Wednesday, October 2nd
Added False Positive Rules (http://doc.limacharlie.io/en/master/dr/#false-positive-rules); add them from the D&R page or through quick-add on the Detections page.
Added Performance Mode Rules. Accessible through the Exfil page, they set performance mode automatically without requiring D&R rules.
Friday, September 20th
Detection & Response Rule Validation: to help people learn D&R rules more easily, we are introducing more thorough validation of rules. Prior to this, we did not warn on unexpected extraneous parameters in a rule. Starting this weekend, we will be deploying better validation. This will NOT apply to existing rules; they will keep running fine. But when pushing a new rule or an update to an existing one, you may get validation errors if there is an issue.
Adding support for Microsoft Auth to log in to the web interface (like Google Auth).
Various bug fixes.
Adding support for Yara scanning a directory and its subdirectories.
Adding an active keepalive mechanism. This will help make the stateful detections and general "online" presence of sensors more reliable.
Thursday, September 19th
=== Possibly Important note for compatibility ===
This patch, to be released later today on pip, fixes a bug in the Manager.replicantRequest() call: the isSynchronous parameter behaved inverted. This patch fixes the name of the parameter and its doc. It's not a major change, but if you issue Replicant requests manually through the SDK you may want to verify your use.
Friday, September 13th
The latest Windows sensor version did not properly associate the DNS request with a process ID. This patch version fixes it; it is the only change.
Thursday, September 12th
Deprecation notice for output.limacharlie.io and Python SDK versions prior to 2.18.0: the old HTTP streaming API will be deprecated within a week or two.
If you are using it directly, you can switch to the new API (https://doc.limacharlie.io/en/master/outputs/#http-streaming), which is very similar but should be more resilient and better performing. If you are using the Python SDK, please update to the latest version; the Spout functionality (which relied on the HTTP streaming API) has been moved to the new API.
Monday, September 9th
Alternate Data Streams (ADS) are now listed inline in the dir_list results on Windows.
The mem_read command now supports dumping the memory to a local file. This can be used in combination with the log_get command to retrieve large memory dumps.
Small memory leak fixed.
Toggle in User Profile to remove the chat widget.
Clicking historical view link from Search page should now highlight the relevant event more reliably.
New streaming API is used by the web UI and SDKs to get real-time access to sensors. The change is transparent but no longer requires access to high ports; everything is now streamed over a single HTTPS (443) connection.
Display pricing information in the Billing page for upcoming usage-based billing of some services.
Added Replay rule eval limit parameter (to avoid billing surprises if a Replay job is very expensive).
External Logs now display unknown data as a hex dump.
External Logs are now displayed paginated, resulting in much better performance.
Added support for Windows Prefetch files to External Logs; they get converted to JSON, so you can visualize them and build D&R rules on them.
Sunday, September 1st
New Pipe related events on Windows:
OPEN_NAMED_PIPE, similar to Sysmon events.
The file_get command can now read files exclusively locked by other processes on Windows (requires kernel presence), like IE History files.
Custom Payload support. Upload custom executables to LC and launch them through the agent on a host, get the STDOUT and STDERR back. Uses new
Shell command support. An extension of the Payload support, execute a command through the default shell and get the STDOUT and STDERR back. Uses new
Better crash handling, more likely to report detailed logs for review.
Payload management support.
Added support for limits on the number of events evaluated and rule evaluations.
Added a new call to just validate a D&R rule without running it.
New limacharlie init CLI function to initialize a new organization's config files.
Wednesday, August 28th
Normalized Billing: we now offer to automatically normalize the billing email used for organizations.
Any new Organization created on LC by someone from your corporate domain will automatically have the billing email address set to a corporate standard address (often the finance dept) of your choosing. If this is something you would like, drop us a line. Also note that Stripe Invoices will now have the Organization Name the Invoice is about in the header.
Monday, August 19th
Various UI tweaks
Added permissions for upcoming payload execution service.
Added optional parameters start= and end= to the Historical view to set hard start and end timestamps to visualize. Useful for edge cases where a single sensor produces a ton of data and it’s too much for a 30m time window.
Support for new large log upload feature.
Sunday, August 18th
Large log upload support. Logs ingested can now be up to 4 GB.
Support for large log uploads.
Tuesday, August 13th
New support and download links for the Linux Alpine compatible sensor.
Large refactor of all Replicants into first-class Services in the Organization page.
Large refactor of Incidents (in the Warroom) into more generic Jobs in the Org Dashboard.
Enable those Services directly from their panel on top of the Add-ons section.
Historical view’s Cascading Event Selector now supports an @ element to filter the events on the parent + children tree of a specific atom. Can be combined with the Download button to download all events within a specific process tree.
Many small visual tweaks.
Added visual indication if a sensor has Kernel data supported in the Sensor List.
Monday, August 12th
*Replicants and Incidents Changes*
This change will occur within the next few days:
After feedback from users, and seeing how much the platform is expanding, we’ve decided to re-factor the way you interface with Replicants. All Replicants (and the Warroom page) have been morphed into proper sections of your Organization’s menu.
We think this will make interaction with various more advanced features of LC more intuitive and will normalize interactions across all those features. Obviously this is a work in progress and we look forward to your feedback.
For example, managing File Integrity Monitoring will no longer require you to go into the Warroom, find the Integrity Replicant and interact with it. Instead there will now be a “File/Reg Integrity” menu in the Organization page that will bring you directly to those features.
Incidents, which previously appeared as a result of interactions with some Replicants in the Warroom section will also transform. We’ve made them generic and renamed them to Jobs. They will now appear in the Dashboard section of your Organization’s UI.
Although the new Jobs are very similar in content to the old Incidents, they will not be backwards-compatible. This means that as we switch to the new UI, you will lose access to the old Incidents (not Detections) from your Replicants. If you need to keep a copy, we suggest you do so now before the move. Given Replicants and Incidents were generally not heavily used we don’t expect this to have a high impact, but if you have any issues please let us know.
Wednesday, August 7th
Added an internal backoff mechanism; this will be used for more reliable transmission with the cloud.
Added an internal event to report when a sensor drops events (after a long disconnection from the cloud).
Added a new Linux “architecture”: Alpine. The sensor is available at [https://app.limacharlie.io/get/linux/alpine64](https://app.limacharlie.io/get/linux/alpine64) and proper display of this new architecture will be deployed in the upcoming web app version. This sensor architecture will allow you to run the LimaCharlie sensor within Alpine Linux containers. We will have an upcoming blog article on the topic.
Saturday, August 4th
Support for new Sensor Quota, Resources, Users and User Permissions API endpoints.
Support for the above API endpoints in Sync.
Wednesday, July 31st
New --trace option for the Replay CLI, as well as support for trace: true in the Replay REST API. If you specify it, the result includes an additional traces field listing each operation as it was evaluated and whether it succeeded or failed. This should help you figure out exactly where errors occur when developing a new rule.
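As an added illustration of the two behaviours the changelog describes, the stricter rule validation (September 20th, and the validate-only call of September 1st) and the per-operation trace (above), here is a toy D&R rule validator and tracing evaluator. This is example code written for this page, not LimaCharlie's own validator or Replay engine: the operator set, the accepted parameter names, the event layout (routing/event_type plus an event body) and the sample rules and events are all constructed assumptions chosen to approximate D&R syntax.

```python
# Added example (not LimaCharlie's validator or Replay engine): a toy D&R rule
# validator that reports unknown parameters instead of ignoring them, plus an
# evaluator that returns a trace of every operation evaluated, as the REST
# API's `traces` field does. Operator/parameter names are an approximation
# of D&R syntax (assumption), not the platform's real schema.
import re

COMMON = {"event", "path", "value", "case sensitive", "not", "target"}
ALLOWED_PARAMS = {                      # parameters each op accepts (toy schema)
    "and": {"rules"},
    "or": {"rules"},
    "is": COMMON,
    "contains": COMMON,
    "starts with": COMMON,
    "ends with": COMMON,
    "matches": (COMMON - {"value"}) | {"re"},
    "exists": COMMON - {"value"},
}


def validate_rule(rule):
    """Return a list of error strings; an empty list means the rule is well formed.
    Extraneous keys are reported rather than silently ignored."""
    errors = [f"unknown top-level key '{k}'" for k in rule if k not in {"detect", "respond"}]
    if "detect" not in rule or "respond" not in rule:
        return errors + ["rule needs both 'detect' and 'respond'"]
    if not isinstance(rule["respond"], list):
        errors.append("'respond' must be a list of actions")
    return errors + _validate_node(rule["detect"], "detect")


def _validate_node(node, where):
    op = node.get("op")
    if op not in ALLOWED_PARAMS:
        return [f"{where}: unknown op '{op}'"]
    errors = [f"{where}: parameter '{k}' is not valid for op '{op}'"
              for k in node if k != "op" and k not in ALLOWED_PARAMS[op]]
    if op in ("and", "or"):
        for i, sub in enumerate(node.get("rules", [])):
            errors += _validate_node(sub, f"{where}/rules[{i}]")
    elif "path" not in node:
        errors.append(f"{where}: op '{op}' requires 'path'")
    return errors


def _lookup(obj, path):
    """Walk a slash-separated path such as 'event/FILE_PATH' through nested dicts."""
    for part in path.split("/"):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def evaluate(rule, event):
    """Evaluate rule['detect'] against one event. Returns (matched, traces), where
    traces lists every operation in evaluation order with its outcome."""
    traces = []
    return _eval_node(rule["detect"], event, traces, "detect"), traces


def _eval_node(node, event, traces, where):
    op = node["op"]
    if op in ("and", "or"):
        results = [_eval_node(s, event, traces, f"{where}/rules[{i}]")
                   for i, s in enumerate(node["rules"])]
        result = all(results) if op == "and" else any(results)
    elif "event" in node and _lookup(event, "routing/event_type") != node["event"]:
        result = False                   # op is scoped to another event type
    else:
        result = _apply(op, node, _lookup(event, node["path"]))
    if node.get("not"):
        result = not result
    traces.append({"where": where, "op": op, "result": result})
    return result


def _apply(op, node, val):
    if op == "exists":
        return val is not None
    if val is None:
        return False
    s = str(val)
    if op == "matches":
        flags = 0 if node.get("case sensitive", True) else re.IGNORECASE
        return re.search(node["re"], s, flags) is not None
    ref = str(node.get("value", ""))
    if not node.get("case sensitive", True):   # toy default: case sensitive
        s, ref = s.lower(), ref.lower()
    return {"is": s == ref, "contains": ref in s,
            "starts with": s.startswith(ref), "ends with": s.endswith(ref)}[op]


# Constructed samples: a rule with a misspelled parameter, a well-formed rule, two events.
BAD_RULE = {"detect": {"op": "ends with", "event": "NEW_PROCESS", "path": "event/FILE_PATH",
                       "valeu": "\\mimikatz.exe"},
            "respond": [{"action": "report", "name": "mimikatz"}]}
GOOD_RULE = {"detect": {"op": "and", "rules": [
                 {"op": "ends with", "event": "NEW_PROCESS", "path": "event/FILE_PATH",
                  "value": "\\mimikatz.exe", "case sensitive": False},
                 {"op": "contains", "event": "NEW_PROCESS", "path": "event/COMMAND_LINE",
                  "value": "sekurlsa", "case sensitive": False}]},
             "respond": [{"action": "report", "name": "mimikatz-sekurlsa"}]}
HIT = {"routing": {"event_type": "NEW_PROCESS"},
       "event": {"FILE_PATH": "C:\\Tools\\Mimikatz.exe",
                 "COMMAND_LINE": "Mimikatz.exe privilege::debug sekurlsa::logonpasswords"}}
MISS = {"routing": {"event_type": "NEW_PROCESS"},
        "event": {"FILE_PATH": "C:\\Windows\\notepad.exe", "COMMAND_LINE": "notepad.exe"}}

if __name__ == "__main__":
    print(validate_rule(BAD_RULE))              # the typo is reported, not ignored
    for ev in (HIT, MISS):
        print(evaluate(GOOD_RULE, ev))          # trace shows which op broke the match
```

The point of the trace is visible on the MISS event: rather than a bare false, you get one entry per operation and can see that the `ends with` leaf failed before the enclosing `and` did, which is exactly the information needed when a new rule does not fire as expected.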
Tuesday, July 30th
Added support for Exfil Replicant config to the Sync module.
Fixed small bugs with Sync including Python 3 compat.
Monday, July 29th
Enable the new Exfil Replicant. It manages which events are sent to the cloud automatically. This means D&R rules doing exfil_add are not necessary anymore. You need to enable this Replicant and interact with it in the Warroom section. This includes a new Watchlist capability that allows you to specify certain event patterns when you want a matching event sent back to the cloud in real-time even if it is not in the list of “default” events.
Many many fixes.
New 100% width design for org pages. Should be more usable.
Listing domains relevant to an organization in the Sensor Download section. This lets you know which domain the agent uses to talk to the cloud so you can allow it through your egress filtering.
Adds support for Exfil control via the Replicant (as mentioned above), including the new Watch list.
Windows network isolation now correctly terminates existing connections when enabled.
Better Windows kernel component unloading resulting in more timely sensor upgrades.
Fixes a bug with unicode handling in certain cases on Windows.
Note: the new exfil watch list currently only supports filtering based on strings, not integers. This support will be added at a later date.
Backend Capability Update:
The new D&R rules for Logs are now available. Using target: log in a D&R rule, you can now describe detections to be applied to logs as they are ingested. You can read about it here: https://doc.limacharlie.io/en/master/dr/#targets
Small fixes for Python 3
Add support for Exfil Replicant
Monday, July 22nd
Adding Organization Groups; they allow you to control RBAC across several organizations and users through one entity.
Small visual tweaks.
Cleaner handling/hiding of some UI elements when required permissions are not present.
Monday, July 5th
Windows performance enhancement. Should solve high CPU/memory usage on some hosts running software that generates very high volumes of thread injections and process creations.
Friday, June 21st
Further fixes to the reliability of OSX kernel acquisition of network connections. If you are running v4.13.1 it is recommended you update.
Thursday, June 20th
Fixes to OSX kernel acquisition of network connections.
Wednesday, June 19th
New event on network connection termination.
Adding partial read capability to the file_get command.
Small quality of life fixes.
Small fix to Sync (Infrastructure as Code)
Adding support for Logging and Integrity Replicants in the Sync functionality.
Tuesday, June 18th
Enhanced Data Visualization interface and General Availability.
Support a URL parameter of ?session_type=LOCAL to enable persistent login of the current session.
Small UI tweak
Thursday, June 13th
Moved live web-based chat to different provider.
Better file vs domain detection in organization dashboard search box.
New prevalence visualization page, private beta for the moment, will be in General Availability shortly.
Wednesday, June 5th
Fix to kernel-sourced events on hosts where time is wrong.
Small fix to component unloads.
Enhanced kernel component upgrade mechanism.
Thursday, May 30th
Required for compatibility with MacOS 10.14.5 and up. Introduces a new config file on disk named hcp_hbs.
Dedupes memory strings on the sensor before reporting to the cloud.
Enables FIM on Linux. It has some caveats, see http://doc.limacharlie.io/en/develop/replicants/#linux
Introduces ground-work for more reliable messaging in upcoming versions.
Adds support for setting Installation Key via an environment variable on Linux, this will be rolled out in the public installers shortly.
Friday, May 24th
Logging Replicant now supports setting up file/directory paths to watch for changes and ingest on change. For example, on Linux, setting /var/log/syslog.1 gets you general syslog content once a day.
Many various fixes.
The Detections page now loads a dynamic amount of content: 7 days by default, but down to 1h if there are too many detections.
Thursday, May 16th
Adding Replay Replicant. Allows you to run Replay jobs from the UI in a managed way instead of the CLI/SDK.
Fixed bug where clicking in Text Area for D&R rules forced-recenter the page.
Monday, May 13th
Tons of tweaks and small fixes.
Introducing User API Keys:
Available from the User Profile section (top left menu).
Produce a key similarly to the Org API Keys.
These keys can be provided to the jwt REST endpoint to get a JWT for the REST API. But instead of providing an oid, you provide the UID in the uid parameter.
The JWT produced represents ALL org+permissions accesses you have as a user on LimaCharlie. This means the JWT can be used to issue API calls to multiple organizations. The token mirrors the various User permissions you have across your organizations.
This makes this User API Key very powerful. Unless you have specific scenarios where you require it, we recommend you stick to Org API Keys. If you have questions or want to discuss don’t hesitate to get in touch.
Enabling External Logs feature in beta. This is recommended to be used with the new Logging Replicant subscription, or using the new Ingestion Keys available in the REST API section of your organization. More details to come.
Usage Overview is now available in the Billing section (at the bottom). It provides some metrics around your usage of LimaCharlie.
Sunday, May 5th
Linux sensor now reports detailed version information in os_version.
Better atom linkage between some stateful events like SENSITIVE_PROCESS_ACCESS and REMOTE_PROCESS_HANDLE.
Although not enabled yet, this version includes necessary code for upcoming log collection mechanism.
MacOS version should now be notarized for upcoming MacOS release.
Sunday, April 3rd
Adding a new “magic search” on the org front page. This search field combines an agent search by SID and hostname with searching for IoCs. It will expand to any new data sets in LC in the future. It’s a quick search for everything.
Important overhaul to the UI of various aspects of the Replicants / WarRoom.
Wednesday, March 27th
Better reliability in Windows driver deployment.
Better propagation of decoration metadata (like file signing status and file hash) through various events.
More reliable process reporting in Linux using NetLink sockets.
Adding SHA1 and MD5 to CODE_IDENTITY events.
Adding relationship atoms to composite events like PROCESS_LIST so the process can be correlated from these events.
Friday, March 22nd
Adding a way to push updates to Resources through a REST interface.
Access the Resource Access Token through the new User Profile section available from the top left menu.
Various other enhancements and fixes.
Monday, March 4th
Tons of tweaks and bug fixes.
Adding tags to the sensor list.
Historical view will now asynchronously try to resolve missing parent events using a new API. You can expect a ??? parent node to pop in with real information within a few seconds of being displayed.
Replicants are now widely available. To enable, go to the Addons, “Replicant” tab and subscribe. This will give you access to the “Warroom” section in your organization.
Responder Replicant automates the old “sweep” functionality in a more complete way and done from the cloud (not the browser) so you can launch it on a sensor and move on, fire-and-forget.
Yara Replicant manages Yara signatures and which sets of signatures should be scanned constantly on which hosts. Also enables an on-demand scan from those signature sets. Automated investigation of hits to come.
Integrity Replicant manages FIM rules similarly to the Yara Replicant. Automated investigation of hits to come.
Yara and Integrity Replicants require the new sensor v4.9.0 to work properly.
Sunday, March 3rd
Yara in sensor has been updated. Windows, MacOS and Linux (except ARM build) now also support common Yara modules like “PE”.
Yara now defines some common variables like file_path and file_name used by some commonly available Signature sets.
Yara and File Integrity Monitoring now support the “update protocol”. This increases efficiency of maintaining up to date signature sets and FIM watch-sets. This feature is required for the upcoming Replicant soft-launch.
Parent atoms are now correctly propagated within the process list. This feature is required for the upcoming automated parent finding feature in the Historical view.
Windows driver unload sequence has been tweaked to provide more consistent unload/load cycles.
Internal IP reported by sensor should now more reliably represent the actual internal IP address of the interface used to reach the internet. This solves cases where a host with VMs could report the IP of the wrong interface.
Enabling common support for ARM and ARM64 sensors in all datacenters (installer availability coming very soon).