Best use case
forensics-hunt is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
It is a strong fit for teams already working in Codex.
Threat hunt using Sigma rules against log sources
Teams using forensics-hunt should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/forensics-hunt/SKILL.md --create-dirs "https://raw.githubusercontent.com/jmagly/aiwg/main/.agents/skills/forensics-hunt/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/forensics-hunt/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How forensics-hunt Compares
| Feature / Agent | forensics-hunt | Standard Approach |
|---|---|---|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Threat hunt using Sigma rules against log sources
Which AI agents support this skill?
This skill is designed for Codex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
SKILL.md Source
# /forensics-hunt Perform structured threat hunting by executing Sigma detection rules against collected log sources. Supports targeted rule selection or full rule set execution. Outputs matched detections with evidence context and MITRE ATT&CK annotations. ## Usage `/forensics-hunt [options]` ## Arguments | Argument | Required | Description | |----------|----------|-------------| | --rules | No | Rule IDs to run, comma-separated, or `all` (default: `all`) | | --target | No | Target hostname to scope the hunt | | --logs-path | No | Path to collected logs directory (default: `.aiwg/forensics/acquisition/logs/`) | | --output | No | Output path (default: `.aiwg/forensics/analysis/hunt-findings.md`) | | --severity | No | Minimum rule severity to execute: `low`, `medium`, `high`, `critical` (default: `medium`) | | --since | No | Only evaluate log entries after this timestamp | | --format | No | Output format: `markdown` (default), `json`, `sigma-results` | | --list-rules | No | List available rules without executing | ## Behavior When invoked, this command: 1. **Discover Log Sources** - Locate collected logs at specified or default path - Identify log types: auth, syslog, journal, audit, application - Map log formats to compatible Sigma field mappings - Validate log file integrity against acquisition checksums 2. **Load Sigma Rules** - Load rules from `@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/sigma/` - Filter by `--rules` selection or severity threshold - Resolve rule dependencies and required fields - Report rules skipped due to missing log sources 3. **Execute Detections** - Run each applicable rule against relevant log sources - Apply field mappings to normalize log formats - Filter by `--since` timestamp if provided - Track match counts and false positive indicators 4. **Detection Categories** | Category | Example Rules | |----------|--------------| | Authentication | `ssh-brute-force-success`, `password-spray`, `invalid-user-spikes` | | Privilege Escalation | `sudo-to-root`, `suid-execution`, `new-root-session` | | Persistence | `cron-modification`, `new-systemd-unit`, `authorized-key-added` | | Lateral Movement | `internal-ssh-from-new-host`, `ssh-agent-forwarding` | | Defense Evasion | `log-deletion`, `audit-tampering`, `history-cleared` | | Exfiltration | `large-outbound-transfer`, `curl-to-external`, `dns-exfil` | | C2 | `reverse-shell-indicators`, `beaconing-intervals`, `tunnel-traffic` | 5. **Result Enrichment** - Extract matching log lines as evidence - Provide context window (5 lines before/after match) - Link detections to MITRE ATT&CK technique IDs - Score detection confidence (HIGH/MEDIUM/LOW) based on rule quality 6. **Hunt Summary** - Count detections by severity and category - Identify accounts, IPs, and processes involved - Generate prioritized finding list - Recommend follow-up investigation steps ## Examples ### Example 1: Full rule set, all logs ```bash /forensics-hunt ``` ### Example 2: Specific rules against a target ```bash /forensics-hunt --rules ssh-brute-force-success,sudo-to-root --target web01 ``` ### Example 3: High and critical severity only ```bash /forensics-hunt --severity high ``` ### Example 4: Hunt recent log entries ```bash /forensics-hunt --since 2026-02-26T18:00:00Z --severity medium ``` ### Example 5: List available rules ```bash /forensics-hunt --list-rules ``` ### Example 6: JSON