LimaCharlie EDR¶
About¶
LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility into your coverage, build what you want, control your data, get the security capabilities you need, for however long you need them, and pay only for what you use.
Product Details¶
Vendor URL: LimaCharlie EDR
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: Syslog
Integration URL: LimaCharlie EDR - Cyderes Documentation
Log Guide: LimaCharlie EDR Guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: LIMACHARLIE_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
cat | metadata.description |
cat | security_result.severity |
cat | security_result.summary |
detect_mtd.level | security_result.severity |
detect_mtd.references | security_result.detection_fields.detection_ref.value |
detect_mtd.tags | security_result.detection_fields.detection_tags.value |
detect.event.CNAME | network.dns.authority.name |
detect.event.CNAME | target.administrative_domain |
detect.event.COMMAND_LINE | target.process.command_line |
detect.event.DNS_TYPE | network.dns.questions.type |
detect.event.DOMAIN_NAME | network.dns.questions.name |
detect.event.FILE_PATH | target.file.full_path |
detect.event.HASH | target.file.sha256 |
detect.event.MAC_ADDRESS | principal.mac |
detect.event.MEMORY_SIZE | principal.asset.hardware.ram |
detect.event.PARENT_PROCESS_ID | target.process.parent_pid |
detect.event.PARENT.COMMAND_LINE | principal.process.command_line |
detect.event.PARENT.FILE_PATH | principal.process.file.full_path |
detect.event.PARENT.HASH | principal.process.file.sha256 |
detect.event.PARENT.PARENT_PROCESS_ID | principal.process.parent_pid |
detect.event.PARENT.PROCESS_ID | principal.process.pid |
detect.event.PARENT.USER_NAME | principal.user.userid |
detect.event.PROCESS_ID | target.process.pid |
detect.event.USER_NAME | target.user.userid |
event.CNAME | network.dns.authority.name |
event.CNAME | target.administrative_domain |
event.COMMAND_LINE | target.process.command_line |
event.DNS_TYPE | network.dns.questions.type |
event.DOMAIN_NAME | network.dns.questions.name |
event.EVENTS.PARENT_PROCESS_ID | principal.process.parent_pid |
event.EVENTS.SOURCE.COMMAND_LINE | principal.process.command_line |
event.EVENTS.SOURCE.FILE_PATH | principal.process.file.full_path |
event.EVENTS.SOURCE.HASH | principal.process.file.sha256 |
event.EVENTS.SOURCE.PROCESS_ID | principal.process.pid |
event.EVENTS.SOURCE.REGISTRY_KEY | target.registry.registry_key |
event.EVENTS.SOURCE.REGISTRY_VALUE | target.registry.registry_value_data |
event.EVENTS.SOURCE.USER_NAME | principal.user.userid |
event.EVENTS.TARGET.COMMAND_LINE | target.process.command_line |
event.EVENTS.TARGET.EXECUTABLE | target.process.file.full_path |
event.EVENTS.TARGET.FILE_PATH | target.file.full_path |
event.EVENTS.TARGET.FILE_SIZE | target.file.size |
event.EVENTS.TARGET.HASH | target.file.sha256 |
event.EVENTS.TARGET.HASH_MD5 | target.file.md5 |
event.EVENTS.TARGET.HASH_SHA1 | target.file.sha1 |
event.EVENTS.TARGET.PARENT_PROCESS_ID | target.process.parent_pid |
event.EVENTS.TARGET.PROCESS_ID | target.process.pid |
event.EVENTS.TARGET.USER_NAME | target.user.userid |
event.EXECUTABLE | target.process.file.full_path |
