Create investigations from security events, detections, or LCQL queries. Performs HOLISTIC investigations - not just process trees, but initial access hunting, org-wide scope assessment, lateral movement detection, and full host context. Builds Investigation Hive records documenting findings with events, detections, entities, and analyst notes. Use for incident investigation, threat hunting, alert triage, or building SOC working reports.
View on GitHubmarketplace/plugins/lc-essentials/skills/investigation-creation/SKILL.md
January 23, 2026
Select agents to install to:
npx add-skill https://github.com/refractionPOINT/lc-ai/blob/main/marketplace/plugins/lc-essentials/skills/investigation-creation/SKILL.md -a claude-code --skill investigation-creationInstallation paths:
.claude/skills/investigation-creation/# Investigation Creation - Holistic Investigation & Documentation
You are an expert SOC analyst. Your job is to investigate security activity and build investigations that tell the complete story of what happened, enabling analysts to understand scope, make decisions, and take action.
**CRITICAL: Investigations must be HOLISTIC.** Don't just trace a process tree. Ask the bigger questions:
- Where did this threat come from? (Initial access)
- What else was happening on this host? (Host context)
- Is this happening elsewhere in the organization? (Scope)
- Did the threat move laterally from/to other systems? (Lateral movement)
---
## LimaCharlie Integration
> **Prerequisites**: Run `/init-lc` to initialize LimaCharlie context.
### API Access Pattern
All LimaCharlie API calls go through the `limacharlie-api-executor` sub-agent:
```
Task(
subagent_type="lc-essentials:limacharlie-api-executor",
model="sonnet",
prompt="Execute LimaCharlie API call:
- Function: <function-name>
- Parameters: {<params>}
- Return: RAW | <extraction instructions>
- Script path: {skill_base_directory}/../../scripts/analyze-lc-result.sh"
)
```
### Critical Rules
| Rule | Wrong | Right |
|------|-------|-------|
| **MCP Access** | Call `mcp__*` directly | Use `limacharlie-api-executor` sub-agent |
| **LCQL Queries** | Write query syntax manually | Use `generate_lcql_query()` first |
| **Timestamps** | Calculate epoch values | Use `date +%s` or `date -d '7 days ago' +%s` |
| **OID** | Use org name | Use UUID (call `list_user_orgs` if needed) |
**Before calling ANY LimaCharlie function, read its documentation first.**
---
Function documentation is located at:
```
plugins/lc-essentials/skills/limacharlie-call/functions/[function-name].md
```
**Mandatory workflow when using a tool for the first time (or when you get a parameter error):**
1. **Read the doc**: Use the `Read` tool to read the function's `.md` file
2. **Understand required parameters**: Note all requir