Reference: Platform Events¶
Event Details¶
ACK_MESSAGES¶
The acknowledge-messages event is used by some LimaCharlie Sensor types (e.g. USP) to acknowledge messages received from the cloud. It is not used by the EDR sensor.
BACKOFF¶
Used for flow control. The cloud provides the number of seconds the Sensor should wait before sending further events.
billing_record¶
This event is emitted for all kinds of billable records for the Organization.
Sample Event:
{
"record": {
"cat": "extension",
"k": "ext-strelka:bytes_scanned",
"oid": "8cbe27f4-aaaa-bbbb-cccc-138cd51389cd",
"record_id": "3bbbe4d9-925b-4538-bcad-e2e1ba2be923-0",
"ts": "2024-05-30 00:44:37",
"v": 2797
}
}
CLOUD_ADAPTER_DISABLED¶
This event is emitted when a Cloud Adapter is disabled because it has been failing continuously for an extended period. The `error` field carries the last error observed (an invalid credential in the sample below), which is usually enough to tell a revoked API key from an upstream outage.
Sample Event:
{
"event":{
"error": "invalid api key"
},
"routing": {
"event_time": 1644444297696,
"event_type": "cloud_adapter_disabled",
"oid": "8cbe27f4-aaaa-cccc-bbbb-138cd51389cd"
}
}
DATA_DROPPED¶
This event is generated by the Sensor when it has been offline long enough for the events it generated to overflow its internal buffer before they could be sent to the cloud; the overflowed events are dropped. Treat it as a marker of a telemetry gap for that host rather than as a fault in the cloud.
DELETED_SENSOR¶
Deleted Sensor deployment events are produced when a sensor that was previously deleted from an Org attempts to connect to the LimaCharlie cloud. In the sample below, `denied_for` gives the remaining period for which the cloud keeps refusing that Sensor ID.
Sample Event:
{
"routing": {
"oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
"iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
"sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
"plat": 536870912,
"arch": 2,
"ext_ip": "104.196.34.101",
"int_ip": "172.17.0.2",
"hostname": "linux-server-1",
"event_type": "deleted_sensor",
"event_time": 1561741553230
},
"event": {
"denied_for": "720h0m0s"
}
}
DISCONNECTED¶
This platform event is generated by the LimaCharlie backend when a sensor disconnects from the cloud. This event applies to all sensor types (Windows, macOS, Linux, Chrome, Edge) and is generated server-side, not by the endpoint itself.
Sample Event:
{
"routing": {
"oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
"sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
"event_type": "disconnected",
"event_time": 1561741553230
},
"event": {}
}
ENROLLMENT¶
Enrollment deployment events are produced when a sensor enrolls into the Organization for the first time.
Sample Event:
{
"routing": {
"oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
"iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
"sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
"plat": 536870912,
"arch": 2,
"event_type": "enrollment",
"event_time": 1561741553230
},
"event": {
"public_ip": "104.196.34.101",
"internal_ip": "172.17.0.2",
"host_name": "linux-server-1"
}
}
EXPORT_COMPLETE¶
Emitted when an export of artifact data has completed and is ready for download.
Sample Event:
{
"routing" : {
"log_id" : "ca812425-5a36-4c73-a0a0-935a8ace6451",
"event_type" : "export_complete",
"log_type" : "pcap",
"oid" : "ca812425-5a36-4c73-a0a0-935a8ace6451",
"event_time" : 1561741553230
},
"event" : {
"size" : 2048,
"source" : "a75cc927-bf28-4178-a42d-25ecc8a6be81",
"original_path" : "/data/pcap/dat.pcap",
"export_id" : "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca"
}
}
INGEST¶
Emitted when a new artifact has been ingested.
Sample Event:
{
"routing" : {
"log_id" : "ca812425-5a36-4c73-a0a0-935a8ace6451",
"event_type" : "ingest",
"log_type" : "pcap",
"oid" : "ca812425-5a36-4c73-a0a0-935a8ace6451",
"event_time" : 1561741553230
},
"event" : {
"size" : 2048,
"source" : "a75cc927-bf28-4178-a42d-25ecc8a6be81",
"original_path" : "/data/pcap/dat.pcap",
"original_md5" : "adjfnwonefowrnfowef"
}
}
QUOTA_CHANGED¶
Quota changed events are emitted when the quota for an Organization changes.
Sample Event:
{
"event":{
"new_quota": 30,
"old_quota": 25
},
"routing": {
"event_time": 1644444297696,
"event_type": "quota_changed",
"oid": "8cbe27f4-aaaa-cccc-bbbb-138cd51389cd"
}
}
RUN¶
Emitted after a run command has been issued (e.g. to run a payload or a shell command).
SELF_TEST_RESULT¶
Internal event used during a power-on-self-test (POST) of the sensor.
SENSOR_CLONE¶
Sensor clone events are generated when the LimaCharlie Cloud detects that a specific Sensor ID may have been cloned, typically because the same Sensor ID starts connecting under different hostnames, as in the sample below. The usual cause is a disk image or VM template that was captured after the sensor was enrolled, so every machine built from it shares one Sensor ID.
Sample Event:
{
"routing": {
"oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
"iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
"sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
"plat": 536870912,
"arch": 2,
"event_type": "sensor_clone",
"event_time": 1561741553230
},
"event": {
"previous_hostname" : "server-1",
"new_hostname" : "server-2"
}
}
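A detection rule that acts on this event, added here as a worked example; it is not taken from the LimaCharlie docs. It assumes that deployment-class platform events are matched with `target: deployment`, that `event` selects on `routing/event_type`, and that `report` and `add tag` are available response actions with the fields shown (the rule name and tag value are arbitrary):

```yaml
# Added example D&R rule, not LimaCharlie's own.
# Assumption: platform events such as sensor_clone are matched under
# the "deployment" target and can be selected by event type.
detect:
  target: deployment
  event: sensor_clone
  op: exists
  path: routing/sid
respond:
  # Raise a detection so the clone shows up in the detection feed/outputs.
  - action: report
    name: sensor-id-cloned
  # Tag the affected Sensor ID (assumed: tag + ttl fields, ttl in seconds)
  # so other rules can exclude or scrutinise it until it is re-enrolled.
  - action: add tag
    tag: cloned-sensor
    ttl: 604800
```

The `exists` check on `routing/sid` is deliberately permissive: the point is to fire on every `sensor_clone` event for the organization, not to match a particular host. Remediation is to re-image the offending machines with an installer rather than a pre-enrolled image so each host gets its own Sensor ID.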
SENSOR_CRASH¶
This event is generated when a Sensor has crashed. It includes some telemetry (the crashing thread, and an internal file and line identifier) that helps LimaCharlie troubleshoot the crash; the `crash_context` values are not meaningful outside LimaCharlie's own source.
Sample Event:
{
"routing": {
"arch": 2,
"event_time": 1670861698000,
"event_type": "sensor_crash",
"hostname": "linux-server-1",
"ext_ip": "104.196.34.101",
"int_ip": "172.17.0.2",
"oid": "8cbe27f4-aaaa-cccc-bbbb-138cd51389cd",
"plat": 268435456,
"iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
"sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81"
},
"event": {
"crash_context": {
"FILE_ID": 63,
"LINE_NUMBER": 1216,
"THREAD_ID": 7808
}
}
}
SENSOR_OVER_QUOTA¶
Over quota deployment events are produced when a Sensor tries to connect but the Organization quota is already reached.
Sample Event:
{
"routing": {
"oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
"iid": "ca812425-5a36-4c73-a0a0-935a8ace6451",
"sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
"plat": 536870912,
"arch": 2,
"event_type": "sensor_over_quota",
"event_time": 1561741553230
},
"event": {
"public_ip": "104.196.34.101",
"internal_ip": "172.17.0.2",
"host_name": "linux-server-1"
}
}
SET_PERFORMANCE_MODE¶
Enables performance mode in the kernel (e.g., disables file tracking on Windows).
SYNC¶
Internal event used as a heartbeat to the cloud. Sent by default every 10 minutes.
UNLOAD_KERNEL¶
Allows manual unloading of the kernel component.
UPDATE¶
Internal event used to update the configuration of a specific collector within the endpoint sensor.
*_per_cloud_adapter¶
Events that are emitted once per period per cloud adapter. See Schedule Events Reference for more details.
Sample Event:
{
"event": {
"frequency": 1800,
"adapter_name": "office-audit",
"runtime_mtd": {
"entity_name": "81c72a07-9540-4341-9c35-66f6cfe1b9d7",
"entity_type": "adapter",
"mtd": {
"platform": "office365",
"hostname": "office-365-audit",
"adapter_type": "office365"
},
"published_at": 1689858693935
}
}
}
*_per_org¶
Events that are emitted once per period per org. See Schedule Events Reference for more details.
Sample Event:
{
"event": {
"frequency": 86400
},
"routing": {
"event_id": "0f236fbb-31df-4d11-b6ab-c6b71a63a072",
"event_time": 1673298756512,
"event_type": "1h_per_org",
"oid": "8cbe27f4-bfa1-4afb-ba19-138cd51389cd",
"sid": "00000000-0000-0000-0000-000000000000",
"tags": []
}
}
*_per_sensor¶
Events that are emitted once per period per Sensor. See Schedule Events Reference for more details.
Sample Event:
{
"event": {
"frequency": 1800,
"runtime_mtd": {
"entity_name": "81c72a07-9540-4341-9c35-66f6cfe1b9d7",
"entity_type": "sensor",
"mtd": {
"bytes_recv": 6202524,
"conn_at": 1689819872,
"eps_in": 1,
"eps_out": 0,
"q_size": 0
},
"published_at": 1689858693935
}
}
}
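The events above share a loose shape: most carry a `routing` block with `event_type`, `event_time` (milliseconds since the epoch) and the `oid`/`sid` the event concerns, and an `event` block with the payload, but `billing_record` and the `*_per_cloud_adapter` sample have no `routing` block at all, and `deleted_sensor` expresses `denied_for` as a Go-style duration string. The following is an added example, not LimaCharlie's own code or SDK, showing how a consumer (for instance behind a webhook Output) can triage a batch of these events: it normalises the timestamp, tolerates the unrouted shapes, parses the duration, and ranks the findings by a severity mapping that is this example's own choice. The sample events are constructed from the shapes on this page.

```python
"""Triage LimaCharlie platform events (added example, not the LimaCharlie SDK)."""
import json
import re
from datetime import datetime, timezone

# Severity per event type: this example's own triage policy, not a LimaCharlie setting.
SEVERITY = {
    "sensor_clone": "high",          # one Sensor ID on several hosts (cloned image)
    "deleted_sensor": "medium",      # a retired agent is still phoning home
    "sensor_over_quota": "medium",   # agent refused because the org quota is full
    "cloud_adapter_disabled": "medium",
    "data_dropped": "medium",        # telemetry gap while the host was offline
    "sensor_crash": "low",
    "quota_changed": "info",
    "enrollment": "info",
    "disconnected": "info",
}

# Go duration tokens: "720h0m0s", "1h30m", "500ms". "ms" must precede "m" in the alternation.
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}


def parse_go_duration(text):
    """Convert a Go-style duration string (as in denied_for) to seconds; ValueError if malformed."""
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:                     # unparsed characters between tokens
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):             # empty, or trailing garbage
        raise ValueError(f"bad duration: {text!r}")
    return total


def event_time_iso(routing):
    """Turn routing/event_time (epoch milliseconds) into an ISO-8601 UTC string, or None."""
    ms = routing.get("event_time")
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def triage(raw):
    """Classify one platform event (dict or JSON string) and return a finding dict."""
    evt = json.loads(raw) if isinstance(raw, str) else raw
    routing = evt.get("routing") or {}
    payload = evt.get("event") or {}
    etype = routing.get("event_type")
    if etype is None:                            # unrouted shapes seen on this page
        etype = "billing_record" if "record" in evt else (
            "per_cloud_adapter" if "adapter_name" in payload else "unknown")
    finding = {"event_type": etype, "severity": SEVERITY.get(etype, "info"),
               "oid": routing.get("oid"), "sid": routing.get("sid"),
               "when": event_time_iso(routing), "summary": ""}
    if etype == "sensor_clone":
        finding["summary"] = (f"sid reused: hostname {payload.get('previous_hostname')}"
                              f" -> {payload.get('new_hostname')}")
    elif etype == "deleted_sensor":
        days = parse_go_duration(payload["denied_for"]) / 86400
        finding["summary"] = f"{routing.get('hostname')} denied for {days:g} days"
    elif etype == "quota_changed":
        delta = payload["new_quota"] - payload["old_quota"]
        finding["summary"] = f"quota {payload['old_quota']} -> {payload['new_quota']} ({delta:+d})"
    elif etype == "cloud_adapter_disabled":
        finding["summary"] = f"adapter disabled: {payload.get('error')}"
    elif etype == "sensor_over_quota":
        finding["summary"] = f"{payload.get('host_name')} refused: org quota reached"
    elif etype == "billing_record":              # oid lives inside "record" here
        rec = evt["record"]
        finding["oid"] = rec.get("oid")
        finding["summary"] = f"{rec.get('k')}={rec.get('v')}"
    return finding


# Constructed sample events shaped like the samples on this page.
SAMPLE_EVENTS = [
    {"routing": {"oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
                 "sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81",
                 "event_type": "sensor_clone", "event_time": 1561741553230},
     "event": {"previous_hostname": "server-1", "new_hostname": "server-2"}},
    {"routing": {"oid": "d9ae5c17-d519-4ef5-a4ac-c454a95d31ca",
                 "sid": "a75cc927-bf28-4178-a42d-25ecc8a6be81", "hostname": "linux-server-1",
                 "event_type": "deleted_sensor", "event_time": 1561741553230},
     "event": {"denied_for": "720h0m0s"}},
    {"event": {"new_quota": 30, "old_quota": 25},
     "routing": {"event_time": 1644444297696, "event_type": "quota_changed",
                 "oid": "8cbe27f4-aaaa-cccc-bbbb-138cd51389cd"}},
    {"record": {"cat": "extension", "k": "ext-strelka:bytes_scanned",
                "oid": "8cbe27f4-aaaa-bbbb-cccc-138cd51389cd", "v": 2797}},
]


def triage_all(events=SAMPLE_EVENTS):
    """Triage a batch and return findings ordered by severity, highest first (stable sort)."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted((triage(e) for e in events), key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage_all():
        print(f"{f['severity']:<6} {f['event_type']:<22} {f['when'] or '-':<32} {f['summary']}")
```

The strict duration parser matters more than it looks: `denied_for` is the only field here that is not a number, and a permissive regex that silently accepted `720hours` as `720h` would under-report how long a deleted host is being refused.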