New Extension: ext-feedback — Human-in-the-Loop for AI Agents, D&R Rules, and Automation
We’re excited to release ext-feedback, a new extension that brings interactive human feedback directly into your LimaCharlie workflows — whether they’re driven by AI agents, D&R rules, or automation scripts.
The Problem
As AI agents and automated response take on more of the SOC workload, there are still moments where a human needs to weigh in — approving containment of a production server, confirming an investigation finding, or answering a question only an analyst can answer. Until now, building that feedback loop required custom glue code outside of LimaCharlie.
What ext-feedback Does
ext-feedback gives any part of the LimaCharlie platform — AI agents, D&R rules, playbooks, or your own scripts — a way to pause and ask a human for input. You can request:
- Approvals — Approve or Deny a proposed action
- Acknowledgements — Confirm receipt of a notification
- Free-form answers — Ask an open-ended question and collect a text response
Responses are routed back into LimaCharlie as structured data, delivered to a Case (as a note), a Playbook (as a trigger), or an AI Agent (to resume an AI session with the human’s feedback as context).
Built for AI Agents
This is a key building block for the Agentic SOC. AI agents can use ext-feedback to loop in a human at decision points — requesting approval before taking a high-impact action, asking an analyst for context during an investigation, or confirming a finding before escalating. The human’s response feeds back into the AI agent session, so the agent can pick up where it left off with the analyst’s input.
Five Channels, One Workflow
Configure one or more channels to reach your team wherever they are:
- Web — Built-in UI, no setup required. Just share the link.
- Slack — Interactive Block Kit messages with Approve/Deny buttons right in your channel.
- Microsoft Teams — Adaptive Cards with action buttons via incoming webhook.
- Telegram — Inline keyboard buttons in your ops chat.
- Email — HTML emails with a link to respond, delivered via SMTP.
All channels feed responses back through the same pipeline — your D&R rules, AI agents, and playbooks don’t need to care which channel was used.
Timeouts
Every request supports an optional timeout. If nobody responds within the deadline, ext-feedback automatically submits a default choice you define. This lets you build escalation patterns: “If the on-call doesn’t approve isolation within 15 minutes, auto-approve and notify the team lead.”
CLI & SDK Access
The LimaCharlie CLI and Python SDK have full support for ext-feedback, so you can integrate feedback requests into your own tooling and scripts:
# Send an approval request from the CLI
limacharlie feedback request-approval \
--channel security-oncall \
--question "Isolate host compromised-01?" \
--destination case \
--case-id 42 \
--approved-content '{"action": "isolate"}' \
--denied-content '{"action": "skip"}' \
--timeout 900 \
--timeout-choice approved
# Manage channels
limacharlie feedback channel list
limacharlie feedback channel add --name ops-slack --type slack --output-name slack-output
limacharlie feedback channel remove --name old-channel
Or use the Python SDK directly:
from limacharlie.client import Client
from limacharlie.sdk.organization import Organization
from limacharlie.sdk.feedback import Feedback
org = Organization(Client(oid="your-oid", api_key="your-key"))
feedback = Feedback(org)
resp = feedback.request_simple_approval(
channel="security-oncall",
question="Isolate host compromised-01?",
feedback_destination="case",
case_id="42",
approved_content={"action": "isolate"},
denied_content={"action": "skip"},
timeout_seconds=900,
timeout_choice="approved",
)
print(resp["url"]) # Shareable feedback URL
Example: Approval Gate Before Host Isolation
A D&R rule detects a compromised host and, instead of isolating immediately, sends a feedback request:
# Response action in your D&R rule
- action: extension request
extension name: ext-feedback
extension action: request_simple_approval
extension request:
channel: security-oncall
question: "Isolate host {{ .event.ENDPOINT }}? Detection: {{ .detect.name }}"
feedback_destination: playbook
playbook_name: handle-isolation-decision
approved_content:
action: isolate
sensor_id: "{{ .event.SENSOR_ID }}"
denied_content:
action: monitor
timeout_seconds: 900
timeout_choice: approved
The on-call analyst gets a Slack message (or Teams card, or Telegram message, or email) with Approve/Deny buttons. Their response triggers the handle-isolation-decision playbook with the structured content, which proceeds accordingly.
Getting Started
- Subscribe to the extension: ext-feedback on the Add-Ons Marketplace
- Configure a channel in the extension config (the Web channel works out of the box with zero setup)
- Add a feedback request to your D&R rules, AI agents, or scripts
- Read the full docs: ext-feedback Documentation
We’d love to hear how you use it — drop your use cases and feedback in this thread.