Event Data

There are currently 54 different events that can be reported by the endpoint using the LimaCharlie sensor. A complete list of reportable events can be found in the documentation here: LimaCharlie Events

The following is an example of the data produced by the MODULE_LOAD event:

{
  "MEMORY_SIZE": 241664,
  "PROCESS_ID": 2904,
  "FILE_PATH": "C:\\Windows\\System32\\imm32.dll",
  "MODULE_NAME": "imm32.dll",
  "TIMESTAMP": 1468335264989,
  "BASE_ADDRESS": 140715814092800
}

The event telemetry is recorded and transmitted in JSON. The MODULE_LOAD data shown above contains only the event-specific fields; the fields common to all events (sensor id, organization id, hostname, event type, event time, tags, and so on) are carried in a "routing" object that wraps the event. The same MODULE_LOAD event as it would appear in the stream looks like this:

{
  "routing": {
    "this": "12d5980c734fb7fed9b550ef9e7031e7",
    "hostname": "kokaleeOSX-2.local",
    "event_type": "MODULE_LOAD",
    "investigation_id": "61311e8d_req/72024a3a-f87d-4051-9db5-3e0e2a61d8fc",
    "tags": [ "vip" ],
    "event_id": "9397fb38-e6d7-4541-bf68-bdf05d13c459",
    "oid": "361a959a-0d2a-4cff-b161-c48391aa82ca",
    "iid": "abc4b3d5-7042-4800-97ba-34250418b7d4",
    "plat": 805306368,
    "ext_ip": "50.92.31.3",
    "sid": "14528227-7511-46e2-a195-7824fec6c217",
    "event_time": 1540756445491,
    "int_ip": "10.0.1.40",
    "arch": 2,
    "moduleid": 2
  },
  "event": {
    "MEMORY_SIZE": 241664,
    "PROCESS_ID": 2904,
    "FILE_PATH": "C:\\Windows\\System32\\imm32.dll",
    "MODULE_NAME": "imm32.dll",
    "TIMESTAMP": 1468335264989,
    "BASE_ADDRESS": 140715814092800
  }
}
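As an added illustration (not LimaCharlie's own code), the following Python splits one stream record into its routing envelope and event body, checks that the common routing fields are present, converts the millisecond event_time, and applies a simple MODULE_LOAD triage rule. The sample record is constructed from the values on this page; the trusted-directory list is an assumption for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample: one MODULE_LOAD event inside the routing envelope, using
# the field values shown on this page (only the fields this example needs).
SAMPLE_LINE = json.dumps({
    "routing": {
        "hostname": "kokaleeOSX-2.local",
        "event_type": "MODULE_LOAD",
        "sid": "14528227-7511-46e2-a195-7824fec6c217",
        "oid": "361a959a-0d2a-4cff-b161-c48391aa82ca",
        "event_time": 1540756445491,
        "tags": ["vip"],
    },
    "event": {
        "MEMORY_SIZE": 241664,
        "PROCESS_ID": 2904,
        "FILE_PATH": "C:\\Windows\\System32\\imm32.dll",
        "MODULE_NAME": "imm32.dll",
        "TIMESTAMP": 1468335264989,
        "BASE_ADDRESS": 140715814092800,
    },
})

# Routing fields every record is expected to carry (subset chosen for this example).
REQUIRED_ROUTING = ("hostname", "event_type", "sid", "oid", "event_time")


def parse_event(line):
    """Split one JSON stream record into (routing, event); raise on a malformed envelope."""
    rec = json.loads(line)
    routing, event = rec.get("routing"), rec.get("event")
    if not isinstance(routing, dict) or not isinstance(event, dict):
        raise ValueError("record lacks a 'routing' or 'event' object")
    missing = [k for k in REQUIRED_ROUTING if k not in routing]
    if missing:
        raise ValueError(f"routing is missing fields: {missing}")
    return routing, event


def event_time_utc(routing):
    """routing.event_time is milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(routing["event_time"] / 1000, tz=timezone.utc)


def module_outside_trusted_dirs(routing, event, trusted=("c:\\windows\\system32\\",)):
    """True for a MODULE_LOAD whose DLL path is not under a trusted directory (assumed list)."""
    if routing["event_type"] != "MODULE_LOAD":
        return False
    path = event.get("FILE_PATH", "").lower()
    return not any(path.startswith(d) for d in trusted)
```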

A typical endpoint can be expected to produce ~1-2 MB per day; however, this can vary dramatically based on endpoint activity. All event data is encrypted using SSL (RSA+AES) while in transit.