Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From lc-advanced-skills
Manages LimaCharlie multi-tenant configurations as IaC in ext-git-sync compatible git repos. Initializes repos, adds/removes tenants, handles global/tenant D&R rules, outputs, FIM, extensions.
npx claudepluginhub refractionpoint/lc-ai --plugin lc-advanced-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/lc-advanced-skills:limacharlie-iacThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Manage multi-tenant LimaCharlie configurations using git-based Infrastructure as Code, compatible with the `ext-git-sync` extension.
templates/README.mdtemplates/hives/artifact.yamltemplates/hives/dr-general.yamltemplates/hives/exfil.yamltemplates/hives/extensions.yamltemplates/hives/fp.yamltemplates/hives/installation_keys.yamltemplates/hives/integrity.yamltemplates/hives/outputs.yamltemplates/hives/resources.yamltemplates/org-manifest.yamltemplates/orgs/index.yaml.templateGenerates URLs to LimaCharlie web UI for dashboard, sensors, detections, D&R rules, FP rules, secrets, outputs, investigations, playbooks, AI agents, and sensor pages like timeline and processes.
Onboards LimaCharlie organizations by discovering cloud CLIs (GCP, AWS, Azure, DigitalOcean), surveying projects/VMs/logs, deploying EDR via cloud services, creating log adapters, and verifying connectivity. Use for new tenant setup or cloud integration.
Reviews SentinelOne XSPM misconfigurations across AWS, Azure, GCP, Kubernetes, identity, and IaC. Covers detection, compliance standards, MITRE ATT&CK mappings, remediation steps, evidence, and MSP posture workflows.
Share bugs, ideas, or general feedback.
Manage multi-tenant LimaCharlie configurations using git-based Infrastructure as Code, compatible with the ext-git-sync extension.
Prerequisites: Run
/init-lcto initialize LimaCharlie context.
All LimaCharlie operations use the limacharlie CLI directly:
limacharlie <noun> <verb> --oid <oid> --output yaml [flags]
For command help and discovery: limacharlie <command> --ai-help
| Rule | Wrong | Right |
|---|---|---|
| CLI Access | Call MCP tools or spawn api-executor | Use Bash("limacharlie ...") directly |
| Output Format | --output json | --output yaml (more token-efficient) |
| Filter Output | Pipe to jq/yq | Use --filter JMESPATH to select fields |
| D&R Rules | Write YAML manually | Use limacharlie ai generate-* + limacharlie dr validate |
| OID | Use org name | Use UUID (call limacharlie org list if needed) |
This skill helps you manage LimaCharlie organizations using Infrastructure as Code:
┌─────────────────────────────────────────────────────────────────┐
│ IaC REPOSITORY (ext-git-sync compatible) │
│ │
│ org-manifest.yaml ← Friendly name → OID mapping │
│ │
│ hives/ ← GLOBAL configs (all tenants) │
│ ├── dr-general.yaml D&R rules │
│ ├── fp.yaml False positives │
│ ├── outputs.yaml Output destinations │
│ ├── extensions.yaml Extensions to enable │
│ ├── integrity.yaml FIM rules │
│ └── ... │
│ │
│ orgs/ ← PER-TENANT configs │
│ ├── <oid-1>/ │
│ │ ├── index.yaml Includes global + custom │
│ │ └── custom/ Tenant-specific overrides │
│ │ ├── rules.yaml │
│ │ └── fim.yaml │
│ └── <oid-2>/ │
│ └── index.yaml │
│ │
│ exports/ ← Auto-generated by ext-git-sync │
│ └── orgs/... │
└─────────────────────────────────────────────────────────────────┘
This skill generates repositories compatible with LimaCharlie's ext-git-sync extension:
orgs/ are OIDs (required by ext-git-sync)index.yaml that includes global and custom configshives/ are shared via relative path includesSince OID folders are hard to read, the skill maintains org-manifest.yaml:
version: 1
orgs:
acme-corp:
oid: 7e41e07b-c44c-43a3-b78d-41f34204789d
description: "Acme Corporation - Production"
added: "2025-11-30"
globex:
oid: a326700d-3cd7-49d1-ad08-20b396d8549d
description: "Globex Industries"
added: "2025-11-30"
You refer to orgs by friendly name; the skill translates to OIDs.
