Why do I get Unauthorized errors from the REST API?¶
- Make sure the API endpoint you're trying to reach is enabled for LimaCharlie Cloud customers. The supported endpoints are the ones listed in the "LimaCharlie Cloud" category here.
- If you are using the tasking API to send tasks to sensors, make sure you are subscribed to the "tasking" add-on, otherwise your access tokens will lack the privilege required.
How do I select which events are sent back to me?¶
- Only certain events are sent back to the cloud for performance reasons.
- All events sent to the cloud are always sent to whatever Output you've configured.
- You can trigger the retrieval of additional events from the sensor in two ways:
    - Sending the history_dump task to a sensor will tell it to send home all events still cached in its memory, including events that are not sent to the cloud by default.
    - Sending the add_exfil task to a sensor will tell it to send home all instances of a specific event type for a specific amount of time.
- This means a common strategy is to have "first level" detections that look for general suspicious behavior, and when necessary for those detections to trigger history_dump to get full context.
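As an added example (not from the LimaCharlie documentation itself), the following detection and response (D&R) rule, written in the YAML rule format LimaCharlie uses, implements the two-tier strategy above: a broad first-level detection on a NEW_PROCESS event reports a detection and then tasks the same sensor with history_dump so the in-memory events arrive for context. The matched file name (powershell.exe) and the detection name are illustrative assumptions, not values taken from the page.

```yaml
# Added example D&R rule (not from the LimaCharlie docs): a first-level
# detection that pulls full context with history_dump. The matched value and
# the detection name are illustrative assumptions.
detect:
  event: NEW_PROCESS
  op: ends with
  path: event/FILE_PATH
  value: powershell.exe
  case sensitive: false
respond:
  # Emit a detection so the match is visible in the configured Outputs.
  - action: report
    name: suspicious-powershell-launch
  # Task the matching sensor to send home every event still cached in
  # memory, which includes events not forwarded to the cloud by default.
  - action: task
    command: history_dump
```

Keep the first-level match broad but not noisy: every match costs one history_dump, and the resulting burst of events lands in all of your configured Outputs.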
How do LimaCharlie events map with Sysmon events on Windows?¶
Many events generated in LimaCharlie have a good analog event in Sysmon (as described here):
- Event ID 1 (Process creation): NEW_PROCESS
- Event ID 3 (Network connection): NEW_*_CONNECTION
- Event ID 5 (Process terminated): TERMINATE_PROCESS
- Event ID 6 (Driver loaded): MODULE_LOAD, CODE_IDENTITY, DRIVER_CHANGE
- Event ID 7 (Image loaded): MODULE_LOAD, CODE_IDENTITY
- Event ID 8 (Create remote thread): NEW_REMOTE_THREAD
- Event ID 10 (ProcessAccess): REMOTE_PROCESS_HANDLE
- Event ID 11 (FileCreate): FILE_CREATE
- Event ID 12 (RegistryEvent object create and delete): REGISTRY_CREATE, REGISTRY_DELETE
- Event ID 13 (RegistryEvent value set): REGISTRY_WRITE
- Event ID 14 (RegistryEvent rename): REGISTRY_CREATE
- Event ID 17 (PipeEvent created): NEW_NAMED_PIPE
- Event ID 18 (PipeEvent connected): OPEN_NAMED_PIPE
LimaCharlie also generates many other events that have no Sysmon counterpart.
Why do I get an error 110 when isolating a host from the network?¶
The segregate_network command requires kernel support to be running on the target host. Kernel support is not always
available, depending on the operating system type and version. Error 110 means the sensor failed to access the
kernel component. You can view the status of kernel access for each sensor in the sensor list
of your organization or through the REST API.
Operating systems and versions with kernel access support are currently:
- Windows 7 and up.
- MacOS 10.7 and up.