Claude for Security Operations

25 min · S1
Module Objective
This is where Claude Essentials earns its security differentiator. Every Foundation module applies to any Claude user. This module applies specifically to SOC analysts — the workflows, prompts, and patterns that save hours during daily operations. You are not learning Claude here. You are learning to integrate Claude into the way you already work: triaging alerts, writing queries, analyzing logs, and escalating or closing incidents.
Deliverable: Four production-ready Claude workflows — alert triage acceleration, KQL query generation, log analysis, and Connector-powered investigation — with the specific prompt patterns that produce professional output for each.
⏱ Estimated completion: 25 minutes
Four SOC workflows accelerated by Claude (summary graphic):
- Alert triage: paste alert → structured assessment in 60 seconds
- KQL generation: describe intent → deployable query. Always verify in lab.
- Log analysis: upload sanitized CSV → anomaly identification
- Connectors: Gmail, Drive, Calendar integrated into investigation
Claude accelerates the analysis. The analyst makes the decision. Every output is verified before action.

Workflow 1: Alert triage acceleration

You receive an alert. The first five minutes determine whether it escalates or closes. Claude accelerates the initial assessment — not by making the triage decision, but by structuring the analysis faster than manual review.

The triage prompt pattern follows the three-component structure from F3. Paste the alert details into a <alert> tag, define the assessment task, and specify the output format. Claude produces a field-by-field assessment that identifies which elements are normal and which are suspicious for your environment.

Worked artifact — alert triage prompt template:

<alert>
Alert: Suspicious sign-in from non-corporate IP
User: j.morrison@northgateeng.com
IP: 203.0.113.91
Time: 2026-03-20 14:32 UTC
App: Microsoft Office 365
AuthRequirement: singleFactorAuthentication
Location: Lagos, Nigeria
Device: Unknown
ResultType: 0 (success)
</alert>

<task>
Assess this alert for a UK-based engineering company. For each
field, state whether it is normal or suspicious and why. Then
provide an overall risk assessment (High/Medium/Low) and
recommended next steps.
</task>

<output_format>
Field-by-field assessment, then overall risk rating with
recommended investigation steps. Be direct — no caveats.
</output_format>

Claude will flag the singleFactorAuthentication value (indicates token replay — MFA was not re-challenged), the Nigerian IP for a UK company, the unknown device, and the successful result. The overall assessment will be High risk with a recommendation to investigate as a potential AiTM compromise. Adapt the company context for your organization.

The key to effective triage prompts is including your organizational context. “A UK-based engineering company” tells Claude what is normal (UK IPs, corporate devices) and what is not (Nigerian IPs, unknown devices). Without this context, Claude cannot distinguish a true positive from a legitimate travel scenario.

For recurring alert types, create a Skill (F3) that defines your standard triage format. When you paste an alert and ask Claude to assess it, the Skill applies automatically — producing consistently formatted triage notes that match your SOC’s documentation standard.
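For teams that assemble the triage prompt programmatically for recurring alert types, the following added example (not code from the course or from Anthropic) renders the three-component prompt from an alert record, injects the organizational context that the text says Claude needs, refuses to guess when a field is missing, and pulls the High/Medium/Low rating out of the reply so the analyst still makes the decision. The alert dict reuses the worked artifact's values; the org context, the egress range and the field names are constructed assumptions.

```python
"""Build the <alert>/<task>/<output_format> triage prompt from a raw alert record
plus organizational context, and extract the risk rating from Claude's reply for
analyst review. Added example, not course or Anthropic code."""
import re
from typing import Optional

# Fields an assessment needs; a missing one is reported rather than guessed.
REQUIRED_FIELDS = ("Alert", "User", "IP", "Time", "App", "AuthRequirement",
                   "Location", "Device", "ResultType")

# Constructed sample alert (values taken from the module's worked artifact).
SAMPLE_ALERT = {
    "Alert": "Suspicious sign-in from non-corporate IP",
    "User": "j.morrison@northgateeng.com",
    "IP": "203.0.113.91",
    "Time": "2026-03-20 14:32 UTC",
    "App": "Microsoft Office 365",
    "AuthRequirement": "singleFactorAuthentication",
    "Location": "Lagos, Nigeria",
    "Device": "Unknown",
    "ResultType": "0 (success)",
}
# Constructed organizational baseline; the CIDR is a documentation range.
SAMPLE_ORG = {
    "description": "UK-based engineering company with no operations outside the UK",
    "countries": ["United Kingdom"],
    "egress_cidrs": ["198.51.100.0/24"],
}


def build_triage_prompt(alert: dict, org: dict) -> str:
    """Render the three-component prompt with the org baseline in the task."""
    missing = [f for f in REQUIRED_FIELDS if f not in alert]
    if missing:
        raise ValueError(f"alert record is missing fields: {missing}")
    alert_block = "\n".join(f"{k}: {alert[k]}" for k in REQUIRED_FIELDS)
    # What "normal" looks like, so a true positive can be told from travel.
    context = (
        f"{org['description']}. Normal sign-ins come from "
        f"{', '.join(org['countries'])} and from managed devices. "
        f"Corporate egress ranges: {', '.join(org['egress_cidrs'])}."
    )
    return (
        f"<alert>\n{alert_block}\n</alert>\n\n"
        f"<task>\nAssess this alert. Context: {context}\n"
        "For each field, state whether it is normal or suspicious and why. Then\n"
        "provide an overall risk assessment (High/Medium/Low) and recommended\n"
        "next steps.\n</task>\n\n"
        "<output_format>\nField-by-field assessment, then overall risk rating with\n"
        "recommended investigation steps. Be direct, no caveats.\n</output_format>\n"
    )


# Accepts "Overall risk: High", "Overall risk rating: HIGH", "overall risk is Low".
RATING_RE = re.compile(
    r"overall\s+risk(?:\s+(?:assessment|rating))?\s*[:\-]?\s*(?:is\s+)?(High|Medium|Low)\b",
    re.IGNORECASE)


def extract_rating(response: str) -> Optional[str]:
    """Return the rating Claude stated, normalised to High/Medium/Low, or None."""
    m = RATING_RE.search(response)
    return m.group(1).capitalize() if m else None


if __name__ == "__main__":
    print(build_triage_prompt(SAMPLE_ALERT, SAMPLE_ORG))
```

The rating extractor is deliberately a parser, not a decision: the value it returns is what the analyst compares against their own assessment, which is the exercise the module sets below.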


Workflow 2: KQL query generation

Claude generates KQL queries from natural language descriptions. The quality depends entirely on the constraints you provide — the tables to use, the watchlists to reference, the time range, the fields to include, and the output format.

Worked artifact — KQL generation prompt template:

<task>
Write a KQL query for Microsoft Sentinel that identifies inbox
rules created with financial keyword targeting from non-corporate
IP addresses.
</task>

<constraints>
- Use the OfficeActivity table
- Filter for Operation == "New-InboxRule"
- Search rule parameters for keywords: invoice, payment, wire,
  bank, transfer, remittance
- Exclude IPs in the CorporateExternalIPs watchlist
- Include: TimeGenerated, UserId, ClientIP, Parameters
- Time range: last 30 days
- Add inline comments explaining each operator
- Include MITRE ATT&CK mapping in the header comment
</constraints>

<output_format>
KQL code block only. No prose explanation.
</output_format>

This prompt produces a deployable detection query on the first attempt because every constraint is explicit. Verify the table name and column names against your Sentinel schema before deploying.

The verification step is non-negotiable. Claude may generate a syntactically perfect query that references a column name that does not exist in your OfficeActivity table, or uses a KQL function with incorrect parameter ordering. Run every Claude-generated query in your lab workspace before deploying to production. The speed advantage comes from Claude writing the first draft in 30 seconds — not from skipping the 2-minute verification step.

If you have a Security Operations project (F2) with your Sentinel table schema uploaded as a reference document, Claude’s query accuracy improves significantly because it can reference your actual table and column names rather than guessing from training data.
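The verification step above can be partly mechanised. The following added example (not course or Anthropic code, and not a Sentinel feature) checks a generated KQL query against a workspace schema: the source table must exist and every column named in where, project, distinct, summarize and sort stages must belong to it, which catches exactly the hallucinated table and column names the text warns about. The schema dict is a constructed excerpt of an assumed workspace, and the embedded query is a hand-written illustration of what the prompt template asks for; the watchlist column name IPAddress is an assumption about how that watchlist was defined.

```python
"""Static name check for Claude-generated KQL against a workspace schema.
Added example, not course or Anthropic code."""
import re

# Constructed schema excerpt (assumption: only the columns this check needs).
WORKSPACE_SCHEMA = {
    "OfficeActivity": {"TimeGenerated", "Operation", "Parameters", "UserId",
                       "ClientIP", "OfficeWorkload", "ResultStatus"},
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "IPAddress",
                   "ResultType", "AuthenticationRequirement", "Location"},
}

# Hand-written query matching the constraints block; IPAddress is the assumed
# column of the CorporateExternalIPs watchlist.
INBOX_RULE_QUERY = """
// MITRE ATT&CK: T1564.008 Hide Artifacts: Email Hiding Rules
OfficeActivity
| where TimeGenerated > ago(30d)                       // last 30 days
| where Operation == "New-InboxRule"                   // rule creation only
| where Parameters has_any ("invoice", "payment", "wire",
                            "bank", "transfer", "remittance")
| where ClientIP !in (_GetWatchlist('CorporateExternalIPs') | project IPAddress)
| project TimeGenerated, UserId, ClientIP, Parameters
"""

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _normalise(query):
    """Drop // comments and string literals so neither is mistaken for a name."""
    q = re.sub(r"//[^\n]*", "", query)
    return re.sub(r'"[^"]*"|\'[^\']*\'', '""', q)


def _split_top_level(text, sep):
    """Split on sep only outside parentheses, so sub-queries stay intact."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def referenced_names(query):
    """Return (source table, set of columns) used by the top-level pipeline."""
    stages = _split_top_level(_normalise(query), "|")
    table = stages[0].split()[0]
    cols = set()
    for stage in stages[1:]:
        op, _, rest = stage.partition(" ")
        if op == "where":
            # First bare identifier that is not a function call is the column.
            for m in IDENT.finditer(rest):
                if not rest[m.end():].lstrip().startswith("("):
                    cols.add(m.group())
                    break
        elif op in ("project", "distinct"):
            for item in _split_top_level(rest, ","):
                name = item.split("=")[0].strip()
                if IDENT.fullmatch(name):
                    cols.add(name)
        elif op in ("summarize", "sort", "order"):
            parts = re.split(r"\bby\b", rest, 1)
            if len(parts) == 2:
                for item in _split_top_level(parts[1], ","):
                    name = item.split()[0]
                    if IDENT.fullmatch(name):
                        cols.add(name)
    return table, cols


def validate_query(query, schema=WORKSPACE_SCHEMA):
    """List schema problems; an empty list means every name resolved."""
    table, cols = referenced_names(query)
    if table not in schema:
        return [f"unknown table: {table}"]
    return [f"unknown column on {table}: {c}" for c in sorted(cols - schema[table])]


if __name__ == "__main__":
    print(validate_query(INBOX_RULE_QUERY) or "all names resolve")
```

A clean result from this check only means the names exist; it says nothing about operator semantics or parameter order, so the lab run the text calls for is still required.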


Workflow 3: Log analysis

Upload a sanitized CSV export of sign-in logs, email events, or device activity. Ask Claude to identify patterns, anomalies, or specific indicators. Claude reads the column headers, understands the data structure, and produces categorized findings.

The analysis prompt should specify what you are looking for. “Analyze this data” produces a vague summary. “Identify sign-in events from non-corporate IPs that succeeded without MFA challenge, group them by user and IP, and flag any that occurred outside business hours (08:00-18:00 UTC)” produces specific, actionable findings.

For large datasets, pre-filter in Sentinel before uploading (F4). Upload the 200-500 most relevant rows, not the entire 50,000-row export. Claude analyzes focused datasets more effectively than large, unfocused ones.

After Claude identifies anomalies, verify each finding against the original data. Claude may misinterpret timestamp formats, miscalculate time differences, or misidentify a field value. The analysis is the starting point for your investigation — not the conclusion.
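The findings Claude returns for the prompt quoted above can be checked by re-running the same question deterministically over the original export. The following added example (not course or Anthropic code) does that: it keeps successful sign-ins from non-corporate IPs that carried no MFA challenge, groups them by user and IP, flags events outside 08:00-18:00 UTC, and parses timestamps with an explicit format so a misread timestamp fails loudly instead of silently. The CSV rows, the corporate range and the column names (SigninLogs style) are constructed; treating 08:00 inclusive to 18:00 exclusive as business hours is an assumption.

```python
"""Deterministic re-check of a log-analysis finding over the original CSV.
Added example, not course or Anthropic code."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed corporate egress range (documentation prefix).
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: 08:00 <= t < 18:00 UTC counts as business hours.
BUSINESS_HOURS = (8, 18)

# Constructed sample export; the 203.0.113.x rows are the non-corporate ones.
SAMPLE_CSV = """TimeGenerated,UserPrincipalName,IPAddress,ResultType,AuthenticationRequirement
2026-03-20T14:32:11Z,j.morrison@northgateeng.com,203.0.113.91,0,singleFactorAuthentication
2026-03-20T22:05:40Z,j.morrison@northgateeng.com,203.0.113.91,0,singleFactorAuthentication
2026-03-20T09:12:03Z,a.patel@northgateeng.com,198.51.100.23,0,multiFactorAuthentication
2026-03-21T03:47:19Z,a.patel@northgateeng.com,203.0.113.7,0,singleFactorAuthentication
2026-03-21T10:01:55Z,s.okafor@northgateeng.com,203.0.113.7,50126,singleFactorAuthentication
2026-03-21T10:04:10Z,s.okafor@northgateeng.com,203.0.113.7,0,multiFactorAuthentication
"""


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def parse_time(value):
    """Parse the export's ISO-8601 UTC format explicitly; anything else raises."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def find_unchallenged_signins(csv_text):
    """Group qualifying events by (user, ip); each event carries an after-hours flag."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["ResultType"] != "0":
            continue  # failed sign-in, no session was established
        if row["AuthenticationRequirement"] != "singleFactorAuthentication":
            continue  # MFA was challenged
        if is_corporate(row["IPAddress"]):
            continue
        ts = parse_time(row["TimeGenerated"])
        groups[(row["UserPrincipalName"], row["IPAddress"])].append(
            {"time": ts.isoformat(), "after_hours": outside_business_hours(ts)})
    return dict(groups)


def summarize(findings):
    """One line per user/IP pair: event count and how many fell after hours."""
    return [
        f"{user} from {ip}: {len(events)} event(s), "
        f"{sum(e['after_hours'] for e in events)} after hours"
        for (user, ip), events in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in summarize(find_unchallenged_signins(SAMPLE_CSV)):
        print(line)
```

If Claude's list of user/IP pairs or after-hours counts differs from this output, the discrepancy is the thing to investigate before the finding goes into a ticket.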


Workflow 4: Connector-powered investigation

With MCP Connectors enabled (F2), Claude can access external tools during the investigation without you switching applications.

Gmail Connector allows Claude to search your email for phishing reports, user complaints, or security notifications relevant to an active investigation. Ask Claude to “search my email for messages from j.morrison@northgateeng.com in the last 7 days” and it retrieves the results within the conversation.

Google Drive Connector allows Claude to pull documents — IR report templates, detection rule libraries, investigation checklists — from your shared drive without you downloading and uploading them separately.

Google Calendar Connector allows Claude to check schedules — incident bridge times, on-call rotations, or meeting conflicts — relevant to investigation coordination.

Slack Connector allows Claude to search channel messages for context — previous discussions about the affected user, related alerts mentioned by other analysts, or SOC channel updates about the incident.

The Connectors do not replace your investigation tools. They reduce the context-switching overhead — the time spent tabbing between email, drive, calendar, Slack, and the investigation workspace. When every tool is accessible within the conversation, the investigation flow is uninterrupted.

Permission controls matter. Configure each Connector with the minimum necessary permissions. Allow search and read access. Block send, delete, and modify actions. You want Claude to retrieve information — not take actions in your external systems during an investigation.

Compliance Myth
"Claude can replace the L1 SOC analyst for alert triage."
Production reality: Claude accelerates triage — it does not perform triage. The structured assessment Claude produces is a first-pass analysis that identifies the fields worth investigating. But the triage decision (escalate, investigate, or close) requires judgment that accounts for organizational context Claude cannot access: is this user a VIP? Did the IT team just migrate this user to a new device? Is this alert part of a known false positive pattern from last week's configuration change? Claude provides the analysis. The analyst provides the judgment. Replacing the analyst with Claude for triage decisions means replacing judgment with pattern matching — and pattern matching fails precisely on the novel threats that matter most.

Try it: Run the complete triage workflow

Open your Security Operations project. Copy the alert triage prompt template from the worked artifact above. Replace the alert details with a real (sanitized) alert from your environment — a recent sign-in alert, an email alert, or a device alert. Run the prompt and evaluate Claude's assessment. Is the field-by-field analysis accurate? Does the risk rating match your own assessment? Are the recommended next steps actionable? This exercise calibrates your sense of where Claude's triage analysis adds value and where your judgment must override it.

Try it: Generate and verify a KQL query

Using the KQL generation prompt template, ask Claude to write a query for a detection scenario relevant to your environment — failed MFA attempts from unusual locations, inbox rule creation from external IPs, or sign-ins using legacy authentication protocols. Copy the generated query into your Sentinel lab workspace and run it. Does it execute without errors? Do the table and column names match your schema? Does the output contain the expected fields? If the query fails, identify what Claude got wrong (table name, column name, function syntax) and correct it. This exercise builds the verification habit that makes Claude-generated queries trustworthy.


Knowledge checks

Check your understanding

1. You paste an alert into Claude and it produces a triage assessment rating the alert as Low risk. The alert shows a successful sign-in from an IP in a country where your organization has no operations, with AuthenticationRequirement showing singleFactorAuthentication. What should you do?

Override Claude's assessment. SingleFactorAuthentication from a foreign IP for an organization with no presence in that country is a high-confidence indicator of token replay (the session token was already MFA-authenticated when the attacker captured it). Claude may have rated it Low because the prompt lacked organizational context — it did not know your company has no operations in that country. Add organizational context to the triage prompt (or to your Project system prompt) for future assessments.
Accept the Low rating — Claude analyzed the evidence
Ask Claude to re-analyze with Extended Thinking

2. Claude generates a KQL query that references "AADUserRiskEvents" — a table you have never seen in your Sentinel workspace. What is the most likely explanation?

The table name is hallucinated. Claude generates statistically probable table names that follow Microsoft's naming conventions but may not correspond to real tables. Check your Sentinel workspace schema for the actual table name (it may be AADRiskyUsers, IdentityInfo, or another table depending on your data connectors). This is the most common hallucination pattern in KQL generation — syntactically perfect queries with fabricated references.
You need to enable a new data connector
The table was renamed in a recent Sentinel update

3. You want Claude to search your Gmail for phishing report emails during an investigation, without leaving the Claude conversation. What feature enables this?

Web search — Claude searches the internet
The Gmail MCP Connector. With the Gmail Connector enabled in Claude.ai, Claude can search your email directly within the conversation. Configure it with read/search permissions (allow) and send/delete permissions (block) to maintain security. The Connector eliminates the context-switching overhead of tabbing to Gmail during an investigation.
Upload your emails as files

Key takeaways

Alert triage is accelerated, not automated. Claude produces a structured field-by-field assessment in seconds. The triage decision (escalate, investigate, close) remains with the analyst.

KQL generation requires verification. Claude writes the first draft in 30 seconds. You verify table names, column names, and logic in 2 minutes. The combination is faster than writing from scratch.

Log analysis needs focused data. Pre-filter to the relevant subset. Specify what you are looking for. Verify findings against the original data.

Connectors reduce context-switching. Gmail, Drive, Calendar, Slack — accessible within the investigation conversation. Configure with minimum necessary permissions.

Claude Essentials complete

You have finished Claude Essentials for Security Professionals. Ready to go deeper?

Explore Claude for Security Professionals →