output for SIEM import ```bash /forensics-hunt --severity high --format json ``` ## Output Artifacts are saved to `.aiwg/forensics/analysis/`: ``` .aiwg/forensics/analysis/ ├── hunt-findings.md # Human-readable detection results ├── hunt-findings.json # Machine-readable results └── rule-execution-log.yaml # Which rules ran, match counts, errors ``` ### Sample Output ``` Threat Hunt: web01-2026-02-27 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Log sources: auth.log, syslog, journal, audit.log (140.6 MB) Rules loaded: 47 applicable (of 63 total, 16 skipped: missing sources) Executing rules... [HIGH ] ssh-brute-force-success MATCH (1 event) [HIGH ] sudo-to-root MATCH (2 events) [CRITICAL] cron-modification MATCH (1 event) [HIGH ] reverse-shell-indicators MATCH (1 event) [MEDIUM] invalid-user-spikes MATCH (847 events) [MEDIUM] curl-to-external MATCH (3 events) [LOW ] failed-su-attempts no match [LOW ] password-spray no match ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Detection Summary: CRITICAL: 1 HIGH: 3 MEDIUM: 2 LOW: 0 Total detections: 6 rules matched across 855 events --- ssh-brute-force-success (HIGH, T1110.001) --- Match: 2026-02-26 22:29:01 Accepted publickey for deploy from 185.220.101.42 port 51823 Context: Following 847 failed attempts (22:14:33-22:29:00) from same IP Confidence: HIGH --- cron-modification (CRITICAL, T1053.003) --- Match: 2026-02-26 22:33:45 crontab: deploy modified crontab for root Context: 4 minutes after successful SSH login from attacker IP Confidence: HIGH Hunt complete. Output: .aiwg/forensics/analysis/hunt-findings.md ``` ### Available Rules List (--list-rules) ``` ID Severity Category Description ──────────────────────────────────────────────────────────────────── ssh-brute-force-success HIGH Authentication Successful login after brute force password-spray MEDIUM Authentication Many failed logins across accounts sudo-to-root HIGH Privilege Esc. User obtained root via sudo new-root-session HIGH Privilege Esc. Root shell opened (non-login) cron-modification CRITICAL Persistence Crontab file modified new-systemd-unit HIGH Persistence New systemd unit installed authorized-key-added HIGH Persistence New SSH authorized key added log-deletion HIGH Defense Evasion Log file deleted or truncated reverse-shell-indicators HIGH C2 Bash/nc/python reverse shell pattern beaconing-intervals MEDIUM C2 Regular outbound connection pattern large-outbound-transfer HIGH Exfiltration Unusually large outbound data transfer ``` ## References - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/log-analyst.md - Log Analyst - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/sigma/ - Sigma rule library - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-ioc.md - IOC extraction from findings - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-timeline.md - Timeline correlation
Related Skills
supply-chain-forensics
104
from jmagly/aiwg
SBOM analysis, build pipeline forensics, and dependency verification covering package integrity, build reproducibility, and CI/CD pipeline tampering
Codex
sigma-hunting
104
from jmagly/aiwg
Apply Sigma rules against log sources for threat hunting; convert rules to Elasticsearch, Splunk, and grep queries
Codex
memory-forensics
104
from jmagly/aiwg
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
Codex
linux-forensics
104
from jmagly/aiwg
Generalized Linux incident response and forensic analysis covering Debian/Ubuntu, RHEL/CentOS/Rocky, and SUSE families
Codex
forensics-triage
104
from jmagly/aiwg
Quick triage investigation following RFC 3227 volatility order
Codex
forensics-timeline
104
from jmagly/aiwg
Build correlated event timeline from multiple sources
Codex
forensics-status
104
from jmagly/aiwg
Show investigation status dashboard
Codex
forensics-report
104
from jmagly/aiwg
Generate forensic investigation report
Codex
forensics-profile
104
from jmagly/aiwg
Build target system profile via SSH or cloud API enumeration
Codex
forensics-ioc
104
from jmagly/aiwg
Extract and enrich indicators of compromise
Codex
forensics-investigate
104
from jmagly/aiwg
Full multi-agent investigation workflow
Codex
forensics-acquire
104
from jmagly/aiwg
Evidence acquisition with chain of custody and hash verification
Codex