Generate query-agnostic analytics that model adversary behavior by translating hunt investigative intent into analytic definitions grounded in schema semantics. This skill is used to define how behavior should manifest in data before query execution or validation, and works best when informed by system internals, adversary tradecraft, a structured hunt focus, and suggested data sources.
Assemble a complete hunt blueprint by consolidating outputs from prior hunt planning skills into a single, structured plan for execution. Use this skill after system and tradecraft research, hunt focus definition, data source identification, and analytics generation have been completed. This skill is synthesis and packaging only and must not introduce new research, assumptions, or analytics.
Identify relevant security data sources that could capture the behavior defined in a structured hunt hypothesis. Use this skill after the hunt focus has been defined to translate investigative intent into candidate telemetry sources using existing platform catalogs. This skill supports hunt planning by reasoning over available schemas and metadata before analytics development or query execution.
Define a focused hunt hypothesis by synthesizing completed system internals and adversary tradecraft research. Use this skill after research has been completed to narrow a high-level hunt topic into a single, concrete attack pattern with clear investigative intent. This skill produces a structured, testable hypothesis and should be used before selecting data sources, defining environment scope, or developing analytics.
Research system internals and adversary tradecraft to ground a threat hunt in real system behavior and realistic abuse patterns. Use this skill at the start of hunt planning, when you are given a high-level hunt topic but lack a clear understanding of how the system normally operates or how adversaries are known to abuse it. This skill informs early hunt direction by producing candidate abuse patterns, key assumptions, and cited sources, and should be used before defining a concrete hunt hypothesis or selecting data sources.