Automate LimaCharlie security workflows for MSSPs: onboard organizations via cloud discovery and EDR deployment, track multi-tenant fleet coverage and sensor health, generate billing/usage reports and interactive HTML dashboards, manage IaC configurations in git repos, tune false positives, test adapters/EDR locally, evaluate threat reports with IOC hunts.
npx claudepluginhub refractionpoint/lc-ai --plugin lc-advanced-skills

Create a new skill for the lc-essentials plugin following best practices and framework conventions. Use when adding LimaCharlie API operations, orchestration workflows, or specialized capabilities to the plugin.
Pre-defined report templates combining data collection and visualization. Usage: /lc-essentials:reporting-templates
Research adapter documentation from multiple sources in parallel. Gathers configuration parameters, examples, and credential requirements from local docs, GitHub usp-adapters repo, and external API documentation.
Collect comprehensive asset profile for a SINGLE sensor. Designed to be spawned in parallel (batched) by the sensor-coverage skill. Gathers OS version, packages, users, services, autoruns, and network connections. Returns structured JSON profile.
Search for malicious behaviors within a SINGLE LimaCharlie organization using LCQL queries. Designed to be spawned in parallel (one instance per org) by the threat-report-evaluation skill. Returns summarized findings with sample events.
Survey a single cloud platform (GCP, AWS, Azure, DigitalOcean) to discover projects, VMs, and security-relevant log sources. Designed to be spawned in parallel (one instance per platform) by the onboard-new-org skill. Returns structured JSON with discovered resources.
Generate and validate D&R rules for a specific detection layer within a SINGLE LimaCharlie organization. Designed to be spawned in parallel (one per layer) by the threat-report-evaluation skill. Returns validated rules ready for deployment.
Analyze cross-tenant patterns and detect systemic issues from aggregated coverage data. Receives per-org results from org-coverage-reporter agents and identifies platform degradation, coordinated enrollments, SLA compliance patterns, risk concentration, silent sensor patterns, and temporal correlations. Returns fleet-wide summary with actionable recommendations.
Investigate a single FP pattern to determine if it's truly a false positive or might be a real threat. Designed to be spawned in parallel (one instance per pattern) by the fp-pattern-finder skill. Returns structured verdict with reasoning.
Analyze coverage gaps and calculate risk scores for sensors in a LimaCharlie organization. Receives sensor classification data from the parent skill and returns risk-scored gap analysis with remediation priorities. Designed to be spawned by the sensor-coverage skill.
Render interactive HTML dashboards from structured JSON data using Jinja2 templates and D3.js charts. Designed to be spawned by the graphic-output skill. Produces self-contained HTML files with embedded visualizations. Built with strict data accuracy guardrails - NEVER fabricates data.
Search for IOCs within a SINGLE LimaCharlie organization. Designed to be spawned in parallel (one instance per org) by the threat-report-evaluation skill. Returns summarized findings classified by severity.
Audit adapters for a single LimaCharlie organization. Designed for parallel execution by the adapter-assistant skill. Returns adapter inventory, error states, and configuration issues.
Collect comprehensive coverage data for a SINGLE LimaCharlie organization. Designed to be spawned in parallel (one instance per org) by the sensor-coverage skill. Gathers sensor inventory, classifies by offline duration, validates telemetry health, calculates risk scores, and returns structured JSON for fleet-wide aggregation. Incorporates gap-analyzer logic internally.
Collect comprehensive reporting data for a SINGLE LimaCharlie organization. Designed to be spawned in parallel (one instance per org) by the reporting skill. Gathers usage stats, billing, sensors, detections, and rules. Returns structured data for aggregation.
Parse threat reports (PDF, HTML, text files) and extract ALL IOCs and behaviors. Returns structured JSON with categorized indicators. Designed to be spawned by the threat-report-evaluation skill to offload report parsing from main context. Expects reports to already be downloaded to local files.
Deploy LimaCharlie EDR to VMs on a single cloud platform using native deployment methods (OS Config for GCP, SSM for AWS, Run Command for Azure). Designed to be spawned in parallel (one instance per platform) by the onboard-new-org skill. Handles installation key retrieval, command execution, and deployment verification.
Complete adapter lifecycle assistant for LimaCharlie. Supports External Adapters (cloud-managed), Cloud Sensors (SaaS/cloud integrations), and On-prem USP adapters. Dynamically researches adapter types from local docs and GitHub usp-adapters repo. Creates, validates, deploys, and troubleshoots adapter configurations. Handles parsing rules (Grok, regex), field mappings, credential setup, and multi-adapter configs. Use when setting up new data sources (Okta, S3, Azure Event Hub, syslog, webhook, etc.), troubleshooting ingestion issues, or managing adapter deployments.
Automatically detect false positive patterns in detections using deterministic analysis. Fetches historic detections for a time window, runs pattern detection script to identify noisy patterns (single-host concentration, identical command-lines, service accounts, same hash, temporal periodicity, etc.), generates narrow FP rules for each pattern, and presents for user approval before deployment. Use for bulk FP tuning, detection noise analysis, or automated alert fatigue reduction.
