Automate LimaCharlie security operations via CLI: engineer, test, and deploy detection rules; tune noisy alerts; task sensors and payloads fleet-wide for live response and forensics; investigate cases with telemetry enrichment; monitor sensor and fleet health; integrate Velociraptor DFIR; fetch platform docs.
npx claudepluginhub refractionpoint/lc-ai --plugin lc-essentials

Ask a question about LimaCharlie and get an answer from the documentation. Usage: /lc-essentials:ask <your question>
Initialize the current working directory's CLAUDE.md with LimaCharlie CLI guidelines. Merges AUTOINIT.md content into a '# Using LimaCharlie' section. Safe to run multiple times.
Test D&R rules via historical replay against a SINGLE LimaCharlie organization. Designed to be spawned in parallel (one instance per org) by the detection-engineering skill. Returns summarized results (stats, samples, patterns) instead of all matches.
Check sensor health for a SINGLE LimaCharlie organization. This agent is designed to be spawned in parallel (one instance per org) by the sensor-health skill. Accepts org ID and parameters in the prompt, returns findings for that org only.
Execute sensor tasks (live response commands) on a single sensor and return results. Designed for parallel execution by parent skills. Handles online verification, task execution, and result formatting.
Expert Detection Engineer assistant for creating and testing D&R rules in LimaCharlie. Guides through understanding threats, researching event data (Schema, LCQL, Timeline), generating detection logic, testing rules against sample and historical data, and deploying validated rules. Use for building detections, writing D&R rules, testing detection logic, or when user wants to detect specific behaviors or threats.
Investigate noisy/common alerts and create false positive (FP) rules to suppress benign detections. Analyzes detection frequency over 7 days, identifies patterns, generates and tests FP rules with operator approval before deployment. Use for tuning detection noise, reducing alert fatigue, suppressing known-safe activity, or when specific detections need filtering. Human-in-the-loop workflow ensures no FP rules are deployed without explicit approval.
Deploy payloads and shell commands fleet-wide using reliable tasking. Execute scripts, collect data, or run commands across all endpoints with automatic handling of offline sensors. Use for vulnerability scanning, data collection, software inventory, compliance checks, or any fleet-wide operation.
Investigate security cases from the LimaCharlie Cases extension. Performs HOLISTIC investigations - not just process trees, but initial access hunting, org-wide scope assessment, lateral movement detection, and full host context. Enriches cases with telemetry references, entities/IOCs, analyst notes, and investigation summary/conclusion. Use for SOC triage, incident investigation, threat hunting, alert triage, or building SOC working reports. Supports case lifecycle management (triage, classify, resolve).
Search and retrieve LimaCharlie documentation from GitHub repositories. Use when users ask about LimaCharlie platform features, SDKs, APIs, D&R rules, LCQL, sensors, outputs, extensions, integrations, AI skills, agents, or any LimaCharlie-related topics.
Generate comprehensive sensor health and status reports across all LimaCharlie organizations. Use when users ask about sensor connectivity, data availability, offline sensors, sensors not reporting events, or fleet-wide health queries (e.g., "show me sensors online but not sending data", "list sensors offline for 7 days across all orgs").
Send tasks (commands) to EDR sensors to gather data or take action. Handles offline agents via reliable-tasking, collects responses via LCQL queries, and creates D&R rules for automated response handling. Use for live response, data collection, forensic acquisition, or fleet-wide operations like "get OS version from all Windows servers" or "isolate all hosts with tag X".
Velociraptor DFIR integration for LimaCharlie. List available VQL artifacts, view artifact definitions, launch forensic collections on endpoints. Find raw collection data in Artifacts (type:velociraptor, source:SID). Query processed JSON events from the 'velociraptor' sensor (tag:ext:ext-velociraptor). Build D&R rules for velociraptor_collection events. Use for: forensic triage, incident response, threat hunting, VQL artifact collection.
Generate URLs for the LimaCharlie web application interface. Quickly open the web UI for any feature: dashboard, sensors, detections, D&R rules, FP rules, secrets, outputs, lookups, payloads, YARA rules, artifacts, investigations, extensions, adapters, installation keys, billing, users, playbooks, AI agents, and more. For sensor-specific pages: timeline, console, processes, network, file-system, live-feed. For groups: members, organizations, permissions. Use for "open dashboard", "link to detections", "web UI for sensor", "open D&R rules page", "browser link", "app link", "open in web", "show me URL for", "go to".