Developed by Digital Defense Institute
⚠️ CRITICAL DISCLAIMER ⚠️

THIS PROJECT IS A PROOF OF CONCEPT AND WORK IN PROGRESS
- DO NOT rely solely on this tool for production security investigations
- ALWAYS validate AI-generated findings with human expertise
- REQUIRES proper training and understanding of both LimaCharlie and security operations
- ALL OUTPUTS must be verified by qualified security professionals
- USER ASSUMES ALL RISKS associated with the use of these tools
- NO WARRANTY is provided for accuracy, completeness, or fitness for any purpose
This tool is intended to augment human analysts, not replace them. Critical security decisions should NEVER be made based solely on AI-generated content without thorough validation.
See DISCLAIMER.md for full legal disclaimer.
A comprehensive guide and reference for using Claude AI with the LimaCharlie Model Context Protocol (MCP) integration for security operations, threat hunting, and incident response.
This repository provides documentation, examples, and best practices for leveraging Claude AI's capabilities with LimaCharlie's SecOps Cloud Platform through the MCP integration. Whether you're a security analyst, incident responder, or detection engineer, this workbench will help you maximize the power of AI-assisted security operations.
LimaCharlie is a SecOps Cloud Platform that provides endpoint detection and response (EDR), log management, and threat detection capabilities. It offers a powerful, API-first approach to security operations.
The Model Context Protocol (MCP) is an open protocol that enables Claude AI to interact with external systems and tools. The LimaCharlie MCP integration allows Claude to directly query sensors, analyze detections, and assist with security investigations.
- LimaCharlie MCP Documentation: docs.limacharlie.io/docs/mcp-server
- Claude Code MCP Guide: docs.anthropic.com/en/docs/claude-code/mcp
- Node.js (v18+) - nodejs.org
- Claude Code CLI - `npm install -g @anthropic-ai/claude-code`
- LimaCharlie Account - limacharlie.io
1. Clone this repository with submodules

```bash
git clone --recurse-submodules https://github.com/Digital-Defense-Institute/lc-claude-workbench.git
```

Or, if you already cloned without submodules:

```bash
git submodule update --init --recursive
```

2. Enter the project directory

```bash
cd lc-claude-workbench
```

3. Install Claude Code

```bash
npm install -g @anthropic-ai/claude-code
```

4. Get your LimaCharlie Organization API Key and Org ID

- Navigate to `https://app.limacharlie.io/org/<your-org-id>/rest-api`
- Create a "User-Generated API Key" (this is at ORG level, not user level). It is an organization-scoped credential: treat it as a secret, never commit it to the repository, and note that pasting it into the command in step 5 leaves it in your shell history.

5. Configure MCP (run from project directory)

```bash
claude mcp add \
  limacharlie \
  https://mcp.limacharlie.io/mcp \
  --transport http \
  --header "Authorization: Bearer YOUR_API_KEY:YOUR_ORG_ID"
```

6. Start Claude in this project

```bash
claude
```

7. Test it: ask Claude "List my LimaCharlie sensors"
For detailed setup instructions, troubleshooting, and security best practices, see setup.md
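The registration step above puts an organization-scoped API key on the command line, where it lands in shell history. The following POSIX shell wrapper is an added example, not code from lc-claude-workbench or from LimaCharlie: it reads the key and org ID from a file that only the current user can read, refuses values that would break the `KEY:ORG_ID` header format, checks that the org ID looks like a UUID (LimaCharlie org IDs are UUIDs), and only then runs the same `claude mcp add` command shown in step 5. The credential file format (`KEY=` and `OID=` lines) and its default location are assumptions for this example.

```bash
#!/usr/bin/env sh
# Added example (not part of lc-claude-workbench): register the LimaCharlie MCP
# server with Claude Code without typing the org-level API key into a shell.
# Assumed (not from the project): credentials live in a mode-600 file containing
# two lines, KEY=<api key> and OID=<org id>; the org ID is a UUID.

# Return 0 if the argument looks like a UUID (LimaCharlie org IDs are UUIDs).
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the Authorization header value "Bearer KEY:OID". The server splits the
# two parts on ':', so a key or org ID containing ':' or whitespace would be
# mis-parsed; refuse those rather than send a malformed credential.
build_auth_header() {
  key=$1
  oid=$2
  case "$key$oid" in
    *:*|*[[:space:]]*)
      echo "refusing key/org id containing ':' or whitespace" >&2
      return 1 ;;
  esac
  [ -n "$key" ] || { echo "empty API key" >&2; return 1; }
  is_uuid "$oid" || { echo "org id is not a UUID: $oid" >&2; return 1; }
  printf 'Bearer %s:%s' "$key" "$oid"
}

# Read KEY=/OID= from a credential file and print the header value.
# The file must not be readable by group or others (chmod 600): it holds an
# organization-scoped key, and the check is the only thing standing between
# a careless "chmod 644" and every local user holding that key.
load_auth_header() {
  cred_file=$1
  [ -f "$cred_file" ] || { echo "no such credential file: $cred_file" >&2; return 1; }
  # Characters 5-10 of `ls -l` output are the group and other permission bits;
  # this works on both GNU and BSD userlands, unlike stat's format flags.
  perms=$(ls -l "$cred_file" | cut -c5-10)
  [ "$perms" = "------" ] ||
    { echo "$cred_file is group/world accessible; run: chmod 600 $cred_file" >&2; return 1; }
  key=$(sed -n 's/^KEY=//p' "$cred_file")
  oid=$(sed -n 's/^OID=//p' "$cred_file")
  build_auth_header "$key" "$oid"
}

# Register the MCP server using the flags from the setup steps. The secret is
# expanded from a variable, so it never appears in shell history (it is still
# briefly visible in the process list, and Claude Code stores it in its own
# config file, which needs the same file-permission care as the credential file).
register_limacharlie_mcp() {
  cred_file=${1:-"$HOME/.config/limacharlie/claude-mcp.env"}   # assumed default path
  header=$(load_auth_header "$cred_file") || return 1
  claude mcp add limacharlie https://mcp.limacharlie.io/mcp \
    --transport http \
    --header "Authorization: $header"
}

# Usage: LC_REGISTER=1 sh register-mcp.sh [credential-file]
if [ "${LC_REGISTER:-0}" = 1 ]; then
  register_limacharlie_mcp "$@"
fi
```

Run it from the project directory as `LC_REGISTER=1 sh register-mcp.sh` after creating the credential file with `chmod 600`. Rotate the key from the same `rest-api` page if it is ever exposed; the wrapper cannot undo a key that already reached history or a shared config.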
- CLAUDE.md - Essential usage guide with critical notes and quick reference
- instructions/ - Detailed documentation directory:
  - CLAUDE-REFERENCE.md - Complete MCP function reference
  - CLAUDE-WORKFLOWS.md - Common workflows and examples
  - LCQL_EXAMPLES.md - LimaCharlie Query Language patterns
  - SAMPLE_EVENTS.md - Event structure examples for detection engineering
Key concepts:

- Atoms - Unique event/process identifiers; more reliable than PIDs, which the operating system reuses once a process exits
- LCQL - LimaCharlie Query Language for searching events
- UTC Timestamps - Always required for API queries; convert local times before querying
- Time Ranges - Start with small ranges and expand as needed

See CLAUDE.md for critical usage notes and common pitfalls
Use cases:

- Incident Response - Triage detections, investigate processes, collect IOCs
- Threat Hunting - Search for unsigned binaries, suspicious PowerShell, network anomalies
- Detection Engineering - Generate AI-powered detection rules and response actions
- Compliance - Monitor system changes, audit user activities, track data access

See examples/ for detailed playbooks and workflows
Core Functions: Sensor management, process inspection, detection queries, LCQL execution

AI Functions: Generate detection rules, LCQL queries, and analyst summaries from natural language

See instructions/CLAUDE-REFERENCE.md for the complete function reference and instructions/LCQL_EXAMPLES.md for query patterns
Appropriate uses:

- Augment human security analysts (not replace them)
- Generate hypotheses for further investigation
- Speed up initial triage and data gathering
- Learn about security operations and AI integration
- Experiment in safe, non-production environments

Not appropriate for:

- Making automated decisions without human review
- Replacing security professionals or their judgment
- Handling sensitive incidents without proper oversight
- Generating final reports without validation
- Operating in production without extensive testing

Recommended safeguards:

- Human-in-the-loop: Always have qualified personnel review outputs
- Validation workflows: Establish procedures to verify AI findings
- Audit trails: Log all AI suggestions and human decisions
- Training: Ensure users understand both the tool and its limitations
- Fallback procedures: Maintain manual investigation capabilities
This project is maintained by Digital Defense Institute. We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Add your improvements (documentation, examples, workflows)
- Submit a pull request
Contributions are especially welcome in these areas:

- Additional LCQL query examples
- Detection rule templates
- Incident response playbooks
- Integration workflows
- Performance optimization tips
This project is licensed under the MIT License - see the LICENSE file for details.
- LimaCharlie Documentation
- LimaCharlie MCP Server
- LimaCharlie API Reference
- LCQL Reference
- LimaCharlie Community Forum
- Claude Code Product Page
- Claude Code GitHub Repository
- Claude Code Overview
- Claude Code Memory Management
- Claude Code MCP Integration
- LimaCharlie Support: support.limacharlie.io
- Community Forum: community.limacharlie.com
- Issues: Use the GitHub Issues tab for bug reports and feature requests
- Digital Defense Institute - Project development and maintenance
- The LimaCharlie team for their excellent SecOps Cloud Platform and MCP integration
- Anthropic for Claude AI and the Model Context Protocol
- The security community for continuous feedback and improvements
Developed and Maintained by: Digital Defense Institute
Note: This is a community resource developed by Digital Defense Institute. For official LimaCharlie documentation, please visit docs.limacharlie.io.