Automate LimaCharlie security workflows for MSSPs: onboard organizations via cloud discovery and EDR deployment, track multi-tenant fleet coverage and sensor health, generate billing/usage reports and interactive HTML dashboards, manage IaC configurations in git repos, tune false positives, test adapters/EDR locally, evaluate threat reports with IOC hunts.
```bash
npx claudepluginhub refractionpoint/lc-ai --plugin lc-advanced-skills
```
Create a new skill for the lc-essentials plugin following best practices and framework conventions. Use when adding LimaCharlie API operations, orchestration workflows, or specialized capabilities to the plugin.
Pre-defined report templates combining data collection and visualization. Usage: /lc-essentials:reporting-templates
Research adapter documentation from multiple sources in parallel. Gathers configuration parameters, examples, and credential requirements from local docs, GitHub usp-adapters repo, and external API documentation.
Collect comprehensive asset profile for a SINGLE sensor. Designed to be spawned in parallel (batched) by the sensor-coverage skill. Gathers OS version, packages, users, services, autoruns, and network connections. Returns structured JSON profile.
Search for malicious behaviors within a SINGLE LimaCharlie organization using LCQL queries. Designed to be spawned in parallel (one instance per org) by the threat-report-evaluation skill. Returns summarized findings with sample events.
Survey a single cloud platform (GCP, AWS, Azure, DigitalOcean) to discover projects, VMs, and security-relevant log sources. Designed to be spawned in parallel (one instance per platform) by the onboard-new-org skill. Returns structured JSON with discovered resources.
Generate and validate D&R rules for a specific detection layer within a SINGLE LimaCharlie organization. Designed to be spawned in parallel (one per layer) by the threat-report-evaluation skill. Returns validated rules ready for deployment.
Complete adapter lifecycle assistant for LimaCharlie. Supports External Adapters (cloud-managed), Cloud Sensors (SaaS/cloud integrations), and On-prem USP adapters. Dynamically researches adapter types from local docs and GitHub usp-adapters repo. Creates, validates, deploys, and troubleshoots adapter configurations. Handles parsing rules (Grok, regex), field mappings, credential setup, and multi-adapter configs. Use when setting up new data sources (Okta, S3, Azure Event Hub, syslog, webhook, etc.), troubleshooting ingestion issues, or managing adapter deployments.
Automatically detect false positive patterns in detections using deterministic analysis. Fetches historic detections for a time window, runs pattern detection script to identify noisy patterns (single-host concentration, identical command-lines, service accounts, same hash, temporal periodicity, etc.), generates narrow FP rules for each pattern, and presents for user approval before deployment. Use for bulk FP tuning, detection noise analysis, or automated alert fatigue reduction.
Generate interactive HTML dashboards and visualizations from LimaCharlie data using Jinja2 templates and D3.js charts. Creates professional, self-contained HTML reports with pie charts, bar charts, line graphs, gauges, sortable tables, and responsive layouts. Supports MSSP multi-tenant dashboards, single-org details, sensor health reports, detection analytics, and billing summaries. Integrates with reporting, sensor-health, and detection-engineering skills. Built with strict data accuracy guardrails - NEVER fabricates, estimates, or infers data. Use for "visual report", "dashboard", "HTML output", "interactive charts", "export HTML", "generate visualization", "graphical report".
Set up automated Slack notifications for LimaCharlie case events. Creates a Python playbook, D&R rules, API key, and secrets so that case creations, resolutions, severity upgrades, and closures post rich messages to a Slack channel. Usage - /init-cases-to-slack <org_name>
REQUIRED for ANY operation involving ai-team or ai-agent definitions: deploy, install, update, upgrade, remove, push, sync, or modify AI agents and Agentic SOC configurations in a LimaCharlie organization. This includes modifying agent prompts, updating hive configs (ai_agent, dr-general), managing API keys and secrets, subscribing to extensions, and pushing changes after editing source YAML files in ai-teams/ or ai-agents/ directories. Trigger words: ai-team, ai-agent, ai_agent hive, deploy SOC, install agent, push agent, update agent, sync agent, baselining-soc, tiered-soc, lean-soc, exposure-team, intel-team, l1-bot, general-analyst, bulk-triage, l2-analyst, malware-analyst, containment, threat-hunter, soc-manager, shift-reporter. Examples: "deploy tiered-soc to my org", "install lean-soc", "update the l1-bot agent", "push agent changes to the org", "remove the tiered SOC", "modify the bulk-triage prompt".
Core LimaCharlie skills for CLI-based API access, detection engineering, sensor tasking, case investigation, and fleet health monitoring.
This repository contains AI integrations for LimaCharlie, including Claude Code plugins, agents, and skills for security operations.
The plugins/ directory contains Claude Code plugins that can be installed to enhance Claude Code with LimaCharlie capabilities.
The lc-essentials plugin provides comprehensive LimaCharlie integration for Claude Code, including:
Before using the lc-essentials plugin, you need access to Claude Code through one of these options:
Install Claude Code on your local machine:
```bash
curl -fsSL https://claude.ai/install.sh | bash
```
For detailed setup instructions, see the Claude Code Quickstart Guide.
Then continue to the Plugin Installation section below.
Use Claude Code directly through the LimaCharlie web interface at app.limacharlie.io. The lc-essentials plugin is already pre-configured - you're ready to go with no additional setup required.
Only required for Option A (local installation)
Installing the AgenticSecOps Workspace
From within a project directory:
```bash
# Add the marketplace
/plugin marketplace add https://github.com/refractionPOINT/lc-ai
# Install the plugin
/plugin install lc-essentials@lc-marketplace
```
Clone this repository and add it as a local marketplace:
```bash
git clone https://github.com/refractionPOINT/lc-ai.git
cd your-project
/plugin marketplace add /path/to/lc-ai
/plugin install lc-essentials@lc-marketplace
```
Use the pre-configured Docker container with everything ready to go:
```bash
cd docker && docker compose run --rm lc-claude
```
See the Docker section below for more details.
After installing the plugin:
claude tool/mcp and select the LimaCharlie MCP server
For advanced configuration options, see the LimaCharlie MCP documentation.
Once installed, initialize any project with LimaCharlie guidelines:
```bash
/init-lc
```
Then use natural language to interact with LimaCharlie:
See marketplace/plugins/lc-essentials/SKILLS_SUMMARY.md for a complete list of available skills.
The ai-agents/ directory contains autonomous AI agents that run inside LimaCharlie organizations. These are not Claude Code sub-agents — they are standalone AI agents deployed as LimaCharlie IaC.
| Agent | Description |
|---|---|
| l1-bot | Automated L1 SOC analyst that investigates new cases and documents findings for L2 review |
With the lc-essentials plugin (recommended): Ask Claude Code to "install the l1-bot agent in my org" — the lc-deployer skill handles everything automatically.
Manually: See each agent's README for step-by-step instructions.