"Set up a new IaC repo" or "Initialize LimaCharlie IaC at /path/to/repo"
Creates a new ext-git-sync compatible repository:
<repo-path>/
├── org-manifest.yaml
├── hives/
│ ├── dr-general.yaml
│ ├── fp.yaml
│ ├── outputs.yaml
│ ├── extensions.yaml
│ ├── integrity.yaml
│ ├── artifact.yaml
│ ├── exfil.yaml
│ ├── resources.yaml
│ └── installation_keys.yaml
├── orgs/
│ └── .gitkeep
├── exports/
│ └── .gitkeep
├── README.md
└── .gitignore
Workflow:
version: 3 headersorg-manifest.yaml"Add tenant acme-corp" or "Add org Acme Corporation to IaC"
Adds an existing LimaCharlie organization to the repository:
Workflow:
limacharlie org list --output yamlorgs/<oid>/index.yaml with global includesorgs/<oid>/custom/ directory for future customizationsorg-manifest.yamllimacharlie sync pullExample index.yaml generated:
version: 3
include:
# Global configurations
- ../../hives/extensions.yaml
- ../../hives/dr-general.yaml
- ../../hives/fp.yaml
- ../../hives/outputs.yaml
- ../../hives/integrity.yaml
- ../../hives/artifact.yaml
- ../../hives/exfil.yaml
- ../../hives/resources.yaml
- ../../hives/installation_keys.yaml
# Custom configurations for this org (uncomment as needed)
# - custom/rules.yaml
# - custom/fim.yaml
# - custom/outputs.yaml
"Create new org called acme-corp" or "Create tenant Acme Corporation in US region"
Creates a new organization in LimaCharlie AND adds it to the repository:
Workflow:
create_org to create organization in LC"Remove acme-corp from IaC" (does NOT delete the org in LC)
Workflow:
org-manifest.yamlorgs/<oid>/ directoryorg-manifest.yaml"Add detection for encoded PowerShell to all tenants" "Create global rule to detect mimikatz"
Creates a NEW rule and adds it to global config:
Workflow:
limacharlie ai generate-detection, limacharlie ai generate-response)limacharlie dr validatehives/dr-general.yaml"Import rule encoded-powershell from acme-corp" "Get rule mimikatz-detection from globex into IaC"
Fetches an EXISTING rule from a LimaCharlie tenant and adds it to the IaC repo:
Workflow:
org-manifest.yamllimacharlie dr get --key encoded-powershell --oid <tenant-oid> --output yaml
hives/dr-general.yamlorgs/<oid>/custom/rules.yaml"Promote rule encoded-powershell from acme-corp to global" "Make rule X from globex apply to all tenants"
Takes an existing rule from ONE tenant and makes it apply to ALL tenants:
Workflow:
org-manifest.yamllimacharlie dr get --key <name> --oid <oid> --output yamlhives/dr-general.yamlorgs/<oid>/custom/rules.yamlExample:
User: "Promote rule lateral-movement-psexec from acme-corp to global"
Skill:
1. Fetches rule from acme-corp (OID: 7e41e07b-...)
2. Adds to hives/dr-general.yaml:
hives:
dr-general:
lateral-movement-psexec:
data:
detect: ...
respond: ...