Generate interactive HTML dashboards and visualizations from LimaCharlie data using Jinja2 templates and D3.js charts. Creates professional, self-contained HTML reports with pie charts, bar charts, line graphs, gauges, sortable tables, and responsive layouts. Supports MSSP multi-tenant dashboards, single-org details, sensor health reports, detection analytics, and billing summaries. Integrates with reporting, sensor-health, and detection-engineering skills. Built with strict data accuracy guardrails - NEVER fabricates, estimates, or infers data. Use for "visual report", "dashboard", "HTML output", "interactive charts", "export HTML", "generate visualization", "graphical report".
Set up automated Slack notifications for LimaCharlie case events. Creates a Python playbook, D&R rules, API key, and secrets so that case creations, resolutions, severity upgrades, and closures post rich messages to a Slack channel. Usage - /init-cases-to-slack <org_name>
REQUIRED for ANY operation involving ai-team or ai-agent definitions: deploy, install, update, upgrade, remove, push, sync, or modify AI agents and Agentic SOC configurations in a LimaCharlie organization. This includes modifying agent prompts, updating hive configs (ai_agent, dr-general), managing API keys and secrets, subscribing to extensions, and pushing changes after editing source YAML files in ai-teams/ or ai-agents/ directories. Trigger words: ai-team, ai-agent, ai_agent hive, deploy SOC, install agent, push agent, update agent, sync agent, baselining-soc, tiered-soc, lean-soc, exposure-team, intel-team, l1-bot, general-analyst, bulk-triage, l2-analyst, malware-analyst, containment, threat-hunter, soc-manager, shift-reporter. Examples: "deploy tiered-soc to my org", "install lean-soc", "update the l1-bot agent", "push agent changes to the org", "remove the tiered SOC", "modify the bulk-triage prompt".
Manage LimaCharlie Infrastructure as Code using ext-git-sync compatible repository structure. Initialize IaC repos, add/remove tenants, manage global and tenant-specific configurations (D&R rules, outputs, FIM, extensions, etc.), and coordinate with ext-git-sync for deployment. Supports importing existing rules from tenants and promoting tenant rules to global. Use when setting up multi-tenant config management, adding orgs to IaC, or managing detection rules across organizations via git.
Complete organization onboarding wizard for LimaCharlie. Discovers local cloud CLIs (GCP, AWS, Azure, DigitalOcean), surveys cloud projects, identifies VMs for EDR installation and security-relevant log sources (IAM, audit logs, network logs). Guides EDR deployment via OS Config (GCP), SSM (AWS), VM Run Command (Azure). Creates cloud adapters for log ingestion. Confirms sensor connectivity and data flow. Use when setting up new tenants, connecting cloud infrastructure, deploying EDR fleet-wide, or onboarding hybrid environments.
Customize and test Grok parsing for USP, Cloud Sensor, and External adapters. Helps generate parsing rules from sample logs, validate against test data, and deploy configurations. Use when setting up new log sources, troubleshooting parsing issues, or modifying field extraction for adapters.
Generate comprehensive multi-tenant security and operational reports from LimaCharlie. Provides billing summaries, usage roll-ups, detection trends, sensor health monitoring, and configuration audits across multiple organizations. Supports both per-tenant detailed breakdowns and cross-tenant aggregated roll-ups. Built with strict data accuracy guardrails to prevent fabricated metrics. Supports partial report generation when some organizations fail, with transparent error documentation. Time windows always displayed, detection limits clearly flagged, zero cost calculations.
Comprehensive Asset Inventory & Coverage Tracker for LimaCharlie. Builds sensor inventories, detects coverage gaps (stale/silent endpoints, Shadow IT), calculates risk scores, validates telemetry health, and compares actual vs expected assets. Use for fleet inventory, coverage SLA tracking, offline sensor detection, telemetry health checks, asset compliance audits, or when asked about endpoint health, asset management, or coverage gaps.
Deploy a temporary LimaCharlie Adapter on the local Linux or Mac OS host for testing log ingestion. Downloads the adapter, auto-detects log sources, and streams them to your LimaCharlie organization.
Deploy a temporary LimaCharlie EDR agent on the local Linux or Mac OS host for testing. Downloads and runs the LC sensor in a temp directory with automatic cleanup. Use for testing detection rules, investigating sensor behavior, or development. Requires selecting or creating a LimaCharlie organization first.
Evaluate threat reports, breach analyses, and IOC reports to search for compromise indicators across LimaCharlie organizations. Extract IOCs (hashes, domains, IPs, file paths), perform IOC searches, identify malicious behaviors, generate LCQL queries, create D&R rules and lookups. Use when investigating threats, APT reports, malware analysis, breach postmortems, or threat intelligence feeds. Emphasizes working ONLY with data from the report and organization, never making assumptions.