hunt-analytics-generation

otrf/hunt-analytics-generation

Security

4,472

2 installs

About

SKILL.md

hunt-analytics-generation

otrf/hunt-analytics-generation

Security

4,472

2 installs

About

Generate query-agnostic analytics that model adversary behavior by translating hunt investigative intent into analytic definitions grounded in schema semantics...

SKILL.md

Generating Analytics

This skill translates hunt investigative intent into a small set of analytics that describe how adversary behavior should manifest in data.

It is executed during hunt planning, after sufficient context has been established, and before queries are executed or detections are validated.

This skill focuses on behavior modeling, not determining what is suspicious or anomalous, which requires broader environmental context beyond adversary descriptions or schema inspection.

Workflow

You MUST complete each step in order and MUST NOT proceed until the current step is complete.
You MUST NOT read reference documents unless the current step explicitly instructs you to do so.
You MUST NOT execute queries or validate results in this skill.
You MUST NOT introduce new research about system internals or adversary tradecraft.
You MAY retrieve table schemas using platform tools when explicitly instructed.

Step 1: Interpret and Normalize Input

Establish the context required to generate analytics.

Use the available inputs, which may include:
- System internals context
- Adversary tradecraft context
- The structured hunt hypothesis
- Suggested or identified data sources
Confirm the specific adversary behavior to be modeled.
If critical context is missing, request minimal clarification before proceeding.

This step is complete when the behavior to be modeled is clearly understood. Do NOT read reference documents during this step.

Step 2: Generate Analytic Candidates (repeat up to 5 times)

For each analytic candidate:

Select the most relevant data source or sources from the available list.
Use MS Sentinel.search_tables to retrieve schema details for the selected tables.
Review schemas to understand available fields and attributes.
Identify the key entities involved (e.g., process, user, host, registry key, IP).
Model the behavior as relationships or sequences between entities, using a graph-like view to represent how the activity unfolds and the conditions that matter.
Ground the logic by mapping entities and conditions to schema fields.
Capture a query-style representation, using SQL-like logic, that expresses analytic intent without execution.

Do NOT determine whether the behavior is suspicious or anomalous. Do NOT write executable queries. Do NOT read reference documents during this step.

Step 3: Produce Analytics Summary

Produce a final summary of the generated analytics.

Structure the output using references/analytic-template.md.
Repeat the template for each analytic.
Clearly separate:
- Behavioral reasoning
- Schema grounding
- Query-style representation

Do NOT include execution logic, thresholds, or validation steps.

About

SKILL.md

About

Generate query-agnostic analytics that model adversary behavior by translating hunt investigative intent into analytic definitions grounded in schema semantics...

SKILL.md

Generating Analytics

This skill translates hunt investigative intent into a small set of analytics that describe how adversary behavior should manifest in data.

It is executed during hunt planning, after sufficient context has been established, and before queries are executed or detections are validated.

This skill focuses on behavior modeling, not determining what is suspicious or anomalous, which requires broader environmental context beyond adversary descriptions or schema inspection.

Workflow

You MUST complete each step in order and MUST NOT proceed until the current step is complete.
You MUST NOT read reference documents unless the current step explicitly instructs you to do so.
You MUST NOT execute queries or validate results in this skill.
You MUST NOT introduce new research about system internals or adversary tradecraft.
You MAY retrieve table schemas using platform tools when explicitly instructed.

Step 1: Interpret and Normalize Input

Establish the context required to generate analytics.

Use the available inputs, which may include:
- System internals context
- Adversary tradecraft context
- The structured hunt hypothesis
- Suggested or identified data sources
Confirm the specific adversary behavior to be modeled.
If critical context is missing, request minimal clarification before proceeding.

This step is complete when the behavior to be modeled is clearly understood. Do NOT read reference documents during this step.

Step 2: Generate Analytic Candidates (repeat up to 5 times)

For each analytic candidate:

Select the most relevant data source or sources from the available list.
Use MS Sentinel.search_tables to retrieve schema details for the selected tables.
Review schemas to understand available fields and attributes.
Identify the key entities involved (e.g., process, user, host, registry key, IP).
Model the behavior as relationships or sequences between entities, using a graph-like view to represent how the activity unfolds and the conditions that matter.
Ground the logic by mapping entities and conditions to schema fields.
Capture a query-style representation, using SQL-like logic, that expresses analytic intent without execution.

Do NOT determine whether the behavior is suspicious or anomalous. Do NOT write executable queries. Do NOT read reference documents during this step.

Step 3: Produce Analytics Summary

Produce a final summary of the generated analytics.

Structure the output using references/analytic-template.md.
Repeat the template for each analytic.
Clearly separate:
- Behavioral reasoning
- Schema grounding
- Query-style representation

Do NOT include execution logic, thresholds, or validation steps.