Can I use this for real-time alerting?

While this skill helps develop detection rules, its primary focus is proactive, hypothesis-driven threat hunting rather than managing real-time alert queues.

How does it integrate with the MITRE ATT&CK framework?

The skill includes logic to map specific hunting queries to ATT&CK techniques, helping SOC teams identify and fill coverage gaps within their security stack.

What is the difference between KQL and EQL in this skill?

KQL (Kibana Query Language) is used for high-speed filtering and searching of logs, while EQL (Event Query Language) is specifically designed for sequence-based detection to identify multi-step attack patterns.

Does this skill work with any data source?

This skill works best with data normalized to the Elastic Common Schema (ECS), typically ingested via Elastic Agent, Winlogbeat, Filebeat, or Packetbeat.

Elastic SIEM Threat Hunting

Name: Elastic SIEM Threat Hunting
Author: mukul975

bymukul975

•

4,120

•

Security & Testing

Performs proactive threat hunting and investigation within Elastic Security SIEM using advanced KQL and EQL queries.

This skill empowers security analysts to move beyond reactive alerting by performing hypothesis-driven investigations across Elastic telemetry. It provides structured workflows for identifying evasive threats such as Living-off-the-Land binary (LOLBin) abuse, credential dumping, and lateral movement. By leveraging the Elastic Common Schema (ECS), the skill assists in building sequence-aware detections, managing collaborative investigation timelines in Kibana, and converting successful hunts into permanent detection rules.

Key Features

01Sequence-based attack detection using Event Query Language (EQL)

02Proactive KQL/EQL query generation for rapid threat identification

03Structured investigation workflows using Kibana Security Timelines

04MITRE ATT&CK technique mapping for comprehensive coverage validation

054,120 GitHub stars

06Automated conversion of hunt findings into Elastic detection rules

Use Cases

01Detecting lateral movement and credential dumping sequences across endpoint telemetry

02Investigating suspicious Living-off-the-Land Binary (LOLBin) executions and command-line arguments

03Validating security posture against new threat intelligence reports and TTPs

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-threat-hunting-with-elastic-siem

For use in Claude.ai and ChatGPT

Key Features

01Sequence-based attack detection using Event Query Language (EQL)

02Proactive KQL/EQL query generation for rapid threat identification

03Structured investigation workflows using Kibana Security Timelines

04MITRE ATT&CK technique mapping for comprehensive coverage validation

054,120 GitHub stars

06Automated conversion of hunt findings into Elastic detection rules

Use Cases

01Detecting lateral movement and credential dumping sequences across endpoint telemetry

02Investigating suspicious Living-off-the-Land Binary (LOLBin) executions and command-line arguments

03Validating security posture against new threat intelligence reports and TTPs

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-threat-hunting-with-elastic-siem

For use in Claude.ai and ChatGPT