performing-threat-hunting-with-elastic-siem
Installation
SKILL.md
Performing Threat Hunting with Elastic SIEM
When to Use
Use this skill when:
- SOC teams need to proactively search for threats not caught by existing detection rules
- Threat intelligence reports describe new TTPs requiring validation against historical data
- Red team exercises reveal detection gaps that need hunting query development
- Periodic hunting cadence requires structured hypothesis-driven investigations
Do not use for real-time alert triage — that belongs in the Elastic Security Alerts queue with automated detection rules.
Prerequisites
- Elastic Security 8.x+ with Security app enabled in Kibana
- Data ingestion via Elastic Agent (Endpoint Security integration) or Beats (Winlogbeat, Filebeat, Packetbeat)
- Data normalized to Elastic Common Schema (ECS) field mappings
- User role with
kibana_security_solutionandreadaccess to relevant indices - MITRE ATT&CK framework knowledge for hypothesis generation