| name | limacharlie-expert |
| description | Use this skill when the user mentions LimaCharlie or wants to work with endpoint detection, cloud security monitoring, detection rules, or security automation. This provides an overview of LimaCharlie components and their interconnections. |
LimaCharlie Expert
Entry point skill for all LimaCharlie tasks. Provides component overview and routes to specialized skills.
Core Components
Telemetry Sources
Sensors (Endpoint Agents)
- Generate Events (NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, etc.)
- Execute sensor commands (history_dump, file_hash, os_processes, etc.)
- Receive D&R rule actions (isolate network, kill process, etc.)
- Have Tags applied to them
Adapters
- Ingest cloud/SaaS logs: AWS, Azure, GCP, M365, Okta, CrowdStrike, etc.
- Convert external telemetry into Events
- Feed same pipeline as Sensors
Installation Keys
- Enroll Sensors to organization
- Can auto-apply Tags
Detection Engine
D&R Rules
- Match against Events
- Generate Detections
- Execute Response Actions:
  - task - run sensor commands
  - run extension - trigger Extensions
  - add tag / remove tag - modify sensor Tags
  - isolate network / rejoin network
  - seal / unseal - tamper protection
  - report - create Detection
  - wait - delay for action chaining
Stateful Rules
- Correlate multiple Events over time
- Track counts, sequences, unique values
- Generate Detections with aggregated context
YARA Rules
- Real-time process scanning
- On-demand file/memory scanning
- Generate YARA_DETECTION Events → trigger D&R rules
False Positive Rules
- Suppress Detections
- Filter before Outputs
Managed Rulesets
- Pre-built D&R rules (Sigma, Soteria, SOC Prime)
Data Structures
Events (event stream)
- Structure: `{routing: {...}, event: {...}}`
- Generated by: Sensors, Adapters
- Matched by: D&R Rules
- Stored in: Insight
- Queried by: LCQL
- Forwarded by: Outputs
Detections (detect stream)
- Generated by: D&R Rules
- Includes: routing (from Event) + detect (Event data) + metadata (`cat`, `priority`, `detect_data`)
- Can trigger: D&R rules, Outputs
Audit (audit stream)
- Platform actions, config changes
Deployment (deployment stream)
- Sensor lifecycle events
Storage & Configuration
Insight
- 1-year retention of Events, Detections, Audit logs
- Queried by LCQL
Config Hive
- Stores: Secrets, Lookups (key-value), D&R rules, YARA rules
- Used by: D&R rules (lookup action), Extensions, Cloud Sensors
- Namespaces for organization
Tags
- Applied to: Sensors
- Used to: Target D&R rules, filter, group
- Modified by: D&R rules (add/remove tag actions), manual assignment, auto-enrollment
Query & Investigation
LCQL (LimaCharlie Query Language)
- Query: Events, Detections, Audit logs in Insight
- Returns: Filtered, aggregated, joined data
Timeline
- Per-Sensor Event history
- Complete forensic record
Sensor Commands
- 100+ investigative/response commands
- Triggered by: D&R rules (task action), manual execution, Extensions, API
Replay
- Test D&R rules against historical Events from Insight
Automation
Extensions
- Serverless functions
- Triggered by: D&R rules (run extension), API, schedules
- Can: Access Config Hive, call external APIs, read Events, respond with actions (add tag, run sensor command)
- Built-in: YARA Manager, Artifact Manager, VirusTotal, GreyNoise, etc.
Playbooks
- Visual workflow builder
- Orchestrates: D&R rules, Extensions, sensor commands
API & SDK
- Python/Go SDKs
- REST API for all platform operations
Data Forwarding
Outputs
- Destinations: SIEM, data lakes, Slack, webhooks, S3, etc.
- Source streams: event, detect, audit, deployment
- Can: Filter, transform data
Component Interconnections
Primary Data Flow
```text
Sensors/Adapters → Events → D&R Rules → Detections → Outputs
                      ↓          ↓            ↓
                   Insight    Actions      Outputs
```
D&R Rule → Response Actions
D&R rules can trigger:
- Extensions → external enrichment/logic → respond with actions back to LC
- Sensor commands → investigate/contain on specific Sensor
- Tags → add/remove tags on Sensor → trigger other D&R rules targeting those tags
- Network isolation → quarantine Sensor
- Detections → generate alert → sent to Outputs
- Wait → chain multiple actions sequentially
Tag-Based Connections
D&R rule → Adds Tag to Sensor → Second D&R rule targets that Tag → Executes actions
Installation Key → Auto-applies Tag → Sensor enrolled with Tag → Targeted by D&R rules
Config Hive Integration
D&R rule → Lookup action → Config Hive (IOC lists, thresholds)
Extension → Reads secrets from Config Hive → Calls external API
Cloud Sensor → Stores credentials in Config Hive
Extension Integration
D&R rule → Run extension → Extension calls external API (VirusTotal) →
Extension responds with: add tag, run sensor command, generate Event
Extension can: Read Config Hive, access Event data, trigger actions
Stateful Rule Correlation
Multiple Events (same/different Sensors) → Stateful rule (time window) →
Counts/aggregates → Threshold met → Generate Detection
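The correlation flow above, as an added example rule written for this page (it is not from the LimaCharlie documentation or this skill's files): a parent/child chain that only reports once a count threshold is reached inside a time window. It assumes the `with child`, `count` and `within` keys of the stateful-rule syntax; the detection name is made up.

```yaml
# Added example: a stateful D&R rule correlating several NEW_PROCESS events.
# Fires when an Office process (winword.exe) spawns three cmd.exe children
# within 60 seconds. State is held per matched parent, and no Detection is
# generated until the third matching child arrives. Values are illustrative.
detect:
  event: NEW_PROCESS
  op: ends with
  path: event/FILE_PATH
  value: winword.exe
  case sensitive: false
  # Stateful part: evaluated against child processes of the matched parent.
  with child:
    op: ends with
    path: event/FILE_PATH
    value: cmd.exe
    case sensitive: false
    count: 3       # threshold: the third matching child triggers the rule
    within: 60     # correlation window in seconds
respond:
  # Generate a Detection carrying the aggregated parent/child context.
  - action: report
    name: office-spawns-repeated-cmd
  # task action: pull the Sensor's recent event history for the investigation.
  - action: task
    command: history_dump
```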
LCQL Query Flow
LCQL query → Insight (Events/Detections/Audit) → Results →
Used for: hunting, investigation, rule creation
Multi-Component Chains
Example: Detection → Enrichment → Response
Event → D&R rule → Detection + Run extension (VirusTotal) →
Extension adds tag "malware-confirmed" →
Second D&R rule (targets "malware-confirmed" tag) →
Isolate network + task: artifact_get
Example: Tag-based progressive response
Detection → Add tag "investigate" → Manual review → Add tag "incident-confirmed" →
D&R rule on "incident-confirmed" → Automated containment actions
Field Paths & Targeting
Event field paths:
- `event/FILE_PATH`, `event/COMMAND_LINE`, `event/DOMAIN_NAME`
- `routing/hostname`, `routing/sid`, `routing/event_type`, `routing/tags`
Detection field paths:
- `detect/*` (original Event data)
- `cat`, `priority`, `detect_data`
- `routing/*`
D&R rule targeting:
- Target by: `routing/tags`, `routing/sid`, platform, event type
- Filter by: any field path in Event
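The "Detection → Enrichment → Response" chain from the Multi-Component Chains section and the platform/tag targeting listed just above, as an added pair of rules written for this page (not taken from LimaCharlie's managed rulesets). The enrichment Extension is left out: the first rule adds the `malware-confirmed` tag itself in place of the Extension the page describes. The lookup name, tag names, detection names and the `is platform`/`is tagged`/`lookup` operator spellings are assumptions to check against the current rule reference.

```yaml
# Rule 1 (hypothetical name: known-bad-hash-tag). Targets Windows Sensors
# and matches NEW_PROCESS events whose hash is in a Config Hive lookup.
detect:
  event: NEW_PROCESS
  op: and
  rules:
    - op: is platform          # target by platform
      name: windows
    - op: lookup               # Config Hive lookup (name assumed)
      path: event/HASH
      resource: lcr://lookup/known-bad-hashes
respond:
  - action: report
    name: known-bad-hash-execution
  # Stand-in for the enrichment Extension: tag the Sensor so rule 2 takes over.
  - action: add tag
    tag: malware-confirmed
    ttl: 86400                 # seconds; the tag expires after one day
---
# Rule 2 (hypothetical name: malware-confirmed-contain). Targets Sensors by
# tag (routing/tags) and performs the containment actions. Swapping the tag
# at the end makes the rule fire once per Sensor instead of on every event.
detect:
  event: NEW_PROCESS
  op: is tagged                # target by tag
  tag: malware-confirmed
respond:
  - action: isolate network    # persists across reboots, unlike segregate_network
  - action: report
    name: malware-confirmed-contained
  - action: remove tag
    tag: malware-confirmed
  - action: add tag            # audit trail: a later rule could target "contained"
    tag: contained
```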
Component Output/Input Matrix
| Component | Generates | Consumes | Triggers |
|---|---|---|---|
| Sensors | Events | Sensor commands, network isolation | - |
| Adapters | Events | - | - |
| D&R Rules | Detections | Events, Detections | Extensions, sensor commands, Tags |
| Extensions | Actions (tags, commands) | Events, Config Hive | Sensor commands, Tags, Events |
| Config Hive | Data (secrets, lookups) | API/manual input | - |
| Tags | Targeting metadata | D&R actions, manual, Installation Keys | D&R rule targeting |
| Outputs | External forwarding | Events, Detections, Audit | - |
| LCQL | Query results | Insight (Events/Detections/Audit) | - |
| Insight | Searchable data | Events, Detections, Audit | - |
| Stateful Rules | Detections | Multiple Events over time | Extensions, sensor commands, Tags |
Specialized Skills
Route to these skills for detailed implementation:
Telemetry: sensor-manager, adapter-configurator, onboard-external-telemetry
Detection: dr-rule-builder, stateful-rule-designer, sigma-rule-deployer, yara-manager
Investigation: incident-responder, threat-hunter, lcql-query-builder, forensic-analyst, artifact-collector
Automation: playbook-automator, extension-developer, api-integrator, threat-intel-integrator
Management: config-hive-manager, infrastructure-as-code, output-configurator, cloud-security-monitor, performance-optimizer
Additional Documentation: If the specialized skills above don't provide enough information, the full LimaCharlie documentation is available in the public repository at https://github.com/refractionPOINT/documentation/tree/master/limacharlie
Key Mechanics
Response timing: D&R rules execute in under 100 ms; sensor commands complete in 1-5 s
Data retention: Insight stores 1 year by default
Stateless vs Stateful isolation: segregate_network (sensor command, not persistent) vs isolate network (D&R action, persists across reboots)
Event types: 100+ event types (NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, WEL, YARA_DETECTION, etc.)
Sensor platforms: Windows, Linux, macOS, Chrome
Action chaining: Use wait action to sequence multiple responses in D&R rules
LimaCharlie is component-based: combine Sensors/Adapters (telemetry) + D&R rules (detection) + Extensions (enrichment/custom logic) + Sensor commands (response) + Outputs (integration) + LCQL (hunting) to build security solutions.