LimaCharlie allows you to browse one year of historical telemetry so that you can search for IoCs and gain full visibility into your endpoints.
Select the sensor you would like to explore, and go to the Timeline view.
Everything shown in the Timeline view is a real-time representation of the activity on the endpoint.
To get familiar with the controls available in this area, click the Controls button above the Search box.
To start looking at the timeline, first select the date and time you would like to explore. LimaCharlie will display all available events in a 24 hour window (12 hours before and 12 hours after the selected time). You can scroll past that 12 hour window on either side, but events outside it will not appear on the small event histogram.
Select the event types you would like to see, or clear the filter to browse all events. Note that only the event types present in the selected time period are shown. You can see NEW_PROCESSES, DNS_REQUESTS and many more types of events; for the full list of what's available, please refer to our technical documentation.
Besides the process names, paths, commands, user details and the time, you can see which code is signed (indicated by a signed-code symbol next to the process name). Exploring the CODE_IDENTITY event will show you the details of the signature and who the signer is.
The Search box allows you to search for anything inside any of the events in the list. It is a generic string match on anything inside the events (Process Name, File Path, etc.).
Clicking on an event will expand the process tree as well as show the event and routing details.
Clicking the Download button will download a JSON file with the details of the filtered events list.
On the right hand side of the event details view, you have the ability to go to the parent, copy the event to the clipboard, start a detection & response rule, and root the tree. Root Here will re-draw the tree with the current event as the root. This matters because the entire tree is not displayed: if you want to see the siblings of the current event under its parent process, go to the parent and use Root Here.
Clicking Start D&R Rule will populate the event details and start a draft detection & response rule, which can then be edited for your needs.
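To make the two behaviours above concrete on data you can hold in your hand, here is an added Python example (not LimaCharlie code, and not part of this page's original content) that runs the Search box's generic string match and the Root Here re-rooting over a small constructed event export. The export shape, the routing keys `this` and `parent` used to link child to parent, and the event type and field names in the sample are assumptions modelled on the JSON download; check them against the technical documentation before relying on them.

```python
"""Generic string search and Root Here re-rooting over a constructed Timeline export.
Added example; not LimaCharlie's own code. Routing keys and field names are assumptions."""
import json

# Constructed sample in the shape of a Timeline JSON download: each record carries a
# "routing" block (assumed: "this" = the event's own atom id, "parent" = the atom id of
# the event that spawned it) and an "event" block with the event's fields.
SAMPLE_EXPORT = json.dumps([
    {"routing": {"this": "a1", "parent": None, "event_type": "NEW_PROCESS", "event_time": 1700000000000},
     "event": {"FILE_PATH": "C:\\Windows\\explorer.exe", "COMMAND_LINE": "explorer.exe",
               "PROCESS_ID": 100, "USER_NAME": "alice"}},
    {"routing": {"this": "b2", "parent": "a1", "event_type": "NEW_PROCESS", "event_time": 1700000001000},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe", "COMMAND_LINE": "cmd.exe /c whoami",
               "PROCESS_ID": 200, "USER_NAME": "alice"}},
    {"routing": {"this": "c3", "parent": "a1", "event_type": "NEW_PROCESS", "event_time": 1700000002000},
     "event": {"FILE_PATH": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "COMMAND_LINE": "firefox.exe",
               "PROCESS_ID": 300, "USER_NAME": "alice"}},
    {"routing": {"this": "d4", "parent": "b2", "event_type": "DNS_REQUEST", "event_time": 1700000003000},
     "event": {"DOMAIN_NAME": "example.com", "PROCESS_ID": 200}},
    {"routing": {"this": "e5", "parent": "b2", "event_type": "CODE_IDENTITY", "event_time": 1700000004000},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
               "SIGNATURE": {"CERT_ISSUER": "Example Signing CA (constructed)"}}},
])


def load_export(raw):
    """Parse the downloaded JSON into a list of event records."""
    return json.loads(raw)


def _strings(value):
    """Yield every scalar inside a nested event as text, so any field can be matched."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)
    elif value is not None:
        yield str(value)


def search(events, needle):
    """Case-insensitive substring match against any field of any event, like the Search box."""
    needle = needle.lower()
    return [e for e in events if any(needle in s.lower() for s in _strings(e["event"]))]


def filter_types(events, types):
    """Keep only the selected event types, like the event type filter."""
    return [e for e in events if e["routing"]["event_type"] in types]


def parent_of(events, atom):
    """Atom id of the event that spawned `atom` (the Go To Parent action)."""
    by_atom = {e["routing"]["this"]: e for e in events}
    return by_atom[atom]["routing"]["parent"]


def root_here(events, atom):
    """Return (depth, event) pairs for `atom` and all of its descendants, oldest first.
    Only the subtree under the root is produced, so siblings of `atom` are not visible
    unless you re-root at its parent, which is exactly what Root Here requires."""
    children = {}
    for e in events:
        children.setdefault(e["routing"]["parent"], []).append(e)
    by_atom = {e["routing"]["this"]: e for e in events}
    out = []

    def walk(a, depth):
        node = by_atom.get(a)
        if node is None:
            return
        out.append((depth, node))
        for child in sorted(children.get(a, []), key=lambda c: c["routing"]["event_time"]):
            walk(child["routing"]["this"], depth + 1)

    walk(atom, 0)
    return out


def render(tree):
    """Indented one-line-per-event view of a root_here() result."""
    lines = []
    for depth, e in tree:
        label = e["event"].get("COMMAND_LINE") or e["event"].get("DOMAIN_NAME") or e["event"].get("FILE_PATH")
        lines.append("  " * depth + f"{e['routing']['event_type']}: {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    events = load_export(SAMPLE_EXPORT)
    print("search 'cmd.exe' hits:", len(search(events, "cmd.exe")))
    print(render(root_here(events, "b2")))            # cmd.exe and its children only
    print(render(root_here(events, parent_of(events, "b2"))))  # re-root at parent: firefox.exe sibling appears
```

Rooting at `b2` shows only `cmd.exe` with its DNS and code-identity children; rooting at `parent_of(events, "b2")` brings the `firefox.exe` sibling into view, which mirrors the go-to-parent-then-Root-Here step described above.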
You can also root the graph or start a new D&R rule by right clicking on an event on the graph itself.