usr_mtd:
enabled: true
3. All tenants now get this rule via their index.yaml includes
"Copy rule X from acme-corp to globex" "Give globex the same custom-detection rule that acme-corp has"
Copies a rule from one tenant to another (without making it global):
Workflow:
orgs/<dest-oid>/custom/rules.yamlindex.yaml to include custom rules if needed"Add custom detection only for acme-corp" "Create rule for globex to detect their specific app"
Creates a NEW rule for ONE tenant only:
Workflow:
org-manifest.yamlorgs/<oid>/custom/rules.yamlorgs/<oid>/index.yaml to include custom rules"Show all global rules" "What rules does acme-corp have?" "List custom rules for globex"
Displays rules from the IaC repo:
Global Rules (hives/dr-general.yaml)
════════════════════════════════════
- encoded-powershell-execution (enabled)
- mimikatz-command-line (enabled)
- lateral-movement-psexec (enabled)
Tenant: acme-corp (7e41e07b-...)
Custom Rules (orgs/.../custom/rules.yaml)
─────────────────────────────────────────
- acme-specific-app-detection (enabled)
Tenant: globex (a326700d-...)
Custom Rules: (none)
"Add global output to send detections to Slack" "Enable Zeek extension for all orgs" "Add FIM rule to watch /etc/passwd globally"
Adds configuration that applies to ALL tenants:
Supported global config types:
| Type | File | Command Example |
|---|---|---|
| D&R Rules | hives/dr-general.yaml | "Add detection for X" |
| False Positives | hives/fp.yaml | "Add FP rule for Y" |
| Outputs | hives/outputs.yaml | "Add Slack output" |
| Extensions | hives/extensions.yaml | "Enable Zeek extension" |
| FIM | hives/integrity.yaml | "Add FIM for /etc/passwd" |
| Artifact Collection | hives/artifact.yaml | "Collect auth.log" |
| Exfil Watch | hives/exfil.yaml | "Watch for large uploads" |
| Resources | hives/resources.yaml | "Add payload X" |
| Installation Keys | hives/installation_keys.yaml | "Add Windows install key" |
"Add custom FIM for acme-corp to watch /opt/app" "acme-corp needs a custom Slack output"
Adds configuration specific to ONE tenant:
Workflow:
org-manifest.yamlorgs/<oid>/custom/orgs/<oid>/index.yaml to include it"Import all rules from acme-corp" "Bootstrap IaC from globex's current config"
Imports ALL D&R rules from a tenant into the IaC repo:
Workflow:
limacharlie dr list --oid <oid> --output yaml and limacharlie dr get --key <name> --oid <oid> --output yaml"Show tenants in IaC" or "List orgs"
IaC Repository Tenants
══════════════════════
Friendly Name OID Custom Configs
─────────────────────────────────────────────────────────────────────
acme-corp 7e41e07b-c44c-43a3-b78d-41f34204789d rules, fim
globex a326700d-3cd7-49d1-ad08-20b396d8549d (none)
initech cb639126-e0bc-4563-a577-2e559c0610b2 outputs
Total: 3 tenants
"Show IaC structure" or "What's in the repo?"
Displays the current repository layout with file summaries.
"Validate IaC repo" or "Check for errors"
Validates the repository structure and configurations:
Checks:
index.yaml files have valid includes"Sync acme-corp from LC" or "Pull current config for globex"
Exports current configuration from LimaCharlie into the repository:
Workflow:
limacharlie sync pullexports/orgs/<oid>/"Deploy acme-corp" or "Push configs to LC"
Deploys configuration to LimaCharlie using the CLI:
limacharlie sync push \
--config-file ./orgs/<oid>/index.yaml \
--oid <oid> \
--force \
--hive-dr-general \
--hive-fp \
--outputs \
--integrity \
--artifact \
--exfil \
--resources \
--extensions \
--installation-keys
Note: For production, recommend using ext-git-sync's recurring sync.
CRITICAL: Never write D&R YAML manually. Always use AI generation.
