IOC Threat Hunt Skill
Proactively hunt for specific Indicators of Compromise (IOCs) across the environment based on threat intelligence feeds, recent incidents, or emerging threats.
Inputs
- •
IOC_LIST- Comma-separated list of IOC values to hunt - •
IOC_TYPES- Corresponding types (e.g., "IP Address, Domain, File Hash") - •
HUNT_TIMEFRAME_HOURS- Lookback period (default: 96) - •(Optional)
HUNT_CASE_ID- SOAR case for tracking - •(Optional)
REASON_FOR_HUNT- Why these IOCs are being hunted
Workflow
Step 1: Parse and Validate IOCs
Parse IOC_LIST and IOC_TYPES into structured list.
Validate IOC formats (IP regex, hash length, etc.).
Step 2: Initial IOC Match Check
secops-mcp.get_ioc_matches(hours_back=HUNT_TIMEFRAME_HOURS)
Check if any IOCs appear in integrated threat feeds.
Step 3: Iterative SIEM Search
For each IOC, construct appropriate UDM query:
IP Address:
(principal.ip = "IOC" OR target.ip = "IOC" OR network.ip = "IOC")
Domain:
(principal.hostname = "IOC" OR target.hostname = "IOC" OR network.dns.questions.name = "IOC")
File Hash:
(target.file.sha256 = "IOC" OR target.file.md5 = "IOC" OR target.file.sha1 = "IOC")
URL:
target.url = "IOC"
Execute each search:
secops-mcp.search_security_events(text=query, hours_back=HUNT_TIMEFRAME_HOURS)
Step 4: Analyze Results
For each search result:
- •Identify affected hosts, users, processes
- •Note event types (login, network connection, file execution)
- •Assess if activity is suspicious or expected
Step 5: Enrich Hits
If hits found for an IOC:
Use /enrich-ioc for the IOC itself.
For involved entities (hosts, users):
secops-mcp.lookup_entity(entity_value=ENTITY)
Step 6: Document Hunt
Use /document-in-soar (if HUNT_CASE_ID provided):
IOC Hunt Summary: - IOCs Hunted: [list] - Timeframe: [hours] - Queries Used: [list with results summary] - IOCs with Hits: [list with details] - IOCs with No Hits: [list - confirms environment is clean] - Enrichment: [for hits] - Recommendations: [next steps]
Step 7: Escalate or Conclude
Confirmed malicious activity: → Create/update incident case → Trigger appropriate response runbook
No significant findings: → Document hunt completion → Note clean IOCs for future reference
Output Summary Template
# IOC Hunt Results **Hunt Date:** [timestamp] **Timeframe:** Last [X] hours **Reason:** [REASON_FOR_HUNT] ## IOCs Searched | IOC | Type | Result | Notes | |-----|------|--------|-------| | 198.51.100.10 | IP | NO HITS | Clean | | evil.com | Domain | 3 HITS | DNS lookups from HOST1 | ## Hits Analysis [Details for each IOC with hits] ## Recommendations [Actions to take]
Required Outputs
After completing this skill, you MUST report these outputs:
| Output | Description |
|---|---|
MATCHES | IOCs found in SIEM (list of IOCs with hits) |
MATCH_CONTEXT | Context for each match (events, assets, users affected) |
MATCHES_FOUND | Boolean: true if any IOCs found in environment, false otherwise |
Critical Requirements
- •Search ALL provided IOCs (don't skip any)
- •Use correct timeframe (not 1 hour instead of 72)
- •Document negative results (confirms environment is clean)
- •Don't declare "clean" if there were obvious hits