hunt-ioc

$ npx mdskill add dandye/ai-runbooks/hunt-ioc

Hunt hidden threats by scanning IOCs against your SIEM.

  • Detects malicious IPs, domains, hashes, and URLs in your environment.
  • Integrates with Chronicle, GTI Enterprise, and UDM search APIs.
  • Validates formats before executing structured queries for each indicator.
  • Returns enriched findings with timestamps, sources, and case references.

SKILL.md

.github/skills/hunt-ioc
---
name: hunt-ioc
description: "Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation."
required_roles:
  chronicle: roles/chronicle.editor
  gti: GTI Enterprise
personas: [threat-hunter, tier2-analyst]
---

# IOC Threat Hunt Skill

Proactively hunt for specific Indicators of Compromise (IOCs) across the environment based on threat intelligence feeds, recent incidents, or emerging threats.

## Inputs

- `IOC_LIST` - Comma-separated list of IOC values to hunt
- `IOC_TYPES` - Corresponding types (e.g., "IP Address, Domain, File Hash")
- `HUNT_TIMEFRAME_HOURS` - Lookback period (default: 96)
- *(Optional)* `HUNT_CASE_ID` - SOAR case for tracking
- *(Optional)* `REASON_FOR_HUNT` - Why these IOCs are being hunted

## Workflow

### Step 1: Parse and Validate IOCs

Parse `IOC_LIST` and `IOC_TYPES` into a structured list, pairing each value with its type; the two lists must be the same length, or values will be paired with the wrong type and searched with the wrong query.
Validate each IOC's format before it is placed in a query (IP address syntax, hash length of 32/40/64 hex characters, domain and URL syntax) and set aside anything that fails. A value from a threat feed is untrusted input: it should never be interpolated into a UDM query unvalidated.

### Step 2: Initial IOC Match Check

```
secops-mcp.get_ioc_matches(hours_back=HUNT_TIMEFRAME_HOURS)
```

Lists events in the lookback window that have already matched IOCs in the integrated threat feeds. Cross-check the returned matches against `IOC_LIST` for quick hits before running the per-IOC searches; this does not replace Step 3, because an IOC absent from the feeds will not appear here.

### Step 3: Iterative SIEM Search

For each validated IOC, construct the UDM query for its type, substituting the value for the `IOC` placeholder as a quoted string literal:

**IP Address:**
```udm
(principal.ip = "IOC" OR target.ip = "IOC" OR network.ip = "IOC")
```

**Domain:**
```udm
(principal.hostname = "IOC" OR target.hostname = "IOC" OR network.dns.questions.name = "IOC")
```

**File Hash:**
```udm
(target.file.sha256 = "IOC" OR target.file.md5 = "IOC" OR target.file.sha1 = "IOC")
```

**URL:**
```udm
target.url = "IOC"
```

Execute each search:
```
secops-mcp.search_security_events(text=query, hours_back=HUNT_TIMEFRAME_HOURS)
```
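As an added example (not code from the skill or from secops-mcp), the following Python implements Steps 1 and 3 together: it pairs `IOC_LIST` with `IOC_TYPES`, validates and normalizes each value, and builds the per-type UDM query. The function names (`parse_iocs`, `validate_ioc`, `build_udm_query`, `_literal`) are hypothetical. It goes slightly beyond the templates above in two places: a file hash is routed to the single UDM hash field its digest length implies, and a value that would need escaping inside a UDM string literal is refused rather than escaped, so a hostile feed entry cannot change the query's structure. Lowercasing domains and hashes assumes the SIEM stores them in lowercase.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical helpers for Steps 1 and 3; not part of the skill or secops-mcp.

# Hex digest length -> UDM file hash field (assumes hashes are stored as lowercase hex).
HASH_FIELD = {32: "target.file.md5", 40: "target.file.sha1", 64: "target.file.sha256"}
# Lowercase labels, 1-63 chars each, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Accept the type spellings used in IOC_TYPES ("IP Address", "Domain", "File Hash", "URL").
TYPE_ALIASES = {"ip address": "ip", "ip": "ip", "domain": "domain",
                "file hash": "hash", "hash": "hash", "url": "url"}


def validate_ioc(value, ioc_type):
    """Return (normalized_value, error); normalized_value is None when rejected."""
    v, t = value.strip(), TYPE_ALIASES.get(ioc_type.strip().lower())
    if t == "ip":
        try:
            ipaddress.ip_address(v)  # v4 and v6; rejects octets > 255, stray text, etc.
        except ValueError:
            return None, f"not an IP address: {value!r}"
        return v, None
    if t == "domain":
        v = v.lower().rstrip(".")  # drop a trailing root dot from feed exports
        if len(v) <= 253 and DOMAIN_RE.match(v):
            return v, None
        return None, f"not a domain: {value!r}"
    if t == "hash":
        v = v.lower()
        if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_FIELD:
            return v, None
        return None, f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}"
    if t == "url":
        p = urlparse(v)
        if p.scheme in ("http", "https") and p.netloc:
            return v, None
        return None, f"not an http(s) URL: {value!r}"
    return None, f"unsupported IOC type: {ioc_type!r}"


def parse_iocs(ioc_list, ioc_types):
    """Step 1: pair IOC_LIST with IOC_TYPES and validate each entry.

    Returns (accepted, rejected). A count mismatch is fatal: silently zipping the
    two lists would pair values with the wrong types and produce wrong queries.
    """
    values = [v for v in ioc_list.split(",") if v.strip()]
    types = [t for t in ioc_types.split(",") if t.strip()]
    if len(values) != len(types):
        raise ValueError(f"{len(values)} IOCs but {len(types)} types")
    accepted, rejected = [], []
    for raw, raw_type in zip(values, types):
        norm, err = validate_ioc(raw, raw_type)
        if err:
            rejected.append({"value": raw.strip(), "type": raw_type.strip(), "error": err})
        else:
            accepted.append({"value": norm, "type": TYPE_ALIASES[raw_type.strip().lower()]})
    return accepted, rejected


def _literal(value):
    """Quote a value as a UDM string literal. Characters that would need escaping
    are refused rather than escaped, so an untrusted feed value cannot alter the
    query's structure (fail closed). Validation leaves only URLs able to hit this."""
    if any(c in value for c in '"\\\n\r'):
        raise ValueError(f"refusing to embed {value!r} in a UDM query")
    return f'"{value}"'


def build_udm_query(ioc):
    """Step 3: UDM query for one validated IOC, following the per-type templates."""
    lit = _literal(ioc["value"])
    if ioc["type"] == "ip":
        return f"(principal.ip = {lit} OR target.ip = {lit} OR network.ip = {lit})"
    if ioc["type"] == "domain":
        return (f"(principal.hostname = {lit} OR target.hostname = {lit}"
                f" OR network.dns.questions.name = {lit})")
    if ioc["type"] == "hash":
        return f"{HASH_FIELD[len(ioc['value'])]} = {lit}"  # one field, chosen by digest length
    if ioc["type"] == "url":
        return f"target.url = {lit}"
    raise ValueError(f"no query template for type {ioc['type']!r}")
```

Feed the `accepted` list to the `search_security_events` loop and report the `rejected` list explicitly in the hunt summary as "not searched" rather than letting those IOCs disappear; a silently dropped indicator looks identical to a miss.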

### Step 4: Analyze Results

For each search result:
- Identify affected hosts, users, processes
- Note event types (login, network connection, file execution)
- Assess if activity is suspicious or expected

### Step 5: Enrich Hits

If hits found for an IOC:

Use `/enrich-ioc` for the IOC itself.

For involved entities (hosts, users):
```
secops-mcp.lookup_entity(entity_value=ENTITY)
```

### Step 6: Document Hunt

Use `/document-in-case` (if HUNT_CASE_ID provided):

```
IOC Hunt Summary:
- IOCs Hunted: [list]
- Timeframe: [hours]
- Queries Used: [list with results summary]
- IOCs with Hits: [list with details]
- IOCs with No Hits: [list - no matches in the searched timeframe and ingested log sources]
- Enrichment: [for hits]
- Recommendations: [next steps]
```

### Step 7: Escalate or Conclude

**Confirmed malicious activity:**
→ Create/update incident case
→ Trigger appropriate response runbook

**No significant findings:**
→ Document hunt completion
→ Note IOCs with no matches, together with the timeframe and sources searched, for future reference

## Output Summary Template

```markdown
# IOC Hunt Results

**Hunt Date:** [timestamp]
**Timeframe:** Last [X] hours
**Reason:** [REASON_FOR_HUNT]

## IOCs Searched
| IOC | Type | Result | Notes |
|-----|------|--------|-------|
| 198.51.100.10 | IP | NO HITS | No events in last [X] hours |
| evil.com | Domain | 3 HITS | DNS lookups from HOST1 |

## Hits Analysis
[Details for each IOC with hits]

## Recommendations
[Actions to take]
```

## Required Outputs

**After completing this skill, you MUST report these outputs:**

| Output | Description |
|--------|-------------|
| `MATCHES` | IOCs found in SIEM (list of IOCs with hits) |
| `MATCH_CONTEXT` | Context for each match (events, assets, users affected) |
| `MATCHES_FOUND` | Boolean: `true` if any IOCs found in environment, `false` otherwise |

## Critical Requirements

- Search ALL provided IOCs (don't skip any; an IOC that failed validation is reported as not searched, never as a miss)
- Use the requested lookback (`HUNT_TIMEFRAME_HOURS`, default 96), not a shorter one such as 1 hour
- Document negative results; a miss means no matches in the searched timeframe and ingested log sources, not proof that the environment is clean
- Don't declare "clean" if there were obvious hits
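As an added example (not code from the skill or from secops-mcp), the following Python builds the three required outputs from the per-IOC search results of Step 3, performs the Step 4 rollup of affected hosts, users, processes and event types, and renders the `IOCs Searched` rows of the summary template. It enforces the first and last requirements above: an IOC that was never searched aborts the rollup instead of being written up as a miss, and `MATCHES_FOUND` is derived from the data rather than declared. The event dicts are constructed samples laid out like UDM events, not real `search_security_events` output, and the function names (`summarize_hunt`, `results_rows`, `_get`, `_collect`) are hypothetical; timestamps are assumed to be ISO-8601 UTC strings so they sort lexically.

```python
# Hypothetical Step 4 rollup; not part of the skill or secops-mcp.

# Constructed sample results keyed by IOC: the events each Step 3 search returned,
# trimmed to the UDM fields this summary reads. Not real secops-mcp output.
SAMPLE_RESULTS = {
    "198.51.100.10": [],
    "evil.com": [
        {"metadata": {"event_type": "NETWORK_DNS", "event_timestamp": "2024-05-01T10:00:00Z"},
         "principal": {"hostname": "HOST1", "user": {"userid": "alice"}}},
        {"metadata": {"event_type": "NETWORK_DNS", "event_timestamp": "2024-05-01T10:05:00Z"},
         "principal": {"hostname": "HOST1", "user": {"userid": "alice"}}},
        {"metadata": {"event_type": "NETWORK_HTTP", "event_timestamp": "2024-05-01T10:06:00Z"},
         "principal": {"hostname": "HOST1", "user": {"userid": "alice"},
                       "process": {"file": {"full_path": "C:\\Windows\\System32\\svchost.exe"}}},
         "target": {"hostname": "evil.com"}},
    ],
}


def _get(event, path):
    """Read a dotted UDM path from a nested dict; None if any level is absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _collect(events, path):
    """Distinct non-empty values of one UDM path across a list of events."""
    return sorted({v for v in (_get(e, path) for e in events) if v})


def summarize_hunt(requested_iocs, results):
    """Produce MATCHES, MATCH_CONTEXT and MATCHES_FOUND.

    requested_iocs: every validated IOC from Step 1 (in hunt order).
    results: {ioc: [udm_event, ...]} from Step 3. An IOC with no entry at all was
    never searched; that is a coverage gap and must not be reported as NO HITS.
    """
    unsearched = [i for i in requested_iocs if i not in results]
    if unsearched:
        raise RuntimeError(f"hunt incomplete, never searched: {unsearched}")
    match_context = {}
    for ioc in requested_iocs:
        events = results[ioc]
        if not events:
            continue  # genuine negative result for this IOC
        hosts = set(_collect(events, "principal.hostname")) | set(_collect(events, "target.hostname"))
        hosts.discard(ioc)  # a domain IOC appearing as target.hostname is not an affected asset
        stamps = _collect(events, "metadata.event_timestamp")
        match_context[ioc] = {
            "event_count": len(events),
            "assets": sorted(hosts),
            "users": _collect(events, "principal.user.userid"),
            "processes": _collect(events, "principal.process.file.full_path"),
            "event_types": _collect(events, "metadata.event_type"),
            "first_seen": stamps[0] if stamps else None,
            "last_seen": stamps[-1] if stamps else None,
        }
    return {"MATCHES": list(match_context),
            "MATCH_CONTEXT": match_context,
            "MATCHES_FOUND": bool(match_context)}


def results_rows(requested_iocs, ioc_types, summary, hours):
    """Rows for the 'IOCs Searched' table. A miss is stated as what was actually
    checked (no events in the window) rather than as proof the environment is clean."""
    rows = []
    for ioc, ioc_type in zip(requested_iocs, ioc_types):
        ctx = summary["MATCH_CONTEXT"].get(ioc)
        if ctx is None:
            rows.append(f"| {ioc} | {ioc_type} | NO HITS | No events in last {hours} h |")
        else:
            note = f"{', '.join(ctx['event_types'])} from {', '.join(ctx['assets']) or 'unknown host'}"
            rows.append(f"| {ioc} | {ioc_type} | {ctx['event_count']} HITS | {note} |")
    return rows
```

Pass the `requested_iocs` list straight from Step 1's accepted output so that the coverage check compares against what was supposed to be hunted, not against whatever happened to get searched.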

More from dandye/ai-runbooks

| Skill | Description |
|-------|-------------|
| analyze-content-gaps | Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities. |
| audit-content | Comprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations. |
| check-duplicates | Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases. |
| close-case-artifact | Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause. |
| cluster-documents | Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity. |
| confirm-action | Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response. |
| correlate-ioc | Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases. |
| deep-dive-ioc | Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation. |
| design-metadata-schema | Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems. |
| document-in-case | Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text. |