When creating NEW detection rules:
# 1. Generate detection component from natural language
limacharlie ai generate-detection --description "..." --oid <oid> --output yaml
# 2. Generate response component from natural language
limacharlie ai generate-response --description "..." --oid <oid> --output yaml
# 3. Write to temp files and validate before adding to repo
cat > /tmp/detect.yaml << 'EOF'
<detection_yaml>
EOF
cat > /tmp/respond.yaml << 'EOF'
<response_yaml>
EOF
limacharlie dr validate --detect /tmp/detect.yaml --respond /tmp/respond.yaml --oid <oid>
When IMPORTING existing rules from LC, fetch them via API - no generation needed.
After initializing the repo and adding tenants, each org needs ext-git-sync configured:
Subscribe to ext-git-sync extension in each org:
limacharlie extension subscribe --name ext-git-sync --oid <oid> --output yaml
Create SSH deploy key:
ssh-keygen -t ed25519 -C "lc-gitsync-<org-name>" -f ~/.ssh/lc-gitsync
Add public key to GitHub (Settings → Deploy keys → Allow write access)
Store private key in LC Secret Manager for each org:
limacharlie secret set --key git-sync-ssh-key --input-file /tmp/ssh-key.txt --oid <oid>
Configure ext-git-sync using the exact config schema below
CRITICAL: Use these exact field names when configuring ext-git-sync:
# Required fields
repo_url: "git@github.com:your-org/your-repo.git" # NOT "repository"
branch: "main"
conf_root: "orgs/<oid>/index.yaml" # Path to org's config entry point
# SSH authentication (recommended)
ssh_key_source: "secret" # Use LC Secret Manager
ssh_key_secret_name: "git-sync-ssh-key" # Name of secret containing private key
# Alternative: inline SSH key (not recommended for production)
# ssh_key_source: "inline"
# ssh_key: "<private_key_content>"
CLI Example:
cat > /tmp/ext-git-sync-config.yaml << 'EOF'
repo_url: "git@github.com:your-org/your-repo.git"
branch: "main"
conf_root: "orgs/<oid>/index.yaml"
ssh_key_source: "secret"
ssh_key_secret_name: "git-sync-ssh-key"
EOF
limacharlie extension config-set --name ext-git-sync --input-file /tmp/ext-git-sync-config.yaml --oid <org-oid>
For MSSP scenarios, you can use ONE deploy key across all orgs:
After configuration, verify the setup is working:
Check extension subscription:
limacharlie extension list --oid <oid> --output yaml
# Should show ext-git-sync in the list
Verify secret exists:
limacharlie secret list --oid <oid> --output yaml
# Should include "git-sync-ssh-key"
Check extension config:
limacharlie extension config-get --name ext-git-sync --oid <oid> --output yaml
# Verify repo_url, branch, conf_root are correct
Check for org errors:
limacharlie org errors --oid <oid> --output yaml
# Look for ext-git-sync errors (SSH auth failures, repo access issues)
Trigger manual sync (optional):
my-lc-iac/
├── org-manifest.yaml # Friendly name → OID mapping
│
├── hives/ # Global configurations
│ ├── dr-general.yaml # Detection rules
│ ├── fp.yaml # False positive rules
│ ├── outputs.yaml # Output destinations
│ ├── extensions.yaml # Extensions to enable
│ ├── integrity.yaml # FIM rules
│ ├── artifact.yaml # Artifact collection
│ ├── exfil.yaml # Exfil monitoring
│ ├── resources.yaml # Resources/payloads
│ └── installation_keys.yaml # Sensor install keys
│
├── orgs/ # Per-tenant configurations
│ ├── 7e41e07b-...-789d/ # acme-corp (OID)
│ │ ├── index.yaml # Includes global + custom
│ │ └── custom/ # Tenant-specific
│ │ ├── rules.yaml
│ │ └── fim.yaml
│ │
│ └── a326700d-...-549d/ # globex (OID)
│ └── index.yaml
│
├── exports/ # ext-git-sync exports land here
│ └── orgs/
│ └── ...
