After creating an Artifact Collection rule in LimaCharlie you may need to wait a few hours before artifacts are collected and appear in LimaCharlie. In some circumstances, like during incident response, you may wish to bring in those artifacts immediately.

Single Endpoint

The fastest way to bring in artifacts immediately from and endpoint is by using the console.

1. In the LimaCharlie web app click on a sensor and then choose Console

2. In the console type the following command:

artifact_get --file c:\\windows\\system32\\winevt\\logs\\Security.evtx --days-retention 30

Multiple Endpoints

You can efficiently collect artifacts from multiple endpoints with the LimaCharlie CLI / SDK and a simple script.

Reference: Learn how to install & use the LimaCharlie CLI / SDK

The sample script used will cause the collection of all Windows Event Log (EVTX) files located in the "C:\Windows\System32\winevt\" directory.

1. Install the LimaCharlie CLI

2. Log into your LimaCharlie account using the command: `limacharlie login`

3. Download this simple Python script (shown below), and save it as collect.py

4. Run the Python script using the command: `python collect.py`

Once you run the command, you'll start seeing a list of each artifact being collected.

Sample Script (collect.py)

import limacharlie

# The is_interactive allows us to do sensor.simpleRequest() calls
# and get the response inline in this script.
lc = limacharlie.Manager( is_interactive = True, inv_id = "init-artifact-col" )

for sensor in lc.sensors():
# If a sensor is offline, we'll just skip it.
if not sensor.isOnline():
print( "skipping %s since it's not online" % ( sensor.sid, ) )
continue

# We only care about Windows boxes.
if not sensor.isWindows():
print( "skipping %s since it's not a Windows box" % ( sensor.sid, ) )
continue

print( "Listing event logs directory for %s" % ( sensor.sid, ) )

# List all the evtx on the box.
try:
dirList = sensor.simpleRequest( "dir_list c:\\\\windows\\\\system32\\\\winevt\\\\ *.evtx -d 3" )[ 'event' ]
except Exception as e:
print( "error getting dir list from %s: %s" % ( sensor.sid, e ) )
continue

# Issue an artifact_get for every evtx.
# Since our dir_list was for *.evtx we can just get
# all the entries blindly without checking their name.
for entry in dirList.get( "DIRECTORY_LIST", [] ):
filePath = entry[ "FILE_PATH" ]
print( "collecting from %s: %s" % ( sensor.sid, filePath ) )
filePath = filePath.replace( "\\", "\\\\" )
# We don't really care about getting the response here
# so we'll just send them blindly. The results will
# be in the Artifact section of LC.
# We also ignore the cert for convenience in this example
# since many Windows Server instances ship without Google certs.
sensor.request( [ "artifact_get --file '%s' --days-retention 30 --is-ignore-cert" % ( filePath, ) ] )
Did this answer your question?