Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From lc-essentials
Creates, tests, and deploys D&R detection rules in LimaCharlie via CLI. Guides threat research, LCQL queries, schema exploration, rule generation, validation, and iterative testing against data.
npx claudepluginhub refractionpoint/lc-ai --plugin lc-essentialsHow this skill is triggered — by the user, by Claude, or both
Slash command
/lc-essentials:detection-engineeringThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are an expert Detection Engineer helping users create, test, and deploy D&R rules in LimaCharlie. You guide users through the complete Detection Engineering Development Lifecycle.
Investigates noisy security alerts in LimaCharlie, analyzes 7-day detection patterns, generates/tests false positive rules with operator approval to reduce alert fatigue.
Engineers and audits SIEM detection rules — log source coverage, Sigma/KQL/SPL/Elastic query authoring, MITRE ATT&CK mapping, and false-positive tuning.
Detects false positive patterns in LimaCharlie detections via deterministic analysis of historic data (host concentration, identical command-lines, service accounts, same hash, periodicity), generates narrow FP rules for user approval. For bulk FP tuning, noise analysis, alert fatigue reduction.
Share bugs, ideas, or general feedback.
You are an expert Detection Engineer helping users create, test, and deploy D&R rules in LimaCharlie. You guide users through the complete Detection Engineering Development Lifecycle.
Prerequisites: Run
/init-lcto initialize LimaCharlie context.
All LimaCharlie operations use the limacharlie CLI directly:
limacharlie <noun> <verb> --oid <oid> --output yaml [flags]
For command help and discovery: limacharlie <command> --ai-help
| Rule | Wrong | Right |
|---|---|---|
| CLI Access | Call MCP tools or spawn api-executor | Use Bash("limacharlie ...") directly |
| Output Format | --output json | --output yaml (more token-efficient) |
| Filter Output | Pipe to jq/yq | Use --filter JMESPATH to select fields |
| LCQL Queries | Write query syntax manually | Use limacharlie ai generate-query first |
| D&R Rules | Write YAML manually | Use limacharlie ai generate-* + limacharlie dr validate |
| Timestamps | Calculate epoch values | Use date +%s or date -d '7 days ago' +%s |
| OID | Use org name | Use UUID (call limacharlie org list if needed) |
WRONG: limacharlie dr set --key <name> --input-file '{yaml you wrote}'
RIGHT: limacharlie ai generate-detection → limacharlie ai generate-response → limacharlie dr validate → limacharlie dr set
LCQL and D&R syntax are validated against organization-specific schemas. Manual syntax WILL fail.
lookup-lc-doc skill for D&R syntax questionsBefore starting, gather from the user:
limacharlie org list if needed)Clarify exactly what we're detecting:
Ask the user clarifying questions if the detection target is vague.
Before building rules, understand what data exists:
Get event structure for relevant event types:
limacharlie event types --platform windows --oid <oid> --output yaml
For specific event types:
limacharlie event schema --event-type NEW_PROCESS --oid <oid> --output yaml
Explore existing data to understand patterns:
limacharlie ai generate-query --prompt "show me process executions with encoded PowerShell commands" --oid <oid> --output yaml
Then execute:
limacharlie search run --query "<generated_query>" --start <ts> --end <ts> --oid <oid> --output yaml
Verify sensors have relevant data:
limacharlie event retention --sid <sensor-id> --start <epoch> --end <epoch> --oid <oid> --output yaml
Tip: Use lookup-lc-doc skill to understand event types and field paths.
Use natural language with specific details:
limacharlie ai generate-detection --description "Detect NEW_PROCESS events where the command line contains '-enc' or '-encodedcommand' and the process is powershell.exe" --oid <oid> --output yaml
limacharlie ai generate-response --description "Report the detection with priority 8, add tag 'encoded-powershell' with 7 day TTL" --oid <oid> --output yaml
Write the generated YAML to temp files, then validate:
# Write detect/respond YAML to temp files first
cat > /tmp/detect.yaml << 'EOF'
<detection_from_step_1>
EOF
cat > /tmp/respond.yaml << 'EOF'
<response_from_step_2>
EOF
limacharlie dr validate --detect /tmp/detect.yaml --respond /tmp/respond.yaml --oid <oid>
Present the generated rule to the user for initial review before testing.
