building-threat-hunt-hypothesis-framework
Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and environmental data into testable hunting hypotheses.
Best use case
building-threat-hunt-hypothesis-framework is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and environmental data into testable hunting hypotheses.
Teams using building-threat-hunt-hypothesis-framework should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/building-threat-hunt-hypothesis-framework/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How building-threat-hunt-hypothesis-framework Compares
| Feature / Agent | building-threat-hunt-hypothesis-framework | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and environmental data into testable hunting hypotheses.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Building Threat Hunt Hypothesis Framework ## When to Use - When proactively hunting for indicators of building threat hunt hypothesis framework in the environment - After threat intelligence indicates active campaigns using these techniques - During incident response to scope compromise related to these techniques - When EDR or SIEM alerts trigger on related indicators - During periodic security assessments and purple team exercises ## Prerequisites - EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne) - SIEM with relevant log data ingested (Splunk, Elastic, Sentinel) - Sysmon deployed with comprehensive configuration - Windows Security Event Log forwarding enabled - Threat intelligence feeds for IOC correlation ## Workflow 1. **Formulate Hypothesis**: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis. 2. **Identify Data Sources**: Determine which logs and telemetry are needed to validate or refute the hypothesis. 3. **Execute Queries**: Run detection queries against SIEM and EDR platforms to collect relevant events. 4. **Analyze Results**: Examine query results for anomalies, correlating across multiple data sources. 5. **Validate Findings**: Distinguish true positives from false positives through contextual analysis. 6. **Correlate Activity**: Link findings to broader attack chains and threat actor TTPs. 7. **Document and Report**: Record findings, update detection rules, and recommend response actions. ## Key Concepts | Concept | Description | |---------|-------------| | TA0001 | Initial Access | | TA0003 | Persistence | | TA0008 | Lateral Movement | | TA0010 | Exfiltration | ## Tools & Systems | Tool | Purpose | |------|---------| | CrowdStrike Falcon | EDR telemetry and threat detection | | Microsoft Defender for Endpoint | Advanced hunting with KQL | | Splunk Enterprise | SIEM log analysis with SPL queries | | Elastic Security | Detection rules and investigation timeline | | Sysmon | Detailed Windows event monitoring | | Velociraptor | Endpoint artifact collection and hunting | | Sigma Rules | Cross-platform detection rule format | ## Common Scenarios 1. **Scenario 1**: Intelligence-driven hunt based on APT campaign report 2. **Scenario 2**: ATT&CK coverage gap analysis driving hypothesis creation 3. **Scenario 3**: Anomaly-driven hypothesis from UEBA alert investigation 4. **Scenario 4**: Situational awareness hunt based on industry sector threats ## Output Format ``` Hunt ID: TH-BUILDI-[DATE]-[SEQ] Technique: TA0001 Host: [Hostname] User: [Account context] Evidence: [Log entries, process trees, network data] Risk Level: [Critical/High/Medium/Low] Confidence: [High/Medium/Low] Recommended Action: [Containment, investigation, monitoring] ```
Related Skills
triaging-vulnerabilities-with-ssvc-framework
Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.
tracking-threat-actor-infrastructure
Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a
profiling-threat-actor-groups
Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings.
performing-threat-modeling-with-owasp-threat-dragon
Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies, and generate threat model reports for secure design review.
performing-threat-landscape-assessment-for-sector
Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack vectors, and industry-specific vulnerabilities to inform organizational risk management.
performing-threat-intelligence-sharing-with-misp
Use PyMISP to create, enrich, and share threat intelligence events on a MISP platform, including IOC management, feed integration, STIX export, and community sharing workflows.
performing-threat-hunting-with-yara-rules
Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.
performing-threat-hunting-with-elastic-siem
Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.
performing-threat-emulation-with-atomic-red-team
Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework. Loads test definitions from YAML atomics, runs attack simulations, and validates detection coverage. Use when testing SIEM detection rules, validating EDR coverage, or conducting purple team exercises.
performing-insider-threat-investigation
Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics, and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation, employee data theft, privilege misuse, user behavior anomaly, or internal threat detection.
performing-dark-web-monitoring-for-threats
Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked cre
investigating-insider-threat-indicators
Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR data correlation. Use when SOC teams receive insider threat referrals from HR, detect anomalous data movement by employees, or need to build investigation timelines for potential insider threats.