---
name: limacharlie-expert
description: Use this skill when the user mentions LimaCharlie or wants to work with endpoint detection, cloud security monitoring, detection rules, or security automation. This provides an overview of LimaCharlie components and their interconnections.
---

# LimaCharlie Expert

Entry point skill for all LimaCharlie tasks. Provides a component overview and routes to specialized skills.

## Core Components

### Telemetry Sources

**Sensors (Endpoint Agents)**
- Generate Events (NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, etc.)
- Execute sensor commands (history_dump, file_hash, os_processes, etc.)
- Receive D&R rule actions (isolate network, kill process, etc.)
- Have Tags applied to them

**Adapters**
- Ingest cloud/SaaS logs: AWS, Azure, GCP, M365, Okta, CrowdStrike, etc.
- Convert external telemetry into Events
- Feed the same pipeline as Sensors

**Installation Keys**
- Enroll Sensors into the organization
- Can auto-apply Tags at enrollment

### Detection Engine

**D&R Rules**
- Match against Events
- Generate Detections
- Execute Response Actions:
  - `task` - run sensor commands
  - `run extension` (written as `extension request` in rule YAML) - trigger Extensions
  - `add tag` / `remove tag` - modify sensor Tags
  - `isolate network` / `rejoin network` - network containment and release
  - `seal` / `unseal` - tamper protection
  - `report` - create a Detection
  - `wait` - delay, for sequencing chained actions

**Stateful Rules**
- Correlate multiple Events over time
- Track counts, sequences, unique values
- Generate Detections with aggregated context

**YARA Rules**
- Real-time process scanning
- On-demand file/memory scanning
- Generate YARA_DETECTION Events, which D&R rules can then match

**False Positive Rules**
- Suppress Detections
- Filter before Outputs

**Managed Rulesets**
- Pre-built D&R rules (Sigma, Soteria, SOC Prime)

### Data Structures

**Events** (`event` stream)
- Structure: `{routing: {...}, event: {...}}`
- Generated by: Sensors, Adapters
- Matched by: D&R Rules
- Stored in: Insight
- Queried by: LCQL
- Forwarded by: Outputs

**Detections** (`detect` stream)
- Generated by: D&R Rules
- Includes: routing (copied from the Event) + detect (the Event data) + metadata (`cat`, `priority`, `detect_data`)
- Can trigger: D&R rules, Outputs

**Audit** (`audit` stream)
- Platform actions, config changes

**Deployment** (`deployment` stream)
- Sensor lifecycle events

### Storage & Configuration

**Insight**
- 1-year retention of Events, Detections, Audit logs
- Queried by LCQL

**Config Hive**
- Stores: Secrets, Lookups (key-value), D&R rules, YARA rules
- Used by: D&R rules (lookup action), Extensions, Cloud Sensors
- Namespaces for organization

**Tags**
- Applied to: Sensors
- Used to: target D&R rules, filter, group
- Modified by: D&R rules (add/remove tag actions), manual assignment, auto-enrollment via Installation Keys

### Query & Investigation

**LCQL (LimaCharlie Query Language)**
- Query: Events, Detections, Audit logs in Insight
- Returns: filtered, aggregated, joined data

**Timeline**
- Per-Sensor Event history
- Complete forensic record

**Sensor Commands**
- 100+ investigative/response commands
- Triggered by: D&R rules (task action), manual execution, Extensions, API

**Replay**
- Test D&R rules against historical Events from Insight before deploying them

### Automation

**Extensions**
- Serverless functions
- Triggered by: D&R rules (run extension), API, schedules
- Can: access Config Hive, call external APIs, read Events, respond with actions (add tag, run sensor command)
- Built-in: YARA Manager, Artifact Manager, VirusTotal, GreyNoise, etc.

**Playbooks**
- Visual workflow builder
- Orchestrates: D&R rules, Extensions, sensor commands

**API & SDK**
- Python/Go SDKs
- REST API for all platform operations

### Data Forwarding

**Outputs**
- Destinations: SIEM, data lakes, Slack, webhooks, S3, etc.
- Source streams: event, detect, audit, deployment
- Can: filter, transform data

## Component Interconnections

### Primary Data Flow

```
Sensors/Adapters → Events → D&R Rules → Detections → Outputs
                     ↓          ↓            ↓
                  Insight    Actions      Outputs
```

Events and Detections are both retained in Insight and both can be forwarded by Outputs.

### D&R Rule → Response Actions

D&R rules can trigger:
- **Extensions** → external enrichment/logic → respond with actions back to LC
- **Sensor commands** → investigate/contain on a specific Sensor
- **Tags** → add/remove tags on a Sensor → trigger other D&R rules targeting those tags
- **Network isolation** → quarantine a Sensor
- **Detections** → generate an alert → sent to Outputs
- **Wait** → chain multiple actions sequentially

### Tag-Based Connections

```
D&R rule → Adds Tag to Sensor → Second D&R rule targets that Tag → Executes actions
Installation Key → Auto-applies Tag → Sensor enrolled with Tag → Targeted by D&R rules
```

### Config Hive Integration

```
D&R rule → Lookup action → Config Hive (IOC lists, thresholds)
Extension → Reads secrets from Config Hive → Calls external API
Cloud Sensor → Stores credentials in Config Hive
```

### Extension Integration

```
D&R rule → Run extension → Extension calls external API (VirusTotal)
         → Extension responds with: add tag, run sensor command, generate Event
Extension can: read Config Hive, access Event data, trigger actions
```

### Stateful Rule Correlation

```
Multiple Events (same/different Sensors) → Stateful rule (time window)
→ Counts/aggregates → Threshold met → Generate Detection
```

### LCQL Query Flow

```
LCQL query → Insight (Events/Detections/Audit) → Results
→ Used for: hunting, investigation, rule creation
```

### Multi-Component Chains

Example: Detection → Enrichment → Response

```
Event → D&R rule → Detection + Run extension (VirusTotal)
→ Extension adds tag "malware-confirmed"
→ Second D&R rule (targets "malware-confirmed" tag)
→ Isolate network + task: artifact_get
```

Example: Tag-based progressive response

```
Detection → Add tag "investigate" → Manual review → Add tag "incident-confirmed"
→ D&R rule on "incident-confirmed" → Automated containment actions
```

## Field Paths & Targeting

**Event field paths**:
- `event/FILE_PATH`, `event/COMMAND_LINE`, `event/DOMAIN_NAME`
- `routing/hostname`, `routing/sid`, `routing/event_type`, `routing/tags`

**Detection field paths**:
- `detect/*` (original Event data)
- `cat`, `priority`, `detect_data`, `routing/*`

**D&R rule targeting**:
- Target by: `routing/tags`, `routing/sid`, platform, event type
- Filter by: any field path in the Event

## Component Output/Input Matrix

| Component | Generates | Consumes | Triggers |
|-----------|-----------|----------|----------|
| Sensors | Events | Sensor commands, network isolation | - |
| Adapters | Events | - | - |
| D&R Rules | Detections | Events, Detections | Extensions, sensor commands, Tags |
| Extensions | Actions (tags, commands) | Events, Config Hive | Sensor commands, Tags, Events |
| Config Hive | Data (secrets, lookups) | API/manual input | - |
| Tags | Targeting metadata | D&R actions, manual, Installation Keys | D&R rule targeting |
| Outputs | External forwarding | Events, Detections, Audit | - |
| LCQL | Query results | Insight (Events/Detections/Audit) | - |
| Insight | Searchable data | Events, Detections, Audit | - |
| Stateful Rules | Detections | Multiple Events over time | Extensions, sensor commands, Tags |

## Specialized Skills

Route to these skills for detailed implementation:

**Telemetry**: `sensor-manager`, `adapter-configurator`, `onboard-external-telemetry`

**Detection**: `dr-rule-builder`, `stateful-rule-designer`, `sigma-rule-deployer`, `yara-manager`

**Investigation**: `incident-responder`, `threat-hunter`, `lcql-query-builder`, `forensic-analyst`, `artifact-collector`

**Automation**: `playbook-automator`, `extension-developer`, `api-integrator`, `threat-intel-integrator`

**Management**: `config-hive-manager`, `infrastructure-as-code`, `output-configurator`, `cloud-security-monitor`, `performance-optimizer`

**Additional Documentation**: If the specialized skills above don't provide enough information, the full LimaCharlie documentation is available in the public repository at https://github.com/refractionPOINT/documentation/tree/master/limacharlie

## Key Mechanics

**Response timing**: D&R rules execute in under 100 ms; sensor commands typically take 1-5 s and require the sensor to be connected.

**Data retention**: Insight stores 1 year by default.

**Non-persistent vs persistent isolation**: `segregate_network` is a sensor command that does not survive a reboot; `isolate network` is a D&R action whose isolation persists across reboots until `rejoin network` is applied.

**Event types**: 100+ event types (NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, WEL, YARA_DETECTION, etc.).

**Sensor platforms**: Windows, Linux, macOS, Chrome.

**Action chaining**: Use the `wait` action to sequence multiple responses within one D&R rule.

LimaCharlie is component-based: combine Sensors/Adapters (telemetry) + D&R rules (detection) + Extensions (enrichment/custom logic) + Sensor commands (response) + Outputs (integration) + LCQL (hunting) to build security solutions.
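As an added worked example (this is not LimaCharlie's code or part of any skill), the following Python models a small subset of the D&R rule mechanics described above: slash field paths into the `{routing, event}` structure, `is tagged` targeting, and the `report` / `add tag` / `task` / `isolate network` responses, run locally over constructed events. It reproduces the tag chain from "Tag-Based Connections": the first rule tags the sensor, and only then does the second rule, which targets that tag, isolate it. The operator subset, the in-memory sensor state, the sample events and the mapping of `report` metadata onto `detect_data` are assumptions of the example, not platform behaviour.

```python
"""Added example, not LimaCharlie code: a toy evaluator for a subset of the D&R
rule syntax, run over constructed events to show field paths, tag targeting
and the shape of the Detections produced."""
from copy import deepcopy

def get_path(obj, path):
    """Resolve a slash path such as 'event/FILE_PATH' or 'routing/tags'."""
    for part in path.split("/"):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def match(node, evt):
    """Evaluate one detect node. Only and/or, contains, ends with and is tagged
    are modelled; an operator outside that set raises instead of silently passing."""
    op = node["op"]
    if op in ("and", "or"):
        results = (match(r, evt) for r in node["rules"])
        return all(results) if op == "and" else any(results)
    if op == "is tagged":
        return node["tag"] in (get_path(evt, "routing/tags") or [])
    value = get_path(evt, node["path"])
    if value is None:
        return False  # a missing field never matches
    value, target = str(value), str(node["value"])
    if not node.get("case sensitive", True):
        value, target = value.lower(), target.lower()
    if op == "contains":
        return target in value
    if op == "ends with":
        return value.endswith(target)
    raise ValueError(f"operator not modelled: {op}")

def respond(rule, evt, sensors):
    """Apply respond actions; tag/task/isolation effects are recorded on a
    constructed per-sensor state keyed by routing/sid instead of being sent."""
    state = sensors.setdefault(evt["routing"]["sid"], {"tags": set(), "isolated": False, "tasks": []})
    detections = []
    for action in rule["respond"]:
        kind = action["action"]
        if kind == "report":
            detections.append({
                "routing": deepcopy(evt["routing"]),  # routing carried over from the Event
                "detect": deepcopy(evt["event"]),     # the Event data that matched
                "cat": action["name"],
                "priority": action.get("priority", 0),
                "detect_data": action.get("metadata", {}),  # assumption: report metadata -> detect_data
            })
        elif kind == "add tag":
            state["tags"].add(action["tag"])
        elif kind == "task":
            state["tasks"].append(action["command"])
        elif kind == "isolate network":
            state["isolated"] = True
    return detections

def run_rules(rules, events, sensors):
    """routing/tags is refreshed from sensor state before each event, so a tag
    added by one rule is seen only by rules evaluating later events from that sensor."""
    detections = []
    for original in events:
        evt = deepcopy(original)
        evt["routing"]["tags"] = sorted(sensors.get(evt["routing"]["sid"], {}).get("tags", ()))
        for rule in rules:
            detect = rule["detect"]
            if detect.get("event") not in (None, evt["routing"]["event_type"]):
                continue  # the top-level `event` key gates on routing/event_type
            if match(detect, evt):
                detections.extend(respond(rule, evt, sensors))
    return detections

# Rules as dicts with the same keys a D&R rule has in YAML.
RULE_OFFICE_POWERSHELL = {
    "detect": {"event": "NEW_PROCESS", "op": "and", "rules": [
        {"op": "ends with", "path": "event/FILE_PATH", "value": "powershell.exe", "case sensitive": False},
        {"op": "contains", "path": "event/PARENT/FILE_PATH", "value": "WINWORD.EXE"}]},
    "respond": [{"action": "report", "name": "office-spawned-powershell", "priority": 3},
                {"action": "add tag", "tag": "suspicious", "ttl": 3600},
                {"action": "task", "command": "history_dump"}]}
RULE_TAGGED_HOST_C2_DNS = {  # targets the tag the first rule adds
    "detect": {"event": "DNS_REQUEST", "op": "and", "rules": [
        {"op": "is tagged", "tag": "suspicious"},
        {"op": "ends with", "path": "event/DOMAIN_NAME", "value": ".example-c2.test"}]},
    "respond": [{"action": "report", "name": "tagged-host-c2-dns", "priority": 5},
                {"action": "isolate network"}]}

SID = "11111111-2222-3333-4444-555555555555"  # constructed sensor id
EVENTS = [  # constructed telemetry, not captured data
    {"routing": {"sid": SID, "hostname": "ws-01", "event_type": "NEW_PROCESS", "tags": []},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE",
               "PARENT": {"FILE_PATH": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}}},
    {"routing": {"sid": SID, "hostname": "ws-01", "event_type": "DNS_REQUEST", "tags": []},
     "event": {"DOMAIN_NAME": "update.example-c2.test"}},
    {"routing": {"sid": "other-sid", "hostname": "ws-02", "event_type": "DNS_REQUEST", "tags": []},
     "event": {"DOMAIN_NAME": "update.example-c2.test"}},  # same DNS but untagged: must not isolate
]

def demo():
    """Run both rules over the sample stream; returns (detections, sensor state)."""
    sensors = {}
    return run_rules([RULE_OFFICE_POWERSHELL, RULE_TAGGED_HOST_C2_DNS], EVENTS, sensors), sensors
```

Running `demo()` yields two Detections (`office-spawned-powershell`, then `tagged-host-c2-dns`), the first sensor ends up tagged `suspicious`, tasked with `history_dump` and isolated, and `ws-02`, which made the same DNS request without the tag, is untouched. When testing a real rule set, Replay over Insight plays the same role as the constructed `EVENTS` list here.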
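The "Stateful Rule Correlation" flow above (multiple Events in a time window, counted and aggregated, then a Detection once a threshold is met) is shown next as an added Python model. It is not LimaCharlie's correlation engine and uses none of its syntax: it counts Windows Event Log 4625 failed-logon events per sensor inside a sliding window and records the unique target usernames seen, which is the "counts, sequences, unique values" tracking the page describes. The `routing/event_time` field in milliseconds, the reset-after-firing behaviour, the `detect` payload layout and the sample WEL events are assumptions of the example.

```python
"""Added example, not LimaCharlie code: sliding-window correlation of matching
events per sensor, emitting one Detection with aggregated context at threshold."""
from collections import defaultdict, deque

def get_path(obj, path):
    """Resolve a slash path such as 'event/EVENT/System/EventID'."""
    for part in path.split("/"):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

class WindowedCounter:
    """Fire when `count` events accepted by `predicate` arrive from the same key
    (default: one sensor) within `within_ms`. The window is cleared after firing so
    a burst produces one Detection rather than one per additional event."""

    def __init__(self, name, predicate, count, within_ms, unique_path=None, key_path="routing/sid"):
        self.name, self.predicate = name, predicate
        self.count, self.within_ms = count, within_ms
        self.unique_path, self.key_path = unique_path, key_path
        self.windows = defaultdict(deque)  # key -> deque of (event_time, unique value)

    def feed(self, evt):
        """Feed one event in arrival order; returns a Detection dict or None."""
        if not self.predicate(evt):
            return None
        key, now = get_path(evt, self.key_path), get_path(evt, "routing/event_time")
        win = self.windows[key]
        win.append((now, get_path(evt, self.unique_path) if self.unique_path else None))
        while win and now - win[0][0] > self.within_ms:
            win.popleft()  # expire events older than the window
        if len(win) < self.count:
            return None
        detection = {
            "routing": dict(evt["routing"]),  # routing of the event that crossed the threshold
            "detect": {"count": len(win), "first_event_time": win[0][0], "last_event_time": now,
                       "unique_values": sorted({u for _, u in win if u is not None})},
            "cat": self.name,
            "priority": 4,
        }
        win.clear()
        return detection

def is_failed_logon(evt):
    """Stateless part of the rule: Windows Event Log event 4625 (logon failure)."""
    return (get_path(evt, "routing/event_type") == "WEL"
            and str(get_path(evt, "event/EVENT/System/EventID")) == "4625")

def wel(sid, event_time, event_id, user, ip):
    """Build a constructed WEL event in the {routing, event} shape (sample data only)."""
    return {"routing": {"sid": sid, "hostname": sid, "event_type": "WEL", "event_time": event_time},
            "event": {"EVENT": {"System": {"EventID": event_id},
                                "EventData": {"TargetUserName": user, "IpAddress": ip}}}}

T0 = 1_700_000_000_000  # constructed epoch milliseconds
EVENTS = (
    # five failures against different accounts on ws-01, 8 s apart: crosses the threshold
    [wel("ws-01", T0 + i * 8_000, "4625", u, "203.0.113.9")
     for i, u in enumerate(["admin", "root", "sa", "backup", "svc"])]
    + [wel("ws-01", T0 + 45_000, "4624", "alice", "10.0.0.5")]      # successful logon: not counted
    + [wel("ws-02", T0 + 50_000, "4625", "admin", "203.0.113.9")]   # other sensor, below threshold
    + [wel("ws-01", T0 + 200_000, "4625", "admin", "203.0.113.9")]  # after the reset: new count of 1
)

def run():
    """Correlate the sample stream; returns the list of Detections produced."""
    rule = WindowedCounter("failed-logon-burst", is_failed_logon, count=5, within_ms=60_000,
                           unique_path="event/EVENT/EventData/TargetUserName")
    return [d for d in (rule.feed(e) for e in EVENTS) if d]
```

`run()` returns exactly one Detection, raised on the fifth failure from `ws-01`, whose `detect` block carries the count, the window's first and last `event_time`, and the five distinct usernames; the single failure on `ws-02` and the late failure on `ws-01` never reach the threshold. Keying the window on `routing/sid` is what makes this a per-host rule; keying on the source IP instead would turn the same code into a cross-sensor correlation.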