Practitioner-built · Free · No account needed
The Digital Sentinel
AI Prompt Library for Blue Teamers
← Back to library

// About this prompt

SOC analyst receives a SIEM alert for suspicious authentication and process activity on a finance workstation. Correlated telemetry includes impossible travel, MFA push fatigue, rare process execution

// Prompt

You are an expert SOC investigator reviewing a triggered SIEM detection.

Analyze the alert in full context and determine:

Whether the alert is true positive, false positive, or benign true positive
The likely attack stage
The risk to the organization
Whether escalation is required

You must correlate:

Authentication events
Host telemetry
Process execution
User behavior
Threat intelligence
Historical baselines
Geographic anomalies
Asset criticality
Previous alerts tied to the same entities

Focus areas:

Impossible travel
MFA fatigue
Token theft
Pass-the-hash
Kerberoasting
Password spraying
Beaconing
Suspicious parent-child processes
Rare processes
Command-and-control traffic
Abnormal data transfers
Privileged account misuse

Requirements:

Explain your reasoning clearly
Identify weak indicators versus strong indicators
Mention if additional telemetry is needed
Provide confidence levels
Avoid generic recommendations

Output format:

Alert Summary
Evidence Reviewed
Key Findings
Confidence Assessment
Threat Actor Tradecraft Observed
ATT&CK Techniques
Scope of Potential Compromise
Containment Recommendations
Escalation Decision
Final Verdict

Alert 
[paste SIEM alert, raw logs, correlation rule, entities, timestamps, and supporting telemetry]

// Evaluation scores

Structure5/5
Relevance5/5
Actionability5/5
Total  15/15

// MITRE ATT&CK

T1078T1110.003T1557T1558.003T1071.001

// AI evaluation output

**Alert Summary**
SIEM rule "Privileged Auth + Rare Process + Outbound C2 Pattern" triggered for user `fharmon` (Finance Manager) on host `FIN-WS-047` at 2024-11-14 02:17 UTC.

---

**Evidence Reviewed**
- Auth logs: Successful Azure AD login from `185.220.101.47` (Tor exit node, NL) at 02:14 UTC; prior login from `10.4.2.88` (internal, Chicago) at 21:55 UTC same day — **8hr 19min, ~7,400km gap**
- MFA logs: 7 push denials between 01:58–02:13 UTC, 1 approval at 02:14 UTC (MFA fatigue pattern)
- EDR: `FIN-WS-047` spawned `rundll32.exe` → `powershell.exe -enc [base64]` at 02:19 UTC; parent: `outlook.exe` (suspicious parent-child)
- Network: Periodic outbound HTTPS to `cdn-update[.]io` (185.220.44.12) every 57s for 22 minutes — beaconing interval
- TI: `185.220.101.47` flagged in 3 threat feeds (Tor, brute-force source); `cdn-update[.]io` registered 6 days ago, no legitimate CDN association
- Asset: `FIN-WS-047` has access to ERP and payroll systems — **critical asset**
- Historical baseline: `fharmon` has zero prior after-hours logins; no prior alerts

---

**Key Findings**
- **Strong indicators:** Impossible travel, MFA fatigue bypass, Tor-sourced auth, beaconing cadence, malicious TI hits, suspicious process chain
- **Weak indicators:** No confirmed lateral movement yet; encoded PowerShell payload not yet decoded

---

**Confidence Assessment:** **High (90%)** — True Positive

**Threat Actor Tradecraft Observed**
Credential stuffing or phishing → MFA fatigue → token/session abuse → living-off-the-land execution → C2 establishment

**ATT&CK Techniques**
- T1078 – Valid Accounts
- T1110.003 – Password Spraying
- T1621 – MFA Request Generation (fatigue)
- T1059.001 – PowerShell
- T1071.001 – Web Protocol C2

**Scope of Potential Compromise**
`fharmon` session, `FIN-WS-047`, potential ERP/payroll access — blast radius HIGH

**Containment Recommendations**
1. Immediately revoke `fharmon` all active sessions and reset credentials
2. Isolate `FIN-WS-047` from network (preserve memory image first)
3. Block `185.220.44.12` and `cdn-update[.]io` at proxy/firewall
4. Decode base64 PowerShell payload for IOC extraction
5. Audit ERP/payroll access logs for `fharmon` last 72hrs

**Additional Telemetry Needed:** Decoded payload, SMB lateral movement logs, ERP access audit trail

**Escalation Decision:** **ESCALATE IMMEDIATELY** — Tier 2/IR team + Finance stakeholder notification

**Final Verdict:** True Positive — Active intrusion in progress, C2 established, critical asset at risk