Reference: Schedule Events¶
Schedule events are triggered automatically at various intervals per Organization or per Sensor, observable in rules via the schedule target.
Scheduling events have a very similar structure whether they are per-sensor or per-org.
The event component contains a single key, frequency which is the number of seconds frequency this scheduling event is for. The event type also contains the human readable version of the frequency.
The following frequencies are currently emitted:
30m:30m_per_organd30m_per_sensor1h:1h_per_organd1h_per_sensor3h:3h_per_organd3h_per_sensor6h:6h_per_organd6h_per_sensor12h:12h_per_organd12h_per_sensor24h:24h_per_organd24h_per_sensor168h(7 days):168h_per_organd168h_per_sensor
Scheduling events are generated for each org that meets the following criteria:
- Has had at least 1 sensor online in the last 7 days.
Scheduling events are generated for each sensor that meets the following criteria:
- Has been online at least once in the last 30 days.
Scheduling events are not retained as part of the year retention in LimaCharlie. To leverage them, create D&R rules that target the schedule target and take the relevant action when matched. For example to issue an os_packages once per week on Windows hosts:
detect:
target: schedule
event: 168h_per_sensor
op: is platform
name: windows
respond:
- action: task
command: os_packages
investigation: weekly-package-list
In LimaCharlie, an Organization represents a tenant within the SecOps Cloud Platform, providing a self-contained environment to manage security data, configurations, and assets independently. Each Organization has its own sensors, detection rules, data sources, and outputs, offering complete control over security operations. This structure enables flexible, multi-tenant setups, ideal for managed security providers or enterprises managing multiple departments or clients.
Similar to agents, Sensors send telemetry to the LimaCharlie platform in the form of EDR telemetry or forwarded logs. Sensors are offered as a scalable, serverless solution for securely connecting endpoints of an organization to the cloud.