LimaCharlie Cloud Quick Start¶
Logging in¶
To access LimaCharlie.io, you will first need to create an account. The account can be tied to a specific email address (which you will be required to verify) or to a Google account (easiest by far).
From the bottom of https://limacharlie.io follow the login instructions. If an email verification is required you will be prompted to do so.
Create an Organization¶
The first thing to do with your new access is to create an organization. Everything in limacharlie.io is structured under organizations. Sensors belong to organizations, and billing is tied to them as well.
On the right side of the Member Organizations section of the dashboard, click on "Create".
Select a datacenter. This decides where in the world your sensors will connect. Many countries are available. Note that since LCC does not do any retention, this mainly determines where the data from the sensors will be processed, not stored (where it is stored is up to you).
Enter an organization name. This name must be unique. The "Name Available" indicator should show a green checkbox a few seconds after you've entered a valid name.
LimaCharlie comes with a free tier of two sensors. You do not need a credit card to get this free tier, but if you decide to upgrade your quota, you will have to enter your credit card information.
Click "Create". Within a few seconds you should see an indication that your organization is ready.
Click on the top left link to "Dashboard".
The dashboard shows you a list of all the organizations you have access to. You should see the organization you just created.
On the left-most side of the organization record, you should see a dot that is either green or red. If you hover over it, it will show you the details of the current organization status. In less than 30 seconds, the dot should turn green with a status of "NORMAL".
Click on the name of the organization to go see its details.
This view is centered around the particular organization you just created. It contains a few different sections:
Here you can manage all your installation keys. These are the keys that allow you to enroll sensors into this organization.
Outputs decide how and where the data and detections from your sensors should go to.
This is a list of all the sensors enrolled into your organization.
This is where you can manage the Detection & Response rules.
If you enable Insight (retention), you will see the latest detections here.
If you enable Insight (retention), you will be able to search your organization for historical indicators here.
These are simply reference links to download the sensor installers. Quick tip, here is the pattern you can use to download the installers directly to your computers:
- https://limacharlie.io/get/windows/32 for the Windows 32 bit installer
- https://limacharlie.io/get/windows/64 for the Windows 64 bit installer
- https://limacharlie.io/get/linux/64 for the Linux 64 bit installer
- https://limacharlie.io/get/mac/64 for the MacOS 64 bit installer
The details of your current plan, as well as how to change it, are displayed here. If you decide you want to increase your sensor quota to, say, 20, you would simply enter "20" in the line beside the "REQUEST QUOTA" button. A quick reflection of the new price you will be paying monthly will appear to the right. If you then click on the "REQUEST QUOTA" button, you should get an indication of the new quota getting reflected within a few seconds.
This is a central location where you can find all the relevant logs. The management logs are generated by limacharlie.io and report activity at an account and organization level. Who requested quota, gained access to the organization, billing etc.
The error log reports errors generated by various components of LimaCharlie, like Outputs failing to send data for example.
Finally the audit logs are LimaCharlie internal logs about things like creation of new installation keys, deletion of sensors or commands sent to sensors.
Described in more detail here.
This is where you can subscribe to optional capabilities from the marketplace and view currently active add-on subscriptions.
Here you can manage which users have access to your organization in limacharlie.io.
Some integrations require additional information (like a VirusTotal API key); you can specify it here.
Enable Insight¶
With the LimaCharlie free tier, Insight (data retention) is included for the full year. We recommend you enable it through the Billing section. It is optional. If you'd like to configure forwarding of your data somewhere, feel free to proceed with the Create Outputs section later on.
Enabling Insight will provide you with much more immediate feedback from your sensors without having to configure anything.
Create an Installation Key¶
Now that we have our bearings, let's move ahead. Click on the "+" for Installation Keys. The popup will ask you to give the new key a description (this is purely for your benefit) and a list of comma-separated tags.
The tags you specify will automatically get applied to the sensors that enroll using this key. They can be added/removed from sensors in the future, but this provides a convenient mechanism to manage the sensors you install by creating keys for logical groups like "server", "workstation", "executive" or "sales".
Click "Create". The new key should appear in the Installation Keys section.
Now click the copy icon (two superimposed squares) of the new key. This will copy the key (a long encoded string) into your clipboard.
Install a Sensor¶
On the computer where you want to install the sensor, download the installer. For example on Linux we might do:
wget --content-disposition https://limacharlie.io/get/linux/64
Each platform may have small subtleties; you should have a look at the detailed instructions.
For the purpose of this quick-start, we will simply install the sensor on a Linux server without persistence (the sensor will not install permanently on the computer).
Once you've downloaded the sensor via wget, you need to make it executable:
chmod +x ./lc_linux_64
Then we run the installer as root with the -d <installation key> argument (where <installation key> is the key copied from the clipboard in the last step above). It should look like this:
sudo ./lc_linux_64 -d AAAABgAAAQ4HAAABJjCCASIwDQYJ........
Press enter, you should see some output to standard out on the command line.
That's it, your sensor is running. Although other platforms can be slightly different, they're all equally easy.
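The install steps above (download, mark executable, run with -d) as a single script. This is an added example, not LimaCharlie's own tooling: the installer URLs and the -d flag come from this page, while the function names, the ./lc_sensor filename, the key-file convention and the --install switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not LimaCharlie tooling. URLs and the -d flag are from this
# page; function names, ./lc_sensor, the key file and --install are assumed.

# Map `uname -s` and `uname -m` output to an installer URL listed on this page.
lc_installer_url() {
    case "$1/$2" in
        Linux/x86_64)  echo "https://limacharlie.io/get/linux/64" ;;
        Darwin/x86_64) echo "https://limacharlie.io/get/mac/64" ;;
        *) echo "no installer listed for $1/$2" >&2; return 1 ;;
    esac
}

# Read the installation key from a file so it is not typed into shell history.
# Anyone holding the key can enroll sensors, so refuse a key file that group
# or other users can access.
lc_read_key() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "key file not found: $keyfile" >&2; return 1; }
    case $(ls -ld "$keyfile") in
        -???------*) ;;
        *) echo "refusing $keyfile: run chmod 600 on it first" >&2; return 1 ;;
    esac
    key=$(tr -d '[:space:]' < "$keyfile")
    [ -n "$key" ] || { echo "key file is empty: $keyfile" >&2; return 1; }
    printf '%s\n' "$key"
}

# Download, mark executable, and run without persistence, as in the steps above.
# The key is still visible in the process arguments while the installer runs.
lc_install() {
    url=$(lc_installer_url "$(uname -s)" "$(uname -m)") || return 1
    key=$(lc_read_key "$1") || return 1
    wget -O ./lc_sensor "$url" || return 1
    chmod +x ./lc_sensor
    sudo ./lc_sensor -d "$key"
}

# Nothing is downloaded unless the script is called as: script --install <keyfile>
if [ "${1:-}" = "--install" ]; then
    lc_install "${2:?usage: $0 --install <keyfile>}"
fi
```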
Confirm Enrollment¶
Back on the limacharlie.io website, if you refresh the organization view page you were on, you should now see your sensor's hostname in the Sensors section and a quota of 1 / 2 in the Billing section. This page refreshes the details of your organization automatically, but it does so at a slow frequency, so to check quick changes you may need to refresh it.
If you click on the "Details" link of the Sensors section, you will get a popup of the details of this new sensor. There you can add and remove tags as well as delete the sensor. Deleting the sensor will prevent it from connecting to your organization. This is a useful feature if you somehow lose control over an Installation Key and unknown people start registering sensors.
Create an Output¶
This section is optional.
If you want to forward your data to infrastructure you own, that is the job of the Outputs. Click on the "+" of the Outputs section. The popup will let you define:
- A name (a unique name to the output within your organization, purely for your benefit).
- A module, this is the method used to export the data from limacharlie.io to your data storage.
- A stream, this is the type of data to export:
  - Events is a raw stream of all events from sensors.
  - Detections is a stream of all the alerts, or things detected.
  - Audit is a stream of the auditing events, to be used for compliance mainly.
Depending on the module you chose, different options will be available. The outputs are quite simple to configure; which one is best depends on your organization. Modules include Syslog, SFTP and Amazon S3 Buckets, which cover the most common use cases.
A good, safe recommendation for output would be using SFTP.
For a basic setup, creating an Ubuntu server with SFTP in a cloud provider such as Google Cloud or Digital Ocean, along with a Splunk Free version, does a great job.
Some more documentation on Output can be found here. More tutorials and apps for Splunk and ELK will become available shortly.
For the purpose of this quick start, we recommend you use the installation script that will install a free Splunk instance on an Ubuntu LTS box and configure it to receive LimaCharlie data through SFTP. It's the quickest way of getting started.
Simply create an Ubuntu LTS box somewhere (we use Digital Ocean) with about 2 GB of RAM minimum, then copy the installation script over, make it executable (chmod +x ./install_simple_splunk.sh) and execute it as root. Once installed (takes about 2 minutes) all the relevant configuration information you need for the LimaCharlie Output.
Go Live¶
You can go live with your sensor to see data coming back in real-time and interact with it. To do this, go to the Sensor List section and click on the Go Live button beside your sensor. This will open a new window where you can perform various operations with the sensor in real-time.
Confirm Data¶
If you enabled Insight, then things should happen by themselves. Go to the Sensor List section and click on the "History" button beside your sensor. It can take up to 2 minutes for your data to show up there (rest assured all detection and response is in real-time, only the long term storage can take some time to populate).
Data should start flowing to your Output fairly quickly, depending on how much data your sensor is generating. If an error is encountered by the output, details will be given in the Error Log section and the output will be retried after a few minutes.
That's it, you're now ready to start adding more sensors!