Security monitoring and incident response prompts

Design a SIEM architecture for [organization size] using [Splunk/ELK/Azure Sentinel/Chronicle/QRadar]. Include:
- Log sources and collection strategy (endpoints, network, cloud, applications, identity)
- Log forwarding architecture (agents, syslog, API)
- Data retention policy (90 days hot, 1 year warm, 7 years cold for compliance)
- Parsing and normalization rules
- Correlation rules for threat detection
- Dashboard design (SOC, executive, compliance)
- User access controls (analyst, admin, auditor roles)
- High availability and disaster recovery
- Sizing and cost estimation
- Integration with SOAR and ticketing

Map to ISO 27001 A.12.4, SOC 2 CC7.2, NIST SP 800-92.

Create a SOC implementation plan for [organization type]. Include:
- SOC model (in-house, outsourced, hybrid, virtual)
- Team structure and roles (Tier 1/2/3 analysts, manager, threat intel)
- Technology stack (SIEM, EDR, SOAR, threat intel, case management)
- Operating procedures (shift schedule, escalation, handoffs)
- Playbooks for common scenarios
- Metrics and KPIs (MTTD, MTTR, false positive rate, coverage)
- Training and skill development plan
- Integration with incident response and IT operations
- Continuous improvement process
- Compliance requirements (ISO 27001 A.16.1, SOC 2 CC7.3)

Output as implementation roadmap and budget estimate.

Design a log management strategy for [environment]. Include:
- Log sources inventory (by criticality and compliance requirement)
- Collection methods (native logging, agents, forwarders)
- Log format standardization (JSON, CEF, syslog)
- Centralized storage architecture
- Retention policy by log type (security: 1 year, compliance: 7 years, operational: 90 days)
- Access controls and encryption
- Backup and disaster recovery for logs
- Search and analysis capabilities
- Cost optimization (tiered storage, compression)
- Compliance mapping (ISO 27001 A.12.4.1, SOC 2 CC7.2, GDPR Art. 30)

Include storage sizing calculator and retention matrix.

Create security alert rules for [SIEM platform] covering [environment type]. Include rules for:
- Failed authentication (threshold-based, account lockout)
- Privilege escalation and sudo usage
- Anomalous network traffic (data exfiltration, C2 communication)
- Malware and ransomware indicators
- Insider threat behaviors (unusual file access, after-hours activity)
- Cloud misconfigurations (public S3, disabled logging)
- Vulnerability exploitation attempts
- DDoS and denial of service
- Data breach indicators
- Compliance violations

For each rule, specify: severity, condition, threshold, correlation logic, and response action. Map to MITRE ATT&CK framework.

Design User and Entity Behavior Analytics (UEBA) for [organization]. Include:
- Baseline behavior modeling (per user, per system)
- Anomaly detection algorithms (statistical, machine learning)
- Risk scoring methodology
- Use cases (compromised account, insider threat, lateral movement)
- Integration with SIEM and identity systems
- Alert tuning and false positive reduction
- Investigation workflow for anomalies
- Continuous model training and improvement
- Privacy considerations (anonymization, data minimization)
- Compliance alignment (ISO 27001 A.16.1, SOC 2 CC7.3)

Output as technical specification and deployment plan.

Create threat intelligence program for [organization]. Include:
- Intelligence sources (commercial feeds, open source, ISACs, government)
- Indicators of Compromise (IOC) types (IP, domain, hash, URL, email)
- Integration with security tools (SIEM, firewall, EDR, email gateway)
- Automated IOC enrichment and contextualization
- Threat actor and campaign tracking
- Intelligence sharing participation (anonymized contribution)
- Analyst workflow for intelligence consumption
- Metrics (IOC hit rate, threat coverage, MTTD improvement)
- Platform selection ([MISP/ThreatConnect/Anomali/commercial])
- STIX/TAXII implementation

Align with ISO 27001 A.16.1.4, SOC 2 CC7.3.

