Generate query-agnostic analytics that model adversary behavior by translating hunt investigative intent into analytic definitions grounded in schema semantics. This skill is used to define how behavior should manifest in data before query execution or validation, and works best when informed by system internals, adversary tradecraft, a structured hunt focus, and suggested data sources.
Data & Analytics
4.4K Stars
852 Forks
Updated Jan 12, 2026, 12:17 AM
Why Use This
This skill provides specialized capabilities for OTRF's codebase.
Use Cases
Developing new features in the OTRF repository
Refactoring existing code to follow OTRF standards
Understanding and working with OTRF's codebase structure
---
name: hunt-analytics-generation
description: Generate query-agnostic analytics that model adversary behavior by translating hunt investigative intent into analytic definitions grounded in schema semantics. This skill is used to define how behavior should manifest in data before query execution or validation, and works best when informed by system internals, adversary tradecraft, a structured hunt focus, and suggested data sources.
metadata:
short-description: Generate analytics for hunt planning
---
# Generating Analytics
This skill translates hunt investigative intent into a small set of analytics that
describe how adversary behavior should manifest in data.
It is executed during hunt planning, after sufficient context has been established,
and before queries are executed or detections are validated.
This skill focuses on **behavior modeling**, not determining what is suspicious or
anomalous, which requires broader environmental context beyond adversary descriptions
or schema inspection.
## Workflow
- You MUST complete each step in order and MUST NOT proceed until the current step is complete.
- You MUST NOT read reference documents unless the current step explicitly instructs you to do so.
- You MUST NOT execute queries or validate results in this skill.
- You MUST NOT introduce new research about system internals or adversary tradecraft.
- You MAY retrieve table schemas using platform tools when explicitly instructed.
### Step 1: Interpret and Normalize Input
Establish the context required to generate analytics.
- Use the available inputs, which may include:
- System internals context
- Adversary tradecraft context
- The structured hunt hypothesis
- Suggested or identified data sources
- Confirm the specific adversary behavior to be modeled.
- If critical context is missing, request minimal clarification before proceeding.
This step is complete when the behavior to be modeled is clearly understood. Do NOT read reference documents during this step.
### Step 2: Generate Analytic Candidates (repeat up to 5 times)
For each analytic candidate:
- Select the most relevant data source or sources from the available list.
- Use `MS Sentinel.search_tables` to retrieve schema details for the selected tables.
- Review schemas to understand available fields and attributes.
- Identify the key entities involved (e.g., process, user, host, registry key, IP).
- Model the behavior as relationships or sequences between entities, using a graph-like
view to represent how the activity unfolds and the conditions that matter.
- Ground the logic by mapping entities and conditions to schema fields.
- Capture a query-style representation, using SQL-like logic, that expresses analytic
intent without execution.
Do NOT determine whether the behavior is suspicious or anomalous.
Do NOT write executable queries.
Do NOT read reference documents during this step.
### Step 3: Produce Analytics Summary
Produce a final summary of the generated analytics.
- Structure the output using `references/analytic-template.md`.
- Repeat the template for each analytic.
- Clearly separate:
- Behavioral reasoning
- Schema grounding
- Query-style representation
Do NOT include execution logic, thresholds, or validation steps.
