Prompt Chain: Multi-Step Security Incident Investigation
What This Builds
A structured prompt chain — a sequence of connected AI prompts where each step's output feeds into the next — for investigating a security incident from first alert to final report. Instead of one giant prompt that produces a generic response, you work through five focused steps: initial triage, evidence collection guidance, attack timeline reconstruction, threat actor attribution, and final incident report. Each step builds on the last, producing a complete, documented investigation.
Prerequisites
- Claude Pro at claude.ai ($20/month) — needed for the longer context to hold the full chain
- A real or simulated incident to practice on
- Your investigation notes from a current or past alert
The Concept
A prompt chain is like a recipe — you follow steps in order, and each step produces an ingredient that the next step uses. A single prompt asking "analyze this incident" produces surface-level output. A chain of five specific prompts — where step 3 knows what step 2 found — produces deep, connected analysis. Think of each prompt as a different specialist handing off their findings to the next person on the team.
Build It Step by Step
Part 1: Set Up Your Investigation Chain Document
Create a template you'll reuse for every investigation. Open Claude Pro and paste this setup at the start of every investigation session:
I'm going to walk through a security incident investigation using a 5-step chain. Each step will build on the previous one. Please be specific, reference what you've already established, and don't repeat yourself between steps. Ask me for more information if something critical is missing.
My environment:
- SIEM: [your SIEM]
- EDR: [your EDR]
- Industry: [your industry]
- Compliance: [your frameworks]
Part 2: Step 1 — Initial Triage
Paste this prompt with your alert details:
STEP 1 — INITIAL TRIAGE
Alert details:
[Paste the raw alert or SIEM notification — rule name, triggering events, timestamp, source/destination, user, severity]
Assess this alert. Tell me:
1. Is this likely a true positive, false positive, or ambiguous? Give a confidence level.
2. What attack technique does this alert suggest? Map to MITRE ATT&CK if applicable.
3. What is the potential business impact if this is real?
4. What are the 3 most important things I should investigate next to confirm or deny?
5. What's my recommended immediate action right now — investigate, contain, escalate, or dismiss?
Label your response: TRIAGE ASSESSMENT
Part 3: Step 2 — Evidence Collection Guidance
After Claude gives you the triage assessment, run this prompt:
STEP 2 — EVIDENCE COLLECTION
Based on your triage assessment above, tell me specifically what evidence to collect. For each evidence source, tell me exactly what to look for:
1. SIEM/Log evidence: What specific queries should I run? What time window? What fields matter?
2. Endpoint evidence (EDR): What process tree details, network connections, or file artifacts should I examine on [affected system name]?
3. Identity/AD evidence: What authentication events, group membership changes, or token activities should I check for [affected user]?
4. Network evidence: What outbound connections, DNS queries, or firewall logs are relevant?
5. Email evidence: Is email a likely initial access vector? If so, what should I check?
Write the queries in [Splunk SPL / Sentinel KQL] where applicable.
Label your response: EVIDENCE COLLECTION PLAN
At this point, actually go collect the evidence. Paste what you find into step 3.
Part 4: Step 3 — Attack Timeline Reconstruction
STEP 3 — TIMELINE RECONSTRUCTION
Here is the evidence I collected based on your guidance:
[Paste your collected log excerpts, EDR findings, and other evidence here]
Based on this evidence and your previous analysis, reconstruct the attack timeline in chronological order. For each event:
- Timestamp
- What happened (in plain language)
- Significance (why does this matter?)
- MITRE ATT&CK technique if applicable (tactic: technique)
- Confidence level (confirmed / likely / suspected)
Then tell me: What is still unknown? What evidence gaps do I have?
Label your response: ATTACK TIMELINE
Part 5: Step 4 — Threat Actor and Attribution Analysis
STEP 4 — THREAT ACTOR CONTEXT
Based on the attack timeline and techniques identified:
1. What threat actor profiles match this pattern? (Nation-state, financially motivated, insider, opportunistic)
2. Are there TTPs that suggest a specific known group or malware family?
3. Is this targeted (against our specific organization) or opportunistic (mass scanning)?
4. What is the most likely initial access vector based on evidence?
5. What is the attacker's likely objective — ransomware, data theft, espionage, persistence, disruption?
6. What would the attacker's next logical step be if we don't contain now?
Label your response: THREAT CONTEXT
Part 6: Step 5 — Incident Report Generation
STEP 5 — FINAL INCIDENT REPORT
Using everything established in steps 1-4 above, write a complete formal incident report.
Sections required:
1. Incident ID: INC-[today's date]-[assign a number]
2. Classification: Severity [1-4], Type [ransomware/phishing/unauthorized access/etc]
3. Executive Summary (3 sentences, non-technical, suitable for CISO)
4. Timeline of Events (use the reconstructed timeline from step 3)
5. Affected Systems and Users
6. Root Cause
7. Attack Technique Summary (MITRE ATT&CK mapping)
8. Actions Taken (I will fill this in — write [PLACEHOLDER: CONTAINMENT ACTIONS] and [PLACEHOLDER: RECOVERY ACTIONS])
9. Gaps and Detection Failures (what could we have caught earlier?)
10. Recommendations (3-5 specific, actionable items)
11. Lessons Learned
Write in formal, third-person, professional tone.
Label your response: INCIDENT REPORT
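The five steps above form one chain in which each prompt depends on what the earlier ones established. As an added example that is not part of this guide, the Python harness below holds the chain as data, fills the environment header once, carries every accepted labelled output into the next prompt together with the re-anchor line, and refuses to produce a prompt that still contains an unfilled [placeholder]. The step bodies are abbreviated stand-ins for the full prompts, and the Chain class and its method names are my own.

```python
import re
from dataclasses import dataclass, field

# Lowercase [placeholders] must be filled before a prompt goes out; uppercase ones such as
# [PLACEHOLDER: CONTAINMENT ACTIONS] are deliberately left for the model or the analyst.
PLACEHOLDER = re.compile(r"\[[a-z][^\]]*\]")

SETUP = ("I'm going to walk through a security incident investigation using a 5-step chain. "
         "Do not invent facts; use [PLACEHOLDER] if information is missing.\n"
         "My environment:\n- SIEM: [siem]\n- EDR: [edr]\n- Industry: [industry]\n- Compliance: [compliance]")

STEPS = [  # (label the reply must carry, abbreviated stand-in for the guide's prompt body)
    ("TRIAGE ASSESSMENT", "STEP 1 - INITIAL TRIAGE\nAlert details:\n[alert]\nAssess this alert."),
    ("EVIDENCE COLLECTION PLAN", "STEP 2 - EVIDENCE COLLECTION\nWhat should I examine on "
     "[affected system] and for [affected user]? Write queries in [query language]."),
    ("ATTACK TIMELINE", "STEP 3 - TIMELINE RECONSTRUCTION\nEvidence collected:\n[evidence]\n"
     "Reconstruct the attack timeline with confidence levels and evidence gaps."),
    ("THREAT CONTEXT", "STEP 4 - THREAT ACTOR CONTEXT\nProfile the actor from the timeline."),
    ("INCIDENT REPORT", "STEP 5 - FINAL INCIDENT REPORT\nWrite the formal report from steps 1-4."),
]

@dataclass
class Chain:
    values: dict                                 # placeholder name -> analyst-supplied text
    outputs: dict = field(default_factory=dict)  # label -> model reply already accepted

    def fill(self, text):
        return PLACEHOLDER.sub(lambda m: self.values.get(m.group(0)[1:-1], m.group(0)), text)

    def prompt(self, n):
        """Text to paste for step n (1-based); raises if a prerequisite or placeholder is missing."""
        label, body = STEPS[n - 1]
        own = ([self.fill(SETUP)] if n == 1 else []) + [self.fill(body)]
        missing = sorted({m for piece in own for m in PLACEHOLDER.findall(piece)})
        if missing:
            raise ValueError(f"unfilled placeholders: {missing}")
        carried = []
        for prev_label, _ in STEPS[:n - 1]:
            if prev_label not in self.outputs:
                raise ValueError(f"step {n} needs the {prev_label} from an earlier step")
            carried.append(f"{prev_label}:\n{self.outputs[prev_label]}")
        if carried:  # the guide's fix for lost context: restate what is already established
            carried.append(f"Based on everything established above, specifically the {STEPS[n - 2][0]}:")
        return "\n\n".join(own[:-1] + carried + own[-1:]) + f"\n\nLabel your response: {label}"

    def record(self, label, reply):
        """Accept a reply only if it carries the label its prompt asked for."""
        if not reply.lstrip().startswith(label):
            raise ValueError(f"reply is not labelled {label}; re-anchor and ask again")
        self.outputs[label] = reply
```

Call prompt(n), paste the text into the session, then record(label, reply) before moving to step n+1; a reply that does not start with the requested label is the first sign that the model has lost the chain.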
Real Example: Phishing to Credential Theft Investigation
Setup: Alert fires — suspicious Azure AD sign-in for finance employee from unfamiliar location.
What you input to Step 1:
Alert: Azure AD Conditional Access blocked sign-in for mwilliams@company.com from IP 45.139.122.8 (geolocation: Ukraine). User's normal location: Chicago, IL. Time: 2026-03-20 02:17 UTC. MFA was not prompted (suggests legacy auth bypass or session token).
Step 1 output (Claude): True positive, high confidence. Technique: T1078 (Valid Accounts) + T1550.001 (Application Access Token). Business impact: finance employee with access to accounts payable system. Immediate action: disable account and revoke all active sessions.
Step 2 output (Claude): Queries for the 48 hours before the suspicious login — what was this user doing? Check for phishing emails received 2-3 days before. Check if a token was issued via OAuth to a third-party app.
You collect: Found phishing email 2 days ago, user clicked, found OAuth app consent to a malicious app, token was stolen via the app.
Step 3 output: Complete timeline from phishing receipt → click → OAuth consent → token theft → attacker access.
Step 4 output: Financially motivated, likely targeting accounts payable for Business Email Compromise. Next step would be changing payment details in AP system.
Step 5 output: Complete incident report, ready for CISO review, with [PLACEHOLDER] markers for the two actions you're still completing.
Time saved: A full investigation that would take 3 hours of writing and documentation is completed in 45 minutes of investigation + 15 minutes of prompt execution.
What to Do When It Breaks
- Claude loses context from early steps → Add "Based on everything established above in Steps 1-3, specifically [key finding]..." at the start of later prompts to re-anchor context.
- Step 5 report is too generic → Go back and add more specific evidence in steps 2-3. The report quality is directly proportional to the evidence you feed in.
- Claude makes up evidence not in your notes → Add to your step 1 prompt: "Do not invent facts. Use [PLACEHOLDER] if information is missing." If Claude continues, add: "I will fact-check every claim against my actual investigation data."
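The third failure above is the one worth automating: a report that cites an IP, address, hash or timestamp you never collected is an invented fact. The following check is an added example, not part of this guide. It extracts those indicator types from the Step 5 report, lists any that do not appear in your evidence notes, and confirms the two [PLACEHOLDER] markers survived. The sample notes and report are constructed for the example, reusing the guide's example alert plus a second sign-in that was never in the evidence.

```python
import re

# Indicator patterns. Timestamps are normalised to "YYYY-MM-DD HH:MM" so that
# "2026-03-20T02:17:00Z" in a report still matches "2026-03-20 02:17 UTC" in the notes.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "hash": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),
    "timestamp": re.compile(r"\b\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(?::\d{2})?\b"),
}
REQUIRED_MARKERS = ("[PLACEHOLDER: CONTAINMENT ACTIONS]", "[PLACEHOLDER: RECOVERY ACTIONS]")

def indicators(text):
    """Set of (kind, value) pairs that a reader would take as factual claims."""
    found = set()
    for kind, pat in PATTERNS.items():
        for value in pat.findall(text):
            if kind == "timestamp":
                value = value.replace("T", " ")[:16]
            elif kind == "hash":
                value = value.lower()
            found.add((kind, value))
    return found

def unsupported_claims(report, evidence_notes):
    """Indicators the report states but the analyst's notes never contain."""
    return sorted(indicators(report) - indicators(evidence_notes))

def missing_markers(report):
    """Placeholders the Step 5 prompt asked the model to leave for the analyst."""
    return [m for m in REQUIRED_MARKERS if m not in report]

# Constructed sample input (not a real case): the alert line follows the guide's example;
# the second sign-in in the report was never in the evidence.
EVIDENCE = """Alert: Conditional Access blocked sign-in for mwilliams@company.com from
45.139.122.8 at 2026-03-20 02:17 UTC. Mailbox: phishing mail received 2026-03-18 14:05 UTC
from billing@invoice-portal.example; OAuth consent to 'Invoice Viewer' at 2026-03-18 14:11 UTC."""

REPORT = """mwilliams@company.com opened a phishing mail from billing@invoice-portal.example
on 2026-03-18T14:05:00Z and consented to a malicious OAuth app at 2026-03-18 14:11 UTC.
The stolen token was used from 45.139.122.8 at 2026-03-20 02:17 UTC and again from
203.0.113.77 at 2026-03-20 03:40 UTC. [PLACEHOLDER: CONTAINMENT ACTIONS]"""

if __name__ == "__main__":
    for kind, value in unsupported_claims(REPORT, EVIDENCE):
        print(f"not in evidence: {kind} {value}")
    print("missing markers:", missing_markers(REPORT))
```

Anything the check flags goes back into the chain as a correction prompt, or gets struck from the report before it reaches the CISO.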
Variations
- Simpler version: Use only Steps 1, 3, and 5 — triage, timeline, and report. Skip the evidence guidance and attribution for low-severity incidents.
- Extended version: Add a Step 6: "Write a 5-minute verbal briefing I can give to my CISO right now." Produces a structured talking track for real-time executive communication during active incidents.
What to Do Next
- This week: Practice the full chain on a past incident where you already know the answers — compare Claude's output to what actually happened
- This month: Customize the prompts for your 3-5 most common incident types (phishing, ransomware, insider threat, cloud misconfiguration) — the more specific the prompt, the better the output
- Advanced: Combine this prompt chain with your Claude Project (Level 4, Guide 1) — your Project's organizational context plus this structured chain gives you the best of both approaches
Advanced guide for cybersecurity analyst professionals. These techniques use more sophisticated AI features that may require paid subscriptions.