
Advanced Multi-Platform Threat Hunting Query Generator

Transform raw threat intelligence and MITRE ATT&CK techniques into optimized, production-ready hunting queries for any SIEM platform.

Tags: #query-builder #threat-hunting #siem #cybersecurity #detection-engineering

Created by PromptLib Team
Published February 11, 2026
2,910 copies
4.1 rating

You are an Expert Threat Hunting Engineer and Detection Architect with specialized knowledge in [SIEM_PLATFORM] query syntax, performance optimization, and adversary TTPs.

**OBJECTIVE:** 
Generate a comprehensive threat hunting query package for the following scenario: [THREAT_SCENARIO]

**OPERATIONAL CONTEXT:**
- Target Platform: [SIEM_PLATFORM]
- Available Log Sources: [DATA_SOURCES]
- Relevant IOCs/IOAs: [IOCS]
- MITRE ATT&CK Techniques: [MITRE_TECHNIQUES]
- Environment Type: [ENVIRONMENT_CONTEXT]
- Analysis Timeframe: [TIME_RANGE]

**DELIVERABLES (Structured Response):**

1. **HYPOTHESIS FORMULATION**
   - State the core hunting hypothesis based on the threat scenario
   - Identify expected attacker behaviors and telemetry gaps

2. **QUERY ARSENAL (3-Tier Approach)**
   
   *Tier 1: Broad Sweep (High Volume, Low Confidence)*
   - Purpose: Identify anomalous patterns worthy of deeper investigation
   - Query: [Platform-optimized syntax with comments]
   - Expected False Positive Rate: [Low/Medium/High]
   - Performance Notes
   
   *Tier 2: Behavioral Focus (Medium Volume, Medium Confidence)*
   - Purpose: Detect specific TTPs from MITRE [MITRE_TECHNIQUES]
   - Query: [Focused behavioral logic with correlation]
   - Logic Explanation: Why these specific events/fields
   
   *Tier 3: Targeted IOC Match (Low Volume, High Confidence)*
   - Purpose: Known-bad detection using [IOCS]
   - Query: [High-fidelity match syntax]
   - Immediate Escalation Criteria

3. **PLATFORM-SPECIFIC OPTIMIZATION**
   - Indexing strategy recommendations for [SIEM_PLATFORM]
   - Macro/lookup suggestions for operational efficiency
   - Field extraction requirements
   - Time-bound filtering best practices

4. **INVESTIGATION PLAYBOOK**
   - For each positive hit, provide:
     - Key pivot fields for lateral movement tracking
     - Parent/child process investigation steps
     - Temporal correlation suggestions
     - Benign scenario explanations (FP guidance)

5. **DETECTION GAP ANALYSIS**
   - Identify blind spots this query set cannot cover
   - Additional data sources required for complete visibility
   - Alternative hunting hypotheses if primary approach fails

**CONSTRAINTS:**
- Optimize all queries for [TIME_RANGE] execution performance
- Use standard [DATA_SOURCES] field mappings; note where custom extractions are needed
- Prioritize detection of [THREAT_SCENARIO] over generic signature-based detection
- Account for [ENVIRONMENT_CONTEXT] baseline noise levels

**OUTPUT FORMATTING:**
Use markdown code blocks for queries. Specify exact field names as they appear in [SIEM_PLATFORM]. Include inline comments explaining complex logic or regex patterns.
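As an added illustration (not part of the PromptLib template and not code from the page), the following Python script implements the three query tiers and the investigation pivots the template asks for, over a handful of constructed process-creation events. The field names (`parent_image`, `image`, `sha256`), host and user names, the IOC list and the hash strings are all assumed placeholders; on a real SIEM the same logic would be written in that platform's query language (SPL, KQL, and so on), but the shape of each tier is the same.

```python
"""Three-tier hunting logic over constructed process-creation telemetry.

Added example, not from the PromptLib page. Tier 1 is a frequency-based
broad sweep, Tier 2 a behavioral (parent/child) rule, Tier 3 an exact IOC
match, followed by the pivot fields an investigation playbook would use.
All hosts, users, hashes and the IOC set below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are assumptions)."""
    ts: int            # seconds since epoch, constructed
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str
    sha256: str


# Constructed sample telemetry; none of these hashes or names are real IOCs.
EVENTS = [
    ProcEvent(1000, "WS01", "alice", "explorer.exe", "outlook.exe", "outlook.exe", "h-outlook"),
    ProcEvent(1001, "WS01", "alice", "explorer.exe", "chrome.exe", "chrome.exe", "h-chrome"),
    ProcEvent(1002, "WS02", "bob", "explorer.exe", "chrome.exe", "chrome.exe", "h-chrome"),
    ProcEvent(1003, "WS03", "carol", "explorer.exe", "chrome.exe", "chrome.exe", "h-chrome"),
    ProcEvent(1004, "WS02", "bob", "explorer.exe", "winword.exe", "winword.exe /n", "h-word"),
    # behavioral signal: an Office application launching a command interpreter
    ProcEvent(1005, "WS02", "bob", "winword.exe", "cmd.exe", "cmd.exe /c dir", "h-cmd"),
    # rare parent/child pair seen on one host; also carries a constructed known-bad hash
    ProcEvent(1006, "WS03", "carol", "svchost.exe", "updater.exe", "updater.exe --quiet", "h-bad-0001"),
    ProcEvent(1007, "WS01", "alice", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", "h-svchost"),
]

# Tier 3 input: constructed IOC set (placeholder values, not real indicators)
IOCS = {"sha256": {"h-bad-0001"}, "domain": {"bad-domain.invalid"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def tier1_broad_sweep(events, max_hosts=1):
    """Broad sweep: parent->child pairs observed on at most `max_hosts` hosts.

    High volume, low confidence: it surfaces anything unusual, benign or not,
    so its output is a triage feed rather than an alert.
    """
    hosts_per_pair = defaultdict(set)
    for e in events:
        hosts_per_pair[(e.parent_image, e.image)].add(e.host)
    rare = {pair for pair, hosts in hosts_per_pair.items() if len(hosts) <= max_hosts}
    return [e for e in events if (e.parent_image, e.image) in rare]


def tier2_behavioral(events):
    """Behavioral focus: an Office application spawning a command interpreter.

    Medium confidence: it matches a technique, not a specific indicator, so a
    macro-heavy department can still produce benign hits.
    """
    return [e for e in events
            if e.parent_image.lower() in OFFICE_APPS and e.image.lower() in INTERPRETERS]


def tier3_ioc_match(events, iocs):
    """Targeted IOC match on file hash or a known-bad domain in the command line.

    Low volume, high confidence: any hit meets the immediate-escalation bar.
    """
    return [e for e in events
            if e.sha256 in iocs["sha256"] or any(d in e.cmdline for d in iocs["domain"])]


def pivots(event, events, window=60):
    """Investigation pivots for one hit: same-host activity within `window`
    seconds (process-tree and temporal correlation) and other hosts where the
    same user or the same binary hash appears (lateral-movement tracking)."""
    same_host = [e for e in events
                 if e.host == event.host and e != event and abs(e.ts - event.ts) <= window]
    user_seen_on = sorted({e.host for e in events if e.user == event.user and e.host != event.host})
    hash_seen_on = sorted({e.host for e in events if e.sha256 == event.sha256 and e.host != event.host})
    return {"same_host_window": same_host, "user_seen_on": user_seen_on, "hash_seen_on": hash_seen_on}


def run_hunt(events, iocs):
    """Package the three tiers with the confidence label the template asks for."""
    return {
        "tier1": {"confidence": "low", "hits": tier1_broad_sweep(events)},
        "tier2": {"confidence": "medium", "hits": tier2_behavioral(events)},
        "tier3": {"confidence": "high", "hits": tier3_ioc_match(events, iocs)},
    }


if __name__ == "__main__":
    for tier, result in run_hunt(EVENTS, IOCS).items():
        print(f"{tier} ({result['confidence']} confidence): {len(result['hits'])} hit(s)")
        for hit in result["hits"]:
            print("   ", hit.ts, hit.host, hit.user, hit.parent_image, "->", hit.image)
            for key, value in pivots(hit, EVENTS).items():
                print("       ", key, ":", value if not isinstance(value, list) or not value
                      or not isinstance(value[0], ProcEvent) else [e.ts for e in value])
```

On this tiny dataset Tier 1 flags five of the eight events, which is the point the template makes about the broad sweep: it is a starting list for deeper investigation, not a detection. Tier 2 reduces that to the single Office-to-interpreter launch and Tier 3 to the one hash match. The gap-analysis deliverable falls out of the same code: Tier 2 is only as good as the parent-process field, so a log source that records `image` without `parent_image` leaves that tier blind, and the `pivots` helper can only follow a user or hash across hosts that actually ship process telemetry.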

Best Use Cases

- Weekly proactive threat hunting campaigns based on emerging APT TTPs and CISA advisories
- Incident response scoping to identify compromise extent and lateral movement across the estate
- Converting vendor threat intelligence reports (Mandiant, CrowdStrike) into actionable detection logic
- Purple team exercises to validate detection coverage against specific MITRE ATT&CK technique simulations
- SIEM migration projects requiring translation of legacy queries into modern platform syntax (e.g., Splunk SPL to KQL)
Estimated time: 12 min
Verified by 67 experts