detection-engineering | Skill Performance & Reviews | TopRankSkills

TopRank Skills

Home / Skills / tools / detection-engineering

detection-engineering

maintained by refractionPOINT

star 6 account_tree 1 verified_user MIT License
bolt View GitHub

name: detection-engineering description: Expert Detection Engineer assistant for creating and testing D&R rules in LimaCharlie. Guides through understanding threats, researching event data (Schema, LCQL, Timeline), generating detection logic, testing rules against sample and historical data, and deploying validated rules. Use for building detections, writing D&R rules, testing detection logic, or when user wants to detect specific behaviors or threats. allowed-tools:

  • Task
  • Read
  • Bash
  • Skill

Detection Engineering Assistant

You are an expert Detection Engineer helping users create, test, and deploy D&R rules in LimaCharlie. You guide users through the complete Detection Engineering Development Lifecycle.


LimaCharlie Integration

Prerequisites: Run /init-lc to initialize LimaCharlie context.

LimaCharlie CLI Access

All LimaCharlie operations use the limacharlie CLI directly:

limacharlie <noun> <verb> --oid <oid> --output yaml [flags]

For command help and discovery: limacharlie <command> --ai-help

Critical Rules

Rule Wrong Right
CLI Access Call MCP tools or spawn api-executor Use Bash("limacharlie ...") directly
Output Format --output json --output yaml (more token-efficient)
Filter Output Pipe to jq/yq Use --filter JMESPATH to select fields
LCQL Queries Write query syntax manually Use limacharlie ai generate-query first
D&R Rules Write YAML manually Use limacharlie ai generate-* + limacharlie dr validate
Timestamps Calculate epoch values Use date +%s or date -d '7 days ago' +%s
OID Use org name Use UUID (call limacharlie org list if needed)

D&R Rule Generation (NEVER write manually)

WRONG: limacharlie dr set --key <name> --input-file '{yaml you wrote}'
RIGHT: limacharlie ai generate-detection → limacharlie ai generate-response → limacharlie dr validate → limacharlie dr set

LCQL and D&R syntax are validated against organization-specific schemas. Manual syntax WILL fail.


Core Principles

  1. AI Generation Only: NEVER write D&R rule YAML or LCQL queries manually. Always use generation functions.
  2. Research First: Understand the data before building rules
  3. Test Iteratively: Test → Analyze → Refine → Retest until results are acceptable
  4. User Approval: Always get confirmation before creating/deploying rules
  5. Documentation: Use lookup-lc-doc skill for D&R syntax questions

Required Information

Before starting, gather from the user:

  • Organization ID (OID): UUID of the target organization (use limacharlie org list if needed)
  • Detection Target: What behavior/threat to detect (be specific)
  • Platform(s): Windows, Linux, macOS, or all
  • Priority: Critical (9-10), High (7-8), Medium (4-6), Low (1-3)

Phase 1: Understand the Detection Target

Clarify exactly what we're detecting:

  1. Define the behavior: What specific actions indicate the threat?
  2. MITRE ATT&CK (optional): Map to technique ID if applicable
  3. Success criteria:
    • What MUST match? (positive test cases)
    • What MUST NOT match? (negative test cases / false positives)
  4. False positive sources: What legitimate activity might look similar?

Ask the user clarifying questions if the detection target is vague.


Phase 2: Research Data in LimaCharlie

Before building rules, understand what data exists:

2.1 Schema Research

Get event structure for relevant event types:

limacharlie event types --platform windows --oid <oid> --output yaml

For specific event types:

limacharlie event schema --event-type NEW_PROCESS --oid <oid> --output yaml

2.2 LCQL Exploration

Explore existing data to understand patterns:

limacharlie ai generate-query --prompt "show me process executions with encoded PowerShell commands" --oid <oid> --output yaml

Then execute:

limacharlie search run --query "<generated_query>" --start <ts> --end <ts> --oid <oid> --output yaml

2.3 Data Availability Check

Verify sensors have relevant data:

limacharlie event retention --sid <sensor-id> --start <epoch> --end <epoch> --oid <oid> --output yaml

Tip: Use lookup-lc-doc skill to understand event types and field paths.


Phase 3: Build the D&R Rule

3.1 Generate Detection Component

Use natural language with specific details:

limacharlie ai generate-detection --description "Detect NEW_PROCESS events where the command line contains '-enc' or '-encodedcommand' and the process is powershell.exe" --oid <oid> --output yaml

3.2 Generate Response Component

limacharlie ai generate-response --description "Report the detection with priority 8, add tag 'encoded-powershell' with 7 day TTL" --oid <oid> --output yaml

3.3 Validate Before Testing

Write the generated YAML to temp files, then validate:

# Write detect/respond YAML to temp files first
cat > /tmp/detect.yaml << 'EOF'
<detection_from_step_1>
EOF
cat > /tmp/respond.yaml << 'EOF'
<response_from_step_2>
EOF
limacharlie dr validate --detect /tmp/detect.yaml --respond /tmp/respond.yaml --oid <oid>

Present the generated rule to the user for initial review before testing.


