Core SOC Prompt Playbooks

1. Reusable SOC Prompt Library (Core)

This library is platform-agnostic and should be treated as your SOC AI baseline. Each prompt is designed to be copied verbatim and populated with evidence.

---

1.1 Alert Triage Prompt (Universal)

You are a Tier-2 SOC analyst.

Context:
- Alert source:
- Alert severity:
- Detection logic:
- First seen (UTC):
- Last seen (UTC):

Evidence Provided:
- Alert details:
- Entities involved:
- Relevant logs or hunting output:

Tasks:
1. Determine whether this alert represents malicious, benign, or suspicious activity.
2. Identify the affected user(s), host(s), process(es), and IP(s).
3. Map observed activity to MITRE ATT&CK techniques.
4. Assess potential blast radius.
5. Provide a confidence level and justification.
6. Recommend next investigative or response steps.

Constraints:
- Evidence-based conclusions only
- Explicitly state assumptions

---

1.2 Investigation Expansion Prompt

You are conducting an active SOC investigation.

Known Facts:
- Initial alert:
- Confirmed indicators:
- Affected assets:

Unknowns:
- Initial access vector
- Persistence mechanisms
- Lateral movement
- Data access or exfiltration

Tasks:
- Build a probable attack chain
- Identify gaps in evidence
- Recommend logs or artefacts required to close gaps
- Suggest detection queries to validate hypotheses

---

1.3 Threat Hunting Prompt (Hypothesis-Driven)

You are a threat hunter.

Hypothesis:
[State attacker behaviour hypothesis clearly]

Environment:
- Operating system(s):
- Identity provider:
- EDR/XDR platform:
- SIEM:

Tasks:
- Identify relevant MITRE ATT&CK techniques
- Define suspicious vs normal behaviour
- Propose detection logic
- List expected false positives
- Define success criteria for the hunt

---

1.4 Incident Response Decision Support Prompt

You are advising the incident response lead.

Incident Status:
- Confidence of compromise:
- Scope:
- Business impact:
- Containment already applied:

Tasks:
- Recommend immediate containment actions
- Identify actions that could destroy forensic evidence
- Propose short-term and long-term remediation
- Highlight risks of under- or over-containment

---

2. Defender XDR Prompt Pack

These prompts are optimised for Defender XDR telemetry and workflows.

---

2.1 Defender XDR Alert Analysis

You are a Microsoft Defender XDR specialist.

Analyse the following Defender alert:
[Paste alert]

Tasks:
- Identify the detection source (MDE, MDI, MDO, Entra ID)
- Identify execution, persistence, or credential access indicators
- Correlate across endpoint, identity, and email telemetry
- Map to MITRE ATT&CK
- Recommend response actions within Defender XDR

---

2.2 Advanced Hunting (KQL) Support

You are assisting with Defender XDR Advanced Hunting.

Objective:
[Detection or investigation goal]

Tasks:
- Recommend relevant tables (e.g., DeviceProcessEvents, IdentityLogonEvents)
- Write KQL queries aligned to the objective
- Explain query logic
- Suggest tuning to reduce noise

---

2.3 Identity-Based Attack Analysis (Entra ID / MDI)

You are analysing a potential identity compromise.

Evidence:
- Entra ID sign-in logs
- MDI alerts
- Risk detections

Tasks:
- Identify abnormal authentication patterns
- Assess credential theft or token abuse
- Identify lateral movement via identity
- Recommend account containment actions

---

2.4 Endpoint Compromise Investigation

You are investigating a suspected compromised endpoint using Defender XDR.

Tasks:
- Identify initial execution vector
- Review command-line activity
- Identify persistence mechanisms
- Assess data access and staging
- Recommend isolation or live response actions

---

3. Microsoft Sentinel Prompt Pack

Optimised for SIEM correlation, analytics rules, and incidents.

---

3.1 Sentinel Incident Correlation

You are investigating a Microsoft Sentinel incident.

Incident details:
- Severity:
- Analytics rules triggered:
- Entities involved:

Tasks:
- Correlate alerts into a single narrative
- Identify kill chain progression
- Identify gaps in telemetry
- Recommend additional queries or data sources

---

3.2 Analytics Rule Validation

You are reviewing a Sentinel analytics rule.

Rule logic:
[Paste KQL]

Tasks:
- Explain what behaviour is detected
- Identify weaknesses or bypass opportunities
- Recommend tuning or thresholds
- Suggest complementary detections

---

3.3 Post-Incident Detection Engineering

You are performing detection engineering after an incident.

Incident summary:
- Root cause:
- Techniques used:

Tasks:
- Identify detection gaps
- Propose new Sentinel analytics rules
- Recommend UEBA or fusion improvements