Tweaking LimaCharlie Linux EDR Telemetry. #103
Conversation
Hi @maximelb, thank you for this PR. I have personally tested LimaCharlie, and the events you refer to in the documentation were unavailable during testing. I consulted the documentation but could not corroborate it with the results of the telemetry generator script. Would you mind running the script on your end and sharing any evidence of the changes you are proposing? I might have made a mistake, so I would really appreciate it if you could run it and double-check my work. Thank you!
Ah, sorry @tsale, I didn't realize the test scripts were now for the telemetry itself. Will do. What probably happened is that we recently enhanced the eBPF support, which is required for a bunch of those events. Before this it was easy to be missing some requirement for the eBPF support.
Thanks @maximelb. That's great to hear! If you provide me with the evidence to support these changes after running the script, I will be more than happy to merge this PR.
@tsale Is this what you're looking for? ubuntu-jammy-6.8.0-1020-gcp-1-function_output_log.csv
I think these are the results of the script you ran. It indicates that every module was run successfully. What we need is evidence that you can see the events on the LimaCharlie platform.
Ok, here are the sample events per category. If you need a raw dump, I can share it as well. File Modifications:
Service:
IMPHash:
Thanks for providing evidence regarding the File Manipulation and Service Activity categories. I am ok with changing those to "Yes". However, could you please provide more information and evidence regarding the events that you have as "Via EnablingTelemetry"?
Sure, I will send something tomorrow. Honestly, it's because we can natively tap into any local system log, so anything in any log can be alerted on and automatically collected. So I suspect we actually have a bunch of the other items as Enabling Telemetry, but I figured those were the obvious ones I knew were logged.
That sounds great! If you can show us how a user can enable those events and share some evidence that the telemetry for those events is generated after running the telemetry generator script, I'd be happy to go ahead and merge this for you.
Marking fuzzy hash as Yes since we support TLSH.
Ok, I removed the "with extra data" because frankly I don't feel like figuring out where Linux stores those logs. :) So I think we're good?
Looks good, thank you!
Pull Request Template
This PR adds the types of EDR telemetry supported by LimaCharlie on Linux. Many of the events are fully supported, and some are partially supported via on-host default logs that can automatically be leveraged/parsed/alerted on. Some of the categories are mainly supported through the eBPF support built into LimaCharlie.
Description
Please provide the below information so we can validate before merging:
1: Yes
2: Open documentation: https://docs.limacharlie.io/docs/reference-edr-events
3: -
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
No tests have been run since it's a simple JSON change limited to LimaCharlie's capabilities only.
Test Configuration:
Checklist:
Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