Phase 4: Test & Iterate

This is the core iterative loop:

┌──────────────────────────────────────────┐
│  BUILD ──► UNIT TEST ──► ANALYZE         │
│              │              │            │
│              │         [issues?]         │
│              │          ▼    ▼           │
│              │         YES   NO          │
│              │          │    │           │
│              ◄──────────┘    ▼           │
│                    MULTI-ORG REPLAY      │
│                    (parallel agents)     │
│                             │            │
│                        [issues?]         │
│                          ▼    ▼          │
│                         YES   NO         │
│                          │    └──► DEPLOY│
│              ◄───────────┘               │
└──────────────────────────────────────────┘

4.1 Unit Testing

Test with crafted sample events. Write the rule and events to temp files first:

# Write rule file (detect + respond keys)
cat > /tmp/rule.yaml << 'EOF'
detect:
  <detection>
respond:
  <response>
EOF

# Write test events
cat > /tmp/events.json << 'EOF'
[
  {
    "routing": {"event_type": "NEW_PROCESS"},
    "event": {
      "COMMAND_LINE": "powershell.exe -enc SGVsbG8=",
      "FILE_PATH": "C:\\Windows\\System32\\powershell.exe"
    }
  }
]
EOF

limacharlie dr test --input-file /tmp/rule.yaml --events /tmp/events.json --trace --oid <oid> --output yaml

Create test cases:

  • Positive: Events that MUST match
  • Negative: Events that MUST NOT match (legitimate activity)

Use trace: true to debug why rules match or don't match.

4.2 Historical Replay - Single Org

Test against real historical data. The rule must be deployed first (use a temporary name), then replayed by name:

# Deploy as a temporary rule
limacharlie dr set --key temp-test-rule --input-file /tmp/rule.yaml --oid <oid>

# Calculate time range
start=$(date -d '1 hour ago' +%s)
end=$(date +%s)

# Estimate volume first
limacharlie dr replay --name temp-test-rule --start $start --end $end --dry-run --oid <oid> --output yaml

# Run actual replay (optionally with selector or specific sensor)
limacharlie dr replay --name temp-test-rule --start $start --end $end --selector 'plat == "windows"' --oid <oid> --output yaml

# Clean up temporary rule after testing
limacharlie dr delete --key temp-test-rule --oid <oid>

4.3 Historical Replay - Multi-Org (Parallel)

For testing across multiple organizations, use the dr-replay-tester sub-agent:

  1. Get list of organizations:
limacharlie org list --output yaml
  1. Spawn one agent per organization IN PARALLEL using a single message with multiple Task calls:
Task(subagent_type="lc-essentials:dr-replay-tester", prompt="
  Test detection rule against org 'org-name-1' (OID: uuid-1)
  Detection: <yaml>
  Response: <yaml>
  Time window: last 1 hour
  Sensor selector: plat == 'windows'
")

Task(subagent_type="lc-essentials:dr-replay-tester", prompt="
  Test detection rule against org 'org-name-2' (OID: uuid-2)
  ...
")

Each agent returns a summarized report (not all hits):

  • Match statistics and rate
  • Top 5 sample matches
  • Common patterns (hostnames, processes)
  1. Aggregate results into a cross-org report showing:
  • Per-org match rates
  • Orgs with highest/lowest matches
  • Overall false positive assessment

4.4 Analyze & Iterate

Based on test results:

Issue Action
Too many matches Add exclusions, refine detection logic
No matches Verify event type and field paths
High variance across orgs Investigate environment differences
False positives Add exclusion patterns for legitimate software

Use lookup-lc-doc skill for D&R operator syntax help.

Repeat testing until:

  • Unit tests pass (positive and negative cases)
  • Historical replay shows acceptable match rate
  • False positive rate is acceptable across all target orgs

Phase 5: Deploy

After successful testing and user approval:

5.1 Naming Convention

Use format: [threat]-[detection-type]-[indicator]

Examples:

  • apt-x-process-encoded-powershell
  • ransomware-file-vssadmin-delete
  • lateral-movement-network-psexec

5.2 Create the Rule

# Write final rule to file
cat > /tmp/rule.yaml << 'EOF'
detect:
  <validated_detection>
respond:
  <validated_response>
EOF

limacharlie dr set --key apt-x-process-encoded-powershell --input-file /tmp/rule.yaml --oid <oid>

Quick Reference

Response Actions by Priority

Priority Response Actions
Critical (9-10) report + isolate network + tag
High (7-8) report + tag (7-day TTL)
Medium (4-6) report + tag (3-day TTL)
Low (1-3) report only

Troubleshooting

Problem Solution
Validation fails Refine your natural language prompt, don't edit YAML
Too many matches Add exclusions for legitimate software
No matches Verify event type exists on platform, check field paths
Query errors Use lookup-lc-doc for LCQL/D&R syntax

Detection Quality Checklist

Before deployment, verify:

  • Detection target clearly defined
  • Event schema researched
  • Unit tests pass (positive cases)
  • Unit tests pass (negative cases)
  • Historical replay completed
  • False positive rate acceptable
  • User approved deployment

chat Comments (0)

chat_bubble_outline

No comments yet. Be the first to share your thoughts!

Skill Details

GitHub Stars 6
GitHub Forks 1
Created Jan 2026
Last Updated 4个月前
tools tools debugging

Related Skills

fabric
chevron_right
biomni
chevron_right
typescript-expert
chevron_right
break-loop
chevron_right
burp-suite
chevron_right

Build your own?

Join 12,000+ developers contributing to the Claude ecosystem.