Threat Hunter — SecOps Hunt

What it does

Acts as a playbook and guided operator for proactive threat hunting. It instructs the agent to detect available tools, construct appropriate queries (UDM or local SIEM), iterate searches for IOCs/TTPs, enrich suspicious entities, and document findings into cases or reports. The skill maps high-level hunt objectives to concrete steps and tool calls.

When to use it

Use when an analyst asks to hunt for indicators, investigate suspected TTPs, or run a focused search (e.g., specific MITRE ATT&CK techniques, campaign IDs, or IOC lists). Appropriate for environments with remote search tools (udm_search/get_ioc_match) or local SIEM functions. Trigger phrases include "hunt", "threat hunt", "search for IOCs", or "investigate TTP".

What's included

• Scripts: Procedural hunt loops and example query patterns for IPs, domains, file hashes, and URLs; guidance for phase 1 (initial scan) and phase 2 (deep investigation).
• References: Tool mapping guidance (extensions/google-secops/TOOL_MAPPING.md) and recommendations for reporting/escalation.
• Instructions: Stepwise workflows for GTI campaign/actor hunts, guided TTP hunts (e.g., credential access techniques), and locating relevant SOAR cases.

Compatible agents

Designed for SecOps-capable agents that can call remote search tools or local SIEM connectors (Google SecOps integrations, UDM-capable agents).