From lc-essentials
Generates URLs to LimaCharlie web UI for dashboard, sensors, detections, D&R rules, FP rules, secrets, outputs, investigations, playbooks, AI agents, and sensor pages like timeline and processes.
npx claudepluginhub refractionpoint/lc-ai --plugin lc-essentials
How this skill is triggered — by the user, by Claude, or both
Slash command
/lc-essentials:web-ui-link
This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Generate direct URLs to any page in the LimaCharlie web application at `https://app.limacharlie.io`.
Generate direct URLs to any page in the LimaCharlie web application at https://app.limacharlie.io.
Prerequisites: Run `/init-lc` to initialize LimaCharlie context.
All LimaCharlie operations use the limacharlie CLI directly:
`limacharlie <noun> <verb> --oid <oid> --output yaml [flags]`
For command help and discovery: `limacharlie <command> --ai-help`
| Rule | Wrong | Right |
|---|---|---|
| CLI Access | Call MCP tools or spawn api-executor | Use Bash("limacharlie ...") directly |
| Output Format | --output json | --output yaml (more token-efficient) |
| Filter Output | Pipe to jq/yq | Use --filter JMESPATH to select fields |
| OID | Use org name | Use UUID (call limacharlie org list if needed) |
Invoke this skill when users:
Common trigger phrases:
All URLs use the base: https://app.limacharlie.io
Routes under `/orgs/{oid}/*` require an Organization ID (OID).
| Feature | Path | Aliases/Keywords |
|---|---|---|
| Dashboard | /orgs/{oid}/dashboard | home, overview, main |
| Sensors | /orgs/{oid}/sensors | endpoints, agents, hosts, machines |
| Query Console | /orgs/{oid}/search | search, query, lcql, hunt |
| Detections | /orgs/{oid}/detections | alerts, findings, incidents |
| D&R Rules | /orgs/{oid}/dr-rules | detection rules, d&r, dr rules |
| FP Rules | /orgs/{oid}/fp-rules | false positive, fp, suppression |
| Secrets Manager | /orgs/{oid}/secrets-manager | secrets, credentials, keys |
| Outputs | /orgs/{oid}/outputs | output destinations, siem, destinations |
| Lookups | /orgs/{oid}/lookups | lookup tables, reference data, ioc lists |
| Payloads | /orgs/{oid}/payloads | payload management |
| YARA Rules | /orgs/{oid}/yara-rules | yara, malware rules |
| Artifacts | /orgs/{oid}/artifacts | collected artifacts, evidence |
| Investigations | /orgs/{oid}/investigations | cases, incidents, timelines, investigations |
| Cases | /add-ons/extension-detail/ext-cases | cases, triage, SOC queue, SLA |
| Extensions | /orgs/{oid}/extensions | add-ons, subscriptions |
| External Adapters | /orgs/{oid}/external-adapters | adapters, data ingestion |
| Installation Keys | /orgs/{oid}/installation-keys | install keys, deployment keys |
| Install Sensors | /orgs/{oid}/install-sensors | sensor installation, deploy sensors |
| Users & Roles | /orgs/{oid}/users | users, permissions, access, roles |
| Billing & Usage | /orgs/{oid}/billing-usage | billing, usage, quota, costs |
| REST API | /orgs/{oid}/rest-api | api keys, api configuration |
| Integrations | /orgs/{oid}/integrations | third-party integrations |
| AI Agents | /orgs/{oid}/ai-agents | ai, agents |
| Playbooks | /orgs/{oid}/playbooks | automation, workflows |
| Management Logs | /orgs/{oid}/logs/management | audit logs, management logs |
| YARA Service | /orgs/{oid}/yara | yara scanning |
| Exfil Control | /orgs/{oid}/exfil | exfiltration, data control |
| Sensor Cull | /orgs/{oid}/sensor-cull | cleanup, stale sensors |
| Reliable Tasking | /orgs/{oid}/reliable-tasking | offline tasking |
| Vulnerabilities | /orgs/{oid}/vulnerabilities | vulns, cve, security issues |
| Artifact Collection | /orgs/{oid}/artifact-collection | collection rules |
Routes under `/orgs/{oid}/sensors/{sid}/*` require both Organization ID (OID) and Sensor ID (SID).
| Feature | Path | Aliases/Keywords |
|---|---|---|
| Sensor Overview | /orgs/{oid}/sensors/{sid}/overview | sensor info, sensor details |
| Timeline | /orgs/{oid}/sensors/{sid}/timeline | events, event timeline, history |
| Sensor Detections | /orgs/{oid}/sensors/{sid}/detections | endpoint alerts |
| Live Console | /orgs/{oid}/sensors/{sid}/console | console, terminal, shell, cli |
| Processes | /orgs/{oid}/sensors/{sid}/processes | running processes, process list, ps |
| Network | /orgs/{oid}/sensors/{sid}/network | connections, netstat, network connections |
| File System | /orgs/{oid}/sensors/{sid}/file-system | files, file browser, directories |
| Live Feed | /orgs/{oid}/sensors/{sid}/live-feed | live events, real-time |
| Sensor Artifacts | /orgs/{oid}/sensors/{sid}/artifacts | endpoint artifacts |
| Event Collection | /orgs/{oid}/sensors/{sid}/event-collection | collection rules |
| Sensor Extensions | /orgs/{oid}/sensors/{sid}/extensions | endpoint extensions |
| OS Users | /orgs/{oid}/sensors/{sid}/os-users | local users, user accounts |
| OS Packages | /orgs/{oid}/sensors/{sid}/os-packages | installed packages, software, programs |
| OS Services | /orgs/{oid}/sensors/{sid}/os-services | services, windows services, daemons |
| Autoruns | /orgs/{oid}/sensors/{sid}/os-autoruns | startup, persistence, autostart |
| Analytics | /orgs/{oid}/sensors/{sid}/analytics | sensor analytics |
| File Integrity | /orgs/{oid}/sensors/{sid}/integrity-rules | fim, file integrity monitoring |
| Drivers | /orgs/{oid}/sensors/{sid}/os-drivers | kernel drivers |
Routes under `/groups/{group_id}/*` require a Group ID.
| Feature | Path | Aliases/Keywords |
|---|---|---|
| Group Members | /groups/{gid}/users | group users, members, owners |
| Group Organizations | /groups/{gid}/organizations | group orgs, member orgs |
| Group Permissions | /groups/{gid}/permissions | access control |
| Group Activity | /groups/{gid}/activity-logs | group logs, audit |

| Feature | Path | Aliases/Keywords |
|---|---|---|
| Marketplace | /add-ons | add-ons, extensions marketplace |
| User Profile | /profile | my profile, account settings |
| Create Organization | /create-org | new org, new organization |
Extract from the user's request:
If the user provided an organization name instead of OID, or if no organization was specified:
`limacharlie org list --output yaml`
Handling multiple organizations:
If the user requested a sensor-specific URL but provided a hostname instead of SID:
`limacharlie sensor list --oid [oid] --output yaml`
Then filter the results to find the sensor with hostname matching '[hostname]' and extract its SID.
Use the reference tables above to match the user's request to the correct URL path. Apply keyword/alias matching for flexibility.
Build the complete URL by combining:
- https://app.limacharlie.io
Return the URL in a clickable markdown format:
[Feature Name](https://app.limacharlie.io/orgs/{oid}/feature)
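An added example (not part of the lc-essentials skill) of the URL-construction steps above with input validation: the OID must parse as a UUID and the SID must match a conservative pattern before either is placed in a link, so an unresolved org name or hostname never ends up in the URL path. The route dictionaries are a subset of the tables above; `build_link`, `SID_RE` and the SID character set are assumptions of this sketch.

```python
import re
import uuid

BASE = "https://app.limacharlie.io"

# Subset of the page's route tables: path segment -> aliases/keywords.
ORG_ROUTES = {
    "dashboard": ("home", "overview", "main"),
    "detections": ("alerts", "findings"),
    "dr-rules": ("detection rules", "d&r", "dr rules"),
    "secrets-manager": ("secrets", "credentials", "keys"),
    "search": ("query", "lcql", "hunt"),
}
SENSOR_ROUTES = {
    "timeline": ("events", "event timeline", "history"),
    "processes": ("running processes", "process list", "ps"),
    "os-autoruns": ("startup", "persistence", "autostart"),
}
# Assumption: SIDs contain only letters, digits and hyphens.
SID_RE = re.compile(r"[0-9A-Za-z-]{1,64}")


def _match(keyword, routes):
    """Map a user keyword to a path segment by exact name or alias."""
    kw = keyword.strip().lower()
    for segment, aliases in routes.items():
        if kw == segment or kw in aliases:
            return segment
    return None


def build_link(keyword, oid, sid=None):
    """Return a markdown link; raise ValueError on any unvalidated input."""
    try:
        oid = str(uuid.UUID(oid))  # rejects org names and path fragments
    except (ValueError, AttributeError, TypeError):
        raise ValueError("OID must be a UUID; resolve names with `limacharlie org list`")
    segment = _match(keyword, ORG_ROUTES)
    if segment:
        return f"[{segment}]({BASE}/orgs/{oid}/{segment})"
    segment = _match(keyword, SENSOR_ROUTES)
    if segment is None:
        raise ValueError(f"no known page for {keyword!r}")
    if sid is None or not SID_RE.fullmatch(sid):
        raise ValueError("sensor pages need a valid SID")
    return f"[{segment}]({BASE}/orgs/{oid}/sensors/{sid}/{segment})"
```

An ambiguous keyword such as "rules" is deliberately absent from the alias maps, so it raises instead of guessing, which matches the clarification prompt shown in the examples below.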
User: "Give me the link to the secrets manager"
Steps:
- secrets-manager
- `limacharlie org list --output yaml`

Response:
Here's the link to the Secrets Manager:
[Secrets Manager](https://app.limacharlie.io/orgs/c7e8f940-1234-5678-abcd-1234567890ab/secrets-manager)
User: "Open the timeline for sensor DESKTOP-PROD01 in the production org"
Steps:
- timeline (sensor route)
- `limacharlie org list --output yaml`
- `limacharlie sensor list --oid <oid> --output yaml`

Response:
Here's the timeline for DESKTOP-PROD01:
[Sensor Timeline](https://app.limacharlie.io/orgs/a1b2c3d4-5678-90ab-cdef-1234567890ab/sensors/abc123def456/timeline)
User: "I need links to detections, D&R rules, and the query console"
Response:
Here are your requested links:
- [Detections](https://app.limacharlie.io/orgs/{oid}/detections)
- [D&R Rules](https://app.limacharlie.io/orgs/{oid}/dr-rules)
- [Query Console](https://app.limacharlie.io/orgs/{oid}/search)
User: "Link to the rules page"
Response:
There are several types of rules in LimaCharlie. Which one would you like?
1. **D&R Rules** - Detection & Response rules
https://app.limacharlie.io/orgs/{oid}/dr-rules
2. **FP Rules** - False Positive suppression rules
https://app.limacharlie.io/orgs/{oid}/fp-rules
3. **YARA Rules** - Malware detection rules
https://app.limacharlie.io/orgs/{oid}/yara-rules
4. **Artifact Collection Rules** - Data collection rules
https://app.limacharlie.io/orgs/{oid}/artifact-collection
User: "Link to the threat intel page"
Response:
LimaCharlie doesn't have a dedicated "threat intel" page, but here are related features:
- **Lookups** - Store and query IOC lists, threat intel feeds
https://app.limacharlie.io/orgs/{oid}/lookups
- **D&R Rules** - Create detection rules based on threat intel
https://app.limacharlie.io/orgs/{oid}/dr-rules
- **Query Console** - Hunt for IOCs using LCQL
https://app.limacharlie.io/orgs/{oid}/search
Would you like a link to one of these?
Organization "acme-corp" not found. Your available organizations:
- production (a1b2c3d4-5678-...)
- staging (e5f6g7h8-9012-...)
- dev (i9j0k1l2-3456-...)
Please specify which organization you'd like.
No sensor found with hostname "UNKNOWN-HOST" in organization "production".
Would you like me to:
1. List all sensors in this organization
2. Search for sensors with a similar hostname
The sensor timeline page requires a sensor ID.
Please provide either:
- A sensor SID (e.g., "abc123def456...")
- OR a hostname (e.g., "DESKTOP-PROD01")
I can also list sensors in your organization if you need to find one.
c7e8f940-1234-5678-abcd-1234567890ab)
- lookup-lc-doc - For documentation about LimaCharlie features
- sensor-health - For checking sensor status before linking to sensor pages