Scaling your SOC startup with

LimaCharlie prsents itself as a ‘Security Infrastructure as a Service’ platform. The platform can connect to multiple sources via ‘sensors’ and then provides scalable access to security tools such as AtomicRedTeam, Velociraptor, VirusTotal etc.

In addition, deployment is easy and pricing is transparent, making it a perfect storm to scale a SOC.

LimaCharlie integrates with many different sources, but a common one being Windows endpoints. It installs via a sensor, and reports telemetry to the console, where you can then apply D&R (Detection & Response) rules as well as collect artefacts for forensics analysis.


The following sources are currently supported:

  • Windows (Ingest events such as process events, file system, registry, network, WEL) you can then run YARA rules via the sensor and directly connect to the machine via a shell where you can then respond directly.
  • MacOS and Linux (same as above)
  • Docker (same capabilities as above)
  • VMWare Carbon Black (Ingest EDR events from CB)
  • Office 365 (audit events)
  • Windows Event Logs
  • Microsoft Defender
  • Duo
  • Common Event Format logs (ArcSight CEF logs)
  • Net (Network events)

Deploying the sensor to Windows was super simple, within near real-time of running the one liner PowerShell command to install the sensor (.exe), it was reporting telemetry to the LimaCharlie console.

Detection & Response via LimaCharlie

The rules in LC are split into ‘Detection’ & ‘Response’, the syntax is very similar to Sigma.

A basic rule to detect DNS requests to ‘’, which then generates an alert called “DNS Hit”:

# Detection


op: is

path: event/DOMAIN_NAME


# Response

- action: report

name: DNS Hit

An example view of the D&R interface.

Add-Ons & Marketplace

The real scalability comes in here, LC offers 3 categories of ‘add-ons’:

  • API
  • Services
  • Lookups


Essentially an area full of currated IOC and IOA lists that embed directly into the D&R rules.


Multiple services are available, which provide additional capabilities:

  • PCAP
  • Memory dumper
  • Atomic red team
  • Pager Duty
  • SOC Prime
  • Sigma
  • Velociraptor
  • YARA
  • Zeek

It’s free to get started: free tier with 2 max sensors and no charge for add-ons / usage.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store