Incident Response with Claude

25 min · S2

Incident response has a documentation problem. The investigation takes 4 hours. The report takes 6. The CISO needs the report by end of business. You are simultaneously investigating, containing, and writing — and the writing is the bottleneck. Claude does not investigate for you. It drafts the report while you investigate.


The IR documentation bottleneck

A typical M365 security incident produces: an executive summary, a technical timeline, evidence appendices, containment and eradication records, a recommendations section, and post-incident review notes. Writing this from scratch — in executive-readable prose while maintaining technical accuracy — takes an experienced analyst 4-8 hours.

Claude compresses the documentation phase to 1-2 hours. The investigation still takes the same time. But the report is ready when the investigation finishes — not 6 hours later.


Workflow 1: Timeline reconstruction

You have raw investigation notes — timestamps, IP addresses, actions, and findings scattered across your notepad, Sentinel queries, and email threads. Claude organises them into a structured timeline.

<role>You are drafting the technical timeline section of an IR report.</role>

<raw_notes>
- 2026-03-18 08:42 UTC: Phishing email delivered to 23 users. Subject: "Voicemail notification." Sender: notifications@northgate-voicemail.com
- 2026-03-18 09:15 UTC: 6 users clicked Safe Links URL. Safe Links allowed (URL behind CAPTCHA)
- 2026-03-18 09:18-09:34 UTC: 5 of 6 users entered credentials on AiTM proxy at hxxps://login-northgate[.]com/auth
- 2026-03-18 09:35 UTC: First token replay detected — j.morrison signed in from 198.51.100.44 (VPS, AS-CHOOPA)
- 2026-03-18 09:40 UTC: Inbox rule created on j.morrison's mailbox. Forward emails containing "invoice" to external address
- 2026-03-18 10:00 UTC: SOC notified via Sentinel alert P1-AiTM-PhishingClick
- 2026-03-18 10:15 UTC: Containment initiated — tokens revoked for all 5 compromised users
- 2026-03-18 10:30 UTC: Passwords reset, MFA re-registration forced
- 2026-03-18 11:00 UTC: Inbox rules removed from 3 affected mailboxes
</raw_notes>

<output_format>
Chronological table with columns: Time (UTC) | Event | Actor | Evidence Source | Severity
Then a narrative summary (3-4 sentences) suitable for the executive summary of the IR report.
</output_format>

Claude produces both: a clean table that goes into the technical appendix and a narrative summary that goes into the executive summary. Both from your raw notes in one prompt.


Claude infers. IR reports state facts.

Claude routinely escalates findings beyond what the evidence supports: "47 emails accessed" becomes "47 emails containing sensitive financial data accessed." The first is a log entry. The second is an inference. IR reports must separate facts (timestamped, evidence-referenced) from inferences (conclusions drawn from facts). Review every Claude-drafted statement and ask: "Is this a fact from the logs, or an inference Claude added?" Remove or explicitly label all inferences.
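The fact-versus-inference review above is manual, but the mechanical part of it can be automated. The script below is an added example, not part of the course material: it pulls every checkable specific out of a draft (timestamps, IP addresses, e-mail addresses, first-initial.surname usernames, bare numbers) and reports any that never occur in the raw notes from Workflow 1, then flags wording that usually marks a conclusion rather than a log entry. The draft it checks is constructed for the demonstration and deliberately contains an address and an e-mail count that the notes do not support.

```python
"""Grounding check for a Claude-drafted IR narrative against raw notes.

Added example, not from the course page. Extracts the checkable specifics in
a draft and reports any that do not occur in the raw investigation notes,
plus wording that usually marks an inference rather than a logged fact.
"""
import re

# Raw notes copied from the Workflow 1 prompt (constructed incident data).
RAW_NOTES = """
- 2026-03-18 08:42 UTC: Phishing email delivered to 23 users. Subject: "Voicemail notification." Sender: notifications@northgate-voicemail.com
- 2026-03-18 09:15 UTC: 6 users clicked Safe Links URL. Safe Links allowed (URL behind CAPTCHA)
- 2026-03-18 09:18-09:34 UTC: 5 of 6 users entered credentials on AiTM proxy at hxxps://login-northgate[.]com/auth
- 2026-03-18 09:35 UTC: First token replay detected — j.morrison signed in from 198.51.100.44 (VPS, AS-CHOOPA)
- 2026-03-18 09:40 UTC: Inbox rule created on j.morrison's mailbox. Forward emails containing "invoice" to external address
- 2026-03-18 10:00 UTC: SOC notified via Sentinel alert P1-AiTM-PhishingClick
- 2026-03-18 10:15 UTC: Containment initiated — tokens revoked for all 5 compromised users
- 2026-03-18 10:30 UTC: Passwords reset, MFA re-registration forced
- 2026-03-18 11:00 UTC: Inbox rules removed from 3 affected mailboxes
"""

# Constructed Claude-style draft. It adds a forwarding address and an e-mail
# count that are not in the notes, and escalates "emails" to "sensitive
# financial data", so the check has something to flag.
DRAFT = """
At 09:35 UTC on 18 March 2026 j.morrison signed in from 198.51.100.44 using a
replayed session token. At 09:40 UTC the attacker created an inbox rule that
forwarded invoices to attacker@example.com and read 47 emails containing
sensitive financial data. The SOC was notified at 10:00 UTC and tokens were
revoked for all 5 compromised users by 10:15 UTC.
"""

# Extraction order matters: IPs and addresses are masked after matching so
# their digits and dotted names are not re-read as counts or usernames.
PATTERNS = [
    ("ip",        r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    ("email",     r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    ("timestamp", r"\b\d{2}:\d{2}\b"),
    ("user",      r"\b[a-z]\.[a-z]{2,}\b"),   # first-initial.surname form
    ("count",     r"\b\d+\b"),                # noisy: review, do not auto-reject
]
MASKED = {"ip", "email"}

# Qualifiers that turn a log entry into a conclusion. Not wrong in themselves,
# but each needs an evidence reference or an explicit "assessed" label.
INFERENCE_MARKERS = ("sensitive", "confidential", "financial", "likely",
                     "probably", "intended", "in order to", "exfiltrat")


def extract(text):
    """Return {kind: set(values)} for every pattern, masking as we go."""
    found, working = {}, text
    for kind, pat in PATTERNS:
        found[kind] = set(re.findall(pat, working))
        if kind in MASKED:
            working = re.sub(pat, " ", working)
    return found


def unsupported_specifics(draft, notes):
    """Specifics in the draft that never appear in the notes, grouped by kind."""
    d, n = extract(draft), extract(notes)
    return {k: sorted(d[k] - n[k]) for k, _ in PATTERNS if d[k] - n[k]}


def inference_markers(draft):
    """Qualifier words in the draft that the analyst must evidence or label."""
    low = draft.lower()
    return sorted(m for m in INFERENCE_MARKERS if m in low)


if __name__ == "__main__":
    for kind, values in unsupported_specifics(DRAFT, RAW_NOTES).items():
        print(f"unsupported {kind}: {', '.join(values)}")
    print("review wording:", ", ".join(inference_markers(DRAFT)))
```

Run against the constructed draft it reports the unsupported e-mail address and the number 47, and lists "financial" and "sensitive" for review. It cannot judge whether an inference is reasonable, only that the notes do not contain it; that judgement stays with the analyst, which is the point of the section above.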


Workflow 2: Executive summary drafting

The executive summary is the hardest section to write — it must be technically accurate, jargon-free, and convey business impact to non-technical leadership.

<task>Draft the executive summary for an IR report.</task>

<incident_facts>
- Incident type: AiTM credential phishing campaign
- Date range: 18-20 March 2026
- Accounts compromised: 5 of 23 targeted
- Attack vector: Phishing email impersonating voicemail notification
- Attacker objective: BEC / vendor payment diversion
- Financial impact: £47,000 payment diverted (recall attempted)
- Containment time: 1 hour 15 minutes from first SOC notification
- Data exposure: Attacker read 47 emails from 3 mailboxes
- Current status: Contained, eradication complete, monitoring active
</incident_facts>

<audience>CISO and non-technical board members</audience>

<constraints>
- 250-300 words maximum
- No technical jargon (no "AiTM," "KQL," "token replay" — translate to business language)
- Must include: what happened, business impact, what we did, current status, next steps
- Factual tone — no minimisation, no dramatisation
</constraints>

Claude produces a CISO-ready summary. Review for accuracy (every fact must match your evidence), adjust tone if needed, and it goes into the report. What would take 45 minutes of careful writing takes 5 minutes of review and refinement.


Workflow 3: Evidence analysis documentation

You have a stack of KQL query outputs, screenshots, and log exports. Each needs to be documented in the evidence appendix with: what the evidence shows, why it is significant, and how it supports the investigation conclusions.

<task>Document this evidence for an IR report appendix.</task>

<evidence>
Query: SigninLogs for j.morrison, 18-20 March 2026
Results: [paste the CSV or table output]
</evidence>

<document_format>
Evidence ID: [I will assign]
Evidence Type: Sign-in log analysis
Source: Microsoft Sentinel — SigninLogs table
Collection Time: [current time]
Analyst: [I will add]

Summary of Findings:
[Claude writes this — what the evidence shows, key indicators,
significant entries highlighted]

Significance:
[Claude writes this — how this evidence supports the investigation
timeline and conclusions]
</document_format>

Claude produces the documentation for each evidence item. You review, assign the evidence ID, add your name, and append to the report. An evidence appendix that normally takes 2-3 hours takes 30-40 minutes.
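Claude should document what the evidence shows, not decide what it shows. Before pasting a SigninLogs export into the Workflow 3 prompt, establish the key indicators yourself. The script below is an added example, not part of the course material: it builds a baseline of where the user normally signs in from (IP, ASN, country) out of successful sign-ins before the incident window, then flags every sign-in inside the window that falls outside that baseline. The export is constructed (documentation IP ranges, reserved ASNs, an assumed tenant domain northgate.example); the column names match the Sentinel SigninLogs table.

```python
"""Triage a SigninLogs export before asking Claude to document it.

Added example, not from the course page. Baselines the user's normal sign-in
origins, then flags in-window sign-ins from an IP, ASN or country outside
that baseline. The flagged rows are the "key indicators" for the evidence
appendix; the rest is context.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed export for j.morrison. Column names follow the Sentinel
# SigninLogs table; IPs are documentation ranges, ASNs are reserved
# documentation numbers, northgate.example is an assumed tenant domain.
# A replayed AiTM session still shows MFA as satisfied, so the
# AuthenticationRequirement column is not a useful filter; origin is.
SIGNIN_CSV = """TimeGenerated,UserPrincipalName,IPAddress,AutonomousSystemNumber,Location,ResultType,AppDisplayName,AuthenticationRequirement
2026-02-20T08:02:11Z,j.morrison@northgate.example,203.0.113.10,64496,GB,0,Office 365 Exchange Online,multiFactorAuthentication
2026-03-02T08:11:45Z,j.morrison@northgate.example,203.0.113.10,64496,GB,0,Microsoft Teams,multiFactorAuthentication
2026-03-17T17:48:20Z,j.morrison@northgate.example,203.0.113.10,64496,GB,0,Office 365 Exchange Online,multiFactorAuthentication
2026-03-18T08:30:02Z,j.morrison@northgate.example,203.0.113.10,64496,GB,0,Office 365 Exchange Online,multiFactorAuthentication
2026-03-18T09:35:12Z,j.morrison@northgate.example,198.51.100.44,64511,US,0,Office 365 Exchange Online,multiFactorAuthentication
2026-03-18T09:41:03Z,j.morrison@northgate.example,198.51.100.44,64511,US,0,Office 365 Exchange Online,multiFactorAuthentication
2026-03-19T02:14:55Z,j.morrison@northgate.example,198.51.100.44,64511,US,50126,Office 365 Exchange Online,singleFactorAuthentication
"""

# Baseline = successful sign-ins before the incident window opened.
BASELINE_CUTOFF = datetime(2026, 3, 18, tzinfo=timezone.utc)
INCIDENT_START = BASELINE_CUTOFF
INCIDENT_END = datetime(2026, 3, 20, 23, 59, 59, tzinfo=timezone.utc)


def parse_signin_csv(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Time"] = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
    return sorted(rows, key=lambda r: r["Time"])


def baseline_profile(rows, before):
    """IPs, ASNs and countries seen in successful sign-ins before `before`."""
    prof = {"ips": set(), "asns": set(), "locations": set()}
    for r in rows:
        if r["Time"] < before and r["ResultType"] == "0":   # 0 = success
            prof["ips"].add(r["IPAddress"])
            prof["asns"].add(r["AutonomousSystemNumber"])
            prof["locations"].add(r["Location"])
    return prof


def triage(rows, start, end, profile):
    """Sign-ins inside [start, end] whose origin is outside the baseline."""
    checks = (("asns", "AutonomousSystemNumber", "ASN not in baseline"),
              ("locations", "Location", "country not in baseline"),
              ("ips", "IPAddress", "IP not in baseline"))
    findings = []
    for r in rows:
        if not start <= r["Time"] <= end:
            continue
        reasons = [why for key, col, why in checks if r[col] not in profile[key]]
        if reasons:
            ok = r["ResultType"] == "0"
            findings.append({
                "time": r["TimeGenerated"], "ip": r["IPAddress"],
                "asn": r["AutonomousSystemNumber"], "location": r["Location"],
                # 50126 after the reset = attacker retrying with old credentials
                "outcome": "success" if ok else f"failure ({r['ResultType']})",
                "app": r["AppDisplayName"], "reasons": reasons,
            })
    return findings


def key_indicators(findings):
    """Facts for the Summary of Findings block of the evidence record."""
    successes = sum(1 for f in findings if f["outcome"] == "success")
    return {
        "first_anomalous_signin": findings[0]["time"] if findings else None,
        "source_ips": sorted({f["ip"] for f in findings}),
        "successful": successes,
        "failed": len(findings) - successes,
    }


def run_triage():
    rows = parse_signin_csv(SIGNIN_CSV)
    profile = baseline_profile(rows, BASELINE_CUTOFF)
    findings = triage(rows, INCIDENT_START, INCIDENT_END, profile)
    return findings, key_indicators(findings)


if __name__ == "__main__":
    findings, indicators = run_triage()
    for f in findings:
        print(f["time"], f["ip"], f["outcome"], "; ".join(f["reasons"]))
    print(indicators)
```

The in-window sign-in from the office address at 08:30 is not flagged; the two successes from 198.51.100.44 and the failed attempt after the password reset are. Paste those rows, with the indicator summary, into the prompt: Claude then writes prose around facts you have already checked instead of choosing which rows matter.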


Workflow 4: Communication templates

During an incident, you send multiple communications: to affected users, to management, to legal, potentially to regulators. Each audience needs a different message at a different technical level.

<task>Draft 3 incident communications for the AiTM incident.</task>

<incident>AiTM phishing, 5 compromised accounts, contained.</incident>

<communications>
1. Affected users (j.morrison, a.patel, s.khan, r.williams, d.thompson):
   - What happened to their account
   - What we did (password reset, MFA re-registration required)
   - What they need to do (re-register MFA, report any suspicious activity)
   - Reassurance without minimising

2. All-staff security notice:
   - General awareness (phishing campaign targeted the company)
   - What to watch for (similar emails)
   - What to do if they clicked (report immediately)
   - No technical details, no names of compromised users

3. CISO briefing (internal, not for wider distribution):
   - Technical summary (attack vector, scope, containment timeline)
   - Financial impact
   - Gaps identified (Safe Links did not block, inbox rules not detected)
   - Recommended hardening actions with estimated cost
</communications>

Three communications, three audiences, three tones — drafted in a single prompt. Review each for accuracy and organisational tone, then send. The communications that normally take an hour (because you are writing them between investigation steps) take 10 minutes.


Workflow 5: Post-incident review (PIR) preparation

After the incident is closed, the PIR identifies what went well, what failed, and what changes to make. Claude structures the PIR from your notes.

<task>Draft a post-incident review document.</task>

<incident_summary>AiTM phishing, 5 accounts compromised, BEC attempt, £47K payment diverted.</incident_summary>

<what_went_well>
- SOC detected within 18 minutes of first compromise
- Containment completed in 1 hour 15 minutes
- No lateral movement beyond initial compromised accounts
- Evidence preserved correctly (litigation hold, eDiscovery export)
</what_went_well>

<what_failed>
- Safe Links allowed the phishing URL (landing page gated behind a CAPTCHA, which defeated URL detonation)
- Inbox rule creation did not raise an alert (no detection rule for forwarding rules keyed on financial keywords)
- Token revocation did not remove the attacker-consented OAuth app grant on r.williams (revoking sessions does not delete consent grants)
- Payment processed before detection
</what_failed>

<output_format>
Structured PIR with: Summary, Timeline, What Worked, What Failed,
Root Cause Analysis (for each failure: why it failed and what fix prevents recurrence),
Recommendations (prioritised by impact, with estimated cost and timeline),
Action items (assigned owner, due date — leave owner blank for me to fill)
</output_format>

Claude produces a comprehensive PIR document. You fill in the action item owners and due dates, review the root cause analysis for accuracy, and present to leadership. The PIR that normally takes a full day to write takes 2 hours of review and refinement.
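The "what failed" list above records a missed OAuth consent on one account. Session revocation, password reset, inbox-rule removal and consent removal are four separate actions, and a PIR should be able to show each was completed for each compromised user. The script below is an added example, not part of the course material: it walks the five accounts through those four checks over constructed exports and lists whatever is still open. Field names follow Microsoft Graph (user.signInSessionsValidFromDateTime, user.lastPasswordChangeDateTime, messageRule, oauth2PermissionGrant) but the values are made up, grants and rules are keyed by username for readability, and northgate.example is an assumed tenant domain.

```python
"""Eradication completeness check for the compromised accounts.

Added example, not from the course page. Confirms, per user, that sessions
were revoked and the password reset after containment started, that no
inbox rule still sends mail outside the tenant, and that no user-consented
OAuth grant survives. All data below is constructed.
"""
from datetime import datetime, timezone

ORG_DOMAIN = "northgate.example"          # assumed tenant domain
COMPROMISED = ["j.morrison", "a.patel", "s.khan", "r.williams", "d.thompson"]
CONTAINMENT_START = datetime(2026, 3, 18, 10, 15, tzinfo=timezone.utc)
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.Read.All", "offline_access"}


def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# user objects: signInSessionsValidFromDateTime moves forward when sessions
# are revoked, so a value before containment means revocation never happened.
USERS = {
    "j.morrison": {"signInSessionsValidFromDateTime": "2026-03-18T10:16:40Z",
                   "lastPasswordChangeDateTime": "2026-03-18T10:31:05Z"},
    "a.patel":    {"signInSessionsValidFromDateTime": "2026-03-18T10:16:41Z",
                   "lastPasswordChangeDateTime": "2026-03-18T10:32:10Z"},
    "s.khan":     {"signInSessionsValidFromDateTime": "2026-03-18T10:16:42Z",
                   "lastPasswordChangeDateTime": "2026-03-18T10:33:00Z"},
    "r.williams": {"signInSessionsValidFromDateTime": "2026-03-18T10:16:43Z",
                   "lastPasswordChangeDateTime": "2026-03-18T10:34:20Z"},
    "d.thompson": {"signInSessionsValidFromDateTime": "2025-11-02T07:10:00Z",
                   "lastPasswordChangeDateTime": "2026-03-18T10:35:30Z"},
}

# messageRules still present per mailbox after the cleanup. A single
# punctuation character as the rule name is a common attacker pattern.
INBOX_RULES = {
    "a.patel": [{"displayName": ".", "isEnabled": True,
                 "forwardTo": ["finance-update@example.net"],
                 "redirectTo": [], "forwardAsAttachmentTo": []}],
    "s.khan":  [{"displayName": "Move newsletters", "isEnabled": True,
                 "forwardTo": [], "redirectTo": [], "forwardAsAttachmentTo": []}],
}

# oauth2PermissionGrants where the user consented (consentType "Principal").
# These survive session revocation and must be deleted explicitly.
OAUTH_GRANTS = {
    "r.williams": [{"clientId": "11111111-2222-3333-4444-555555555555",
                    "consentType": "Principal",
                    "scope": "Mail.Read Mail.Send offline_access"}],
}


def external(addresses):
    return [a for a in addresses if a.split("@")[-1].lower() != ORG_DOMAIN]


def eradication_gaps():
    """Map of user -> open eradication items; users with none are omitted."""
    gaps = {}
    for user in COMPROMISED:
        open_items = []
        u = USERS[user]
        if ts(u["signInSessionsValidFromDateTime"]) < CONTAINMENT_START:
            open_items.append("sessions not revoked since containment started")
        if ts(u["lastPasswordChangeDateTime"]) < CONTAINMENT_START:
            open_items.append("password not reset since containment started")
        for rule in INBOX_RULES.get(user, []):
            dests = external(rule["forwardTo"] + rule["redirectTo"]
                             + rule["forwardAsAttachmentTo"])
            if dests:   # a disabled rule can be re-enabled, so report it too
                state = "enabled" if rule["isEnabled"] else "disabled"
                open_items.append(f"inbox rule {rule['displayName']!r} sends mail "
                                  f"to {', '.join(dests)} ({state})")
        for grant in OAUTH_GRANTS.get(user, []):
            if grant["consentType"] == "Principal":
                risky = sorted(HIGH_RISK_SCOPES & set(grant["scope"].split()))
                open_items.append(f"user-consented OAuth grant to {grant['clientId']} "
                                  f"persists (scopes: {' '.join(risky)})")
        if open_items:
            gaps[user] = open_items
    return gaps


if __name__ == "__main__":
    for user, items in eradication_gaps().items():
        for item in items:
            print(f"{user}: {item}")
```

On the constructed data it reports three open items: a surviving external forwarding rule, the persisting OAuth grant, and one account whose sessions were never revoked. Paste the output into the PIR prompt as the evidence for the "what failed" entries, rather than letting Claude infer completeness from the containment timestamps.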


The IR Project setup

Create a Project dedicated to incident response:

Project name: Incident Response

System prompt:

You are assisting a SOC analyst with incident response documentation
for a Microsoft 365 environment. All output must be:
- Factual and evidence-based (no speculation about attacker intent)
- Written for dual audience: technical appendix + executive summary
- UK English
- Structured using the standard IR report format:
  Executive Summary → Timeline → Technical Findings →
  Impact Assessment → Containment & Eradication →
  Recommendations → Evidence Appendix
- For CISO communications: no jargon, business impact focus
- For technical sections: precise, timestamped, evidence-referenced

Project Knowledge: Upload your IR report template, your PIR template, and a sample completed IR report (sanitised) as a style reference. Claude will mirror the style of your existing reports.


Iterative refinement — not one-shot generation

The most common mistake with Claude-assisted IR documentation is trying to generate the complete report in a single prompt. This produces shallow, generic output. The effective pattern is iterative:

Pass 1: Structure. “Based on these raw notes, produce the report outline with section headings and 2-3 key points per section.” Review the structure — is anything missing? Are the sections in the right order?

Pass 2: Expand. “Expand the Technical Findings section with the full timeline. Here is the evidence: [paste data].” Review for accuracy — are timestamps correct? Are facts supported by the evidence?

Pass 3: Tone. “Rewrite the Executive Summary for a non-technical board audience. No jargon. Focus on business impact.” Review for clarity — would a non-technical reader understand the business impact?

Pass 4: Quality control. “Review this complete report draft. Identify: any statements not supported by the evidence I provided, any technical jargon in the executive summary, and any recommendations that are vague rather than specific.”

This four-pass approach takes 30-40 minutes and produces a report that would take 4-6 hours to write from scratch. Each pass is focused — Claude does one thing well rather than everything at once.

The quality control pass is the most valuable

Pass 4 — asking Claude to critique its own output — is counterintuitive but effective. Claude's self-critique is more reliable than its self-verification (Module F5). When you ask "is this correct?" Claude says yes. When you ask "what is wrong with this?" Claude identifies genuine issues: unsupported claims, inconsistent timelines, vague recommendations. The critical frame produces better review output than the confirmatory frame.

Try it yourself

Take a real (sanitised) incident you have previously investigated. Write the raw notes in bullet form — timestamps, findings, actions. Run the four-pass workflow above. Compare the final output to the report you actually wrote. Is the Claude-assisted version comparable in quality? Where does it fall short? This calibrates your expectations for Claude-assisted IR documentation and identifies which sections need the most human refinement.

The structure and timeline will be excellent — Claude organises raw notes into a clean chronological narrative effectively. The executive summary will be 80-90% usable — you may need to add business context Claude does not have. The technical findings will be accurate to the data you provided but may include inferences that need removal. The recommendations will be relevant but may be too generic — add specifics for your environment. Overall: the four-pass approach produces a report draft in 30-40 minutes that needs 30-60 minutes of human refinement.

Try it yourself

Take a past incident you have worked (sanitise the details). Write raw investigation notes — timestamps, findings, actions — in bullet form. Paste them into Claude with the timeline reconstruction prompt from Workflow 1. Compare Claude's structured timeline and narrative summary against the report you actually wrote. Is Claude's output usable? What would you change? This calibrates your expectations for Claude-assisted IR documentation.

Claude's timeline will be structurally clean and chronologically accurate (it is reorganising your notes rather than investigating, but still check that no detail has been added that your notes do not contain). The narrative summary will be 80-90% usable — you may need to adjust tone, add business context Claude does not have, or correct a technical detail. The time saving: the structured timeline takes 5 minutes with Claude vs 30 minutes manually. The narrative summary takes 5 minutes of review vs 20 minutes of drafting.


Knowledge checks

Check your understanding

1. Claude drafts an executive summary that states "the attacker accessed 47 emails containing sensitive financial data." Your evidence shows 47 MailItemsAccessed events — but you have not verified the content of those emails. Should you include Claude's statement in the report?

- No — revise to match the evidence
- Yes — 47 accessed emails likely contain financial data
- Remove the number — just say "several emails"

Answer: No — revise to match the evidence. Your evidence shows 47 email access events. You do not know the content of those emails unless you reviewed them individually. The accurate statement is: "The attacker accessed 47 emails from the compromised mailbox. A content review of the accessed emails is recommended to determine the sensitivity of exposed data." Claude escalated the finding beyond what the evidence supports. This is a common pattern — Claude infers plausible details that sound right but are not verified.

2. You are writing an IR report and the CISO needs it in 3 hours. You have raw investigation notes but have not started the report. What is the fastest Claude-assisted approach?

- Paste the raw notes into Claude section by section, using the specialised prompts for each
- Write the report manually — Claude is too slow
- Ask Claude to write the entire report in one prompt

Answer: Section by section. Paste all raw notes into Claude with the timeline reconstruction prompt (Workflow 1). Then use separate prompts for: executive summary (Workflow 2), evidence documentation (Workflow 3), and recommendations. Review each section for accuracy. Assemble the sections into your report template. Total time: 1.5-2 hours — within the 3-hour deadline. The key: do not try to write the report in one prompt. Break it into sections and use specialised prompts for each.

Key takeaways

Claude is an IR documentation co-pilot, not an investigator. It drafts reports while you investigate. The investigation remains human-driven.

Section-by-section prompting beats single-prompt reports. Break the report into: timeline, executive summary, evidence, recommendations. Specialised prompts produce better output than “write me an IR report.”

Every Claude-drafted statement must be verified against evidence. Claude infers plausible details that may not be supported by your actual evidence. The verification step is non-negotiable for official reports.

Set up an IR Project with your templates. Claude mirrors the style of your existing reports when given examples. One-time setup, permanent time savings.