hunt-ioc

Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.

Install with Tessl CLI

npx tessl i github:dandye/ai-runbooks --skill hunt-ioc

What are skills?

Review — 91%

Does it follow best practices?

Validation — 10 / 11 Passed

Validation for skill structure

SKILL.md

Review

Evals

IOC Threat Hunt Skill

Proactively hunt for specific Indicators of Compromise (IOCs) across the environment based on threat intelligence feeds, recent incidents, or emerging threats.

Inputs

IOC_LIST - Comma-separated list of IOC values to hunt
IOC_TYPES - Corresponding types (e.g., "IP Address, Domain, File Hash")
HUNT_TIMEFRAME_HOURS - Lookback period (default: 96)
(Optional) HUNT_CASE_ID - SOAR case for tracking
(Optional) REASON_FOR_HUNT - Why these IOCs are being hunted

Workflow

Step 1: Parse and Validate IOCs

Parse IOC_LIST and IOC_TYPES into structured list. Validate IOC formats (IP regex, hash length, etc.).

Step 2: Initial IOC Match Check

secops-mcp.get_ioc_matches(hours_back=HUNT_TIMEFRAME_HOURS)

Check if any IOCs appear in integrated threat feeds.

Step 3: Iterative SIEM Search

For each IOC, construct appropriate UDM query:

IP Address:

(principal.ip = "IOC" OR target.ip = "IOC" OR network.ip = "IOC")

Domain:

(principal.hostname = "IOC" OR target.hostname = "IOC" OR network.dns.questions.name = "IOC")

File Hash:

(target.file.sha256 = "IOC" OR target.file.md5 = "IOC" OR target.file.sha1 = "IOC")

URL:

target.url = "IOC"

Execute each search:

secops-mcp.search_security_events(text=query, hours_back=HUNT_TIMEFRAME_HOURS)

Step 4: Analyze Results

For each search result:

Identify affected hosts, users, processes
Note event types (login, network connection, file execution)
Assess if activity is suspicious or expected

Step 5: Enrich Hits

If hits found for an IOC:

Use /enrich-ioc for the IOC itself.

For involved entities (hosts, users):

secops-mcp.lookup_entity(entity_value=ENTITY)

Step 6: Document Hunt

Use /document-in-case (if HUNT_CASE_ID provided):

IOC Hunt Summary:
- IOCs Hunted: [list]
- Timeframe: [hours]
- Queries Used: [list with results summary]
- IOCs with Hits: [list with details]
- IOCs with No Hits: [list - confirms environment is clean]
- Enrichment: [for hits]
- Recommendations: [next steps]

Step 7: Escalate or Conclude

Confirmed malicious activity: → Create/update incident case → Trigger appropriate response runbook

No significant findings: → Document hunt completion → Note clean IOCs for future reference

Output Summary Template

# IOC Hunt Results

**Hunt Date:** [timestamp]
**Timeframe:** Last [X] hours
**Reason:** [REASON_FOR_HUNT]

## IOCs Searched
| IOC | Type | Result | Notes |
|-----|------|--------|-------|
| 198.51.100.10 | IP | NO HITS | Clean |
| evil.com | Domain | 3 HITS | DNS lookups from HOST1 |

## Hits Analysis
[Details for each IOC with hits]

## Recommendations
[Actions to take]

Required Outputs

After completing this skill, you MUST report these outputs:

Output	Description
`MATCHES`	IOCs found in SIEM (list of IOCs with hits)
`MATCH_CONTEXT`	Context for each match (events, assets, users affected)
`MATCHES_FOUND`	Boolean: `true` if any IOCs found in environment, `false` otherwise

Critical Requirements

Search ALL provided IOCs (don't skip any)
Use correct timeframe (not 1 hour instead of 72)
Document negative results (confirms environment is clean)
Don't declare "clean" if there were obvious hits

Repository: dandye/ai-runbooks
Commit: 67a00be
Last updated: 14 days ago
Created: 14 days ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.