security-threat-hunting
Community: Interactive ES|QL threat hunting
Category: Data & Analytics. Tags: security, elasticsearch, detection-engineering, incident-response, threat-hunting, esql, ioc-enrichment
Author: patrykkopycinski
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Guides analysts through proactive, hypothesis-driven threat hunting in Elastic Security by translating investigative questions into iterative ES|QL and Elasticsearch queries, enriching IOCs, and operationalizing detections and cases.
Core Features & Use Cases
- Hypothesis-driven hunting: Formulate hunt hypotheses (MITRE techniques, IOC-based, behavioral, anomaly-driven) and map them to the right indices and fields.
- Data source discovery: Verify availability of relevant data sources (endpoint, network, auth, cloud, DNS, file) before querying.
- Iterative ES|QL exploration: Build and refine ES|QL queries to surface suspicious hosts, processes, network connections, and brute force activity.
- IOC enrichment and pivoting: Enrich discovered IPs/domains/hashes across indices and summarize hits by host, index, or user.
- Operationalization: Convert validated hunt queries into detection rules, create cases with attached evidence, or add exceptions when appropriate.
Quick Start
Ask the skill to hunt for unusual PowerShell execution across endpoint logs in the last 7 days and return findings with suggested detections.
Dependency Matrix
Required Modules
None required
Components
Standard package
Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill:
Name: security-threat-hunting
Download link: https://github.com/patrykkopycinski/elastic-cursor-plugin/archive/main.zip#security-threat-hunting
Please download this .zip file, extract it, and install it in the .claude/skills/ directory.