From 4089bae96c32543ba8f98b5f87cf9c57d90c252e Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Wed, 18 Dec 2024 16:34:01 -0800
Subject: [PATCH 1/3] Tweaking LimaCharlie Linux EDR Telemetry.
---
 EDR_telem_linux.json | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/EDR_telem_linux.json b/EDR_telem_linux.json
index 37ae39b..3f03aaf 100644
--- a/EDR_telem_linux.json
+++ b/EDR_telem_linux.json
@@ -37,7 +37,7 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"Yes",
 "Elastic":"Yes",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"Yes",
 "Qualys":"Yes",
 "SentinelOne":"Yes",
@@ -52,7 +52,7 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"Yes",
 "Elastic":"Yes",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"No",
 "Qualys":"Yes",
 "SentinelOne":"Yes",
@@ -67,7 +67,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"Yes",
 "Elastic":"Yes",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"Yes",
 "Qualys":"Yes",
 "SentinelOne":"Yes",
@@ -82,7 +82,7 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Via EnablingTelemetry",
 "MDE":"Yes",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -97,7 +97,7 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Via EnablingTelemetry",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
@@ -112,7 +112,7 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Via EnablingTelemetry",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -202,7 +202,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Via EnablingTelemetry",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -217,7 +217,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Via EnablingTelemetry",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
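Review bot: The added value `"LimaCharlie":"Via EnablingTelemetry"` in hunks @@ -82, @@ -97, @@ -112, @@ -202 and @@ -217 (and @@ -232 on the following line) introduces a third state into a column that is otherwise only `"Yes"` or `"No"` in these hunks, so whatever scores or renders this table has to recognize that exact string, and if the project already uses such a value elsewhere it must be spelled identically here. The commit message should also record which LimaCharlie configuration has to be switched on for these event classes, since the practical meaning for a defender is that this coverage is opt-in and absent from a default deployment. The feature names these rows describe are outside the hunk context, so the specific telemetry classes being marked cannot be checked from the diff alone.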
@@ -232,7 +232,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Via EnablingTelemetry",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -337,7 +337,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -352,7 +352,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -367,7 +367,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
@@ -442,7 +442,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
From 7da819bca888b285c568cde7a12c14a0269b5f0c Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Sat, 21 Dec 2024 18:10:03 -0800
Subject: [PATCH 2/3] No such thing as IMPHash on Linux ELFs.
---
 EDR_telem_linux.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/EDR_telem_linux.json b/EDR_telem_linux.json
index 3f03aaf..1006f54 100644
--- a/EDR_telem_linux.json
+++ b/EDR_telem_linux.json
@@ -442,11 +442,11 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"Yes",
+ "LimaCharlie":"No",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
 "Sysmon":"Yes",
 "Uptycs":"No"
 }
-]
\ No newline at end of file
+]
From a51fc26ced7acc81a1b9d0888be93a5441de0016 Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Sat, 28 Dec 2024 17:04:52 -0800
Subject: [PATCH 3/3] Update EDR_telem_linux.json
Marking fuzzy hash as Yes since we support TLSH.
---
 EDR_telem_linux.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/EDR_telem_linux.json b/EDR_telem_linux.json
index 9854ade..ff80dbf 100644
--- a/EDR_telem_linux.json
+++ b/EDR_telem_linux.json
@@ -442,7 +442,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"No",
+ "LimaCharlie":"Yes",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
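Review bot: The `"LimaCharlie":"Yes"` flipped back on at line 445 sits at exactly the position patch 2 set to `"No"` on the grounds that IMPHash does not apply to ELF files, and the hunk context (vendor columns only, no feature key) does not show that this line now holds the fuzzy-hash row the message refers to. The `index 9854ade..ff80dbf` line shows this patch is based on a blob that is not patch 2's output `1006f54`, so the file changed in between and the row at that line may have moved. Before merging, confirm against the full file that line 445 is the fuzzy-hash entry rather than the IMPHash one, and name the row in the commit title, e.g. `Linux: mark fuzzy hash as Yes for LimaCharlie (TLSH)`, so the history records which capability changed instead of a bare line number.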