Design EDR/XDR deployment for [organization] using [CrowdStrike/SentinelOne/Microsoft Defender/Carbon Black]. Include:
- Deployment scope (workstations, servers, cloud workloads, containers)
- Agent deployment method (GPO, SCCM, Intune, cloud init scripts)
- Configuration and policy settings
- Detection and prevention mode strategy
- Integration with SIEM and SOAR
- Alert triage and investigation workflow
- Threat hunting capabilities
- Automated response actions (isolate, quarantine, kill process)
- Performance impact assessment and tuning
- Compliance evidence collection (ISO 27001 A.12.2, SOC 2 CC7.2)

Include deployment timeline and success criteria.

Create endpoint monitoring and hardening strategy for [OS types]. Include:
- Security baseline configuration (CIS Benchmarks)
- Monitoring requirements (process execution, network connections, file changes, registry modifications)
- Application allowlisting/blocklisting
- Removable media controls
- Full disk encryption enforcement
- Antivirus/antimalware configuration
- Firewall rules
- Patch management integration
- Configuration drift detection
- Audit logging and forwarding to SIEM

Map to ISO 27001 A.8.9, A.12.2, A.12.6, SOC 2 CC6.8.

Create a comprehensive incident response plan for [organization] compliant with [ISO 27001/SOC 2/GDPR/NIST]. Include:
- Incident response team structure (CIRT/CSIRT) and roles
- Incident classification and severity levels
- Response phases (Preparation, Detection, Analysis, Containment, Eradication, Recovery, Post-Incident)
- Communication plan (internal escalation, external notification, media)
- Decision trees for common incident types
- Evidence preservation and chain of custody
- Legal and regulatory notification requirements (GDPR 72 hours)
- Business continuity integration
- Tabletop exercise schedule (quarterly)
- Continuous improvement process
- Compliance documentation (ISO 27001 A.17.1, SOC 2 CC7.4-CC7.5)

Output as plan document and quick reference guide.

Generate incident response playbooks for [incident types]. For each, include:

1. Ransomware attack
2. Data breach/exfiltration
3. Phishing/Business Email Compromise
4. DDoS attack
5. Insider threat
6. Malware infection
7. Compromised credentials
8. Cloud account takeover
9. Supply chain compromise
10. Zero-day exploitation

Each playbook should cover: detection indicators, immediate containment steps, investigation procedures, eradication actions, recovery process, stakeholder communication, and lessons learned template.

Map to ISO 27001 A.17.1, SOC 2 CC7.4, NIST SP 800-61.

Design incident ticketing system for security events using [Jira/ServiceNow/TheHive/custom]. Include:
- Ticket fields (severity, category, affected systems, timeline, actions taken)
- Workflow states (New → Assigned → Investigating → Contained → Resolved → Closed)
- SLA by severity (Critical: 1 hour response, High: 4 hours, etc.)
- Assignment rules and escalation
- Integration with SIEM and SOAR (auto-ticket creation)
- Evidence attachment and documentation
- Reporting and metrics dashboard
- Audit trail for compliance
- Post-incident review tracking
- Knowledge base integration

Align with ISO 27001 A.17.1, SOC 2 CC7.4.

Create digital forensics procedures for [organization]. Include:
- Forensic readiness program (logging, retention, tools)
- Evidence identification and preservation
- Chain of custody documentation
- Forensic imaging (disk, memory, network)
- Analysis tools and techniques
- Legal and regulatory considerations
- Reporting format and findings documentation
- Third-party forensic firm engagement criteria
- Training requirements for IR team
- Lab setup (physical or cloud-based)
- Compliance requirements (ISO 27001 A.17.1.3)

Output as procedure document and evidence collection kit checklist.

