Developer Roll Up: July 2022

We have most certainly been adding fuel to the fire: this is easily the biggest update we have had all year! We continue to add team members and our engineering capability is growing. The list of improvements and new capabilities is too much to try to summarize, so you will have to read the release notes below.

On August 4th @ 10.00 AM / 1.00 PM ET we will be hosting a peer discussion on moving cybersecurity toward an engineering-centric future. The discussion will take place between Larry Maccherone, Joe Anderson and Maxime Lamothe-Brassard. It is going to be an interesting discussion and I hope you will join us. You can register for the talk at the following link: Moving cybersecurity towards an engineering-centric future

Schema Inspection

It is now possible to inspect the schema of events in LimaCharlie.

The schema provided is learned on a per-org basis since the data ingested in LimaCharlie can vary from tenant to tenant.

This new API can be useful when building integrations with external products requiring a strict schema.


Announcing the ability to bring in telemetry from external sources without having to host a LimaCharlie Adapter (aka “cloud to cloud”).

LimaCharlie allows security professionals to ingest logs or telemetry from any external source in real-time. It includes built-in parsing for popular formats, with the option to define your own for custom sources.

Prior to this release, if someone wanted to bring, say, Office 365 logs into LimaCharlie, they would need to run an Adapter on premises or on their cloud. The Adapter would pull the data from the third-party and send it to the LimaCharlie cloud.

Starting today, for cloud-based log sources such as GitHub, 1Password, GCP, VMWare Carbon Black EDR, you no longer have to download the installer and run the Adapter. Simply enter the API credentials in the web app and click “save”.

Log sources that are not hosted on the cloud, such as Syslog, will continue to require an Adapter to be run on premises.

To learn more or to get started, check out the help article: How do I ingest logs or telemetry from cloud-based external sources?

The ability to reset password

Following today's release, LimaCharlie users can reset their password without having to contact support.

Simply click on the ‘Forgot your password?’ link and follow the steps to reset the password.

Sensor Versioning Tags

As you may know, certain Sensor Tags in LimaCharlie had a special meaning.

Tagging a sensor with latest would update that single sensor to the latest sensor version for example.

We are now transitioning these tags to have the lc: prefix. The goal is to reduce the likelihood of someone applying these special tags without being aware of their meaning, with unintended consequences.

Starting today, the following tags are supported in that fashion: lc:latest, lc:stable, lc:experimental, lc:no_kernel and lc:debug.

The old versions of these tags remain operational for now, but will be turned off on August 1st. So if you rely on these tags, we suggest you transition to the new form.

More documentation here:

Sigma Converter Service

LimaCharlie is happy to contribute to the Sigma Project by maintaining the LimaCharlie Backend for Sigma, enabling most Sigma rules to be converted to the Detection & Response rule format.

A LimaCharlie Service is available to apply many of those converted rules with a single click to an Organization.

For cases where you either have your own Sigma rules, or you would like to convert/apply specific rules yourself, the Sigma Converter service described below can help streamline the process.

The full documentation is available here:

Sensor 4.27.3

  • Linux File Integrity Monitoring now leverages eBPF support for better performance. This stops most usage of inotify by the sensor.

  • Enhanced reliability of inotify usage on Linux when eBPF is not available.

  • General CPU performance enhancements across all platforms.

  • Fixes possible issue with Netlink usage on Linux for process notification.

  • Fixes rare race conditions that could hang network connectivity during network outages.

Support for Templating

We've started rolling out support for template strings to multiple areas of LimaCharlie.

This allows you to customize what would normally be a literal string so that it now supports formatting based on the context of execution.

In all cases, backwards compatibility should be maintained.

Detection names in the report action of D&R rules now support templates, like:

  - action: report
    name: Evil executable on {{ .routing.hostname }}

Tasking in the task action of D&R rules now supports templates, like:

  artifact_get {{ .event.FILE_PATH }}
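To show how the two templates above resolve against the context of a detection, here is an added example (not LimaCharlie's own code) that renders them with Go's text/template package; it assumes LimaCharlie string templates follow Go template syntax, and the event contents are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// renderTemplate executes a string template against the event context.
// Assumption of this example: LimaCharlie templates use Go text/template
// syntax, so "{{ .routing.hostname }}" walks the nested maps below.
// missingkey=error makes a mistyped path fail loudly instead of rendering
// "<no value>" into a detection name or a tasking command.
func renderTemplate(tmpl string, ctx map[string]interface{}) (string, error) {
	t, err := template.New("lc").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sampleEvent is a constructed stand-in for what a D&R rule sees:
// a routing block (sensor metadata) and the event body.
func sampleEvent() map[string]interface{} {
	return map[string]interface{}{
		"routing": map[string]interface{}{"hostname": "ws-0042.corp.example"},
		"event":   map[string]interface{}{"FILE_PATH": `C:\Users\alice\Downloads\invoice.exe`},
	}
}

func main() {
	ev := sampleEvent()
	for _, tmpl := range []string{
		"Evil executable on {{ .routing.hostname }}", // report action name
		"artifact_get {{ .event.FILE_PATH }}",        // task action command
		"{{ .routing.hostnam }}",                     // typo: caught at render time
	} {
		out, err := renderTemplate(tmpl, ev)
		if err != nil {
			fmt.Printf("template %q failed: %v\n", tmpl, err)
			continue
		}
		fmt.Println(out)
	}
}
```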

The SMTP Output now supports a custom subject field that uses string templates. It also supports a new template parameter, a string template used for the body of the email (either plain text or HTML).

The Slack Output supports 3 new parameters:

  • color: to specify the color of the "attachment" part of the Slack message.

  • message: a string template for the "message" part of the Slack message.

  • attachment_text: a string template for the "attachment" part of the Slack message.

Support for Transforms

Transforms are now available for all Outputs via the custom_transform field.

A Transform allows you to specify an alternate format for the data sent from an Output.

For example, this could be used to customize a webhook format for a specific platform, as in the Google Chat example. Or it could be used simply to pare down the data sent via an Output to only specific fields. Finally, it also allows you to create new fields in the Output that are either literal values or composite values (as a String Template).

Detailed documentation and examples are available:

User Experience Enhancements & Performance Improvements

We have been working on a number of user experience & performance enhancements. Some notable ones that were released today include:

  • Made improvements to the main sensor list to enhance performance. While not noticeable for smaller lists, there was an increasing delay as the number of sensors grew. As a result we’ve also removed pagination on the sensor list.

  • Added groups to ‘users and roles’ page, so that users can see all accounts that have access to their organization through groups.

  • Added various descriptive text and helpful links onto the ‘install sensors’ page regarding how to check release notes, test new sensor versions, and configure sensors to auto-update.

As always, you can find a full list in the release notes:

If you have ideas, suggestions or any feedback – please let us know in comments, via Intercom chat bubble in the web app, in #feature-requests (or you can simply DM me anytime)

Replay billing change

If you do not use large Replay jobs, this does not affect you.

Currently, Replay is billed per-operator evaluation. If an event is processed but does not match the event_type being targeted by the rule, this currently does not count as an evaluation.

Starting September 1st, each event processed will now count as a single evaluation. This change is designed to make billing more fair across various Organization sizes.

Unless you specifically make very large Replay jobs targeting very rare event types, this will not have a material effect on your billing.

*** This is a Security Bloggers Network syndicated blog from LimaCharlie's Blog authored by LimaCharlie's Blog. Read the original post at: