| name | incident-responder |
| description | Use this skill when the user needs help executing incident response workflows, investigating security incidents, containing threats, collecting forensic evidence, or performing remediation actions. |
LimaCharlie Incident Responder
This skill helps you execute comprehensive incident response workflows using LimaCharlie's capabilities. Use this when users need assistance with security incident investigation, threat containment, forensic collection, remediation, and recovery operations.
Overview
LimaCharlie provides incident response teams with a powerful, centralized solution that enables rapid response to security incidents with real-time visibility, instant deployment, and comprehensive response capabilities.
Key IR Capabilities
- Instant Deployment: Launch LimaCharlie in seconds, gaining immediate visibility and control
- Real-time Response: Execute response actions within 100ms of detection
- Unified Visibility: Centralized view across endpoints, networks, and cloud environments
- Advanced Analytics: Powerful query language (LCQL) for threat hunting and investigation
- Automated Response: D&R rules for automated containment and remediation
- Forensic Collection: Comprehensive artifact and evidence gathering
- Historical Analysis: One year of historical data for retrospective investigations
Incident Response Phases
LimaCharlie supports all phases of the incident response lifecycle:
- Detection: Real-time alerting via D&R rules, threat feeds, behavioral detection, YARA scanning
- Investigation: Timeline analysis, LCQL queries, process trees, historical data analysis
- Containment: Network isolation, process termination, sensor sealing, tag-based orchestration
- Eradication: Malware removal, deny tree, file deletion, persistence cleanup
- Recovery: Network rejoin, service restoration, reinfection monitoring
- Lessons Learned: Detection tuning, D&R rule creation, automated prevention
Working with Timestamps
IMPORTANT: When users provide relative time offsets (e.g., "last hour", "past 24 hours", "last week"), you MUST dynamically compute the current epoch timestamp based on the actual current time. Never use hardcoded or placeholder timestamps.
Computing Current Epoch
import time
# Compute current time dynamically
current_epoch_seconds = int(time.time())
current_epoch_milliseconds = int(time.time() * 1000)
The granularity (seconds vs milliseconds) depends on the specific API or MCP tool. Always check the tool signature or API documentation to determine which unit to use.
Common Relative Time Calculations
Example: "Show me events from the incident timeframe"
end_time = int(time.time()) # Current time
start_time = end_time - 3600 # 1 hour ago
Common offsets (in seconds):
- 1 hour = 3600
- 24 hours = 86400
- 7 days = 604800
- 30 days = 2592000
For millisecond-based APIs, multiply by 1000.
Critical Rules
NEVER:
- Use hardcoded timestamps
- Use placeholder values like
1234567890 - Assume a specific current time
ALWAYS:
- Compute dynamically using
time.time() - Check the API/tool signature for correct granularity
- Verify the time range is valid (start < end)
Quick Response Guide
Immediate Containment
Network Isolation:
respond:
- action: isolate network
Process Termination:
respond:
- action: task
command: deny_tree <<routing/this>>
Sensor Protection:
respond:
- action: seal
Essential Commands
history_dump # Recent process history
os_processes # Running processes
netstat # Network connections
file_info <path> # File metadata
file_hash <path> # Calculate hash
os_autoruns # Persistence mechanisms (Windows)
artifact_get <path> # Collect file
Investigation Tools
Timeline Analysis
Every sensor maintains a complete timeline. Key commands:
history_dump- Recent process historyos_processes- Current processesnetstat- Network connectionsdir_list <path>- Directory contentsfile_info <path>- File metadata
LCQL Queries
Process Execution:
-24h | plat == windows | NEW_PROCESS | event/COMMAND_LINE contains 'powershell' | event/FILE_PATH as path routing/hostname as host
Network Connections:
-12h | NETWORK_CONNECTIONS | event/NETWORK_ACTIVITY/DESTINATION/IP_ADDRESS == '192.0.2.100' | event/FILE_PATH as process routing/hostname as host
Lateral Movement:
-24h | * | event/* contains 'psexec' | routing/hostname as host routing/event_type as event
See REFERENCE.md for complete LCQL syntax.
Process Investigation
os_processes # List all processes
mem_map --pid <pid> # Memory map
mem_find_string --pid <pid> --string <str> # Search memory
mem_handles --pid <pid> # Handles (Windows)
File System Investigation
dir_list <path> # List directory
file_info <path> # File metadata
file_hash <path> # Calculate hash
dir_find_hash <dir> --hash <hash> # Find by hash
hidden_module_scan # Rootkit detection
Registry Investigation (Windows)
os_autoruns # Autorun entries
os_services # Services
os_packages # Installed software
os_users # User accounts
Containment Actions
Network Isolation
Stateful (persists across reboot):
respond:
- action: isolate network
Stateless (does not persist):
segregate_network
Remove isolation:
respond:
- action: rejoin network
Process Control
# Kill process tree (recommended)
respond:
- action: task
command: deny_tree <<routing/this>>
# Manual commands
os_kill_process --pid <pid> # Kill process
os_suspend --pid <pid> # Suspend
os_resume --pid <pid> # Resume
File Operations
file_del <path> # Delete file
file_mov <source> <dest> # Move/quarantine
Sensor Protection
respond:
- action: seal # Enable tamper resistance
- action: unseal # Remove tamper resistance
Forensic Collection
# Collect files
artifact_get <path>
# Windows Event Logs
artifact_get C:\Windows\System32\winevt\Logs\Security.evtx
# Browser history
artifact_get C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History
# Prefetch files (Windows)
artifact_get C:\Windows\Prefetch\*.pf
# Timeline export
history_dump
os_processes
os_autoruns
netstat
Common IR Workflows
Workflow 1: Malware Response
detect:
event: YARA_DETECTION
op: exists
path: event/PROCESS/*
respond:
- action: report
name: "Active malware detected"
priority: 5
- action: task
command: history_dump
investigation: malware-incident
- action: isolate network
- action: task
command: deny_tree <<routing/this>>
- action: wait
duration: 5s
- action: task
command: file_del {{ .event.FILE_PATH }}
- action: add tag
tag: malware-incident
ttl: 86400
Workflow 2: Lateral Movement
detect:
event: NEW_PROCESS
op: contains
path: event/COMMAND_LINE
value: psexec
case sensitive: false
respond:
- action: report
name: "Lateral movement via PsExec"
priority: 5
- action: isolate network
- action: task
command: history_dump
investigation: lateral-movement
- action: add tag
tag: lateral-movement-victim
Workflow 3: Web Shell
detect:
event: NEW_PROCESS
op: ends with
path: event/PARENT/FILE_PATH
value: w3wp.exe
with child:
op: ends with
event: NEW_PROCESS
path: event/FILE_PATH
value: cmd.exe
respond:
- action: report
name: "Web shell detected"
priority: 5
- action: task
command: deny_tree <<routing/this>>
Workflow 4: Ransomware
detect:
event: NEW_DOCUMENT
op: contains
path: event/FILE_PATH
value: .encrypted
with events:
event: NEW_DOCUMENT
op: contains
path: event/FILE_PATH
value: .encrypted
count: 10
within: 60
respond:
- action: report
name: "Ransomware detected"
priority: 5
- action: isolate network
- action: task
command: deny_tree <<routing/this>>
- action: seal
See EXAMPLES.md for complete step-by-step scenarios.
Best Practices
Investigation
- Work from hypothesis - develop and test theories
- Document everything - maintain detailed notes
- Preserve evidence - collect before changing
- Use investigation IDs - group related actions
- Timeline first - review before issuing commands
- Cross-reference - correlate across data sources
Containment
- Isolate early - prevent spread
- Maintain communication - LC connectivity preserved
- Tag systems - track incident scope
- Kill process trees - use deny_tree
- Seal sensors - enable tamper resistance
- Verify effectiveness - confirm actions succeeded
Forensic Collection
- Volatile data first - memory, network, processes
- Hash before collection - document integrity
- Use investigation IDs - group collections
- Preserve timelines - export before remediation
- Chain of custody - track what, when, who
- Automate collection - use D&R rules
Response Automation
Automate:
- High-confidence detections (known malware)
- Non-destructive actions (collection, tagging)
- Well-tested containment (network isolation)
Require approval:
- Destructive actions (file deletion)
- Business-critical systems
- Novel/ambiguous threats
Progressive approach:
- Alert only
- Alert + collect
- Alert + collect + contain
- Full automation
Quick Command Reference
Investigation
history_dump # Process history
os_processes # Running processes
os_services # Services
os_autoruns # Persistence
netstat # Network connections
file_info <path> # File metadata
file_hash <path> # File hash
dir_list <path> # Directory listing
mem_strings --pid <pid> # Memory strings
Containment
isolate network # Network isolation (D&R action)
segregate_network # Network isolation (command)
deny_tree <atom_id> # Kill process tree
os_kill_process --pid <pid> # Kill process
seal # Tamper resistance (D&R action)
Collection
artifact_get <path> # Collect file
os_packages # Installed software
os_users # User accounts
log_get <log_name> # Event log (Windows)
Remediation
file_del <path> # Delete file
file_mov <src> <dst> # Move file
rejoin_network # Remove isolation
unseal # Remove seal (D&R action)
D&R Actions Reference
Report:
- action: report
name: detection-name
priority: 1-5
Containment:
- action: isolate network
- action: rejoin network
- action: seal
- action: unseal
Tagging:
- action: add tag
tag: incident-tag
ttl: 86400
Task:
- action: task
command: history_dump
investigation: incident-id
suppression:
is_global: false
max_count: 1
period: 5m
Wait:
- action: wait
duration: 5s
Navigation
SKILL.md (This Document)
- IR overview and methodology
- Quick response guide
- Essential investigation tools
- Common IR workflows
- Best practices
REFERENCE.md
Complete technical reference:
- All sensor commands with syntax
- All D&R response actions
- Complete LCQL query syntax
- Event field paths and template variables
- Platform-specific notes
EXAMPLES.md
Complete IR scenarios with step-by-step workflows:
- Ransomware detection and response
- Compromised credentials and lateral movement
- Web shell detection and remediation
- Advanced persistent threat investigation
- Data exfiltration detection
TROUBLESHOOTING.md
Problem-solving guidance:
- Sensor command issues
- Network isolation problems
- D&R rule troubleshooting
- LCQL query issues
- Investigation challenges
- Escalation guidance
Response Time Guidelines
- Critical (malware, ransomware): Immediate automated containment
- High priority (lateral movement): <5 minute response
- Medium priority (suspicious behavior): <30 minute response
- Low priority (policy violations): <4 hour response
Incident Severity Matrix
Priority 5 - Critical: Active malware, data exfiltration, widespread compromise, critical system impact
Priority 4 - High: Lateral movement, privilege escalation, known malicious indicators, multiple systems
Priority 3 - Medium: Suspicious behavior, policy violations, unauthorized access, single system
Priority 2 - Low: Anomalous activity, failed attacks, potential false positives, minimal impact
Priority 1 - Informational: Benign events, compliance monitoring, baseline tracking
Summary
LimaCharlie provides comprehensive incident response capabilities:
- Detect: Real-time alerting with D&R rules and threat feeds
- Investigate: Timeline analysis, LCQL queries, sensor commands
- Contain: Network isolation, process termination, sensor sealing
- Eradicate: Malware removal, persistence elimination
- Recover: Service restoration, network rejoin
- Learn: D&R rule creation, automated prevention
Use this skill to guide users through complete IR workflows. Always emphasize testing, documentation, and gradual automation.
For detailed syntax: REFERENCE.md For complete scenarios: EXAMPLES.md For troubleshooting: TROUBLESHOOTING.md