Agentic Threat Hunting, Part 2: Starting a Hunt Repo
The first trick to scaling hunting? Give your AI a treat: a repo.
In Part 1, we argued that threat hunting will not scale if it is just human brains chasing anomalies while adversaries automate everything. Agentic systems flip that script.
But let’s be clear about what “agentic” really means. An assistant gives you a one-off answer: a query, a regex, a quick summary. An agent takes a task, breaks it into steps, executes those steps, and learns from the outcome. It adapts. It improves.
The catch: agents only get better if they have memory. If all your hunts live in Slack threads, emails, or someone’s head, there is nothing for an AI to build on. That is not agentic.
The most practical first step is not wiring AI into Splunk. It is giving it a foundation to learn from. One option to start is to put your hunts into a GitHub repository. We chatted about this on September’s Ask-A-Thrunt3r. If you want to hear more, check it out!
Step 1: Treat Hunts Like Code
A hunt starts with a hypothesis (and my all-time favorite one at that - chef’s kiss):
Adversaries are using base64-encoded PowerShell commands to evade detection on Windows servers.
Capture it in a markdown file, not in a chat message. Add the SPL you ran, the results you found, and the notes you took. Now you have a record you can search, fork, and improve.
Step 2: Pick a Simple Structure
Start with a markdown template. Something like this works:
# Hunt: Encoded PowerShell
**Hypothesis**
Adversaries are using base64-encoded PowerShell commands to evade detection on Windows servers.
**Query**
index=winlogs EventCode=4688 process_name=”powershell.exe”
| regex CommandLine=”(?i)([A-Za-z0-9+/]{20,}={0,2})”
| stats count by user, host
| where count > 5
**Results**
- 3 hosts matched
- 1 domain admin account
- Spike after midnight
**Notes**
- Service account noise was excluded
- Next step: correlate with outbound traffic
Keep it simple. The point is not perfect formatting. The point is making your thinking explicit and repeatable.
Step 3: Use GitHub for Versioning
Put your hunts in a GitHub repo (probably private). This gives you:
Version control: Every edit is tracked
Collaboration: Teammates can fork, merge, and review
Searchability: You can grep across all your past hunts
Integration: AI systems can read structured markdown far easier than Slack exports
Here is a sample repo layout to get you started:
hunt-repo/
├── README.md # Overview of what this repo is and how to use it
├── AGENTS.md # AI context and guardrails (see Step 4)
├── templates/
│ └── hunt-template.md # Standard template for documenting hunts
├── hunts/
│ ├── windows/
│ │ └── encoded-powershell.md
│ ├── identity/
│ │ └── suspicious-service-logins.md
│ └── network/
│ └── unusual-dns-queries.md
├── archive/
│ └── deprecated-hunts.md # Old hunts kept for reference
└── docs/
└── contributing.md # Guidelines for adding hunts and reviews
This structure makes hunts easy to add, search, and maintain. It also sets you up for the next step: pairing with AI.
Step 4: Pick an AI Bestie
Before you start throwing context files around, you need to pick the bestie you want whispering in your repo. When we say “AI tool,” we mean coding assistants that can read files and help you work with tools like Claude, Cursor, GitHub Copilot, or Gemini.
Think of them as autocomplete, but for hunts. They won’t run your queries for you (unless you let them…that’s for another time), but they can:
Suggest query variants
Fill in hunt templates
Map your notes to MITRE ATT&CK
Summarize trends across hunts
You don’t need to marry one forever. Pick the one your organization approves. The repo structure will work no matter what you choose.
Step 5: Add AGENTS.md (Not Ten Other Files)
Different AI tools all want their own homework: CLAUDE.md, .cursorrules, copilot-instructions.md, GEMINI.md. Forget that noise. Drop an AGENTS.md in your repo and you’ve got one file to rule them all. Think of it like a README, but for machines.
Some tools (Claude, Cursor, Copilot, Gemini) still look for their “special” file. No problem - just symlink it:
ln -s AGENTS.md CLAUDE.md
ln -s AGENTS.md .cursorrules
ln -s AGENTS.md .github/copilot-instructions.md
ln -s AGENTS.md GEMINI.mdNow you’re universal: one context file, everyone happy.
