Collect LimaCharlie EDR logs

This document explains how to ingest LimaCharlie EDR logs into Google Security Operations (Google SecOps) using a Google Cloud Storage bucket. The parser extracts events from JSON-formatted logs, normalizes their fields into the Unified Data Model (UDM), and handles both top-level events and the event nested inside a detection. It parses DNS requests, process creation, file modifications, network connections, and registry changes, maps the relevant fields to their UDM equivalents, and enriches the data with LimaCharlie-specific context.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to Google Cloud
  • Privileged access to LimaCharlie

Create a Google Cloud Storage Bucket

  1. Sign in to the Google Cloud console.
  2. Go to the Cloud Storage Buckets page.

  3. Click Create.

  4. On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:

    1. In the Get started section, do the following:

      • Enter a unique name that meets the bucket name requirements (for example, cloudrun-logs).
      • To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
      • To add a bucket label, click the expander arrow to expand the Labels section.
      • Click Add label, and specify a key and a value for your label.
    2. In the Choose where to store your data section, do the following:

      • Select a Location type.
      • Use the location type's menu to select a Location where object data within your bucket will be permanently stored.
      • To set up cross-bucket replication, expand the Set up cross-bucket replication section.
    3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.

    4. In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.

    5. In the Choose how to protect object data section, do the following:

      • Select any of the options under Data protection that you want to set for your bucket.
      • To choose how your object data will be encrypted, click the Data encryption expander arrow, and then select a Data encryption method.
  5. Click Create.

Configure Log Export in LimaCharlie EDR

  1. Sign in to the LimaCharlie portal.
  2. Select Outputs from the left menu.
  3. Click Add Output.
  4. Choose output stream: Select Events.
  5. Choose output destination: Select Google Cloud Storage.
  6. Provide the following configuration details:
    • Bucket: Name of the Google Cloud Storage bucket to write to.
    • Secret Key: JSON key of the service account that the output uses to write to the bucket.
    • Sec per File: Number of seconds after which the current file is cut and uploaded.
    • Compression: Set to False.
    • Indexing: Set to False.
    • Dir: Directory prefix under which the files are written in the bucket.
  7. Click Save output.

Configure a feed in Google SecOps to ingest LimaCharlie EDR logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Limacharlie EDR Logs).
  4. Select Google Cloud Storage as the Source type.
  5. Select LimaCharlie as the Log type.
  6. Click Get Service Account as the Chronicle Service Account.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Storage Bucket URI: Google Cloud Storage bucket URL in gs://my-bucket/<value> format.
    • URI Is A: Select Directory which includes subdirectories.
    • Source deletion options: Select deletion option according to your preference.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label applied to the events from this feed.
  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| cat | security_result.summary | Renamed from cat. Applies when detect is not empty. |
| detect.event.COMMAND_LINE | principal.process.command_line | Renamed from detect.event.COMMAND_LINE. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.COMMAND_LINE | principal.process.command_line | Renamed from detect.event.COMMAND_LINE. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.FILE_PATH | principal.process.file.full_path | Renamed from detect.event.FILE_PATH. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.FILE_PATH | principal.process.file.full_path | Renamed from detect.event.FILE_PATH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.HASH | principal.process.file.sha256 | Renamed from detect.event.HASH. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.HASH | principal.process.file.sha256 | Renamed from detect.event.HASH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.HASH_MD5 | principal.process.file.md5 | Renamed from detect.event.HASH_MD5. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.HASH_SHA1 | principal.process.file.sha1 | Renamed from detect.event.HASH_SHA1. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT.COMMAND_LINE | principal.process.command_line | Renamed from detect.event.PARENT.COMMAND_LINE. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT.COMMAND_LINE | principal.process.parent_process.command_line | Renamed from detect.event.PARENT.COMMAND_LINE. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT.FILE_PATH | principal.process.file.full_path | Renamed from detect.event.PARENT.FILE_PATH. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT.FILE_PATH | principal.process.parent_process.file.full_path | Renamed from detect.event.PARENT.FILE_PATH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT.HASH | principal.process.file.sha256 | Renamed from detect.event.PARENT.HASH. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT.HASH | principal.process.parent_process.file.sha256 | Renamed from detect.event.PARENT.HASH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT_PROCESS_ID | principal.process.pid | Renamed from detect.event.PARENT_PROCESS_ID. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PARENT_PROCESS_ID | principal.process.parent_process.pid | Renamed from detect.event.PARENT_PROCESS_ID. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PROCESS_ID | target.process.pid | Renamed from detect.event.PROCESS_ID. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.PROCESS_ID | principal.process.pid | Renamed from detect.event.PROCESS_ID. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect.event.USER_NAME | principal.user.userid | Renamed from detect.event.USER_NAME. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is not empty. |
| detect_mtd.description | security_result.description | Renamed from detect_mtd.description. Applies when detect is not empty. |
| detect_mtd.level | security_result.severity | Copied from detect_mtd.level and converted to uppercase. Applies when detect is not empty. |
| event.COMMAND_LINE | principal.process.command_line | Renamed from event.COMMAND_LINE. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.COMMAND_LINE | principal.process.command_line | Renamed from event.COMMAND_LINE. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.DLL | target.file.full_path | Copied from event.DLL. Applies when event_type is SERVICE_CHANGE. |
| event.DOMAIN_NAME | network.dns.questions.0.name, network.dns.answers.0.name | Renamed to a.name, then copied to q.name, then merged into the network.dns.questions and network.dns.answers arrays. Applies when event_type is DNS_REQUEST. |
| event.DNS_TYPE | network.dns.answers.0.type | Renamed to a.type, then merged into the network.dns.answers array. Applies when event_type is DNS_REQUEST. |
| event.ERROR | security_result.severity_details | Copied from event.ERROR. Applies when event.ERROR is not empty. |
| event.EXECUTABLE | target.process.command_line | Copied from event.EXECUTABLE. Applies when event_type is SERVICE_CHANGE. |
| event.FILE_PATH | target.file.full_path | Renamed from event.FILE_PATH. Applies when event_type is one of NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, or FILE_READ and detect is empty. |
| event.FILE_PATH | principal.process.file.full_path | Renamed from event.FILE_PATH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.FILE_PATH | target.process.file.full_path | Renamed from event.FILE_PATH. Applies when event_type is one of NEW_PROCESS, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.HASH | target.file.sha256 | Renamed from event.HASH. Applies when event_type is one of NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, or FILE_READ and detect is empty. |
| event.HASH | principal.process.file.sha256 | Renamed from event.HASH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.HASH | target.process.file.sha256 | Renamed from event.HASH. Applies when event_type is one of NEW_PROCESS, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.HASH_MD5 | principal.process.file.md5 | Renamed from event.HASH_MD5. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.HASH_SHA1 | principal.process.file.sha1 | Renamed from event.HASH_SHA1. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.IP_ADDRESS | network.dns.answers.0.data | Renamed to a.data, then merged into the network.dns.answers array. Applies when event_type is DNS_REQUEST and event.IP_ADDRESS is not empty. |
| event.MESSAGE_ID | network.dns.id | Renamed from event.MESSAGE_ID. Applies when event_type is DNS_REQUEST. |
| event.NETWORK_ACTIVITY[].DESTINATION.IP_ADDRESS | target.ip | Merged from event.NETWORK_ACTIVITY[].DESTINATION.IP_ADDRESS. Applies when event_type is NETWORK_CONNECTIONS. |
| event.NETWORK_ACTIVITY[].SOURCE.IP_ADDRESS | principal.ip | Merged from event.NETWORK_ACTIVITY[].SOURCE.IP_ADDRESS. Applies when event_type is NETWORK_CONNECTIONS. |
| event.PARENT.COMMAND_LINE | principal.process.command_line | Renamed from event.PARENT.COMMAND_LINE. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PARENT.COMMAND_LINE | principal.process.parent_process.command_line | Renamed from event.PARENT.COMMAND_LINE. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PARENT.FILE_PATH | principal.process.file.full_path | Renamed from event.PARENT.FILE_PATH. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PARENT.FILE_PATH | principal.process.parent_process.file.full_path | Renamed from event.PARENT.FILE_PATH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PARENT.HASH | principal.process.file.sha256 | Renamed from event.PARENT.HASH. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PARENT.HASH | principal.process.parent_process.file.sha256 | Renamed from event.PARENT.HASH. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PARENT_PROCESS_ID | principal.process.pid | Renamed from event.PARENT_PROCESS_ID. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PARENT_PROCESS_ID | principal.process.parent_process.pid | Renamed from event.PARENT_PROCESS_ID. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PROCESS_ID | target.process.pid | Renamed from event.PROCESS_ID. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.PROCESS_ID | principal.process.pid | Renamed from event.PROCESS_ID. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| event.REGISTRY_KEY | target.registry.registry_key | Copied from event.REGISTRY_KEY. Applies when event_type is REGISTRY_WRITE. |
| event.REGISTRY_VALUE | target.registry.registry_value_data | Copied from event.REGISTRY_VALUE. Applies when event_type is REGISTRY_WRITE. |
| event.SVC_DISPLAY_NAME | metadata.description | Copied from event.SVC_DISPLAY_NAME. Applies when event_type is SERVICE_CHANGE. |
| event.SVC_NAME | target.application | Copied from event.SVC_NAME. Applies when event_type is SERVICE_CHANGE. |
| event.USER_NAME | principal.user.userid | Renamed from event.USER_NAME. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| routing.event_time | metadata.event_timestamp | Parsed as a timestamp from routing.event_time using either UNIX_MS or ISO8601 format. |
| routing.event_type | metadata.product_event_type | Copied from routing.event_type. |
| routing.ext_ip | principal.ip | Copied from routing.ext_ip. Applies when routing.ext_ip is not empty. |
| routing.hostname | principal.hostname | Copied from routing.hostname. Applies when routing.hostname is not empty. |
| routing.int_ip | principal.ip | Copied from routing.int_ip. Applies when routing.int_ip is not empty. |
| routing.parent | target.process.product_specific_process_id | Prepended with "LC:" from routing.parent. Applies when detect is not empty. |
| routing.parent | principal.process.product_specific_process_id | Prepended with "LC:" from routing.parent. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and routing.this is empty and routing.parent is not empty. |
| routing.this | principal.process.product_specific_process_id | Prepended with "LC:" from routing.this. Applies when event_type is one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and detect is empty. |
| routing.this | principal.process.product_specific_process_id | Prepended with "LC:" from routing.this. Applies when event_type is not one of NEW_PROCESS, NEW_DOCUMENT, FILE_MODIFIED, FILE_DELETE, FILE_CREATE, FILE_READ, MODULE_LOAD, TERMINATE_PROCESS, or SENSITIVE_PROCESS_ACCESS and routing.this is not empty. |
| | | Set to true when detect is not empty. |
| | | Set to true when detect is not empty and detect_mtd.level is one of high, medium, or critical. |
| | metadata.event_type | Set to a value based on event_type: NETWORK_DNS for DNS_REQUEST, PROCESS_LAUNCH for NEW_PROCESS, PROCESS_UNCATEGORIZED for EXISTING_PROCESS, NETWORK_CONNECTION for CONNECTED or NETWORK_CONNECTIONS, REGISTRY_MODIFICATION for REGISTRY_WRITE, SERVICE_MODIFICATION for SERVICE_CHANGE, FILE_UNCATEGORIZED for NEW_DOCUMENT, FILE_READ for FILE_READ, FILE_DELETION for FILE_DELETE, FILE_CREATION for FILE_CREATE, FILE_MODIFICATION for FILE_MODIFIED, PROCESS_MODULE_LOAD for MODULE_LOAD, PROCESS_TERMINATION for TERMINATE_PROCESS, STATUS_UNCATEGORIZED for CLOUD_NOTIFICATION or RECEIPT, PROCESS_UNCATEGORIZED for REMOTE_PROCESS_HANDLE or NEW_REMOTE_THREAD, or GENERIC_EVENT otherwise. |
| | metadata.product_name | Set to "LimaCharlie EDR". |
| | metadata.vendor_name | Set to "LimaCharlie". |
| | network.application_protocol | Set to "DNS" when event_type is DNS_REQUEST. |
| | | Set to "ERROR" when event.ERROR is not empty. |
| | | Copied from event.HOST_NAME. Applies when event_type is CONNECTED. |

The last rows have no source log field; where the extracted page did not preserve the UDM field name, the cell is left blank.
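To see how the conditional rules in the table combine on a real record, the following added example (written for this page; it is not LimaCharlie's or Google SecOps' parser code) models a subset of the table in Python and runs it over constructed records. It assumes that the top-level `routing` object carries `event_type`, `event_time`, `this` and `parent`, that detection records keep the triggering event under `detect.event` as the table's field names imply, and it covers the process, DNS, network-connection and detection rules; the SERVICE_CHANGE and REGISTRY_WRITE rows and the duplicated COMMAND_LINE rows for process events are left out. Sample hostnames, process ids and hashes are placeholders.

```python
"""Added example (not LimaCharlie's or Google SecOps' parser code): a reduced Python model of the UDM mapping
table above, run over constructed records. Assumes top-level `routing` and detections nested under detect.event."""
import json
from datetime import datetime, timezone

PROCESS_TYPES = {"NEW_PROCESS", "NEW_DOCUMENT", "FILE_MODIFIED", "FILE_DELETE", "FILE_CREATE", "FILE_READ",
                 "MODULE_LOAD", "TERMINATE_PROCESS", "SENSITIVE_PROCESS_ACCESS"}
FILE_TYPES = {"NEW_DOCUMENT", "FILE_MODIFIED", "FILE_DELETE", "FILE_CREATE", "FILE_READ"}
UDM_EVENT_TYPE = {  # metadata.event_type by product event type; anything else becomes GENERIC_EVENT
    "DNS_REQUEST": "NETWORK_DNS", "NEW_PROCESS": "PROCESS_LAUNCH", "EXISTING_PROCESS": "PROCESS_UNCATEGORIZED",
    "CONNECTED": "NETWORK_CONNECTION", "NETWORK_CONNECTIONS": "NETWORK_CONNECTION", "FILE_READ": "FILE_READ",
    "REGISTRY_WRITE": "REGISTRY_MODIFICATION", "SERVICE_CHANGE": "SERVICE_MODIFICATION",
    "NEW_DOCUMENT": "FILE_UNCATEGORIZED", "FILE_DELETE": "FILE_DELETION", "FILE_CREATE": "FILE_CREATION",
    "FILE_MODIFIED": "FILE_MODIFICATION", "MODULE_LOAD": "PROCESS_MODULE_LOAD", "RECEIPT": "STATUS_UNCATEGORIZED",
    "TERMINATE_PROCESS": "PROCESS_TERMINATION", "CLOUD_NOTIFICATION": "STATUS_UNCATEGORIZED",
    "REMOTE_PROCESS_HANDLE": "PROCESS_UNCATEGORIZED", "NEW_REMOTE_THREAD": "PROCESS_UNCATEGORIZED"}

def parse_event_time(value):
    """routing.event_time is either UNIX milliseconds or an ISO 8601 string."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))

def put(udm, dotted, value):
    """Set a dotted UDM path, creating intermediate dicts; empty values are skipped."""
    if value in (None, "", [], {}):
        return
    node, keys = udm, dotted.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value

def to_udm(record):
    routing, detect = record.get("routing", {}), record.get("detect") or {}
    etype = routing.get("event_type", "")
    ev = detect.get("event", {}) if detect else record.get("event", {})
    parent, is_proc = ev.get("PARENT", {}), etype in PROCESS_TYPES
    udm = {"metadata": {"product_name": "LimaCharlie EDR", "vendor_name": "LimaCharlie", "product_event_type": etype,
                        "event_type": UDM_EVENT_TYPE.get(etype, "GENERIC_EVENT")}}
    if "event_time" in routing:
        udm["metadata"]["event_timestamp"] = parse_event_time(routing["event_time"]).isoformat()
    put(udm, "principal.hostname", routing.get("hostname"))
    put(udm, "principal.ip", [ip for ip in (routing.get("int_ip"), routing.get("ext_ip")) if ip])
    # LimaCharlie's own process identifiers get an "LC:" prefix in product_specific_process_id.
    if detect and routing.get("parent"):
        put(udm, "target.process.product_specific_process_id", "LC:" + routing["parent"])
    if routing.get("this") and not (is_proc and detect):
        put(udm, "principal.process.product_specific_process_id", "LC:" + routing["this"])
    elif not is_proc and routing.get("parent"):
        put(udm, "principal.process.product_specific_process_id", "LC:" + routing["parent"])
    put(udm, "principal.process.command_line", ev.get("COMMAND_LINE"))
    if is_proc:  # principal is the parent, target the process/file acted on (detections keep file fields on principal)
        side = "principal.process.file" if detect else ("target.file" if etype in FILE_TYPES else "target.process.file")
        put(udm, side + ".full_path", ev.get("FILE_PATH"))
        put(udm, side + ".sha256", ev.get("HASH"))
        put(udm, "target.process.pid", ev.get("PROCESS_ID"))
        put(udm, "principal.process.pid", ev.get("PARENT_PROCESS_ID"))
        put(udm, "principal.process.file.full_path", parent.get("FILE_PATH"))
        put(udm, "principal.process.file.sha256", parent.get("HASH"))
    else:  # everything else describes the acting process itself, with its parent under parent_process
        for src, dst in (("FILE_PATH", "file.full_path"), ("HASH", "file.sha256"), ("HASH_MD5", "file.md5"),
                         ("HASH_SHA1", "file.sha1"), ("PROCESS_ID", "pid"), ("PARENT_PROCESS_ID", "parent_process.pid")):
            put(udm, "principal.process." + dst, ev.get(src))
        for src, dst in (("COMMAND_LINE", "command_line"), ("FILE_PATH", "file.full_path"), ("HASH", "file.sha256")):
            put(udm, "principal.process.parent_process." + dst, parent.get(src))
        put(udm, "principal.user.userid", ev.get("USER_NAME"))
    if etype == "DNS_REQUEST":
        answer = {k: v for k, v in (("name", ev.get("DOMAIN_NAME")), ("type", ev.get("DNS_TYPE")),
                                    ("data", ev.get("IP_ADDRESS"))) if v not in (None, "")}
        put(udm, "network.dns.questions", [{"name": ev.get("DOMAIN_NAME")}])
        put(udm, "network.dns.answers", [answer])
        put(udm, "network.dns.id", ev.get("MESSAGE_ID"))
        put(udm, "network.application_protocol", "DNS")
    elif etype == "NETWORK_CONNECTIONS":  # source/destination IPs are merged into principal.ip/target.ip
        conns = ev.get("NETWORK_ACTIVITY", [])
        src_ips = set(udm.get("principal", {}).get("ip", [])) | {c["SOURCE"]["IP_ADDRESS"] for c in conns}
        put(udm, "principal.ip", sorted(src_ips))
        put(udm, "target.ip", sorted({c["DESTINATION"]["IP_ADDRESS"] for c in conns}))
    if detect:  # detections add the rule category, description and upper-cased level
        mtd = record.get("detect_mtd", {})
        put(udm, "security_result.summary", record.get("cat"))
        put(udm, "security_result.description", mtd.get("description"))
        put(udm, "security_result.severity", (mtd.get("level") or "").upper())
    return udm

# Constructed sample records (not real telemetry); hostnames, ids and hashes are placeholders.
SAMPLE_NEW_PROCESS = {"routing": {"event_type": "NEW_PROCESS", "event_time": 1700000000000, "hostname": "ws-01",
                                  "int_ip": "10.0.0.5", "this": "aaaa1111", "parent": "bbbb2222"},
                      "event": {"PROCESS_ID": 4242, "PARENT_PROCESS_ID": 1000, "FILE_PATH": "C:\\tools\\a.exe",
                                "HASH": "00" * 32, "PARENT": {"FILE_PATH": "C:\\Windows\\explorer.exe", "HASH": "11" * 32}}}
SAMPLE_DNS = {"routing": {"event_type": "DNS_REQUEST", "event_time": "2023-11-14T22:13:20Z", "hostname": "ws-01"},
              "event": {"DOMAIN_NAME": "example.test", "DNS_TYPE": 1, "IP_ADDRESS": "192.0.2.10", "MESSAGE_ID": 7}}
SAMPLE_DETECT = {"routing": {"event_type": "NETWORK_CONNECTIONS", "event_time": 1700000001000, "hostname": "ws-01",
                             "this": "dddd4444", "parent": "eeee5555"},
                 "cat": "suspicious outbound connection", "detect_mtd": {"level": "high", "description": "constructed"},
                 "detect": {"event": {"NETWORK_ACTIVITY": [{"SOURCE": {"IP_ADDRESS": "10.0.0.5"},
                                                            "DESTINATION": {"IP_ADDRESS": "198.51.100.7"}}]}}}

if __name__ == "__main__":
    for rec in (SAMPLE_NEW_PROCESS, SAMPLE_DNS, SAMPLE_DETECT):
        print(json.dumps(to_udm(rec), indent=2))
```

Running it prints the UDM tree for each record. The point worth checking before writing searches or detection rules against this log type is the role inversion the table encodes for process events: the parent process lands on `principal` and the launched, terminated or accessed process on `target`, so a search on `principal.process.file.full_path` for a NEW_PROCESS event matches the parent, not the new binary. For detections, `routing.parent` becomes the `target` process id while `routing.this` still identifies the `principal`.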
