Can I use this for multi-host compromises?

Yes, the skill is designed to assess the scope of a threat across all sensors in an organization and link findings from multiple hosts into a single investigation.

Does this skill require manual LCQL query writing?

No, the skill mandates using the generate_lcql_query tool to ensure syntax accuracy and proper field mapping, preventing common investigation errors.

Where are the investigation results stored?

Findings are saved as structured records within LimaCharlie's Investigation Hive, including events, detections, entities, and analyst notes.

What is the primary purpose of the investigation-creation skill?

It automates the process of investigating security events in LimaCharlie, moving beyond process trees to identify initial access, lateral movement, and organization-wide scope.

How does it handle different timestamp formats?

The skill automatically handles the conversion between LimaCharlie's 13-digit millisecond timestamps and the 10-digit second format required by specific API endpoints.

LimaCharlie Holistic Security Investigation

Name: LimaCharlie Holistic Security Investigation
Author: refractionPOINT

byrefractionPOINT

•

Seguridad y Pruebas

Conducts comprehensive security investigations and builds detailed incident reports using LimaCharlie telemetry and threat hunting patterns.

Acerca de

This skill transforms Claude into an expert SOC analyst capable of performing deep-dive investigations into security events and detections within the LimaCharlie platform. It moves beyond simple process tree analysis to identify initial access vectors, assess organization-wide scope, and detect lateral movement. By automating the collection of telemetry, converting complex timestamps, and generating validated LCQL queries, it ensures high-fidelity results that are documented as structured Investigation Hive records for incident response and threat hunting teams.

Características Principales

Validated LCQL query generation to prevent syntax errors and manual query failures
3 GitHub stars
Organization-wide scope assessment and IOC hunting across multiple sensors
Standardized handling of large result sets and millisecond-to-second timestamp conversions
Automated LimaCharlie Hive investigation record creation and documentation
Holistic attack chain reconstruction from initial access to lateral movement

Casos de Uso

Triage complex security alerts to determine true vs. false positives and assess business impact.
Perform proactive threat hunting for specific IOCs across an entire organization's fleet.
Build comprehensive incident response reports that document the full lifecycle of an attack.

Acerca de

Características Principales

Validated LCQL query generation to prevent syntax errors and manual query failures
3 GitHub stars
Organization-wide scope assessment and IOC hunting across multiple sensors
Standardized handling of large result sets and millisecond-to-second timestamp conversions
Automated LimaCharlie Hive investigation record creation and documentation
Holistic attack chain reconstruction from initial access to lateral movement

Casos de Uso

Triage complex security alerts to determine true vs. false positives and assess business impact.
Perform proactive threat hunting for specific IOCs across an entire organization's fleet.
Build comprehensive incident response reports that document the full lifecycle of an attack.