Design malware analysis capability for [organization]. Include:
- Triage process (automated sandbox analysis)
- Static analysis techniques (strings, PE analysis, decompilation)
- Dynamic analysis (isolated VM, behavior monitoring)
- Reverse engineering tools and skills
- IOC extraction and documentation
- Threat intelligence correlation
- Findings dissemination (internal alert, IOC sharing)
- Safe handling procedures
- Commercial vs. in-house capability decision
- Integration with incident response

Map to ISO 27001 A.16.1, SOC 2 CC7.3.

Create incident communication plan for [organization]. Address:
- Stakeholder identification (executives, legal, PR, customers, regulators, employees)
- Communication triggers and timing by severity
- Message templates (internal notification, customer notification, regulatory report, public statement)
- Approval workflow and authorized spokespersons
- Channel selection (email, portal, press release, social media)
- Escalation criteria
- Legal review requirements
- Translation needs for global organizations
- Post-incident communication (all-clear, lessons learned)
- Compliance with notification laws (GDPR Art. 33-34, state breach laws)

Include templates and contact list.

Design GDPR-compliant data breach notification procedure. Include:
- Breach detection and initial assessment (within hours)
- Severity classification (high risk to rights and freedoms?)
- 72-hour notification to supervisory authority (DPA) requirements
- Individual notification criteria and methods
- Required information in notifications (nature, consequences, measures)
- Documentation requirements (breach register)
- DPO involvement and coordination
- Cross-border breach handling (lead authority)
- Exemptions (encryption, minimal risk)
- Post-notification regulatory interaction

Map to GDPR Articles 33-34, ISO 27001 A.17.1.

Define security operations metrics for [organization]. Include:

Detection metrics:
- Mean Time to Detect (MTTD)
- Alert volume and false positive rate
- Coverage (% of assets monitored)
- Threat detection accuracy

Response metrics:
- Mean Time to Respond (MTTR)
- Mean Time to Contain (MTTC)
- Incident volume by severity
- SLA compliance rate

Operational metrics:
- SIEM uptime and data ingestion rate
- SOC ticket backlog
- Escalation rate
- Staff utilization

Program metrics:
- Tabletop exercise completion
- Playbook coverage
- Training completion
- Audit findings

Include dashboard design and reporting frequency. Map to ISO 27001 A.18.2.3, SOC 2 CC4.1.

Create post-incident review process for [organization]. Include:
- Review trigger criteria (all incidents, severity threshold)
- Meeting participants (IR team, affected teams, management)
- Review template (timeline, root cause, effectiveness of response, gaps)
- Blameless culture principles
- Action item tracking and accountability
- Process improvement recommendations
- Documentation and knowledge base update
- Metrics analysis (MTTD, MTTR trends)
- Scheduled follow-up on actions
- Compliance documentation (ISO 27001 A.17.1.3, SOC 2 CC7.5)

Output as review template and action tracking spreadsheet.

Design proactive threat hunting program for [organization]. Include:
- Hunting team roles and skills
- Hypothesis-driven hunting methodology
- Data sources and hunting platforms
- Hunting scenarios aligned with threat landscape
- Tools and techniques (SIEM queries, EDR, network analysis)
- Cadence (weekly hunts, monthly campaigns)
- Documentation of findings (even if no threats found)
- IOC and TTP library development
- Integration with threat intelligence
- Metrics (threats discovered, dwell time reduction)
- Compliance value (ISO 27001 A.16.1, SOC 2 CC7.3)

Include hunt scenario templates and reporting format.

Create deception technology strategy using [honeypots/honeytokens/canary tokens]. Include:
- Deployment locations (network segments, cloud, endpoints)
- Decoy types (fake servers, databases, credentials, documents)
- Interaction levels (low/medium/high interaction)
- Alert integration with SIEM
- Threat intelligence collection from attacker activity
- Legal and privacy considerations
- Maintenance and updating of decoys
- Differentiation from production (prevent accidental access)
- Analysis of attacker techniques
- ROI justification

Map to ISO 27001 A.16.1, SOC 2 CC7.3.