By default, LimaCharlie sensors send events to the cloud based on a standard profile that includes events like
DNS_REQUEST etc. We don’t send all events to the cloud as it can be very heavy on the endpoint & require a lot of storage.
In Exfil Control (Event Collection Settings), you have the ability to replace the default profile by a custom set of rules you define.
To start with event collection settings, simply navigate to the
Events Collection under
Note that you need to have
exfil add-on enabled. When the
exfil is enabled, LimaCharlie will automatically display the list default rules which can be edited and customized.
The rule customization can be done in two ways: by configuring Event Rules or Watch Rules.
The Event Rules simply define a list of events that should be sent to the cloud based on platform and tags. It enables you to say, for example, "if a Windows sensor is tagged as
collect, I want to collect
DNS_REQUEST events" or "at all times, I want to collect
THREAD_INJECTION events from the Linux machines".
The effect of the rules is additive. Meaning if a sensor matches two rules, the event set it will send to the cloud is the union of the events specified in both rules.
Note that turning on very verbose events (like
FILE_READ for example) may have a detrimental effect on performance in the cloud, the network bandwidth and Web UI. We recommend that you make more targeted use of the
history_dump command as well as the
exfil_* commands and Exfil Watch rules (below) to acquire the events you need more selectively.
To create an Event rule, click
Add Event Collection Rule.
Choose what platforms the event collection rule will apply. If left un-selected, it will collect events from all platforms.
Then, select the events you would like to collect.
Lastly, you have the ability to optionally specify the
tag. Setting the tag (or comma-separated list of tags) will allow you to only collect the specified list of events from sensors that have a specific tag applied. Filter tags are tags that must ALL be present on a sensor for it to match (ANDed), while the platform of the sensor much match one of the platforms in the filter (ORed).
Tagging allows you to create powerful rules and automations. Let's say that by default, you are collecting a limited number of events from all endpoints. Using LimaCharlie D&R rules, you can say "if
evil.exe is discovered, tag the endpoint as
compromised ". In the Exfil Control section you can then define a rule that "for endpoints tagged as
compromised, I want to collect all events". Note that Exfil configurations are synchronized with sensors every few minutes.
The above scenario can also by accomplished by issuing an
exfil_add as part of that automation, which will make the change in Exfil effective immediately.
task command: exfil_add REGISTRY_WRITE -e 120
This action as a part of the D&R rule tells the sensor to start sending
REGISTRY_WRITE for 120s. This command tells the agent to do it now, whereas the tagging + Exfil service rule is what checks the sensor has the right Exfil events over time.
The Watch Rules define additional events that should be sent to the cloud based on the content of each individual event.
The Watch Rules allow you to specify a platform and tag to select which sensors the rule applies to, plus these elements:
Event: the specific event type that should be evaluated, like
Path: the path within the
eventcomponent whose value should be evaluated, like
Operator: the type of evaluation/comparison that should be done between the value at Path in the event and the Value.
Value: the value used in the comparison.
Operator: ends with
The above rule would tell the sensor to send to the cloud, in real-time, all
MODULE_LOAD events where the
FILE_PATH ends with the value
Filter tags are tags that must ALL be present on a sensor for it to match (ANDed), while the platform of the sensor much match one of the platforms in the filter (ORed). The watch rules are currently limited to operate on text fields.