the rule has been created users can view the YAML to further their understanding, or modify it to create a more complex rule.


Slack Integration

Streamline the way your team responds to threats using LimaCharlie's integration with Slack. Alert level detections can be sent to any Slack channel to notify your team and trigger an investigation where the results can be documented with an audit trail.


REST Automation

LimaCharlie exposes a full-featured and well-documented REST API: from sensor tagging to the creation of Detection & Response rules to sending interactive commands to the sensors. There is no black box with inaccessible magic - you have full control.

LimaCharlie enables automation and integration with other systems and feeds like no other tool can. Use the PULL mode data feed - an HTTPS-based data stream (like Twitter streaming endpoints) - to create real-time integrations.


YARA Scanning

LimaCharlie makes use of YARA file and memory scanning to identify malware. YARA provides a rule-based approach to create descriptions of malware families based on textual or binary patterns.


Cross Platform

LimaCharlie provides lightweight, cross-platform sensors to give you unparalleled endpoint visibility. With near feature parity across all platforms, our sensors have a tiny footprint with low overhead and respond in real-time.

Available for 32-bit Windows, 64-bit Windows, macOS and all flavours of Linux.


VirusTotal

Use LimaCharlie with VirusTotal. Bring your own key and have hashes from your endpoints checked on VT automatically. Make it part of your Detection & Response rules to automate response in real-time. Pool your queries and save money.