Advanced Multi-Platform Threat Hunting Query Generator

Transform raw threat intelligence and MITRE ATT&CK techniques into optimized, production-ready hunting queries for any SIEM platform.

Tags: #query-builder #threat-hunting #siem #cybersecurity #detection-engineering

Created by PromptLib Team

February 11, 2026

2,910 total copies · 4.1 average rating
You are an Expert Threat Hunting Engineer and Detection Architect with specialized knowledge in [SIEM_PLATFORM] query syntax, performance optimization, and adversary TTPs.

**OBJECTIVE:** Generate a comprehensive threat hunting query package for the following scenario: [THREAT_SCENARIO]

**OPERATIONAL CONTEXT:**
- Target Platform: [SIEM_PLATFORM]
- Available Log Sources: [DATA_SOURCES]
- Relevant IOCs/IOAs: [IOCS]
- MITRE ATT&CK Techniques: [MITRE_TECHNIQUES]
- Environment Type: [ENVIRONMENT_CONTEXT]
- Analysis Timeframe: [TIME_RANGE]

**DELIVERABLES (Structured Response):**

1. **HYPOTHESIS FORMULATION**
   - State the core hunting hypothesis based on the threat scenario
   - Identify expected attacker behaviors and telemetry gaps

2. **QUERY ARSENAL (3-Tier Approach)**

   *Tier 1: Broad Sweep (High Volume, Low Confidence)*
   - Purpose: Identify anomalous patterns worthy of deeper investigation
   - Query: [Platform-optimized syntax with comments]
   - Expected False Positive Rate: [Low/Medium/High]
   - Performance Notes

   *Tier 2: Behavioral Focus (Medium Volume, Medium Confidence)*
   - Purpose: Detect specific TTPs from MITRE [MITRE_TECHNIQUES]
   - Query: [Focused behavioral logic with correlation]
   - Logic Explanation: Why these specific events/fields

   *Tier 3: Targeted IOC Match (Low Volume, High Confidence)*
   - Purpose: Known-bad detection using [IOCS]
   - Query: [High-fidelity match syntax]
   - Immediate Escalation Criteria

3. **PLATFORM-SPECIFIC OPTIMIZATION**
   - Indexing strategy recommendations for [SIEM_PLATFORM]
   - Macro/lookup suggestions for operational efficiency
   - Field extraction requirements
   - Time-bound filtering best practices

4. **INVESTIGATION PLAYBOOK**
   - For each positive hit, provide:
     - Key pivot fields for lateral movement tracking
     - Parent/child process investigation steps
     - Temporal correlation suggestions
     - Benign scenario explanations (FP guidance)

5. **DETECTION GAP ANALYSIS**
   - Identify blind spots this query set cannot cover
   - Additional data sources required for complete visibility
   - Alternative hunting hypotheses if primary approach fails

**CONSTRAINTS:**
- Optimize all queries for [TIME_RANGE] execution performance
- Use standard [DATA_SOURCES] field mappings; note if custom extractions needed
- Prioritize detection of [THREAT_SCENARIO] over generic signature-based detection
- Account for [ENVIRONMENT_CONTEXT] baseline noise levels

**OUTPUT FORMATTING:** Use markdown code blocks for queries. Specify exact field names as they appear in [SIEM_PLATFORM]. Include inline comments explaining complex logic or regex patterns.
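As an added example (not part of this prompt page or of any output it generated), here is what the three-tier Query Arsenal looks like for the FAQ's "credential dumping from LSASS" scenario (ATT&CK T1003.001) on Microsoft Defender advanced hunting (KQL). The three tiers are run as three separate queries; the benign-initiator allowlist and the folder-path heuristic in Tier 2 are assumptions to tune per environment, and the Tier 3 hash is a placeholder to fill from [IOCS].

```kql
// Tier 1: Broad Sweep (High Volume, Low Confidence)
// Every process that opened a handle to lsass.exe in [TIME_RANGE],
// ranked so the rarest initiators across the estate surface first.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| summarize Hosts = dcount(DeviceName), Events = count()
    by InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Hosts asc

// Tier 2: Behavioral Focus (Medium Volume, Medium Confidence)
// Same telemetry, minus an explicit allowlist of OS/security processes,
// keeping only initiators launched from outside the standard system and
// program directories. Allowlist and path prefixes are constructed
// assumptions: baseline them against [ENVIRONMENT_CONTEXT] before use.
let benignInitiators = dynamic(["MsMpEng.exe", "csrss.exe", "wininit.exe", "lsass.exe"]);
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (benignInitiators)
| where InitiatingProcessFolderPath !startswith @"C:\Windows\System32\"
    and InitiatingProcessFolderPath !startswith @"C:\Program Files"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessSHA256

// Tier 3: Targeted IOC Match (Low Volume, High Confidence)
// Known-bad binary hashes from the intel report; any hit meets the
// immediate escalation criteria. The value below is a placeholder.
let iocHashes = dynamic(["<SHA256_FROM_INTEL_REPORT>"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in~ (iocHashes)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessCommandLine, SHA256
```

Tier 1 output is the pivot for the Investigation Playbook step: an initiator seen on one host only, from a user-writable path, is the candidate to pull parent/child process history for, while a widely deployed agent seen on every host is the usual benign explanation.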

Best Use Cases

Weekly proactive threat hunting campaigns based on emerging APT TTPs and CISA advisories

Incident response scoping to identify compromise extent and lateral movement across the estate

Converting vendor threat intelligence reports (Mandiant, CrowdStrike) into actionable detection logic

Purple team exercises to validate detection coverage against specific MITRE ATT&CK technique simulations

SIEM migration projects requiring translation of legacy queries into modern platform syntax (e.g., Splunk SPL to KQL)

Frequently Asked Questions

What if I don't know the exact MITRE technique IDs for my threat scenario?

Leave [MITRE_TECHNIQUES] blank or provide a behavioral description (e.g., 'credential dumping from LSASS'). The AI will infer the appropriate MITRE mappings and generate queries targeting the correct telemetry.

Can this generate queries for cloud-native platforms like AWS GuardDuty or GCP Security Command Center?

Yes. Specify platforms like 'AWS CloudTrail (SQL)', 'GCP Chronicle (YARA-L)', or 'Azure Monitor (KQL)' in [SIEM_PLATFORM] and include cloud data sources like CloudTrail, Azure Activity Logs, or Kubernetes audit logs in [DATA_SOURCES].

How do I prevent the generated queries from causing performance issues in my SIEM?

Be specific in [TIME_RANGE] to limit the search window, and detail your indexing strategy in [DATA_SOURCES] (e.g., 'indexed fields: src_ip, user, process_name'). You can also add 'add performance constraints' to your [THREAT_SCENARIO] description.
