Practitioner-built · Free · No account needed
The Digital Sentinel
AI Prompt Library for Blue Teamers
50 prompts  ·  0 community-submitted
Prompt required · min 20 chars
0 / 1500
Handle optional
Description optional
Evaluation takes 15-30 seconds.
Submissions are rate limited.
// Scoring Dimensions
Structure · 0–5
Does the prompt define a role, provide operational context, set explicit constraints, and specify an output format? All four for a 5.
Relevance · 0–5
Is this genuinely useful to a practitioner in IR, detection engineering, threat hunting, or threat intelligence? Generic prompts score 1-2.
Actionability · 0–5
Would the output be immediately usable in a real ticket, rule, hunting query, or intel report without significant editing? Output ready to paste into a live investigation scores 5. Requires heavy editing or missing key context scores 1–2.
// After submission

Pass — your prompt enters the moderation queue. If approved, it appears in the library credited to your handle.

Fail — you get an instant score breakdown and feedback on what to improve. Revise and resubmit.

FAIL  S:2 · R:3 · A:2 = 7/15
Role defined but no output format. Generic scenario. Output would need significant editing.
PASS  S:5 · R:4 · A:4 = 13/15
Clear role, constrained scope, specific output structure. Immediately usable in an active investigation.
// Early access

Actively developed. The scoring, scenarios, and evaluation criteria evolve based on practitioner feedback.

If something doesn't work as expected — wrong verdict, confusing feedback, anything — tell us. Your feedback directly shapes what this becomes.

// Example — a real submission that passed

This is what your score receipt looks like. Real prompt, real scenario, real output — permanently attached to the submission.

PASS Persistence Mechanism Sweep @kieran  ·  Hunting
4
Structure
/5
5
Relevance
/5
3
Actionability
/5
12
Total
/15
// Submitted prompt
You are an incident responder hunting persistence across a compromised Windows environment.

Write SPL to detect the following persistence techniques:
- Scheduled tasks created by non-admin users or from unusual paths (Event ID 4698)
- New services with suspicious binary paths — unsigned, temp dirs, user profiles (Event ID 7045)
- Registry run key writes (Sysmon Event ID 13: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and equivalent)
- Files dropped in startup folders (Sysmon Event ID 11)
- WMI event subscription creation (Sysmon Event ID 19, 20, 21)

Filter known management tools: {{known_baselines}}
IOCs to cross-reference: {{ioc_list}}
Time window: {{time_range}}

Output: host, user, technique, artifact_name, artifact_path, created_at, parent_process, signed
// Scenario

Windows IR engagement: analyst hunting persistence across 3 endpoints after a phishing compromise. Baselines exclude SCCM/Intune. IOCs include two suspicious hashes and a C2 domain. Time window: last 72 hours.

T1053.005 T1543.003 T1547.001 T1547.009 T1546.003
// Prompt in Action
**Scenario:** Hosts: WS-FINOPS01, WS-DEVBOX03, SRV-JUMP02 | User: jharper, svc_deploy | Baselines: SCCM, Intune | IOCs: hash=4a3b...f91c, domain=update-cdn[.]xyz | Window: last 72h

```spl
index=wineventlog OR index=sysmon earliest=-72h
| eval technique=case(
    source="WinEventLog:Security" AND EventCode=4698, "T1053.005 - Scheduled Task",
    source="WinEventLog:System"   AND EventCode=7045, "T1543.003 - New Service",
    source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=13, "T1547.001 - Registry Run Key",
    source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=11, "T1547.009 - Startup Folder",
    source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode IN (19,20,21), "T1546.003 - WMI Subscription",
    true(), null()
  )
| where isnotnull(technique)
| where NOT match(coalesce(ParentImage,ServiceFileName,Image,""), "(?i)(sccm|ccmexec|intunemanagement)")
| eval ioc_hit=if(match(coalesce(Hashes,TargetFilename,ImagePath,""), "4a3bf91c") OR
                  match(coalesce(CommandLine,ServiceFileName,""), "update-cdn\[?\.\]?xyz"), "YES", "NO")
| where technique!="T1053.005 - Scheduled Task" OR
        match(coalesce(TaskContent,CommandLine,""), "(?i)(\\temp\\|\\appdata\\|\\users\\|\.ps1|\.vbs|\.bat)")
| where technique!="T1543.003 - New Service" OR
        match(ServiceFileName, "(?i)(\\temp\\|\\appdata\\|\\users\\)")
| eval signed=coalesce(Signed, "unknown")
| table _time host user technique
        coalesce(TaskName,ServiceName,TargetObject,TargetFilename,Name) AS artifact_name
        coalesce(CommandLine,ServiceFileName,Details,TargetFilename,Query) AS artifact_path
        ParentImage AS parent_process signed ioc_hit
| rename _time AS created_at
| sort -ioc_hit created_at
```
**Note:** Replace placeholder IOC values and baseline strings before deployment. Validate field names against your Sysmon schema version.
// Prompt Library
Practitioner-vetted prompts
IR, Detection Engineering, Threat Hunting, and Threat Intel. Copy-paste ready.
Browse the Library