askill
hunt-ioc

hunt-iocSafety 100Repository

Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.

hunt-iocdandye
85 stars
1.7k downloads
Updated 2/4/2026

Package Files

Loading files...
SKILL.md

IOC Threat Hunt Skill

Proactively hunt for specific Indicators of Compromise (IOCs) across the environment based on threat intelligence feeds, recent incidents, or emerging threats.

Inputs

  • IOC_LIST - Comma-separated list of IOC values to hunt
  • IOC_TYPES - Corresponding types (e.g., "IP Address, Domain, File Hash")
  • HUNT_TIMEFRAME_HOURS - Lookback period (default: 96)
  • (Optional) HUNT_CASE_ID - SOAR case for tracking
  • (Optional) REASON_FOR_HUNT - Why these IOCs are being hunted

Workflow

Step 1: Parse and Validate IOCs

Parse IOC_LIST and IOC_TYPES into structured list. Validate IOC formats (IP regex, hash length, etc.).

Step 2: Initial IOC Match Check

secops-mcp.get_ioc_matches(hours_back=HUNT_TIMEFRAME_HOURS)

Check if any IOCs appear in integrated threat feeds.

Step 3: Iterative SIEM Search

For each IOC, construct appropriate UDM query:

IP Address:

(principal.ip = "IOC" OR target.ip = "IOC" OR network.ip = "IOC")

Domain:

(principal.hostname = "IOC" OR target.hostname = "IOC" OR network.dns.questions.name = "IOC")

File Hash:

(target.file.sha256 = "IOC" OR target.file.md5 = "IOC" OR target.file.sha1 = "IOC")

URL:

target.url = "IOC"

Execute each search:

secops-mcp.search_security_events(text=query, hours_back=HUNT_TIMEFRAME_HOURS)

Step 4: Analyze Results

For each search result:

  • Identify affected hosts, users, processes
  • Note event types (login, network connection, file execution)
  • Assess if activity is suspicious or expected

Step 5: Enrich Hits

If hits found for an IOC:

Use /enrich-ioc for the IOC itself.

For involved entities (hosts, users):

secops-mcp.lookup_entity(entity_value=ENTITY)

Step 6: Document Hunt

Use /document-in-case (if HUNT_CASE_ID provided):

IOC Hunt Summary:
- IOCs Hunted: [list]
- Timeframe: [hours]
- Queries Used: [list with results summary]
- IOCs with Hits: [list with details]
- IOCs with No Hits: [list - confirms environment is clean]
- Enrichment: [for hits]
- Recommendations: [next steps]

Step 7: Escalate or Conclude

Confirmed malicious activity: → Create/update incident case → Trigger appropriate response runbook

No significant findings: → Document hunt completion → Note clean IOCs for future reference

Output Summary Template

# IOC Hunt Results

**Hunt Date:** [timestamp]
**Timeframe:** Last [X] hours
**Reason:** [REASON_FOR_HUNT]

## IOCs Searched
| IOC | Type | Result | Notes |
|-----|------|--------|-------|
| 198.51.100.10 | IP | NO HITS | Clean |
| evil.com | Domain | 3 HITS | DNS lookups from HOST1 |

## Hits Analysis
[Details for each IOC with hits]

## Recommendations
[Actions to take]

Required Outputs

After completing this skill, you MUST report these outputs:

OutputDescription
MATCHESIOCs found in SIEM (list of IOCs with hits)
MATCH_CONTEXTContext for each match (events, assets, users affected)
MATCHES_FOUNDBoolean: true if any IOCs found in environment, false otherwise

Critical Requirements

  • Search ALL provided IOCs (don't skip any)
  • Use correct timeframe (not 1 hour instead of 72)
  • Document negative results (confirms environment is clean)
  • Don't declare "clean" if there were obvious hits

Install

Download ZIP
Requires askill CLI v1.0+

AI Quality Score

95/100Analyzed 2/13/2026

An excellent, highly structured skill for threat hunting IOCs. It provides clear inputs, specific UDM queries for different IOC types, a step-by-step workflow, and explicit output requirements. The inclusion of a markdown template and required output variables makes it extremely actionable for an AI agent.

100
95
85
95
95

Metadata

Licenseunknown
Version-
Updated2/4/2026
Publisherdandye

Tags

github-actions