Claude for Security Operations

25 min · S1

This is where the Field Guide earns its security differentiator. Every module so far applies to any Claude user. This module applies specifically to SOC analysts working in Microsoft 365 environments — the workflows, prompts, and patterns that save hours during daily operations.

You are not learning Claude here. You are learning to integrate Claude into the way you already work: triaging alerts, writing queries, analyzing logs, and escalating or closing incidents.


Workflow 1: Alert triage acceleration

You receive an alert. The first 5 minutes determine whether it escalates or closes. Claude accelerates the initial assessment — not by making the decision, but by structuring the analysis faster than you can do manually.

The triage prompt pattern:

<alert>
Alert: Suspicious sign-in from non-corporate IP
User: j.morrison@northgateeng.com
IP: 203.0.113.91
Time: 2026-03-20 14:32 UTC
App: Microsoft Office 365
AuthRequirement: singleFactorAuthentication
Location: Lagos, Nigeria
Device: Unknown
ResultType: 0 (success)
</alert>

<task>
Assess this alert. For each field, explain whether it is
normal or suspicious for a user at a UK-based engineering company.
Conclude with: True Positive, Benign True Positive, or
False Positive — and state what additional evidence you would
need to confirm your assessment.
</task>

What Claude produces: A field-by-field assessment (singleFactorAuthentication from a non-corporate IP = token replay indicator; Lagos location for a UK user = suspicious unless known travel; unknown device = no managed device registration). Claude concludes with a preliminary verdict and a list of follow-up queries to run.

What Claude does NOT do: Make the final triage decision. Claude does not know whether j.morrison is travelling, whether 203.0.113.91 is a VPN exit in a different country, or whether this user has triggered similar alerts before. You make the decision — Claude structures the analysis.

The follow-up pattern — generating investigation queries:

Based on the alert above, write 3 KQL queries I should run:
1. All sign-ins for this user in the last 7 days (both tables)
2. All sign-ins from this IP for any user in the last 30 days
3. Any inbox rule or forwarding changes for this user in the last 7 days

Use SigninLogs, AADNonInteractiveUserSignInLogs, and CloudAppEvents.
Exclude corporate IPs using _GetWatchlist('CorporateExternalIPs').

Claude generates three queries instantly. You paste them into Sentinel. The results determine your triage decision. Total time from alert to investigation: 3-5 minutes instead of 15-20 minutes writing queries manually.
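For reference, here is one working answer to the three-query request above, written by the editor rather than produced by the prompt. It assumes the CorporateExternalIPs watchlist uses the IP address as its SearchKey column, and the queries are separated by blank lines so the Log Analytics editor runs whichever one the cursor is in.

```kql
// Added example (editor's, not Claude output): the three follow-up queries for the
// j.morrison alert. Assumption: the watchlist's SearchKey column holds the IP.
// Queries are blank-line separated; the Log Analytics editor runs the one at the cursor.

// 1. All sign-ins for the user in the last 7 days, both tables, summarised per source IP.
//    DeviceDetail/LocationDetails differ in type between the two tables, so they are
//    not used here; same-typed columns (IPAddress, ResultType, ...) union cleanly and
//    withsource records which table each row came from.
let User = "j.morrison@northgateeng.com";
let CorpIPs = _GetWatchlist('CorporateExternalIPs') | project SearchKey;
union withsource=SourceTable SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(7d) and UserPrincipalName =~ User
| where IPAddress !in (CorpIPs)
| summarize SignIns = count(), Failures = countif(ResultType != "0"),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName), Tables = make_set(SourceTable)
  by IPAddress, AuthenticationRequirement
| order by FirstSeen asc

// 2. Every account that signed in from the suspect IP in the last 30 days.
let SuspectIP = "203.0.113.91";
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(30d) and IPAddress == SuspectIP
| summarize SignIns = count(), FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated), Apps = make_set(AppDisplayName)
  by UserPrincipalName, ResultType
| order by FirstSeen asc

// 3. Inbox-rule or mailbox-forwarding changes made by the user in the last 7 days.
//    Exchange audit records arrive via CloudAppEvents; the acting user is in
//    RawEventData.UserId and the cmdlet parameters in RawEventData.Parameters.
let User = "j.morrison@northgateeng.com";
CloudAppEvents
| where TimeGenerated > ago(7d)
| where ActionType in~ ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox")
| where tostring(RawEventData.UserId) =~ User
| project TimeGenerated, ActionType, IPAddress,
          Parameters = tostring(RawEventData.Parameters)
| order by TimeGenerated asc
```

Query 1 is the one that most often comes back wrong from a generic prompt: it must cover both sign-in tables, and a failure count next to the success count shows whether the IP was password-spraying before it succeeded.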


Workflow 2: KQL generation and refinement

KQL generation is the highest-frequency Claude use case in security operations. The quality depends on the prompt.

Bad prompt (generic output):

Write a KQL query to find suspicious sign-ins.

Claude produces a generic SigninLogs query with basic filters. Not useful.

Good prompt (operational output):

<context>
Investigating a potential AiTM compromise of j.morrison@northgateeng.com.
The initial compromise likely occurred between 2026-03-18 and 2026-03-20.
I need to understand the attacker's post-compromise activity.
</context>

<query_requirements>
Table: AADNonInteractiveUserSignInLogs
Time: 2026-03-18 to present
User: j.morrison@northgateeng.com
Exclude: IPs in CorporateExternalIPs watchlist
Show: TimeGenerated, IPAddress, AppDisplayName, ResourceDisplayName,
  UserAgent (from DeviceDetail.browser), AuthenticationRequirement
Sort: chronological
</query_requirements>

<output>
KQL code block with inline comments explaining each line.
</output>

Claude produces a targeted, annotated query. You review, adjust for your specific environment (verify table/column names), and deploy.
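The query the requirements block above describes, written by the editor as an added example (not Claude's output), with the inline comments the <output> section asks for. It assumes the watchlist's SearchKey column holds the IP address.

```kql
// Added example (editor's, not Claude output): post-compromise activity for the
// AiTM investigation, per the query_requirements block.
// Assumption: the CorporateExternalIPs watchlist keys on the IP (SearchKey column).
let User = "j.morrison@northgateeng.com";
let StartTime = datetime(2026-03-18);                       // Time: 2026-03-18 to present
let CorpIPs = _GetWatchlist('CorporateExternalIPs') | project SearchKey;
AADNonInteractiveUserSignInLogs                              // Table: non-interactive only
| where TimeGenerated >= StartTime                           // no upper bound = "to present"
| where UserPrincipalName =~ User                            // case-insensitive UPN match
| where IPAddress !in (CorpIPs)                              // Exclude: corporate external IPs
// In this table DeviceDetail is a JSON string (in SigninLogs it is already dynamic),
// so it must be parsed before the browser field can be read.
| extend Device = todynamic(DeviceDetail)
| extend UserAgent = tostring(Device.browser)                // UserAgent (from DeviceDetail.browser)
| project TimeGenerated, IPAddress, AppDisplayName, ResourceDisplayName,
          UserAgent, AuthenticationRequirement               // Show: the requested columns only
| order by TimeGenerated asc                                 // Sort: chronological
```

When reviewing the result, the AuthenticationRequirement column is the one to read first: singleFactorAuthentication against a non-corporate IP is the token-replay indicator the triage workflow calls out.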

Iterative refinement — the real power:

After running the query, paste the results back to Claude:

Here are the results from the query you wrote:
[paste CSV output]

Analysis questions:
1. Are there any IPs that appear in both the attacker and legitimate periods?
2. What resources did the non-corporate IPs access?
3. Is there a pattern in the timing (what hours, what days)?
4. Based on these results, should I escalate or close this investigation?

This feedback loop — generate query → run in Sentinel → analyze results in Claude → generate follow-up query — is the core Claude-assisted investigation workflow. Each cycle takes 2-3 minutes. A full investigation that would take 2 hours manually takes 30-45 minutes with Claude assistance.

The feedback loop is the single highest-value Claude pattern for security work

An experienced analyst spends 60-70% of investigation time writing and debugging queries. Claude eliminates that bottleneck. Your time shifts from writing queries to analyzing results — which is the higher-value activity. The query is the means. The analysis is the end. Claude handles the means so you can focus on the end.


Workflow 3: Log analysis and pattern recognition

When you have a dataset that needs human-level pattern recognition but is too large to scan manually, Claude fills the gap between “too much data” and “I need a SIEM query.”

The pattern recognition prompt:

I am uploading 500 rows of sign-in log data for a user
under investigation. The user's normal work pattern is:
- Monday-Friday, 08:00-18:00 GMT
- IP range: 192.0.2.0/24 (corporate) or 198.51.100.0/24 (home VPN)
- Devices: LAPTOP-NGE027 and iPhone (managed)
- Apps: Outlook, Teams, SharePoint, OneDrive

Identify any sign-in events that deviate from this baseline.
Group anomalies by category:
1. Unusual IP addresses
2. Unusual times (outside business hours for a UK user)
3. Unusual applications (not in the normal set)
4. Unusual devices (not in the known device list)
5. Authentication anomalies (singleFactorAuth in an MFA-required tenant)

For each anomaly, state: the timestamp, what is anomalous,
and the potential security significance.

Upload the CSV. Claude processes the 500 rows and returns a structured anomaly report. This is not replacing your SIEM — it is filling the analytical gap for ad-hoc investigations where you need a human-readable assessment of the data.
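The same baseline, expressed as a Sentinel query for the case where the rows are still in the workspace rather than exported to CSV. This is an added example by the editor, not part of the page; it assumes the user under investigation is j.morrison, that the managed iPhone reports an iOS operating system with isManaged set, that app display names contain the terms listed in the baseline, and that TimeGenerated (UTC) can stand in for GMT.

```kql
// Added example (editor's, not from the page): flag sign-ins that deviate from the
// baseline in the prompt above and tag each row with the anomaly categories it hits.
// Assumptions: user UPN constructed; iPhone = iOS + isManaged; UTC used for GMT.
let User = "j.morrison@northgateeng.com";                    // constructed
let CorpRanges = dynamic(["192.0.2.0/24", "198.51.100.0/24"]);
let KnownApps = dynamic(["Outlook", "Teams", "SharePoint", "OneDrive"]);
SigninLogs
| where TimeGenerated > ago(30d) and UserPrincipalName =~ User
| extend Hour = hourofday(TimeGenerated), Day = dayofweek(TimeGenerated)
// 1. IP outside the corporate and home-VPN ranges (IPv6 or unparsable -> unusual)
| extend UnusualIP = not(coalesce(ipv4_is_in_any_range(IPAddress, CorpRanges), false))
// 2. Weekend (Sunday = 0d, Saturday = 6d) or outside 08:00-18:00
| extend UnusualTime = Day == 0d or Day == 6d or Hour < 8 or Hour >= 18
// 3. Application whose display name carries none of the baseline terms
| extend UnusualApp = not(AppDisplayName has_any (KnownApps))
// 4. Device that is neither the known laptop nor a managed iOS device
| extend DeviceName = tostring(DeviceDetail.displayName),
         DeviceOS = tostring(DeviceDetail.operatingSystem),
         DeviceManaged = tobool(DeviceDetail.isManaged)
| extend UnusualDevice = not(DeviceName == "LAPTOP-NGE027"
                             or (DeviceOS startswith "Ios" and DeviceManaged == true))
// 5. Single-factor sign-in in a tenant that requires MFA
| extend AuthAnomaly = AuthenticationRequirement == "singleFactorAuthentication"
| where UnusualIP or UnusualTime or UnusualApp or UnusualDevice or AuthAnomaly
| extend Reasons = set_difference(pack_array(
        iff(UnusualIP, "1 Unusual IP", ""), iff(UnusualTime, "2 Unusual time", ""),
        iff(UnusualApp, "3 Unusual app", ""), iff(UnusualDevice, "4 Unusual device", ""),
        iff(AuthAnomaly, "5 Auth anomaly", "")), dynamic([""]))
| project TimeGenerated, IPAddress, AppDisplayName, DeviceName,
          AuthenticationRequirement, ResultType, Reasons
| order by TimeGenerated asc
```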


Workflow 4: Parsing Defender and Sentinel output

Defender XDR incidents and Sentinel alerts contain structured JSON data that is often difficult to read in raw form. Claude converts it to human-readable analysis instantly.

The parsing prompt:

I am pasting a Sentinel incident entity list (JSON).
For each entity, extract:
- Entity type (Account, IP, Host, File, URL)
- Key identifiers (UPN, IP address, hostname, file hash)
- Risk indicators (if any)

Present as a clean table. Then summarize: which entities
are likely attacker-controlled and which are victim entities?

Paste the JSON. Claude returns a structured table and an assessment. This saves the manual work of parsing nested JSON — especially useful when the incident has 20+ entities.


Workflow 5: Shift handover and daily summary generation

At shift end, you need to hand over the current state to the next analyst. Claude generates the handover briefing from your notes:

Generate a shift handover briefing from these notes:

<notes>
- INC-2026-0320-003: token replay investigation for r.williams.
  Confirmed OAuth app persistence. App revoked at 15:30.
  Monitoring for 48 hours. Next check: tomorrow 09:00.
- Alert: 3 medium-severity phishing alerts for marketing dept.
  Emails soft-deleted via Threat Explorer. No clicks detected.
  Closed.
- Sentinel rule tuning: P1-AiTM-MultiIP rule generating
  false positives from VPN failover. Added 2 VPN exit IPs
  to CorporateExternalIPs watchlist. Monitoring.
</notes>

<format>
Shift handover — structured with: Open incidents (status,
next action, owner), Closed items (summary), Pending actions
(what the next shift needs to do), Notable observations.
</format>

Claude produces a clean, structured handover document in seconds. Copy it into your handover channel (Teams, Slack, email). The next analyst gets a clear picture without reading through your scattered investigation notes.


Building a Security Operations Project

Create a Project in claude.ai that accelerates every workflow above:

Project name: Security Operations

System prompt (Project Instructions):

You are assisting a SOC analyst working in a Microsoft 365 E5
environment with Defender XDR and Microsoft Sentinel.

Environment context:
- Tenant: UK-based engineering company, 500 users
- Sentinel workspace with standard Microsoft connectors
- Watchlist "CorporateExternalIPs" contains corporate external IPs
- Standard Microsoft log tables (SigninLogs, AADNonInteractiveUserSignInLogs,
  CloudAppEvents, EmailEvents, DeviceEvents, AuditLogs)

Output requirements:
- KQL queries: include inline comments, use _GetWatchlist where appropriate
- Analysis: structured, field-by-field, with severity assessment
- Reports: factual, evidence-based, no speculation about intent
- UK English throughout
- No preamble, no unnecessary caveats — deliver output directly
- For investigation work: always check both SigninLogs and
  AADNonInteractiveUserSignInLogs (never miss non-interactive)

Project Knowledge (upload these documents):

  • Your detection rule template (the format from your organization)
  • Your IR report template (executive summary + technical findings structure)
  • Your KQL naming conventions document
  • Your alert triage decision tree (if you have one)

Every conversation in this Project now produces output calibrated to your environment, your conventions, and your operational tempo.

Try it yourself

Create a "Security Operations" project in claude.ai. Configure the system prompt above (adjust the tenant details to match your environment). Start a conversation and ask Claude to write a KQL query for a security scenario you have investigated before. Compare the output quality with and without the project context. The difference demonstrates why Projects are the most important feature for professional use.

With the project system prompt: Claude produces KQL that references your watchlist, uses your naming conventions, includes inline comments, and delivers output without preamble. Without the project: Claude produces generic KQL with assumptions you have to correct. The project system prompt eliminates 90% of the "Claude gave me a generic response" problem.


Knowledge checks

Check your understanding

1. You receive a high-severity alert. Claude analyzes the alert fields and concludes: "This is a true positive — contain immediately." Should you follow Claude's recommendation?

   Answer: Use Claude's analysis as input, but make the containment decision yourself. Claude cannot assess: business context (is this a VIP account?), operational context (is there a legitimate reason for the anomaly?), or blast radius (what breaks if you contain?). Claude's field-by-field analysis accelerates your assessment. The containment decision requires human judgment that accounts for factors Claude cannot access.

   Other options (incorrect): "Yes — contain immediately as Claude recommends"; "Ignore Claude during alert triage".

2. Claude generates a KQL query for your investigation. The query runs successfully and returns 47 results. Is the query correct?

   Answer: A successful query does not mean a correct query. The query may: be missing a filter (returning too many results), have the wrong time range, reference the wrong table (missing non-interactive sign-ins), or exclude results it should include. "47 results" means the query ran — not that it found the right 47 results. Review the query logic, spot-check the results, and verify the filters match your investigation scope.

   Other options (incorrect): "Yes — if it runs and returns results, it is correct"; "No — Claude queries always need rewriting".

3. The investigation feedback loop (generate query → run → analyze → follow-up) saves time because:

   Answer: It eliminates the query-writing bottleneck. An experienced analyst spends 60-70% of investigation time writing and debugging KQL queries. Claude generates the first-draft query in seconds. The analyst's time shifts from writing queries to analyzing results — which is the higher-value activity. Each cycle takes 2-3 minutes instead of 15-20. The total investigation time drops from hours to under an hour.

   Other options (incorrect): "Claude makes better triage decisions than analysts"; "It replaces the need for Sentinel".

Key takeaways

Five workflows cover 80% of SOC Claude usage: alert triage, KQL generation, log analysis, output parsing, and shift handover. Master these five and you have integrated Claude into your daily operations.

The investigation feedback loop is the power pattern. Generate → Run → Analyse → Follow-up. Each cycle: 2-3 minutes. Full investigation: 30-45 minutes instead of 2+ hours.

Set up a Security Operations Project. One-time setup. Every subsequent conversation benefits from your environment context, naming conventions, and output preferences.

Claude accelerates analysis. Humans make decisions. Every triage decision, containment action, and escalation call remains yours. Claude gets you to the decision point faster.

Field Guide complete

You have finished the Claude Field Guide. Ready to put these skills to work on real M365 investigations?