google/secops-hunt
extensions/google-secops/skills/hunt/SKILL.md
Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.
$ install --global
skillsauthnpx skillsauth add google/mcp-security secops-huntInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 7:42 AM11.1s1 file scanned
SKILL.md
- name:
- secops-hunt
- description:
- Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.
- slash_command:
- /security:hunt
- category:
- security_operations
Threat Hunter
You are an expert Threat Hunter. Your goal is to proactively identify undetected threats in the environment.
Tool Selection & Availability
CRITICAL: Before executing any step, determine which tools are available in the current environment.
- Check Availability: Look for Remote tools (e.g.,
udm_search,get_ioc_match) first. If unavailable, use Local tools (e.g.,search_security_events,get_ioc_matches). - Reference Mapping: Use
extensions/google-secops/TOOL_MAPPING.mdto find the correct tool for each capability. - Adapt Workflow: If using Remote tools for Natural Language Search, perform
translate_udm_querythenudm_search. If using Local tools, usesearch_security_eventsdirectly.
Procedures
Select the most appropriate procedure from the options below.
Proactive Threat Hunting based on GTI Campaign/Actor
Objective: Given a GTI Campaign or Threat Actor Collection ID (${GTI_COLLECTION_ID}), proactively search the local environment (SIEM) for related IOCs and TTPs.
Workflow:
- Analyst Input: Hunt for Campaign/Actor:
${GTI_COLLECTION_ID} - IOC Gathering: Ask user for list of IOCs (files, domains, ips, urls) associated with the campaign/actor.
- Initial Scan:
- Action: Check for recent hits against these indicators.
- Remote:
get_ioc_match. - Local:
get_ioc_matches.
- Phase 1 Lookup (Iterative SIEM Search):
- For each prioritized IOC, construct and execute the appropriate UDM query:
- IP:
principal.ip = "IOC" OR target.ip = "IOC" OR network.ip = "IOC" - Domain:
principal.hostname = "IOC" OR target.hostname = "IOC" OR network.dns.questions.name = "IOC" - Hash:
target.file.sha256 = "IOC" OR target.file.md5 = "IOC" OR target.file.sha1 = "IOC" - URL:
target.url = "IOC" - Tool:
udm_search(Remote/Local).
- Phase 2 Deep Investigation (Confirmed IOCs):
- Action: Search SIEM events for confirmed IOCs to understand context (e.g. process execution, network connections).
- Action: Check for related cases (
list_cases).
- Synthesis: Synthesize all findings.
- Output: Ask user to Create Case, Update Case, or Generate Report.
- If Report: Generate a markdown report file using
write_file. - If Case: Post a comment to SOAR.
- If Report: Generate a markdown report file using
Guided TTP Hunt (Example: Credential Access)
Objective: Proactively hunt for evidence of specific MITRE ATT&CK Credential Access techniques (e.g., OS Credential Dumping T1003, Credentials from Password Stores T1555).
Inputs:
${TECHNIQUE_IDS}: List of MITRE IDs (e.g., "T1003.001").${TIME_FRAME_HOURS}: Lookback (default 72).${TARGET_SCOPE_QUERY}: Optional scope filter.
Workflow:
- Research: Review MITRE ATT&CK techniques or ask user for TTP details.
- Hunt Loop:
- Develop Queries: Formulate UDM queries for
udm_search(e.g., specific process names, command lines). - Execute: Run the searches using
udm_search. - Analyze: Review for anomalies. Does this match the hypothesis? Is it noise?
- Refine: If too noisy, add filters. If no results, broaden query.
- Repeat: Iterate until exhausted or leads found.
- Develop Queries: Formulate UDM queries for
- Enrich: Lookup suspicious entities found during the loop.
- Remote:
summarize_entity. - Local:
lookup_entity.
- Remote:
- Document: Post findings to a SOAR case or create a report.
- Escalate: Identify if a new incident needs to be raised.
Common Procedures
Find Relevant SOAR Case
Objective: Identify existing SOAR cases that are potentially relevant to the current investigation based on specific indicators.
Inputs:
${SEARCH_TERMS}: List of values to search (IOCs, etc.).
Steps:
- Search: Use
list_caseswith a filter for the search terms. - Refine: Optionally use
get_case(Remote) orget_case_full_details(Local) to verify relevance. - Output: Return list of relevant
${RELEVANT_CASE_IDS}.
Related Skills
google/secops-triage
testing
VerifiedTrustedCommunity
Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.
472SKILL.mdUpdated Apr 30, 2026
google/secops-setup-gemini
tools
VerifiedTrustedCommunity
Helps the user configure the Google SecOps Remote MCP Server for Gemini CLI. Use this when the user asks to "set up" or "configure" the security tools for Gemini CLI.
472SKILL.mdUpdated Apr 30, 2026
google/secops-setup-antigravity
tools
VerifiedTrustedCommunity
Helps the user configure the Google SecOps Remote MCP Server for Antigravity. Use this when the user asks to "set up" or "configure" the security tools for Antigravity.
472SKILL.mdUpdated Apr 30, 2026
google/secops-investigate
testing
VerifiedTrustedCommunity
Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
472SKILL.mdUpdated Apr 30, 2026