LimaCharlie Expert
Entry point skill for all LimaCharlie tasks. Provides component overview and routes to specialized skills.
Core Components
Telemetry Sources
Sensors (Endpoint Agents)
- Generate Events (NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, etc.)
- Execute sensor commands (history_dump, file_hash, os_processes, etc.)
- Receive D&R rule actions (isolate network, kill process, etc.)
- Have Tags applied to them
Adapters
- Ingest cloud/SaaS logs: AWS, Azure, GCP, M365, Okta, CrowdStrike, etc.
- Convert external telemetry into Events
- Feed the same pipeline as Sensors
Installation Keys
- Enroll Sensors into an organization
- Can auto-apply Tags
Detection Engine
D&R Rules
- Match against Events
- Generate Detections
- Execute Response Actions:
  - task: run sensor commands
  - run extension: trigger Extensions
  - add tag / remove tag: modify sensor Tags
  - isolate network / rejoin network
  - seal / unseal: tamper protection
  - report: create Detection
  - wait: delay for action chaining
Stateful Rules
- Correlate multiple Events over time
- Track counts, sequences, unique values
- Generate Detections with aggregated context
YARA Rules
- Real-time process scanning
- On-demand file/memory scanning
- Generate YARA_DETECTION Events → trigger D&R rules
False Positive Rules
- Suppress Detections
- Filter before Outputs
Managed Rulesets
- Pre-built D&R rules (Sigma, Soteria, SOC Prime)
Data Structures
Events (event stream)
- Structure: `{routing: {...}, event: {...}}`
- Generated by: Sensors, Adapters
- Matched by: D&R Rules
- Stored in: Insight
- Queried by: LCQL
- Forwarded by: Outputs
Detections (detect stream)
- Generated by: D&R Rules
- Includes: routing (from Event) + detect (Event data) + metadata (cat, priority, detect_data)
- Can trigger: D&R rules, Outputs
Audit (audit stream)
- Platform actions, config changes
Deployment (deployment stream)
- Sensor lifecycle events
Storage & Configuration
Insight
- 1-year retention of Events, Detections, Audit logs
- Queried by LCQL
Config Hive
- Stores: Secrets, Lookups (key-value), D&R rules, YARA rules
- Used by: D&R rules (lookup action), Extensions, Cloud Sensors
- Namespaces for organization
Tags
- Applied to: Sensors
- Used to: Target D&R rules, filter, group
- Modified by: D&R rules (add/remove tag actions), manual assignment, auto-enrollment
Query & Investigation
LCQL (LimaCharlie Query Language)
- Query: Events, Detections, Audit logs in Insight
- Returns: Filtered, aggregated, joined data
Timeline
- Per-Sensor Event history
- Complete forensic record
Sensor Commands
- 100+ investigative/response commands
- Triggered by: D&R rules (task action), manual execution, Extensions, API
Replay
- Test D&R rules against historical Events from Insight
Automation
Extensions
- Serverless functions
- Triggered by: D&R rules (run extension), API, schedules
- Can: Access Config Hive, call external APIs, read Events, respond with actions (add tag, run sensor command)
- Built-in: YARA Manager, Artifact Manager, VirusTotal, GreyNoise, etc.
Playbooks
- Visual workflow builder
- Orchestrates: D&R rules, Extensions, sensor commands
API & SDK
- Python/Go SDKs
- REST API for all platform operations
Data Forwarding
Outputs
- Destinations: SIEM, data lakes, Slack, webhooks, S3, etc.
- Source streams: event, detect, audit, deployment
- Can: Filter, transform data
Component Interconnections
Primary Data Flow
```
Sensors/Adapters → Events → D&R Rules → Detections → Outputs
                     ↓          ↓           ↓
                  Insight    Actions     Outputs
```
D&R Rule → Response Actions
D&R rules can trigger:
- Extensions → external enrichment/logic → respond with actions back to LC
- Sensor commands → investigate/contain on a specific Sensor
- Tags → add/remove tags on Sensor → trigger other D&R rules targeting those tags
- Network isolation → quarantine Sensor
- Detections → generate alert → sent to Outputs
- Wait → chain multiple actions sequentially
Tag-Based Connections
- D&R rule → Adds Tag to Sensor → Second D&R rule targets that Tag → Executes actions
- Installation Key → Auto-applies Tag → Sensor enrolled with Tag → Targeted by D&R rules
Config Hive Integration
- D&R rule → Lookup action → Config Hive (IOC lists, thresholds)
- Extension → Reads secrets from Config Hive → Calls external API
- Cloud Sensor → Stores credentials in Config Hive
Extension Integration
- D&R rule → Run extension → Extension calls external API (VirusTotal) → Extension responds with: add tag, run sensor command, generate Event
- Extension can: Read Config Hive, access Event data, trigger actions
Stateful Rule Correlation
Multiple Events (same/different Sensors) → Stateful rule (time window) → Counts/aggregates → Threshold met → Generate Detection
LCQL Query Flow
LCQL query → Insight (Events/Detections/Audit) → Results → Used for: hunting, investigation, rule creation
Multi-Component Chains
Example: Detection → Enrichment → Response
Event → D&R rule → Detection + Run extension (VirusTotal) → Extension adds tag "malware-confirmed" → Second D&R rule (targets "malware-confirmed" tag) → Isolate network + task: artifact_get
Example: Tag-based progressive response
Detection → Add tag "investigate" → Manual review → Add tag "incident-confirmed" → D&R rule on "incident-confirmed" → Automated containment actions
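The two chains above, modelled in Python as an added example (this is not LimaCharlie's engine or SDK): a first rule matches `event/FILE_PATH` on a NEW_PROCESS Event, reports and tags the Sensor; because Tags persist on the Sensor, the next Event from that Sensor carries the tag in `routing/tags`, and a second rule targeting the tag isolates the network and tasks `artifact_get`. Rule shape, field paths and action names follow the page; the matching operators and sample Events are constructed stand-ins.

```python
def get_path(event, path):
    """Resolve a field path such as event/FILE_PATH or routing/tags."""
    node = event
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

RULES = [
    {   # Rule 1: NEW_PROCESS for powershell.exe -> report Detection + tag the Sensor
        "name": "suspicious-powershell", "event": "NEW_PROCESS",
        "match": ("event/FILE_PATH", "ends with", "powershell.exe"),
        "respond": [{"action": "report"}, {"action": "add tag", "tag": "malware-confirmed"}],
    },
    {   # Rule 2: any later Event from a Sensor tagged malware-confirmed -> contain
        "name": "contain-confirmed", "event": None,
        "match": ("routing/tags", "contains", "malware-confirmed"),
        "respond": [{"action": "isolate network"}, {"action": "task", "command": "artifact_get"}],
    },
]

def matches(rule, event):
    """Event-type filter first, then one (field path, op, value) condition."""
    if rule["event"] and get_path(event, "routing/event_type") != rule["event"]:
        return False
    path, op, value = rule["match"]
    actual = get_path(event, path) or ""   # a missing field never matches
    if op == "ends with":
        return str(actual).lower().endswith(value.lower())  # case-insensitive, as Windows paths are
    if op == "contains":
        return value in actual
    raise ValueError(f"unsupported op: {op}")

def make_event(event_type, sid, payload):
    """Constructed sample Event in the {routing: {...}, event: {...}} shape."""
    return {"routing": {"sid": sid, "hostname": "host-1", "event_type": event_type}, "event": payload}

def process(event, sensor_tags):
    """Run all rules on one Event; 'add tag' persists on the Sensor, so later Events carry it in routing/tags."""
    sid = event["routing"]["sid"]
    event["routing"]["tags"] = sorted(sensor_tags.get(sid, set()))
    fired = []
    for rule in RULES:
        if matches(rule, event):
            for act in rule["respond"]:
                fired.append(f"{rule['name']}:{act['action']}")
                if act["action"] == "add tag":
                    sensor_tags.setdefault(sid, set()).add(act["tag"])
    return fired
```

Note that the tag added by rule 1 does not fire rule 2 on the same Event; it takes effect on the Sensor's subsequent Events, which is the ordering the progressive-response chain relies on.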
Field Paths & Targeting
Event field paths:
- `event/FILE_PATH`, `event/COMMAND_LINE`, `event/DOMAIN_NAME`
- `routing/hostname`, `routing/sid`, `routing/event_type`, `routing/tags`
Detection field paths:
- `detect/*` (original Event data)
- `cat`, `priority`, `detect_data`, `routing/*`
D&R rule targeting:
- Target by: `routing/tags`, `routing/sid`, platform, event type
- Filter by: any field path in the Event
Component Output/Input Matrix
| Component | Generates | Consumes | Triggers |
|---|---|---|---|
| Sensors | Events | Sensor commands, network isolation | - |
| Adapters | Events | - | - |
| D&R Rules | Detections | Events, Detections | Extensions, sensor commands, Tags |
| Extensions | Actions (tags, commands) | Events, Config Hive | Sensor commands, Tags, Events |
| Config Hive | Data (secrets, lookups) | API/manual input | - |
| Tags | Targeting metadata | D&R actions, manual, Installation Keys | D&R rule targeting |
| Outputs | External forwarding | Events, Detections, Audit | - |
| LCQL | Query results | Insight (Events/Detections/Audit) | - |
| Insight | Searchable data | Events, Detections, Audit | - |
| Stateful Rules | Detections | Multiple Events over time | Extensions, sensor commands, Tags |
Specialized Skills
Route to these skills for detailed implementation:
Telemetry: sensor-manager, adapter-configurator, onboard-external-telemetry
Detection: dr-rule-builder, stateful-rule-designer, sigma-rule-deployer, yara-manager
Investigation: incident-responder, threat-hunter, lcql-query-builder, forensic-analyst, artifact-collector
Automation: playbook-automator, extension-developer, api-integrator, threat-intel-integrator
Management: config-hive-manager, infrastructure-as-code, output-configurator, cloud-security-monitor, performance-optimizer
Additional Documentation: If the specialized skills above don't provide enough information, the full LimaCharlie documentation is available in the public repository at https://github.com/refractionPOINT/documentation/tree/master/limacharlie
Key Mechanics
Response timing: D&R rules execute in under 100 ms; sensor commands take 1-5 s
Data retention: Insight stores 1 year by default
Stateless vs Stateful isolation: segregate_network (sensor command) vs isolate network (D&R action, persists across reboots)
Event types: 100+ event types (NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, WEL, YARA_DETECTION, etc.)
Sensor platforms: Windows, Linux, macOS, Chrome
Action chaining: Use the wait action to sequence multiple responses in D&R rules
LimaCharlie is component-based: combine Sensors/Adapters (telemetry) + D&R rules (detection) + Extensions (enrichment/custom logic) + Sensor commands (response) + Outputs (integration) + LCQL (hunting) to build security solutions.