By default, LimaCharlie sensors send events to the cloud based on a standard profile that includes events like NEW_PROCESS, DNS_REQUEST etc. We don’t send all events to the cloud as it can be very heavy on the endpoint & require a lot of storage.

In Exfil Control (Event Collection Settings), you have the ability to replace the default profile by a custom set of rules you define.

To start with event collection settings, simply navigate to the Events Collection under Sensors.

Note that you need to have exfil add-on enabled. When the exfil is enabled, LimaCharlie will automatically display the list default rules which can be edited and customized.

The rule customization can be done in two ways: by configuring Event Rules or Watch Rules.

The Event Rules simply define a list of events that should be sent to the cloud based on platform and tags. It enables you to say, for example, "if a Windows sensor is tagged as collect, I want to collect DNS_REQUEST events" or "at all times, I want to collect THREAD_INJECTION events from the Linux machines".

The effect of the rules is additive. Meaning if a sensor matches two rules, the event set it will send to the cloud is the union of the events specified in both rules.

Note that turning on very verbose events (like FILE_READ for example) may have a detrimental effect on performance in the cloud, the network bandwidth and Web UI. We recommend that you make more targeted use of the history_dump command as well as the exfil_* commands and Exfil Watch rules (below) to acquire the events you need more selectively.

To create an Event rule, click Add Event Collection Rule.

Choose what platforms the event collection rule will apply. If left un-selected, it will collect events from all platforms.

Then, select the events you would like to collect.

Lastly, you have the ability to optionally specify the tag. Setting the tag (or comma-separated list of tags) will allow you to only collect the specified list of events from sensors that have a specific tag applied. Filter tags are tags that must ALL be present on a sensor for it to match (ANDed), while the platform of the sensor much match one of the platforms in the filter (ORed).

Tagging allows you to create powerful rules and automations. Let's say that by default, you are collecting a limited number of events from all endpoints. Using LimaCharlie D&R rules, you can say "if evil.exe is discovered, tag the endpoint as compromised ". In the Exfil Control section you can then define a rule that "for endpoints tagged as compromised, I want to collect all events". Note that Exfil configurations are synchronized with sensors every few minutes.

The above scenario can also by accomplished by issuing an exfil_add as part of that automation, which will make the change in Exfil effective immediately.

This action as a part of the D&R rule tells the sensor to start sending REGISTRY_WRITE for 120s. This command tells the agent to do it now, whereas the tagging + Exfil service rule is what checks the sensor has the right Exfil events over time.

The Watch Rules define additional events that should be sent to the cloud based on the content of each individual event.

The Watch Rules allow you to specify a platform and tag to select which sensors the rule applies to, plus these elements:

For example:

The above rule would tell the sensor to send to the cloud, in real-time, all MODULE_LOAD events where the FILE_PATH ends with the value wininet.dll.

Filter tags are tags that must ALL be present on a sensor for it to match (ANDed), while the platform of the sensor much match one of the platforms in the filter (ORed). The watch rules are currently limited to operate on text fields.