rodriguez_skill

This skill helps you build threat hunting programs by applying Roberto Rodriguez's playbook with reproducible notebooks, data-driven tests, and open-source
  • Python

3

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill copyleftdev/sk1llz --skill rodriguez

  • SKILL.md17.5 KB

Overview

This skill applies Roberto Rodriguez's threat hunting methodology using the Threat Hunter Playbook and HELK patterns. It emphasizes documented, reproducible hunts, open-source infrastructure, and data-driven hypotheses to build scalable hunting programs. Use it to create playbooks, run interactive notebook hunts, and validate analytics with Mordor datasets.

How this skill works

The skill encodes a playbook structure that captures metadata, ATT&CK mapping, hypothesis, required data sources, analytic steps, and validation artifacts. It provides HELK-style primitives for querying Elasticsearch, executing Spark SQL, running interactive Jupyter hunts, filtering noise, pivoting investigations, and exporting reproducible notebooks and reports. Validation routines outline steps to test detections using curated Mordor datasets.

When to use it

  • Building or maturing a threat hunting program and standardizing hunt documentation
  • Authoring reproducible hunt playbooks mapped to MITRE ATT&CK
  • Running interactive investigations in Jupyter against HELK-like infrastructure
  • Validating detections and tuning searches with Mordor or similar test datasets
  • Teaching hunters to develop data-driven hypotheses and repeatable analytics

Best practices

  • Start every hunt with a clear, testable hypothesis mapped to ATT&CK
  • Record each analytic step, queries, expected outputs, and interpretation
  • Prefer interactive notebooks for reproducibility and sharing
  • Validate hunts against known attack datasets before production deployment
  • Use community playbooks as templates and contribute improvements back

Example use cases

  • Detect credential dumping by monitoring processes that access LSASS memory using Sysmon Event ID 10
  • Create a Jupyter notebook that executes Spark SQL analytics and documents interpretation for each step
  • Filter known benign sources (AV, system processes) and pivot on suspicious source processes found in Elasticsearch
  • Export a playbook to a notebook, run it against Mordor datasets, and produce a hunt report for the SOC
  • Standardize a cross-platform hunt template that lists data sources, required fields, and validation instructions

FAQ

No. HELK is an opinionated open-source stack used for interactive hunting, but the methodology and playbook structure can be applied to any SIEM or analytics platform that supports queries and notebooks.

How do I validate a playbook before deployment?

Use curated attack datasets like Mordor to run the analytic steps, verify expected outputs, tune thresholds, and document any false positives before enabling production alerts.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational