Can I use this for multi-host compromises?

Yes, the skill is designed to assess the scope of a threat across all sensors in an organization and link findings from multiple hosts into a single investigation.

Does this skill require manual LCQL query writing?

No, the skill mandates using the generate_lcql_query tool to ensure syntax accuracy and proper field mapping, preventing common investigation errors.

Where are the investigation results stored?

Findings are saved as structured records within LimaCharlie's Investigation Hive, including events, detections, entities, and analyst notes.

What is the primary purpose of the investigation-creation skill?

It automates the process of investigating security events in LimaCharlie, moving beyond process trees to identify initial access, lateral movement, and organization-wide scope.

How does it handle different timestamp formats?

The skill automatically handles the conversion between LimaCharlie's 13-digit millisecond timestamps and the 10-digit second format required by specific API endpoints.

LimaCharlie Holistic Security Investigation

Name: LimaCharlie Holistic Security Investigation
Author: refractionPOINT

$refractionPOINT$ byrefractionPOINT

•

보안 및 테스팅

Conducts comprehensive security investigations and builds detailed incident reports using LimaCharlie telemetry and threat hunting patterns.

This skill transforms Claude into an expert SOC analyst capable of performing deep-dive investigations into security events and detections within the LimaCharlie platform. It moves beyond simple process tree analysis to identify initial access vectors, assess organization-wide scope, and detect lateral movement. By automating the collection of telemetry, converting complex timestamps, and generating validated LCQL queries, it ensures high-fidelity results that are documented as structured Investigation Hive records for incident response and threat hunting teams.

주요 기능

01Validated LCQL query generation to prevent syntax errors and manual query failures

023 GitHub stars

03Organization-wide scope assessment and IOC hunting across multiple sensors

04Standardized handling of large result sets and millisecond-to-second timestamp conversions

05Automated LimaCharlie Hive investigation record creation and documentation

06Holistic attack chain reconstruction from initial access to lateral movement

사용 사례

01Triage complex security alerts to determine true vs. false positives and assess business impact.

02Perform proactive threat hunting for specific IOCs across an entire organization's fleet.

03Build comprehensive incident response reports that document the full lifecycle of an attack.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add refractionpoint/lc-ai investigation-creation

For use in Claude.ai and ChatGPT

Download Skill