LimaCharlie Demo

LimaCharlie Demo

A brief and high-level demonstration of the LimaCharlie platform. In this video, we walk you through the installation of a sensor and demonstrate some of what is possible.

LimaCharlie gives security teams full flexibility and control over their security posture by offering security infrastructure as a service.

Get started by creating an account. Once in, create a new tenant by choosing where you want your data to be processed and stored, and if you want to apply any preconfigurations. Depending on your selection, LimaCharlie will use infrastructure as code to apply a config and pre-set your environment the way you need it. You can change this at any time - infrastructure as code is core to what we do.

The four core components of LimaCharlie are sensors, outputs, detection, automation & response engine, and services.

The LimaCharlie sensor brings the logs and telemetry from any source - endpoints, network, cloud, browser, or any other external source. You can deploy sensors manually or at scale using RMM, SCCM, MDM, and other tools. Let’s quickly deploy a Windows sensor.

To get started we need to create an installation key. Installation keys are used to create sets of sensors within your organization.

Give your new key a description and add any tags you would like associated with the sensors created under this key.

Select the key you just created. Then download the appropriate installer for your architecture. Copy the installation command to your clipboard and run it in your terminal You can view the details of the sensor by clicking on it in the sensor list. Once the sensor is connected, it will start receiving telemetry in real-time.

You can browse telemetry, send commands, deploy executables, View running processes, memory strings, and memory maps. View network connections, what is going in, and what is going out, search file systems across your fleet, and more. Everything you see is using a true-real time connection to the endpoint.

To detect, respond, and automate processes, you can use LimaCharlie’s detection and response engine utilizing the open source Sigma ruleset, managed Soteria ruleset, or bring in existing detection and response logic from SOC Prime. With LimaCharlie, we give you the flexibility to write your own rules in YAML to protect against your unique requirements.

Ingest, retain, transform, route, search, and respond to all security data with one year of full telemetry storage by default. Decide what to send, where to send it, and use advanced filters to manage granularity of data. You can send detections to Slack or send only essential data to Splunk or other SIEM, dramatically reducing your data storage costs... And since we index all the data ingested for indicators of compromise, you can use LimaChrlie search to conduct investigations.

When a detection is triggered, navigate to the event timeline and investigate the issue. Isolate the endpoint, send commands or executables to remediate, or mark the detection as a false positive.

LimaCharlie builds its own security tools and makes it easy to integrate with your existing security stack. Leverage the LimaCharlie marketplace to enable Yara scanning, File & Registry Integrity monitoring, security posture testing with Atomic Red Team, forensic artifacts collection with Velociraptor, full multitenancy, integrations with Zeek, Twilio, PagerDuty, the ability to leverage threat feeds, and many other capabilities.

LimaCharlie is a common fabric for the integration and operationalization of security tools. Get support in our community Slack or read our detailed technical docs. Learn more or sign up for free with no credit card required at

General Links



Free Education: