Can I test rules across multiple organizations simultaneously?

Yes, the skill can spawn parallel sub-agents to replay rules across multiple LimaCharlie organizations and aggregate a summarized match report for cross-org analysis.

What information is required to begin a detection task?

You need the Organization ID (OID), a specific description of the threat behavior, the target platform (Windows, Linux, or macOS), and the intended priority level.

How does the skill help reduce false positives?

It utilizes an iterative testing loop that includes historical replays and unit tests with both positive and negative test cases to identify and exclude legitimate activity before deployment.

Can I write my own D&R rule YAML with this skill?

No, this skill is designed to use specific generation functions to ensure syntax validity against organization-specific schemas, preventing the manual errors common in D&R and LCQL syntax.

LimaCharlie Detection Engineering

Name: LimaCharlie Detection Engineering
Author: refractionPOINT

byrefractionPOINT

•

Seguridad y Pruebas

Builds, tests, and deploys LimaCharlie Detection and Response (D&R) rules through an automated, validated development lifecycle.

Acerca de

The Detection Engineering skill transforms Claude into a specialized security analyst capable of managing the entire lifecycle of LimaCharlie D&R rules. It guides users through threat research, data schema exploration, and the generation of validated detection logic without requiring manual YAML or LCQL syntax. By integrating iterative testing phases—including unit tests with mock events and historical replays across multiple organizations—it ensures high-fidelity detections while minimizing false positives before final deployment to your security infrastructure.

Características Principales

Automated D&R rule and LCQL query generation using validated schemas
Standardized deployment workflow with built-in naming conventions and priority levels
Cross-organization parallel testing with the dr-replay-tester agent
Multi-phase testing including unit tests and historical data replay
3 GitHub stars
Comprehensive event schema research and sensor data availability checks

Casos de Uso

Validating existing detection logic against historical data to reduce false positive alerts
Creating high-fidelity detections for specific MITRE ATT&CK techniques like encoded PowerShell execution
Rapidly deploying standardized security rules across multiple LimaCharlie organizations

Acerca de

Características Principales

Automated D&R rule and LCQL query generation using validated schemas
Standardized deployment workflow with built-in naming conventions and priority levels
Cross-organization parallel testing with the dr-replay-tester agent
Multi-phase testing including unit tests and historical data replay
3 GitHub stars
Comprehensive event schema research and sensor data availability checks

Casos de Uso

Validating existing detection logic against historical data to reduce false positive alerts
Creating high-fidelity detections for specific MITRE ATT&CK techniques like encoded PowerShell execution
Rapidly deploying standardized security rules across multiple LimaCharlie organizations