Evaluate threat reports, breach analyses, and IOC reports to search for compromise indicators across LimaCharlie organizations. Extract IOCs (hashes, domains, IPs, file paths), perform IOC searches, identify malicious behaviors, generate LCQL queries, create D&R rules and lookups. Use when investigating threats, APT reports, malware analysis, breach postmortems, or threat intelligence feeds. Emphasizes working ONLY with data from the report and organization, never making assumptions.
View on GitHubmarketplace/plugins/lc-essentials/skills/threat-report-evaluation/SKILL.md
January 23, 2026
Select agents to install to:
npx add-skill https://github.com/refractionPOINT/lc-ai/blob/main/marketplace/plugins/lc-essentials/skills/threat-report-evaluation/SKILL.md -a claude-code --skill threat-report-evaluationInstallation paths:
.claude/skills/threat-report-evaluation/# Threat Report Evaluation & IOC Analysis
Systematically evaluate threat reports to determine organizational impact and create comprehensive defense-in-depth detections.
---
## LimaCharlie Integration
> **Prerequisites**: Run `/init-lc` to initialize LimaCharlie context.
### API Access Pattern
All LimaCharlie API calls go through the `limacharlie-api-executor` sub-agent:
```
Task(
subagent_type="lc-essentials:limacharlie-api-executor",
model="sonnet",
prompt="Execute LimaCharlie API call:
- Function: <function-name>
- Parameters: {<params>}
- Return: RAW | <extraction instructions>
- Script path: {skill_base_directory}/../../scripts/analyze-lc-result.sh"
)
```
### Critical Rules
| Rule | Wrong | Right |
|------|-------|-------|
| **MCP Access** | Call `mcp__*` directly | Use `limacharlie-api-executor` sub-agent |
| **LCQL Queries** | Write query syntax manually | Use `generate_lcql_query()` first |
| **D&R Rules** | Write YAML manually | Use `generate_dr_rule_*()` + `validate_dr_rule_components()` |
| **Timestamps** | Calculate epoch values | Use `date +%s` or `date -d '7 days ago' +%s` |
| **OID** | Use org name | Use UUID (call `list_user_orgs` if needed) |
---
## Architecture
This skill uses specialized sub-agents to reduce context usage and enable parallel processing:
```
Main Skill (Orchestrator)
├── Phase 0: Download report to /tmp/ (keeps content out of main context)
├── Phase 1: Spawn threat-report-parser → Get structured IOCs/behaviors
├── Phase 2: Platform check (lightweight API call)
├── Phase 3: Spawn ioc-hunter agents (parallel, one per org)
├── Phase 4: Spawn behavior-hunter agents (parallel, one per org)
├── Phase 5: User checkpoint - present findings
├── Phase 6: Spawn detection-builder agents (parallel, by layer)
├── Phase 7: User approval - confirm rules to deploy
├── Phase 8: Deploy approved rules
└── Phase 9: Generate final report from aggregated summaries
```
## Critical Principles
- Extract IOCs and behavior