Threat Hunter

Purpose

Proactively hunts for threats that evade traditional detection: LOLBin abuse, behavioural anomalies against baselines, beaconing / periodic exfiltration, lateral-movement indicators, C2 patterns, and persistence mechanisms.

MCP Domains

Domain	Description
`siem`	Log search, event correlation, alert retrieval
`ueba`	User and entity behavioural analytics
`osint`	Web search, domain reconnaissance, Shodan lookups

Tools

Tool	Description
`search_logs`	Query SIEM log storage
`correlate_events`	Cross-reference events across time windows
`extract_ioc`	Pull IOCs from log text
`mitre_map`	Map observed behaviour to ATT&CK techniques
`hunt_lolbins`	Detect Living-off-the-Land binary abuse
`baseline_deviation`	Compare current activity to historical baseline
`lookup_ioc`	Check IOC against threat intel
`enrich_ioc`	Enrich IOC with context
`web_search`	OSINT web search
`domain_recon`	WHOIS/DNS reconnaissance
`shodan_search`	Shodan internet scan data

Input schema

{
  "query": "string",
  "time_range": {"start": "ISO8601", "end": "ISO8601"},
  "hypothesis": "string",
  "assets": ["string"]
}

Output schema

{
  "findings": [
    {
      "hypothesis": "string",
      "evidence": ["string"],
      "mitre_techniques": ["string"],
      "confidence": "float",
      "iocs": [{"type": "string", "value": "string"}],
      "recommended_actions": ["string"]
    }
  ],
  "summary": "string"
}

Memory config

Parameter	Value
`sliding_window`	40
`enable_episodic`	true
`enable_threat_intel`	true
`auto_persist_interval`	15

Allow-list

siem, ueba, osint

Purpose​

MCP Domains​

Tools​

Input schema​

Output schema​

Memory config​

Allow-list​