│
├── README.md
└── .gitignore
version: 3
hives:
dr-general:
rule-name-here:
data:
detect:
event: NEW_PROCESS
op: contains
path: event/COMMAND_LINE
value: "-enc"
respond:
- action: report
name: encoded-powershell
usr_mtd:
enabled: true
expiry: 0
tags: []
version: 3
extensions:
- ext-infrastructure
- ext-velociraptor
- ext-reliable-tasking
version: 3
outputs:
slack-alerts:
for: detect
module: slack
slack_api_token: hive://secret/slack-token
slack_channel: "#security-alerts"
version: 3
integrity:
ssh-keys:
patterns:
- /root/.ssh/authorized_keys
- /home/*/.ssh/authorized_keys
platforms:
- linux
tags: []
version: 3
installation_keys:
windows:
desc: "Windows endpoints"
tags:
- windows
linux:
desc: "Linux servers"
tags:
- linux
version: 1
orgs:
acme-corp:
oid: 7e41e07b-c44c-43a3-b78d-41f34204789d
description: "Acme Corporation - Production"
added: "2025-11-30"
globex:
oid: a326700d-3cd7-49d1-ad08-20b396d8549d
description: "Globex Industries"
added: "2025-11-30"
Use consistent naming: [category]-[description]
encoded-powershell-executionmimikatz-command-linelateral-movement-psexechive://secret/secret-namelimacharlie sync push --dry-run before deployingdetection-engineering skill to test rules| Issue | Solution |
|---|---|
| Include path not found | Check relative path from index.yaml location |
| YAML syntax error | Validate with python -c "import yaml; yaml.safe_load(open('file.yaml'))" |
| Org not in manifest | Run "add tenant" command |
| Rule not appearing | Check enabled: true in usr_mtd |
| Rule exists in LC but not IaC | Use "import rule" command |
| Issue | Cause | Solution |
|---|---|---|
| "repo_url is required" | Wrong field name | Use repo_url, not repository |
| "ssh_key is required" | Secret doesn't exist or wrong name | Verify secret exists with limacharlie secret list --oid <oid> --output yaml |
| "conf_root not found" | Wrong path in config | Use full path: orgs/<oid>/index.yaml |
| SSH auth failure | Deploy key not added or wrong key | Verify public key is in GitHub deploy keys |
| "Host key verification failed" | First connection to GitHub | Add GitHub to known_hosts or use ssh -o StrictHostKeyChecking=no |
| Sync runs but no changes | Branch mismatch | Verify branch field matches your repo's default branch |
| Extension not in list | Not subscribed | Run limacharlie extension subscribe --name ext-git-sync --oid <oid> |
Check org errors first:
limacharlie org errors --oid <oid> --output yaml
This shows recent errors from ext-git-sync including SSH failures and config issues.
Verify the complete config:
limacharlie extension config-get --name ext-git-sync --oid <oid> --output yaml
Ensure all required fields are present: repo_url, branch, conf_root, ssh_key_source, ssh_key_secret_name
Test SSH key locally:
ssh -i ~/.ssh/your-key -T git@github.com
Should return: "Hi username! You've successfully authenticated..."
Verify GitHub deploy key permissions:
| Command | Example |
|---|---|
| Initialize repo | "Set up IaC repo at ~/lc-config" |
| Add tenant | "Add tenant acme-corp" |
| Create tenant | "Create new org called acme-corp" |
| Add global rule | "Add detection for encoded PowerShell" |
| Import rule | "Import rule X from acme-corp" |
| Promote rule | "Promote rule X from acme-corp to global" |
| Copy rule | "Copy rule X from acme-corp to globex" |
| Add tenant rule | "Add custom rule for acme-corp only" |
| List rules | "Show global rules" |
| List tenants | "Show tenants in IaC" |
| Validate | "Validate IaC repo" |
| Deploy | "Deploy acme-corp" |
| Sync | "Sync acme-corp from LC" |
| Skill | Use Case |
|---|---|
detection-engineering | Test and refine D&R rules before adding to IaC |
lookup-lc-doc | Reference D&R syntax and operators |
reporting | Generate reports across managed orgs |