APT Threat Hunt Skill

Proactively hunt for TTPs and IOCs associated with a specific Advanced Persistent Threat (APT) group based on threat intelligence.

Inputs

• THREAT_ACTOR_ID - GTI Collection ID or name of the target APT group
• HUNT_TIMEFRAME_HOURS - Lookback period (default: 168 = 7 days)
• (Optional) TARGET_SCOPE_QUERY - UDM query to narrow scope
• (Optional) HUNT_HYPOTHESIS - Specific hypothesis guiding the hunt
• (Optional) HUNT_CASE_ID - SOAR case for tracking

Workflow

Step 1: Identify Actor & Gather Intelligence

If starting with a name:

gti-mcp.search_threat_actors(query="APT_NAME")

Then gather comprehensive intelligence:

gti-mcp.get_collection_report(id=THREAT_ACTOR_ID)
gti-mcp.get_collection_mitre_tree(id=THREAT_ACTOR_ID)
gti-mcp.get_collection_timeline_events(id=THREAT_ACTOR_ID)

Extract associated IOCs:

gti-mcp.get_entities_related_to_a_collection(id=THREAT_ACTOR_ID, relationship_name="files")
gti-mcp.get_entities_related_to_a_collection(id=THREAT_ACTOR_ID, relationship_name="domains")
gti-mcp.get_entities_related_to_a_collection(id=THREAT_ACTOR_ID, relationship_name="urls")

Store as GTI_IOC_LIST.

Step 2: Check SIEM IOC Matches

secops-mcp.get_ioc_matches(hours_back=HUNT_TIMEFRAME_HOURS)

Correlate results with GTI_IOC_LIST.

Step 3: IOC-Based SIEM Search

For each IOC type in GTI_IOC_LIST, construct and execute UDM queries:

secops-mcp.search_security_events(
    text="UDM query for IOC",
    hours_back=HUNT_TIMEFRAME_HOURS
)

Document both positive and negative results → IOC_SEARCH_FINDINGS.

Step 4: TTP-Based SIEM Search

Based on MITRE techniques from Step 1:

• Use gti-mcp.get_threat_intel(query="MITRE technique details") for detection ideas
• Formulate TTP-specific UDM queries
• Execute searches over the timeframe
• Combine with TARGET_SCOPE_QUERY if provided

Document results → TTP_SEARCH_FINDINGS.

Step 5: Enrich Findings

If hits found (IOC_SEARCH_FINDINGS or TTP_SEARCH_FINDINGS):

For each found IOC or entity:

secops-mcp.lookup_entity(entity_value=FOUND_ITEM)
gti-mcp.get_..._report(identifier=FOUND_ITEM)

Step 6: Check Related Cases

Use /find-relevant-case with found IOCs and entities.

Step 7: Document & Report

Use /document-in-case (if HUNT_CASE_ID provided).

Use /generate-report with REPORT_TYPE="apt_hunt":

• Hunt objective and hypothesis
• Threat actor summary
• TTPs investigated
• IOCs searched
• SIEM queries used
• Findings (positive AND negative)
• Recommendations

Step 8: Escalate or Conclude

Confirmed threat found: → Escalate to Incident Response → Create incident case

No threat found: → Document negative findings → Conclude hunt

Required Outputs

After completing this skill, you MUST report these outputs:

Key Intelligence Sources

Critical Requirements

• Document ALL queries used (for reproducibility)
• Report negative findings (no hits is valuable intel)
• Don't report false positives as confirmed threats