From lc-essentials
Generates URLs to LimaCharlie web UI for dashboard, sensors, detections, D&R rules, FP rules, secrets, outputs, investigations, playbooks, AI agents, and sensor pages like timeline and processes.
npx claudepluginhub refractionpoint/lc-ai --plugin lc-essentialsThis skill is limited to using the following tools:
Generate direct URLs to any page in the LimaCharlie web application at `https://app.limacharlie.io`.
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.
Analyzes BMad project state from catalog CSV, configs, artifacts, and query to recommend next skills or answer questions. Useful for help requests, 'what next', or starting BMad.
Generate direct URLs to any page in the LimaCharlie web application at https://app.limacharlie.io.
Prerequisites: Run
/init-lcto initialize LimaCharlie context.
All LimaCharlie operations use the limacharlie CLI directly:
limacharlie <noun> <verb> --oid <oid> --output yaml [flags]
For command help and discovery: limacharlie <command> --ai-help
| Rule | Wrong | Right |
|---|---|---|
| CLI Access | Call MCP tools or spawn api-executor | Use Bash("limacharlie ...") directly |
| Output Format | --output json | --output yaml (more token-efficient) |
| Filter Output | Pipe to jq/yq | Use --filter JMESPATH to select fields |
| OID | Use org name | Use UUID (call limacharlie org list if needed) |
Invoke this skill when users:
Common trigger phrases:
All URLs use the base: https://app.limacharlie.io
/orgs/{oid}/*)These routes require an Organization ID (OID).
| Feature | Path | Aliases/Keywords |
|---|---|---|
| Dashboard | /orgs/{oid}/dashboard | home, overview, main |
| Sensors | /orgs/{oid}/sensors | endpoints, agents, hosts, machines |
| Query Console | /orgs/{oid}/search | search, query, lcql, hunt |
| Detections | /orgs/{oid}/detections | alerts, findings, incidents |
| D&R Rules | /orgs/{oid}/dr-rules | detection rules, d&r, dr rules |
| FP Rules | /orgs/{oid}/fp-rules | false positive, fp, suppression |
| Secrets Manager | /orgs/{oid}/secrets-manager | secrets, credentials, keys |
| Outputs | /orgs/{oid}/outputs | output destinations, siem, destinations |
| Lookups | /orgs/{oid}/lookups | lookup tables, reference data, ioc lists |
| Payloads | /orgs/{oid}/payloads | payload management |
| YARA Rules | /orgs/{oid}/yara-rules | yara, malware rules |
| Artifacts | /orgs/{oid}/artifacts | collected artifacts, evidence |
| Investigations | /orgs/{oid}/investigations | cases, incidents, timelines, investigations |
| Cases | /add-ons/extension-detail/ext-cases | cases, triage, SOC queue, SLA |
| Extensions | /orgs/{oid}/extensions | add-ons, subscriptions |
| External Adapters | /orgs/{oid}/external-adapters | adapters, data ingestion |
| Installation Keys | /orgs/{oid}/installation-keys | install keys, deployment keys |
| Install Sensors | /orgs/{oid}/install-sensors | sensor installation, deploy sensors |
| Users & Roles | /orgs/{oid}/users | users, permissions, access, roles |
| Billing & Usage | /orgs/{oid}/billing-usage | billing, usage, quota, costs |
| REST API | /orgs/{oid}/rest-api | api keys, api configuration |
| Integrations | /orgs/{oid}/integrations | third-party integrations |
| AI Agents | /orgs/{oid}/ai-agents | ai, agents |
| Playbooks | /orgs/{oid}/playbooks | automation, workflows |
| Management Logs | /orgs/{oid}/logs/management | audit logs, management logs |
| YARA Service | /orgs/{oid}/yara | yara scanning |
| Exfil Control | /orgs/{oid}/exfil | exfiltration, data control |
| Sensor Cull | /orgs/{oid}/sensor-cull | cleanup, stale sensors |
| Reliable Tasking | /orgs/{oid}/reliable-tasking | offline tasking |
| Vulnerabilities | /orgs/{oid}/vulnerabilities | vulns, cve, security issues |
| Artifact Collection | /orgs/{oid}/artifact-collection | collection rules |
/orgs/{oid}/sensors/{sid}/*)These routes require both Organization ID (OID) and Sensor ID (SID).
| Feature | Path | Aliases/Keywords |
|---|---|---|
| Sensor Overview | /orgs/{oid}/sensors/{sid}/overview | sensor info, sensor details |
| Timeline | /orgs/{oid}/sensors/{sid}/timeline | events, event timeline, history |
| Sensor Detections | /orgs/{oid}/sensors/{sid}/detections | endpoint alerts |
| Live Console | /orgs/{oid}/sensors/{sid}/console | console, terminal, shell, cli |
| Processes | /orgs/{oid}/sensors/{sid}/processes | running processes, process list, ps |
| Network | /orgs/{oid}/sensors/{sid}/network | connections, netstat, network connections |
| File System | /orgs/{oid}/sensors/{sid}/file-system | files, file browser, directories |
| Live Feed | /orgs/{oid}/sensors/{sid}/live-feed | live events, real-time |
| Sensor Artifacts | /orgs/{oid}/sensors/{sid}/artifacts | endpoint artifacts |
| Event Collection | /orgs/{oid}/sensors/{sid}/event-collection | collection rules |
| Sensor Extensions | /orgs/{oid}/sensors/{sid}/extensions | endpoint extensions |
| OS Users | /orgs/{oid}/sensors/{sid}/os-users | local users, user accounts |
| OS Packages | /orgs/{oid}/sensors/{sid}/os-packages | installed packages, software, programs |
| OS Services | /orgs/{oid}/sensors/{sid}/os-services | services, windows services, daemons |
| Autoruns | /orgs/{oid}/sensors/{sid}/os-autoruns | startup, persistence, autostart |
| Analytics | /orgs/{oid}/sensors/{sid}/analytics | sensor analytics |
| File Integrity | /orgs/{oid}/sensors/{sid}/integrity-rules | fim, file integrity monitoring |
| Drivers | /orgs/{oid}/sensors/{sid}/os-drivers | kernel drivers |
/groups/{group_id}/*)These routes require a Group ID.
| Feature | Path | Aliases/Keywords |
|---|---|---|
| Group Members | /groups/{gid}/users | group users, members, owners |
| Group Organizations | /groups/{gid}/organizations | group orgs, member orgs |
| Group Permissions | /groups/{gid}/permissions | access control |
| Group Activity | /groups/{gid}/activity-logs | group logs, audit |
| Feature | Path | Aliases/Keywords |
|---|---|---|
| Marketplace | /add-ons | add-ons, extensions marketplace |
| User Profile | /profile | my profile, account settings |
| Create Organization | /create-org | new org, new organization |
Extract from the user's request:
If the user provided an organization name instead of OID, or if no organization was specified:
limacharlie org list --output yaml
Handling multiple organizations:
If the user requested a sensor-specific URL but provided a hostname instead of SID:
limacharlie sensor list --oid [oid] --output yaml
Then filter the results to find the sensor with hostname matching '[hostname]' and extract its SID.
Use the reference tables above to match the user's request to the correct URL path. Apply keyword/alias matching for flexibility.
Build the complete URL by combining:
https://app.limacharlie.ioReturn the URL in a clickable markdown format:
[Feature Name](https://app.limacharlie.io/orgs/{oid}/feature)
User: "Give me the link to the secrets manager"
Steps:
secrets-managerlimacharlie org list --output yamlResponse:
Here's the link to the Secrets Manager:
[Secrets Manager](https://app.limacharlie.io/orgs/c7e8f940-1234-5678-abcd-1234567890ab/secrets-manager)
User: "Open the timeline for sensor DESKTOP-PROD01 in the production org"
Steps:
timeline (sensor route)limacharlie org list --output yamllimacharlie sensor list --oid <oid> --output yamlResponse:
Here's the timeline for DESKTOP-PROD01:
[Sensor Timeline](https://app.limacharlie.io/orgs/a1b2c3d4-5678-90ab-cdef-1234567890ab/sensors/abc123def456/timeline)
User: "I need links to detections, D&R rules, and the query console"
Response:
Here are your requested links:
- [Detections](https://app.limacharlie.io/orgs/{oid}/detections)
- [D&R Rules](https://app.limacharlie.io/orgs/{oid}/dr-rules)
- [Query Console](https://app.limacharlie.io/orgs/{oid}/search)
User: "Link to the rules page"
Response:
There are several types of rules in LimaCharlie. Which one would you like?
1. **D&R Rules** - Detection & Response rules
https://app.limacharlie.io/orgs/{oid}/dr-rules
2. **FP Rules** - False Positive suppression rules
https://app.limacharlie.io/orgs/{oid}/fp-rules
3. **YARA Rules** - Malware detection rules
https://app.limacharlie.io/orgs/{oid}/yara-rules
4. **Artifact Collection Rules** - Data collection rules
https://app.limacharlie.io/orgs/{oid}/artifact-collection
User: "Link to the threat intel page"
Response:
LimaCharlie doesn't have a dedicated "threat intel" page, but here are related features:
- **Lookups** - Store and query IOC lists, threat intel feeds
https://app.limacharlie.io/orgs/{oid}/lookups
- **D&R Rules** - Create detection rules based on threat intel
https://app.limacharlie.io/orgs/{oid}/dr-rules
- **Query Console** - Hunt for IOCs using LCQL
https://app.limacharlie.io/orgs/{oid}/search
Would you like a link to one of these?
Organization "acme-corp" not found. Your available organizations:
- production (a1b2c3d4-5678-...)
- staging (e5f6g7h8-9012-...)
- dev (i9j0k1l2-3456-...)
Please specify which organization you'd like.
No sensor found with hostname "UNKNOWN-HOST" in organization "production".
Would you like me to:
1. List all sensors in this organization
2. Search for sensors with a similar hostname
The sensor timeline page requires a sensor ID.
Please provide either:
- A sensor SID (e.g., "abc123def456...")
- OR a hostname (e.g., "DESKTOP-PROD01")
I can also list sensors in your organization if you need to find one.
c7e8f940-1234-5678-abcd-1234567890ab)lookup-lc-doc - For documentation about LimaCharlie featuressensor-health - For checking sensor status before linking to sensor pages