hunt-apt

$ npx mdskill add dandye/ai-runbooks/hunt-apt

Hunt APT groups by scanning SIEM and GTI for TTPs and IOCs.

  • Locates indicators of compromise and tactics for named threat actors.
  • Integrates GTI Enterprise, SIEM, and MITRE ATT&CK frameworks.
  • Prioritizes findings using threat intelligence reports and timeline events.
  • Delivers structured intelligence on TTPs, IOCs, and actor activities.

SKILL.md (.github/skills/hunt-apt)
---
name: hunt-apt
description: "Hunt for a specific APT/threat actor in your environment. Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs. Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings."
required_roles:
  chronicle: roles/chronicle.editor
  gti: GTI Enterprise+
personas: [threat-hunter, tier3-analyst]
---

# APT Threat Hunt Skill

Proactively hunt for TTPs and IOCs associated with a specific Advanced Persistent Threat (APT) group based on threat intelligence.

## Inputs

- `THREAT_ACTOR_ID` - GTI Collection ID or name of the target APT group
- `HUNT_TIMEFRAME_HOURS` - Lookback period (default: 168 = 7 days)
- *(Optional)* `TARGET_SCOPE_QUERY` - UDM query to narrow scope
- *(Optional)* `HUNT_HYPOTHESIS` - Specific hypothesis guiding the hunt
- *(Optional)* `HUNT_CASE_ID` - SOAR case for tracking

## Workflow

### Step 1: Identify Actor & Gather Intelligence

If starting with a name:
```
gti-mcp.search_threat_actors(query="APT_NAME")
```

Then gather comprehensive intelligence:
```
gti-mcp.get_collection_report(id=THREAT_ACTOR_ID)
gti-mcp.get_collection_mitre_tree(id=THREAT_ACTOR_ID)
gti-mcp.get_collection_timeline_events(id=THREAT_ACTOR_ID)
```

Extract associated IOCs:
```
gti-mcp.get_entities_related_to_a_collection(id=THREAT_ACTOR_ID, relationship_name="files")
gti-mcp.get_entities_related_to_a_collection(id=THREAT_ACTOR_ID, relationship_name="domains")
gti-mcp.get_entities_related_to_a_collection(id=THREAT_ACTOR_ID, relationship_name="urls")
```

Store as `GTI_IOC_LIST`.

### Step 2: Check SIEM IOC Matches

```
secops-mcp.get_ioc_matches(hours_back=HUNT_TIMEFRAME_HOURS)
```

Correlate results with `GTI_IOC_LIST`.

### Step 3: IOC-Based SIEM Search

For each IOC type in `GTI_IOC_LIST`, construct and execute UDM queries:

```
secops-mcp.search_security_events(
    text="UDM query for IOC",
    hours_back=HUNT_TIMEFRAME_HOURS
)
```

Document both positive and negative results → `IOC_SEARCH_FINDINGS`.

### Step 4: TTP-Based SIEM Search

Based on MITRE techniques from Step 1:
- Use `gti-mcp.get_threat_intel(query="MITRE technique details")` for detection ideas
- Formulate TTP-specific UDM queries
- Execute searches over the timeframe
- Combine with `TARGET_SCOPE_QUERY` if provided

Document results → `TTP_SEARCH_FINDINGS`.

### Step 5: Enrich Findings

If hits found (`IOC_SEARCH_FINDINGS` or `TTP_SEARCH_FINDINGS`):

For each found IOC or entity:
```
secops-mcp.lookup_entity(entity_value=FOUND_ITEM)
gti-mcp.get_..._report(identifier=FOUND_ITEM)
```

### Step 6: Check Related Cases

Use `/find-relevant-case` with found IOCs and entities.

### Step 7: Document & Report

Use `/document-in-case` (if `HUNT_CASE_ID` provided).

Use `/generate-report` with `REPORT_TYPE="apt_hunt"`:
- Hunt objective and hypothesis
- Threat actor summary
- TTPs investigated
- IOCs searched
- SIEM queries used
- Findings (positive AND negative)
- Recommendations

### Step 8: Escalate or Conclude

**Confirmed threat found:**
→ Escalate to Incident Response
→ Create incident case

**No threat found:**
→ Document negative findings
→ Conclude hunt
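The IOC handling across Steps 2, 3 and 5 above, as an added example that is not part of the dandye/ai-runbooks skill: it builds one UDM query per IOC, records negative as well as positive results into `IOC_SEARCH_FINDINGS`, and promotes an indicator to `CONFIRMED_IOCS` only when the SIEM saw it and GTI enrichment rates it malicious. The UDM field names are assumptions to check against your schema, and every IOC value, hit count and verdict is a constructed sample.

```python
# Stand-in for GTI_IOC_LIST from Step 1, keyed by the relationship_name used there.
# All values are constructed samples, not real actor indicators.
GTI_IOC_LIST = {
    "files": ["deadbeef" * 8],  # constructed SHA-256 placeholder
    "domains": ["update-check.example.invalid", "cdn.example.invalid"],
    "urls": ["http://cdn.example.invalid/payload.bin"],
}

# Assumed UDM field names per IOC type; verify against your Chronicle schema.
UDM_FIELDS = {
    "files": ["target.file.sha256", "principal.process.file.sha256"],
    "domains": ["network.dns.questions.name", "target.hostname"],
    "urls": ["target.url"],
}


def build_udm_queries(ioc_list):
    """Step 3: one query per IOC so every hit stays attributable to a single indicator."""
    queries = {}
    for ioc_type, values in ioc_list.items():
        for value in values:
            queries[value] = " OR ".join(f'{f} = "{value}"' for f in UDM_FIELDS[ioc_type])
    return queries


def correlate(ioc_list, siem_hits, gti_verdicts):
    """Steps 2-5: record every IOC (negatives included) and promote to CONFIRMED_IOCS
    only when the SIEM saw it AND the GTI report verdict is malicious."""
    findings = []
    for ioc_type, values in ioc_list.items():
        for value in values:
            hits = siem_hits.get(value, 0)
            findings.append({"ioc": value, "type": ioc_type, "hits": hits,
                             "result": "positive" if hits else "negative"})
    discovered = [f["ioc"] for f in findings if f["hits"]]  # DISCOVERED_INDICATORS
    confirmed = [i for i in discovered if gti_verdicts.get(i) == "malicious"]  # CONFIRMED_IOCS
    return findings, discovered, confirmed


def run_hunt():
    # Constructed stand-ins for the get_ioc_matches / search_security_events hit
    # counts (Steps 2-3) and for the GTI report verdicts gathered in Step 5.
    siem_hits = {"update-check.example.invalid": 1, "cdn.example.invalid": 3}
    gti_verdicts = {"update-check.example.invalid": "undetected",
                    "cdn.example.invalid": "malicious"}
    return correlate(GTI_IOC_LIST, siem_hits, gti_verdicts)
```

A domain that the SIEM saw but GTI does not rate malicious stays in `DISCOVERED_INDICATORS` for analyst review and is deliberately kept out of `CONFIRMED_IOCS`, which is the false-positive rule from Critical Requirements.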

## Required Outputs

**After completing this skill, you MUST report these outputs:**

| Output | Description |
|--------|-------------|
| `ACTOR_IOCS` | IOCs associated with threat actor from GTI |
| `ACTOR_TTPS` | TTPs from threat actor profile (MITRE techniques) |
| `HUNT_RESULTS` | SIEM search results for actor indicators |
| `DISCOVERED_INDICATORS` | IOCs found in environment matching actor profile |
| `CONFIRMED_IOCS` | IOCs confirmed malicious via GTI enrichment |

## Key Intelligence Sources

| Source | Tool |
|--------|------|
| Actor Profile | `get_collection_report` |
| TTPs | `get_collection_mitre_tree` |
| Timeline | `get_collection_timeline_events` |
| Related IOCs | `get_entities_related_to_a_collection` |
| Technique Details | `get_threat_intel` |

## Critical Requirements

- Document ALL queries used (for reproducibility)
- Report negative findings (no hits is valuable intel)
- Don't report false positives as confirmed threats