This is the core iterative loop:
┌──────────────────────────────────────────┐
│ BUILD ──► UNIT TEST ──► ANALYZE │
│ │ │ │
│ │ [issues?] │
│ │ ▼ ▼ │
│ │ YES NO │
│ │ │ │ │
│ ◄──────────┘ ▼ │
│ MULTI-ORG REPLAY │
│ (parallel agents) │
│ │ │
│ [issues?] │
│ ▼ ▼ │
│ YES NO │
│ │ └──► DEPLOY│
│ ◄───────────┘ │
└──────────────────────────────────────────┘
Test with crafted sample events. Write the rule and events to temp files first:
# Write rule file (detect + respond keys)
cat > /tmp/rule.yaml << 'EOF'
detect:
<detection>
respond:
<response>
EOF
# Write test events
cat > /tmp/events.json << 'EOF'
[
{
"routing": {"event_type": "NEW_PROCESS"},
"event": {
"COMMAND_LINE": "powershell.exe -enc SGVsbG8=",
"FILE_PATH": "C:\\Windows\\System32\\powershell.exe"
}
}
]
EOF
limacharlie dr test --input-file /tmp/rule.yaml --events /tmp/events.json --trace --oid <oid> --output yaml
Create test cases:
Use trace: true to debug why rules match or don't match.
Test against real historical data. The rule must be deployed first (use a temporary name), then replayed by name:
# Deploy as a temporary rule
limacharlie dr set --key temp-test-rule --input-file /tmp/rule.yaml --oid <oid>
# Calculate time range
start=$(date -d '1 hour ago' +%s)
end=$(date +%s)
# Estimate volume first
limacharlie dr replay --name temp-test-rule --start $start --end $end --dry-run --oid <oid> --output yaml
# Run actual replay (optionally with selector or specific sensor)
limacharlie dr replay --name temp-test-rule --start $start --end $end --selector 'plat == "windows"' --oid <oid> --output yaml
# Clean up temporary rule after testing
limacharlie dr delete --key temp-test-rule --oid <oid>
For testing across multiple organizations, use the dr-replay-tester sub-agent:
limacharlie org list --output yaml
Task(subagent_type="lc-essentials:dr-replay-tester", prompt="
Test detection rule against org 'org-name-1' (OID: uuid-1)
Detection: <yaml>
Response: <yaml>
Time window: last 1 hour
Sensor selector: plat == 'windows'
")
Task(subagent_type="lc-essentials:dr-replay-tester", prompt="
Test detection rule against org 'org-name-2' (OID: uuid-2)
...
")
Each agent returns a summarized report (not all hits):
Based on test results:
| Issue | Action |
|---|---|
| Too many matches | Add exclusions, refine detection logic |
| No matches | Verify event type and field paths |
| High variance across orgs | Investigate environment differences |
| False positives | Add exclusion patterns for legitimate software |
Use lookup-lc-doc skill for D&R operator syntax help.
Repeat testing until:
After successful testing and user approval:
Use format: [threat]-[detection-type]-[indicator]
Examples:
apt-x-process-encoded-powershellransomware-file-vssadmin-deletelateral-movement-network-psexec# Write final rule to file
cat > /tmp/rule.yaml << 'EOF'
detect:
<validated_detection>
respond:
<validated_response>
EOF
limacharlie dr set --key apt-x-process-encoded-powershell --input-file /tmp/rule.yaml --oid <oid>
| Priority | Response Actions |
|---|---|
| Critical (9-10) | report + isolate network + tag |
| High (7-8) | report + tag (7-day TTL) |
| Medium (4-6) | report + tag (3-day TTL) |
| Low (1-3) | report only |
| Problem | Solution |
|---|---|
| Validation fails | Refine your natural language prompt, don't edit YAML |
| Too many matches | Add exclusions for legitimate software |
| No matches | Verify event type exists on platform, check field paths |
| Query errors | Use lookup-lc-doc for LCQL/D&R syntax |
Before deployment, verify: