
Cross-Org Visibility for LimaCharlie

At Recon InfoSec we run many aspects of our security operations on LimaCharlie. It's an API-first EDR platform that gives us total control over how we build and run our security stack. We can deploy sensors across any environment, and from there we have complete flexibility. We bring in telemetry from virtually any source and process it at wire speed with detection and response actions that we write and tune, plus we have infinite knobs and dials to adjust everything from what telemetry we’re surfacing, to how it is transformed through the system, and what we finally pass on for post processing. Instead of working around a vendor's assumptions about how security operations should look, we build the exact platform we need to best serve our customers.

So with great power comes great responsibility. A Lego set this awesome will also give you very sore feet if it's just spread across the carpet. And while LimaCharlie gives you great visibility into each individual org, if you're managing several of them, you need to be able to understand them in the context of the whole. For example: if output data has suddenly spiked, is a particular org responsible? What is the lowest-volume time of day, so I know when to plan production changes? How many sensors are online here versus there? Are quotas set appropriately? And so on. To this end, we built a Prometheus exporter that hits the LimaCharlie API across all your orgs and pulls down those stats, nicely formatted and labeled. From there, you can plug it into Grafana or your graphing tool of choice and you've got a unified view of everything. Time series observability like this is useful for a single LimaCharlie organization, and practically mandatory for anyone with multiple organizations. So for enterprises that have divided things up by region or business unit, for MSSPs, or for security operations providers like Recon, this tool can be invaluable.


Out of the box, this exporter tracks online sensor count and quota as gauges, plus log bytes, output bytes, sensor events, sensor times, and USP bytes as counters, polling every 10 minutes by default. Configuration is simple, with two files and a Dockerfile included so you can be up and running quickly.
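To make the gauge-versus-counter split and the per-org labeling concrete, here is an added example that is not code from the prometheus_lcexporter project: it models a few of the stats above as Prometheus series with an `org` label, renders them in the text exposition format, and answers two of the cross-org questions from the previous paragraph (which org is behind an output spike, and which orgs are at their sensor quota) by comparing two successive polls. The LimaCharlie API calls are replaced with constructed sample data; the metric names, the `OrgStats` shape and the helper functions are assumptions for illustration, not the exporter's own.

```python
"""Added example, not code from prometheus_lcexporter. LimaCharlie API
responses are replaced with constructed sample data (POLL_T0, POLL_T1)."""
from dataclasses import dataclass
from typing import Dict, List

POLL_INTERVAL_S = 600  # the exporter's default 10-minute poll


@dataclass
class OrgStats:
    org: str
    sensors_online: int
    sensor_quota: int
    output_bytes: int  # cumulative, so modeled as a counter
    log_bytes: int     # cumulative, so modeled as a counter


# Constructed sample data standing in for two API polls, 10 minutes apart.
POLL_T0: List[OrgStats] = [
    OrgStats("acme", 120, 150, 10_000_000, 5_000_000),
    OrgStats("globex", 40, 50, 2_000_000, 1_000_000),
    OrgStats("initech", 10, 10, 500_000, 250_000),
]
POLL_T1: List[OrgStats] = [
    OrgStats("acme", 118, 150, 10_600_000, 5_300_000),
    OrgStats("globex", 41, 50, 8_000_000, 1_100_000),
    OrgStats("initech", 10, 10, 100_000, 260_000),  # counter went backwards
]

# Assumed metric names: gauges for point-in-time values, counters (with the
# conventional _total suffix) for cumulative byte counts.
METRICS = {
    "lc_sensors_online": ("sensors_online", "gauge", "Sensors currently online"),
    "lc_sensor_quota": ("sensor_quota", "gauge", "Configured sensor quota"),
    "lc_output_bytes_total": ("output_bytes", "counter", "Cumulative output bytes"),
    "lc_log_bytes_total": ("log_bytes", "counter", "Cumulative log bytes"),
}


def escape_label(value: str) -> str:
    """Escape a label value as the exposition format requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def render_metrics(stats: List[OrgStats]) -> str:
    """Render one scrape: one series per org for each metric."""
    out = []
    for name, (attr, mtype, help_text) in METRICS.items():
        out.append(f"# HELP {name} {help_text}")
        out.append(f"# TYPE {name} {mtype}")
        for s in stats:
            out.append(f'{name}{{org="{escape_label(s.org)}"}} {getattr(s, attr)}')
    return "\n".join(out) + "\n"


def per_org_rate(prev: List[OrgStats], curr: List[OrgStats], attr: str,
                 interval_s: int = POLL_INTERVAL_S) -> Dict[str, float]:
    """Per-org rate (units/second) of a cumulative counter across two polls.

    A value that went backwards is treated as a counter reset, i.e. the new
    value counts from zero, which is the same assumption Prometheus rate() makes.
    """
    prev_by_org = {s.org: s for s in prev}
    rates: Dict[str, float] = {}
    for s in curr:
        p = prev_by_org.get(s.org)
        if p is None:
            continue  # org first seen this poll; no rate yet
        delta = getattr(s, attr) - getattr(p, attr)
        if delta < 0:
            delta = getattr(s, attr)
        rates[s.org] = delta / interval_s
    return rates


def spike_share(rates: Dict[str, float]) -> Dict[str, float]:
    """Each org's share of the total rate, for attributing a spike."""
    total = sum(rates.values())
    if total == 0:
        return {org: 0.0 for org in rates}
    return {org: r / total for org, r in rates.items()}


def dominant_org(rates: Dict[str, float], min_share: float = 0.5):
    """The org producing at least min_share of the volume, or None."""
    for org, share in spike_share(rates).items():
        if share >= min_share:
            return org
    return None


def at_quota(stats: List[OrgStats], threshold: float = 0.9) -> List[str]:
    """Orgs whose online sensor count is at or above threshold of quota."""
    return [s.org for s in stats
            if s.sensor_quota > 0 and s.sensors_online / s.sensor_quota >= threshold]


if __name__ == "__main__":
    print(render_metrics(POLL_T1))
    rates = per_org_rate(POLL_T0, POLL_T1, "output_bytes")
    print("output bytes/s per org:", rates)
    print("spike attributed to:", dominant_org(rates))
    print("orgs at quota:", at_quota(POLL_T1))
```

The rate and share logic here is what a `rate(lc_output_bytes_total[10m])` panel grouped by `org` does for you once the series carry the label; the point of labeling every series with the org rather than exporting one summed value is that the attribution question can be answered after the fact without re-polling.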

We built it because we needed it. We're sharing this with the community because anyone managing LimaCharlie orgs can benefit from it too. It's MIT licensed and available now at https://github.com/ReconInfoSec/prometheus_lcexporter.

We built this for our own environment, so if your setup is different, there are likely places where it could be more flexible. Pull requests are welcome. If you've got ideas for how to make it work better for your situation, bring them. That's why it's open source.

If LimaCharlie's capabilities sound like what your security operations need, but you'd rather have a team running it for you, that's exactly what we do at Recon InfoSec. We live on this platform every day and we know how to get the most out of it. Reach out to learn more about our Managed Security Operations.