Skill

Threat Hunt

Conducts threat hunts on Clawdstrike events: timelines, filtered queries, pattern correlations, IOC checks, MITRE ATT&CK mapping, and incident reports.

security

npx claudepluginhub backbay-labs/clawdstrike --plugin clawdstrike

Popularity

Parent stars

279

Parent forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/clawdstrike:threat-hunt

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

SKILL.md

106 lines · ~1.3k tokens

Similar Skills

SentinelOne Purple AI

Guides use of SentinelOne Purple AI for natural language cybersecurity investigations, threat hunting, behavioral anomaly analysis, MITRE ATT&CK TTP mapping, and PowerQuery generation via purple_ai tool.

sentinelone

threat-hunting

Autonomous threat hunting using the PEAK framework (Prepare → Execute → Act). Executes hypothesis-driven, intelligence-driven, and baseline hunts against CrowdStrike NG-SIEM. Produces hunt reports, detection backlogs, and visibility gap reports. Use when proactively hunting for threats, validating detection coverage, or responding to new threat intelligence.

3 files

crowdstrike-threat-hunting

sysdig-runtime-investigate

Investigate a runtime threat detected by Sysdig end-to-end. Surfaces the highest-priority threat, enumerates affected images, scores vulnerability vs runtime correlations on a 1-5 confidence scale, deep-dives into network blast radius or suspicious-binary VT lookups depending on the event class, and hands the case off to Jira or PagerDuty. Triggers on: "investigate runtime threat", "what is this Falco alert", runtime incident triage, SOC investigation, Falco alert analysis.

9 files

headless-cloud-security

Stats

LanguageTypeScript

Parent stars279

Parent forks33

MaintenanceGood

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Threat Hunt

This skill activates when the user or conversation involves: - Investigating security events or suspicious activity - Breach investigation or incident response - Threat hunting across audit logs or event streams - Indicators of Compromise (IOCs) such as suspicious IPs, domains, hashes, or file paths - Correlating security events across multiple sources - MITRE ATT&CK technique references - "BLOCKED by Clawdstrike" or similar denial messages appearing in conversation output - Repeated policy denials or unexpected security enforcement behavior

Investigation Workflow

Follow this structured approach when investigating security events:

1. Establish Timeline

Call clawdstrike_timeline to get a chronological view of recent events:

Start with a broad time range, then narrow down
Look for clusters of activity that indicate automated or coordinated actions
Note any gaps that might indicate log tampering

2. Query and Filter

Use clawdstrike_query to drill into specific criteria:

Filter by verdict (allow/deny/audit) to find blocked actions
Filter by action_type (file/shell/egress/mcp_tool) to focus investigation
Filter by guard name to see which security controls were triggered
Search for specific paths, commands, or domains

3. Correlate Events

Run clawdstrike_correlate to detect patterns across events:

Use built-in correlation rules to identify attack sequences
Look for lateral movement patterns (multiple targets from one source)
Detect privilege escalation attempts (sequence of increasingly sensitive operations)
Identify data exfiltration patterns (sensitive file reads followed by egress)

4. Check IOCs

Use clawdstrike_ioc to check indicators against threat intelligence:

Submit suspicious domains, IPs, file hashes, or paths
Cross-reference with known threat actor TTPs
Check if IOCs appear in multiple events (indicating persistence)

5. Generate Report

Call clawdstrike_report to produce a structured investigation summary:

Include timeline of events, findings, and recommended actions
Reference specific events by ID for traceability
Map findings to MITRE ATT&CK techniques where applicable

MITRE ATT&CK Quick Reference

Common techniques to look for in agent security events:

Technique	ID	Indicators
Command and Scripting Interpreter	T1059	Shell commands with encoded payloads, eval/exec usage
File and Directory Discovery	T1083	Enumeration of sensitive directories
Exfiltration Over Web Service	T1567	Egress to uncommon domains after file reads
Credential Access	T1552	Access to .env, .ssh, credential files
Defense Evasion	T1562	Attempts to modify security config or disable guards
Persistence	T1546	Modifications to shell profiles, cron, startup files
Privilege Escalation	T1548	sudo/chmod/chown commands, setuid changes

MITRE Technique to MCP Tool Mapping

Use this table to select the right investigation tool for each technique:

MITRE Technique	ID	Primary MCP Tool	Investigation Approach
Command and Scripting Interpreter	T1059	`clawdstrike_query`	Filter by `action_type=shell`, look for encoded payloads or eval/exec
File and Directory Discovery	T1083	`clawdstrike_timeline`	Broad timeline scan for sequential file reads across sensitive dirs
Exfiltration Over Web Service	T1567	`clawdstrike_correlate`	Correlate file reads followed by egress to uncommon domains
Credential Access	T1552	`clawdstrike_query`	Filter by `action_type=file` targeting .env, .ssh, credential paths
Defense Evasion	T1562	`clawdstrike_query`	Filter for policy modification attempts or guard config changes
Persistence	T1546	`clawdstrike_ioc`	Check shell profile, cron, and startup file modifications
Privilege Escalation	T1548	`clawdstrike_query`	Filter by `action_type=shell` for sudo, chmod, chown, setuid

Incident Classification

Classify incidents using these severity levels:

Classification	Criteria	Response
P1 - Critical	Active exploitation, data exfiltration confirmed, credential compromise	Immediate remediation, revoke credentials, isolate affected sessions
P2 - High	Blocked exploit attempt, repeated policy violations, suspicious lateral movement	Investigate within current session, tighten policy, monitor for recurrence
P3 - Medium	Single denied action matching known TTP, anomalous but unconfirmed activity	Log for review, verify policy coverage, check for related events
P4 - Low	Informational anomaly, policy audit events, benign tool misuse	Document in report, no immediate action required

Response Guidelines

When this skill is active:

Present findings in order of severity and confidence
Always provide specific event IDs and timestamps
Recommend concrete remediation steps for each finding
Distinguish between confirmed threats and suspicious activity requiring further investigation

Threat Hunt

Popularity

Invocation

Context Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

Threat Hunt

Popularity

Invocation

Context Preview

SKILL.md

Threat Hunt

Investigation Workflow

1. Establish Timeline

2. Query and Filter

3. Correlate Events

4. Check IOCs

5. Generate Report

MITRE ATT&CK Quick Reference

MITRE Technique to MCP Tool Mapping

Incident Classification

Response Guidelines

Similar Skills

Help us improve

Threat Hunt

Investigation Workflow

1. Establish Timeline

2. Query and Filter

3. Correlate Events

4. Check IOCs

5. Generate Report

MITRE ATT&CK Quick Reference

MITRE Technique to MCP Tool Mapping

Incident Classification

Response Guidelines