LimaCharlie EDR

About

LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility into your coverage, build what you want, control your data, get the security capabilities you need, for however long you need them, and pay only for what you use.

Product Details

Vendor URL: LimaCharlie EDR

Product Type: Endpoint Detection and Response

Product Tier: Tier I

Integration Method: Syslog

Integration URL: LimaCharlie EDR - Cyderes Documentation

Log Guide: LimaCharlie EDR Guide

Parser Details

Log Format: JSON

Expected Normalization Rate: 95%

Data Label: LIMACHARLIE_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                          UDM Field
--------------------------------------  ---------------------------------------------------
cat                                     metadata.description
cat                                     security_result.severity
cat                                     security_result.summary
detect_mtd.level                        security_result.severity
detect_mtd.references                   security_result.detection_fields.detection_ref.value
detect_mtd.tags                         security_result.detection_fields.detection_tags.value
detect.event.CNAME                      network.dns.authority.name
detect.event.CNAME                      target.administrative_domain
detect.event.COMMAND_LINE               target.process.command_line
detect.event.DNS_TYPE                   network.dns.questions.type
detect.event.DOMAIN_NAME                network.dns.questions.name
detect.event.FILE_PATH                  target.file.full_path
detect.event.HASH                       target.file.sha256
detect.event.MAC_ADDRESS                principal.mac
detect.event.MEMORY_SIZE                principal.asset.hardware.ram
detect.event.PARENT_PROCESS_ID          target.process.parent_pid
detect.event.PARENT.COMMAND_LINE        principal.process.command_line
detect.event.PARENT.FILE_PATH           principal.process.file.full_path
detect.event.PARENT.HASH                principal.process.file.sha256
detect.event.PARENT.PARENT_PROCESS_ID   principal.process.parent_pid
detect.event.PARENT.PROCESS_ID          principal.process.pid
detect.event.PARENT.USER_NAME           principal.user.userid
detect.event.PROCESS_ID                 target.process.pid
detect.event.USER_NAME                  target.user.userid
event.CNAME                             network.dns.authority.name
event.CNAME                             target.administrative_domain
event.COMMAND_LINE                      target.process.command_line
event.DNS_TYPE                          network.dns.questions.type
event.DOMAIN_NAME                       network.dns.questions.name
event.EVENTS.PARENT_PROCESS_ID          principal.process.parent_pid
event.EVENTS.SOURCE.COMMAND_LINE        principal.process.command_line
event.EVENTS.SOURCE.FILE_PATH           principal.process.file.full_path
event.EVENTS.SOURCE.HASH                principal.process.file.sha256
event.EVENTS.SOURCE.PROCESS_ID          principal.process.pid
event.EVENTS.SOURCE.REGISTRY_KEY        target.registry.registry_key
event.EVENTS.SOURCE.REGISTRY_VALUE      target.registry.registry_value_data
event.EVENTS.SOURCE.USER_NAME           principal.user.userid
event.EVENTS.TARGET.COMMAND_LINE        target.process.command_line
event.EVENTS.TARGET.EXECUTABLE          target.process.file.full_path
event.EVENTS.TARGET.FILE_PATH           target.file.full_path
event.EVENTS.TARGET.FILE_SIZE           target.file.size
event.EVENTS.TARGET.HASH                target.file.sha256
event.EVENTS.TARGET.HASH_MD5            target.file.md5
event.EVENTS.TARGET.HASH_SHA1           target.file.sha1
event.EVENTS.TARGET.PARENT_PROCESS_ID   target.process.parent_pid
event.EVENTS.TARGET.PROCESS_ID          target.process.pid
event.EVENTS.TARGET.USER_NAME           target.user.userid
event.EXECUTABLE                        target.process.file.full_path
event.FILE_PATH                         target.file.full_path
event.FILE_SIZE                         target.file.size
event.HASH                              target.file.sha256
event.HASH_MD5                          target.file.md5
event.HASH_SHA1                         target.file.sha1
event.MAC_ADDRESS                       principal.mac
event.MEMORY_SIZE                       principal.asset.hardware.ram
event.NOTIFICATION.DOMAIN_NAME          network.dns.questions.name
event.PARENT_PROCESS_ID                 target.process.parent_pid
event.PARENT.COMMAND_LINE               principal.process.command_line
event.PARENT.FILE_PATH                  principal.process.file.full_path
event.PARENT.HASH                       principal.process.file.sha256
event.PARENT.PARENT_PROCESS_ID          principal.process.parent_pid
event.PARENT.PROCESS_ID                 principal.process.pid
event.PARENT.USER_NAME                  principal.user.userid
event.PROCESS_ID                        target.process.pid
event.USER_NAME                         target.user.userid
routing.event_id                        metadata.product_log_id
routing.event_type                      metadata.event_type
routing.ext_ip                          principal.nat_ip
routing.hostname                        principal.hostname
routing.int_ip                          principal.ip
routing.this                            principal.process.product_specific_process_id

Product Event Types

Source value                UDM Event Type            Alerting
(routing.event_type, cat or detect_mtd.level)
--------------------------  ------------------------  --------
CLOUD_NOTIFICATION          STATUS_UNCATEGORIZED
CONNECTED                   NETWORK_CONNECTION
critical                                              TRUE
DNS                         NETWORK_DNS
domain_ioc_detection                                  TRUE
EXISTING_PROCESS            PROCESS_UNCATEGORIZED
FILE_CREATE                 FILE_CREATION
FILE_DELETE                 FILE_DELETION
FILE_MODIFIED               FILE_MODIFICATION
FILE_READ                   FILE_READ
FILE_TYPE_ACCESSED          FILE_OPEN
hash_ioc_detection                                    TRUE
hidden_autorun                                        TRUE
high                                                  TRUE
ip_ioc_detection                                      TRUE
medium                                                TRUE
MODULE_LOAD                 PROCESS_MODULE_LOAD
NEW_DOCUMENT                FILE_CREATION
NEW_PROCESS                 PROCESS_LAUNCH
RECEIPT                     STATUS_UNCATEGORIZED
REGISTRY_WRITE              REGISTRY_MODIFICATION
SENSITIVE_PROCESS_ACCESS    PROCESS_UNCATEGORIZED
SERVICE_CHANGE              SERVICE_MODIFICATION
Stop Windows Servcie                                  TRUE
Suspicious WMI Execution                              TRUE
SYNC                        STATUS_UPDATE
TERMINATE_PROCESS           PROCESS_TERMINATION
THREAD_INJECTION            PROCESS_INJECTION
unexpected_execution                                  TRUE

Log Sample

{"event":{"PARENT_PROCESS_ID":5828,"PROCESS_ID":19284},"routing":{"arch":2,"did":"","event_id":"1045600-asl145","event_time":1646590380418,"event_type":"TERMINATE_PROCESS","ext_ip":"10.0.0.15","hostname":"Hostname1","iid":"607008-caa1445-09184","int_ip":"10.0.0.6","moduleid":2,"oid":"b24561-11356","parent":"182891ea6447efa11abf333a6224f9aa","plat":268435456,"sid":"707021-ascqw","tags":["windows-end-users"],"this":"cc215-6-111"}}

Sample Parsing

metadata.product_log_id = "1045600-asl145"
metadata.event_timestamp = "2022-03-06T18:13:00.418Z"
metadata.event_type = "PROCESS_TERMINATION"
metadata.vendor_name = "LimaCharlie"
metadata.product_name = "EDR"
metadata.product_event_type = "TERMINATE_PROCESS"
metadata.ingested_timestamp = "2022-03-06T18:18:13.719563Z"
principal.hostname = "Hostname1"
principal.process.product_specific_process_id = "LC:cc215-6-111"
principal.ip = "10.0.0.6"
principal.nat_ip = "10.0.0.15"
principal.asset.ip = "10.0.0.6"
target.process.pid = "19284"
target.process.parent_pid = "5828"
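The field-mapping and event-type tables above, together with the sample log and its parsed output, describe a normalization that can be checked end to end. The following Python script is an added example, not the Cyderes parser itself, that applies those tables to the sample log line: it converts routing.event_time (epoch milliseconds) to the RFC 3339 timestamp shown in the sample parsing, maps TERMINATE_PROCESS to PROCESS_TERMINATION, prefixes routing.this with "LC:" as the sample output shows, casts PIDs to strings, and flags a record as alerting when its cat or detect_mtd.level value is one marked TRUE. Only a subset of the event field table is implemented; the fallback to GENERIC_EVENT for unlisted event types is this example's assumption, and metadata.ingested_timestamp is not reproduced because it comes from ingestion time rather than the log.

```python
import json
from datetime import datetime, timezone

# routing.event_type -> UDM metadata.event_type, from the Product Event Types table.
EVENT_TYPE_MAP = {
    "CLOUD_NOTIFICATION": "STATUS_UNCATEGORIZED",
    "CONNECTED": "NETWORK_CONNECTION",
    "DNS": "NETWORK_DNS",
    "EXISTING_PROCESS": "PROCESS_UNCATEGORIZED",
    "FILE_CREATE": "FILE_CREATION",
    "FILE_DELETE": "FILE_DELETION",
    "FILE_MODIFIED": "FILE_MODIFICATION",
    "FILE_READ": "FILE_READ",
    "FILE_TYPE_ACCESSED": "FILE_OPEN",
    "MODULE_LOAD": "PROCESS_MODULE_LOAD",
    "NEW_DOCUMENT": "FILE_CREATION",
    "NEW_PROCESS": "PROCESS_LAUNCH",
    "RECEIPT": "STATUS_UNCATEGORIZED",
    "REGISTRY_WRITE": "REGISTRY_MODIFICATION",
    "SENSITIVE_PROCESS_ACCESS": "PROCESS_UNCATEGORIZED",
    "SERVICE_CHANGE": "SERVICE_MODIFICATION",
    "SYNC": "STATUS_UPDATE",
    "TERMINATE_PROCESS": "PROCESS_TERMINATION",
    "THREAD_INJECTION": "PROCESS_INJECTION",
}

# cat / detect_mtd.level values that the same table marks as alerting.
ALERTING_VALUES = {
    "critical", "high", "medium",
    "domain_ioc_detection", "hash_ioc_detection", "ip_ioc_detection",
    "hidden_autorun", "unexpected_execution",
    "Stop Windows Servcie", "Suspicious WMI Execution",
}

# Subset of the UDM field table for keys of the top-level "event" object.
EVENT_FIELD_MAP = {
    "PROCESS_ID": "target.process.pid",
    "PARENT_PROCESS_ID": "target.process.parent_pid",
    "COMMAND_LINE": "target.process.command_line",
    "FILE_PATH": "target.file.full_path",
    "HASH": "target.file.sha256",
    "USER_NAME": "target.user.userid",
}

# Subset of the UDM field table for keys of the "routing" object.
ROUTING_FIELD_MAP = {
    "event_id": "metadata.product_log_id",
    "hostname": "principal.hostname",
    "int_ip": "principal.ip",
    "ext_ip": "principal.nat_ip",
}

# The Log Sample from this page, embedded so the example runs offline.
SAMPLE_LOG = (
    '{"event":{"PARENT_PROCESS_ID":5828,"PROCESS_ID":19284},'
    '"routing":{"arch":2,"did":"","event_id":"1045600-asl145",'
    '"event_time":1646590380418,"event_type":"TERMINATE_PROCESS",'
    '"ext_ip":"10.0.0.15","hostname":"Hostname1","iid":"607008-caa1445-09184",'
    '"int_ip":"10.0.0.6","moduleid":2,"oid":"b24561-11356",'
    '"parent":"182891ea6447efa11abf333a6224f9aa","plat":268435456,'
    '"sid":"707021-ascqw","tags":["windows-end-users"],"this":"cc215-6-111"}}'
)


def epoch_ms_to_rfc3339(ms: int) -> str:
    """routing.event_time is epoch milliseconds; UDM timestamps are RFC 3339 UTC."""
    seconds, millis = divmod(int(ms), 1000)   # integer math keeps the millisecond exact
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{millis:03d}Z"


def is_alerting(record: dict) -> bool:
    """True when cat or detect_mtd.level is one of the values marked TRUE above."""
    cat = record.get("cat")
    level = record.get("detect_mtd", {}).get("level")
    return cat in ALERTING_VALUES or level in ALERTING_VALUES


def normalize(raw_line: str) -> dict:
    """Turn one raw LimaCharlie JSON line into a flat dict of UDM field -> value."""
    record = json.loads(raw_line)
    routing = record.get("routing", {})
    event = record.get("event", {})
    udm = {"metadata.vendor_name": "LimaCharlie", "metadata.product_name": "EDR"}

    product_type = routing.get("event_type")
    if product_type is not None:
        udm["metadata.product_event_type"] = product_type
        # GENERIC_EVENT fallback for unlisted types is this example's assumption.
        udm["metadata.event_type"] = EVENT_TYPE_MAP.get(product_type, "GENERIC_EVENT")
    if "event_time" in routing:
        udm["metadata.event_timestamp"] = epoch_ms_to_rfc3339(routing["event_time"])

    for src, dst in ROUTING_FIELD_MAP.items():
        if routing.get(src):                    # skip empty strings such as "did":""
            udm[dst] = routing[src]
    if routing.get("int_ip"):
        udm["principal.asset.ip"] = routing["int_ip"]
    if routing.get("this"):
        # The sample parsing shows the sensor's process id prefixed with "LC:".
        udm["principal.process.product_specific_process_id"] = "LC:" + routing["this"]

    for src, dst in EVENT_FIELD_MAP.items():
        if src in event:
            udm[dst] = str(event[src])          # PIDs appear as strings in the sample parsing
    return udm


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_LOG).items()):
        print(f"{field} = {value!r}")
```

Running the script prints the same field/value pairs as the Sample Parsing section (minus the ingestion timestamp), which is a quick way to confirm that a mapping change or a new event type is reflected correctly before it reaches a production parser.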

Parser Alerting

Alerting criteria are listed in the Product Event Types table above: a record alerts when its cat or detect_mtd.level value appears in a row marked TRUE.