event.FILE_PATH | target.file.full_path |
event.FILE_SIZE | target.file.size |
event.HASH | target.file.sha256 |
event.HASH_MD5 | target.file.md5 |
event.HASH_SHA1 | target.file.sha1 |
event.MAC_ADDRESS | principal.mac |
event.MEMORY_SIZE | principal.asset.hardware.ram |
event.NOTIFICATION.DOMAIN_NAME | network.dns.questions.name |
event.PARENT_PROCESS_ID | target.process.parent_pid |
event.PARENT.COMMAND_LINE | principal.process.command_line |
event.PARENT.FILE_PATH | principal.process.file.full_path |
event.PARENT.HASH | principal.process.file.sha256 |
event.PARENT.PARENT_PROCESS_ID | principal.process.parent_pid |
event.PARENT.PROCESS_ID | principal.process.pid |
event.PARENT.USER_NAME | principal.user.userid |
event.PROCESS_ID | target.process.pid |
event.USER_NAME | target.user.userid |
routing.event_id | metadata.product_log_id |
routing.event_type | metadata.event_type |
routing.ext_ip | principal.nat_ip |
routing.hostname | principal.hostname |
routing.int_ip | principal.ip |
routing.this | principal.process.product_specific_process_id |
Product Event Types¶
routing.event_type, cat, detect_mtd.level | UDM Event Type | alerting |
---|---|---|
CLOUD_NOTIFICATION | STATUS_UNCATEGORIZED | |
CONNECTED | NETWORK_CONNECTION | |
critical | TRUE | |
DNS | NETWORK_DNS | |
domain_ioc_detection | TRUE | |
EXISTING_PROCESS | PROCESS_UNCATEGORIZED | |
FILE_CREATE | FILE_CREATION | |
FILE_DELETE | FILE_DELETION | |
FILE_MODIFIED | FILE_MODIFICATION | |
FILE_READ | FILE_READ | |
FILE_TYPE_ACCESSED | FILE_OPEN | |
hash_ioc_detection | TRUE | |
hidden_autorun | TRUE | |
high | TRUE | |
ip_ioc_detection | TRUE | |
medium | TRUE | |
MODULE_LOAD | PROCESS_ MODULE_LOAD | |
NEW_DOCUMENT | FILE_CREATION | |
NEW_PROCESS | PROCESS_LAUNCH | |
RECEIPT | STATUS_UNCATEGORIZED | |
REGISTRY_WRITE | REGISTRY_MODIFICATION | |
SENSITIVE_PROCESS_ACCESS | PROCESS_UNCATEGORIZED | |
SERVICE_CHANGE | SERVICE_MODIFICATION | |
Stop Windows Servcie | TRUE | |
Suspicious WMI Execution | TRUE | |
SYNC | STATUS_UPDATE | |
TERMINATE_PROCESS | PROCESS_TERMINATION | |
THREAD_INJECTION | PROCESS_INJECTION | |
unexpected_execution | TRUE |
Log Sample¶
{"event":{"PARENT_PROCESS_ID":5828,"PROCESS_ID":19284},"routing":{"arch":2,"did":"","event_id":"1045600-asl145","event_time":1646590380418,"event_type":"TERMINATE_PROCESS","ext_ip":"10.0.0.15","hostname":"Hostname1","iid":"607008-caa1445-09184","int_ip":"10.0.0.6","moduleid":2,"oid":"b24561-11356","parent":"182891ea6447efa11abf333a6224f9aa","plat":268435456,"sid":"707021-ascqw","tags":["windows-end-users"],"this":"cc215-6-111"}}
Sample Parsing¶
metadata.product_log_id = "1045600-asl145"
metadata.event_timestamp = "2022-03-06T18:13:00.418Z"
metadata.event_type = "PROCESS_TERMINATION"
metadata.vendor_name = "LimaCharlie"
metadata.product_name = "EDR"
metadata.product_event_type = "TERMINATE_PROCESS"
metadata.ingested_timestamp = "2022-03-06T18:18:13.719563Z"
principal.hostname = "Hostname1"
principal.process.product_specific_process_id = "LC:cc215-6-111"
principal.ip = "10.0.0.6"
principal.nat_ip = "10.0.0.15"
principal.asset.ip = "10.0.0.6"
target.process.pid = "19284"
target.process.parent_pid = "5828"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.