From mas-hunt
Use when ingesting forensic evidence into Elasticsearch — EVTX, syslog, connection logs, bash history, and Linux full-visibility artifacts. Knows index mappings, streaming_bulk tuning, and evtx_dump parsing.
Trigger: by the user (slash command) or by Claude (auto-loaded from the summary below).

Slash command: /mas-hunt:es-evidence-ingest

Summary shown in Claude's skill listing (used to decide when to auto-load this skill): Parse and bulk-ingest forensic evidence into Elasticsearch for threat hunting.
Scripts location: ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/, ${CLAUDE_PLUGIN_ROOT}/skills/linux-threat-hunt/scripts/ and ${CLAUDE_PLUGIN_ROOT}/skills/windows-threat-hunt/scripts/

Prerequisites:
- Elasticsearch (http://localhost:9200)
- evtx_dump at ~/.cargo/bin/evtx_dump (install: cargo install evtx)
- uv (the scripts are run with uv run)

| Format | Script | Index Suffix or Pattern |
|---|---|---|
| Windows EVTX | ingest_evtx.py | -winevt |
| Linux syslog | ingest_syslog.py | -syslog |
| Connection logs | ingest_connections.py | -connections |
| Bash history | ingest_bash_history.py | -bash-history |
| Linux full visibility | ingest_linux_full_visibility.py | linux-evidence-* |
| Windows full visibility | ingest_windows_full_visibility.py | windows-evidence-* |
Usage:

```bash
uv run ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/ingest_evtx.py <evtx_file_or_dir> [server_name] [index_name]
uv run ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/ingest_syslog.py [log_dir]
uv run ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/ingest_connections.py <log_file> [index_name]
uv run ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/ingest_bash_history.py [paths...]
uv run ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/create_indices.py
uv run ${CLAUDE_PLUGIN_ROOT}/skills/linux-threat-hunt/scripts/ingest_linux_full_visibility.py --evidence-root <path> --index-prefix linux-evidence
uv run ${CLAUDE_PLUGIN_ROOT}/skills/linux-threat-hunt/scripts/validate_linux_5_layers.py --index-prefix linux-evidence --output <validation-report.json>
uv run ${CLAUDE_PLUGIN_ROOT}/skills/windows-threat-hunt/scripts/ingest_windows_full_visibility.py --evidence-root <path> --index-prefix windows-evidence
uv run ${CLAUDE_PLUGIN_ROOT}/skills/windows-threat-hunt/scripts/validate_windows_5_layers.py --index-prefix windows-evidence --output <validation-report.json>
bash ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/check-elastic.sh
```

Key conventions:
- Index mappings: IP address fields typed as ip, timestamps as date
- Scripts run under uv run (inline dependencies)
- Bulk indexing: streaming_bulk with chunk_size=2000 and raise_on_error=False, so a rejected document is reported instead of aborting the run

Related skills:
- threat-hunt: full hunt methodology (index skill)
- linux-threat-hunt: Linux full-visibility + 5-layer verdict gate
- windows-threat-hunt: Windows full-visibility (Zimmerman coverage + more) + 5-layer verdict gate
- elk-stack-queries: ES query languages (EQL, ES|QL, KQL, DSL)

For detailed field mappings, EVTX parsing, and connection log format, see reference.md.
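The conventions above (typed ip/date mappings, a deterministic document id, and streaming_bulk with chunk_size=2000 and raise_on_error=False) in one runnable script. This is an added example, not mas-hunt's own ingest_evtx.py: the flattened field names, the <server>-winevt index name, the flattened type for EventData, the elasticsearch-py 8.x keyword API and the three sample records (constructed in evtx_dump -o jsonl shape) are all assumptions made for illustration.

```python
"""Added example (not mas-hunt's own ingest_evtx.py): evtx_dump JSONL -> Elasticsearch
bulk actions, shipped with streaming_bulk(chunk_size=2000, raise_on_error=False).
Field names, the <server>-winevt index name and the mapping are illustrative."""
import hashlib
import json
from typing import Iterable, Iterator

# Three records in evtx_dump `-o jsonl` shape, constructed for this example.
SAMPLE_JSONL = r'''
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-Security-Auditing"}},"EventID":4624,"TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T10:15:30.123456Z"}},"EventRecordID":1001,"Computer":"WS01.corp.local","Channel":"Security"},"EventData":{"TargetUserName":"alice","LogonType":10,"IpAddress":"10.0.0.5","IpPort":"0"}}}
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-Security-Auditing"}},"EventID":{"#text":4625,"#attributes":{"Qualifiers":0}},"TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T10:16:02.000000Z"}},"EventRecordID":1002,"Computer":"WS01.corp.local","Channel":"Security"},"EventData":{"TargetUserName":"administrator","LogonType":3,"IpAddress":"203.0.113.7","IpPort":"52233"}}}
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-Security-Auditing"}},"EventID":4688,"TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T10:16:05.500000Z"}},"EventRecordID":1003,"Computer":"WS01.corp.local","Channel":"Security"},"EventData":{"NewProcessName":"C:\\Windows\\System32\\cmd.exe","SubjectUserName":"administrator","IpAddress":"-"}}}
'''.strip()

# Explicit mapping: `ip` enables CIDR queries, `date` enables range/sort, `flattened`
# keyword-indexes every EventData leaf without a field explosion from dynamic mapping.
WINEVT_MAPPINGS = {
    "properties": {
        "@timestamp": {"type": "date"},
        "event_id": {"type": "integer"},
        "record_id": {"type": "long"},
        "computer": {"type": "keyword"},
        "channel": {"type": "keyword"},
        "provider": {"type": "keyword"},
        "source_ip": {"type": "ip"},
        "event_data": {"type": "flattened"},
    }
}


def _scalar(value):
    """evtx_dump renders XML elements that carry attributes as {"#text": v, "#attributes": {...}}."""
    return value.get("#text") if isinstance(value, dict) else value


def parse_evtx_jsonl(lines: Iterable[str]) -> Iterator[dict]:
    """Flatten one JSONL record per line into an ES document. A malformed line raises
    rather than silently dropping evidence."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)["Event"]
        system = event["System"]
        data = {k: _scalar(v) for k, v in (event.get("EventData") or {}).items()}
        doc = {
            "@timestamp": system["TimeCreated"]["#attributes"]["SystemTime"],
            "event_id": int(_scalar(system["EventID"])),
            "record_id": int(_scalar(system["EventRecordID"])),
            "computer": system["Computer"],
            "channel": system["Channel"],
            "provider": system["Provider"]["#attributes"]["Name"],
            "event_data": data,
        }
        # Windows writes "-" when no address applies; an `ip` field rejects that value,
        # so only promote real addresses (the raw value stays in event_data either way).
        ip = data.get("IpAddress")
        if ip and ip != "-":
            doc["source_ip"] = ip
        yield doc


def to_actions(docs: Iterable[dict], index: str) -> Iterator[dict]:
    """Deterministic _id (host|channel|record id) makes re-ingesting the same EVTX idempotent."""
    for doc in docs:
        key = f'{doc["computer"]}|{doc["channel"]}|{doc["record_id"]}'
        yield {"_index": index, "_id": hashlib.sha256(key.encode()).hexdigest()[:32], "_source": doc}


def ingest(client, actions: Iterable[dict], *, chunk_size: int = 2000, bulk=None):
    """Ship actions with streaming_bulk. raise_on_error=False keeps the run going past
    per-document rejections (e.g. a value the `ip` mapping refuses) and returns them
    for review. `bulk` is injectable so the logic can be exercised without a cluster."""
    if bulk is None:
        from elasticsearch.helpers import streaming_bulk as bulk
    indexed, rejected = 0, []
    for ok, item in bulk(client, actions, chunk_size=chunk_size, raise_on_error=False):
        if ok:
            indexed += 1
        else:
            rejected.append(item)
    return indexed, rejected


if __name__ == "__main__":
    import sys
    from elasticsearch import Elasticsearch  # elasticsearch-py 8.x keyword API assumed

    jsonl_path, server = sys.argv[1], sys.argv[2]  # e.g. Security.jsonl WS01
    index = f"{server.lower()}-winevt"
    es = Elasticsearch("http://localhost:9200")
    if not es.indices.exists(index=index):
        es.indices.create(index=index, mappings=WINEVT_MAPPINGS)
    with open(jsonl_path, encoding="utf-8") as fh:
        n_ok, bad = ingest(es, to_actions(parse_evtx_jsonl(fh), index))
    print(f"{n_ok} indexed, {len(bad)} rejected")
```

Produce the input with `evtx_dump -o jsonl Security.evtx > Security.jsonl`, then run the script with the JSONL path and a server name. The rejected list is the thing to look at after a run: with raise_on_error=False a mapping conflict costs you one document rather than the whole batch, but only if someone reads the count.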
Install: npx claudepluginhub pmatheus/mas-hunt --plugin mas-hunt