‹ 首页

hunt-new-case

@backbay-labs · 收录于 1 周前

Initialize a threat hunting case from a signal, detection, intel lead, or analyst suspicion

适合你,如果需要在安全运营中快速创建并跟踪威胁狩猎案件

/ 下载安装
hunt-new-case.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add backbay-labs/thrunt-god/hunt-new-case
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- backbay-labs/thrunt-god/hunt-new-case
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify backbay-labs/thrunt-god/hunt-new-case
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
34GitHub stars
~739上下文体积 · 单文件
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 1e21b3d

<context> Flags:

  • --auto - Use the supplied signal brief as the starting point and ask only for missing critical facts.
  • --pack <id> - Bootstrap the case from a built-in or local hunt pack. Use thrunt-tools pack bootstrap <id> to inspect the generated mission, hypothesis, and phase seed content.

</context>

<objective> Initialize a threat hunting case.

These hunt-native artifacts are the source of truth for the case.

Creates:

  • .planning/config.json
  • .planning/MISSION.md
  • .planning/HYPOTHESES.md
  • .planning/SUCCESS_CRITERIA.md
  • .planning/HUNTMAP.md
  • .planning/STATE.md
  • .planning/QUERIES/
  • .planning/RECEIPTS/

Bootstrap should only scaffold the case. Do not seed sample queries, sample receipts, or completed phases. Unknown scope details, data sources, operators, and constraints must remain TBD unless the operator confirms them. Confirmed bootstrap facts such as the case name, mode, opened date, and initial phase/status must be filled immediately.

After this command: Run /hunt-shape-hypothesis or /hunt-plan 1. </objective>

<execution_context> @.github/thrunt-god/workflows/hunt-bootstrap.md @.github/thrunt-god/templates/config.json @.github/thrunt-god/templates/mission.md @.github/thrunt-god/templates/hypotheses.md @.github/thrunt-god/templates/success-criteria.md @.github/thrunt-god/templates/huntmap.md @.github/thrunt-god/templates/hunt-state.md </execution_context>

<process> Execute the bootstrap workflow from @.github/thrunt-god/workflows/hunt-bootstrap.md in case mode. Focus on turning the input signal into a scoped case with explicit hypotheses, data sources, and evidence requirements. When --pack <id> is present, use the pack bootstrap output as the default case skeleton and ask only for the missing pack parameters or signal-specific overrides. Create .planning/QUERIES/ and .planning/RECEIPTS/ as empty directories only. Do not load query-log or receipt templates during bootstrap; those belong to /hunt-run after real execution begins. Default behavior is scaffold-first: write confirmed facts only and leave unknown values as TBD instead of inventing sample content. Create .planning/config.json during bootstrap if it does not already exist so runtime, settings, and connector commands are immediately usable. Never hand-write .planning/config.json; use thrunt-tools config-new-program and thrunt-tools config-set so the file stays valid THRUNT config. Use built-in connector ids exactly as the runtime registers them, for example splunk and elastic; do not substitute elasticsearch. When writing connector profiles, use base_url for the runtime URL field; do not invent or substitute endpoint. Only configure connector profiles when auth type and secret ref names are confirmed. Never invent placeholder env vars or placeholder secrets for blocked connectors. When writing secret_refs, each confirmed secret must use the THRUNT object shape { "type": "env", "value": "ENV_VAR_NAME" } rather than a raw string. Keep connector narrative, status notes, and access commentary in ENVIRONMENT.md, not in ad hoc config keys. Do not leave bootstrap-known fields as TBD after writing the files. Write the hunt artifacts directly. </process>

按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。