Here’s a short version you can actually use:
# AGENTS.md – Context for AI Assistants
## Purpose
This repo holds threat hunting hypotheses, Splunk queries, and outcomes.
AI assistants use this context to:
- Suggest new hunts
- Optimize queries
- Identify detection gaps
- Map coverage to MITRE ATT&CK
- Support the PEAK threat hunting workflow
## Framework
We use **PEAK (Prepare, Execute, Act with Knowledge)** to structure hunts:
- **Prepare:** Write a clear hypothesis using ABLE (Actor, Behavior, Location, Evidence)
- **Execute:** Build and refine SPL queries against available data sources
- **Act:** Document findings, recommend detections or controls
- **Knowledge:** Archive hunts and lessons learned for reuse
## Data Sources
- `winlogs` - Windows Event Logs (4688, 4624, 7045…)
- `proxy` - Zscaler web proxy logs
- `edr` - CrowdStrike Falcon telemetry
- `netflow` - 5-min aggregated network flow data
- `dns` - Passive DNS (Infoblox)
- Lookups: `assets.csv` (criticality), `privileged_accounts.csv`, `threat_intel.csv`
## Query Standards
- Always add `earliest=` / `latest=` filters
- Prefer `tstats` over raw searches for performance
- No `index=*` unless absolutely scoped
## Hunt Priorities
- Credential Access (lsass dumps, DCSync, mimikatz)
- Lateral Movement (RDP, SMB, WinRM to unusual hosts)
- Command & Control (beaconing, DNS tunneling, odd ports)
- Data Exfiltration (large transfers, cloud storage uploads)
## Guardrails
- AI drafts, humans run
- Test all queries in `index=test` before production
- Pull requests + peer review required
- All escalations follow standard IR workflowsStep 6: Pair With AI Effectively
With AGENTS.md in place, you can ask your assistant for cool stuff:
Generate new hunt ideas based on your existing repo.
Suggest Splunk query variants when you add a new hypothesis.
Summarize your hunt history into trends: “What behaviors do we hunt most often? Which gaps remain?”
This is how you move from assistant mode to agentic. The repo is your agent’s training data.
Just keep tasks small. AI is great at “polish this query,” not “replace my SOC.”
Step 7: Guardrails So Your AI Doesn’t Go Feral
Regardless of which AI tool you use, maintain these guardrails:
AI drafts, humans run: Never let AI execute queries directly in production
Repo is reviewed like code: Use pull requests and peer review
Escalations follow IR workflows: Maintain your existing incident response processes
Test in dev first: Validate all queries in non-production environments
Version everything: Track which AI suggestions were accepted or rejected
Modern AI platforms are increasingly sophisticated at recognizing patterns and declining potentially harmful requests when given proper context. Your context files and review processes are part of this safety framework.
Step 8: Iterate on Your Agent Instructions
Your AGENTS.md file should evolve organically as you work. Update it when you discover new patterns, establish new conventions, or identify common pitfalls. Think of it as living documentation that grows more valuable over time. Consider adding:
Common false positive patterns to avoid
Links to internal wikis or runbooks
Approved data sources and their refresh schedules
Team-specific abbreviations and terminology
Examples of exemplary hunt documentation
PRO TIP: Nested AGENTS.md files in subdirectories for complex repos!!
Why This Matters
Agentic hunting is not about plugging AI straight into your SIEM. It is about building a system that learns from you. A GitHub repo full of hunts with proper context and guardrails is the first memory your agent can use to start acting like an agent, breaking tasks into steps, learning from feedback, and improving over time.
Without that memory and the context, every hunt is one-off. With it, every hunt becomes fuel for your future agents.
Final Thought
The first step toward agentic hunting is not automation everywhere. It is creating the memory and guardrails that your agents will learn from.
Start with one hypothesis. Document it in markdown. Add your AGENTS.md file to guide AI assistants. Commit it to a repo. From there, every hunt becomes part of a system that can finally scale.
Want to dive deeper? Check out:
AGENTS.md Standard - The open format for AI coding agents
Happy thrunting!
Thanks a lot for your work and point of view, its make me think a lot!!!
Just curious...Why talk only from Splunk in terms of SIEM?