The AI Assistant supports natural language inputs, but the way you phrase your prompt significantly impacts the depth and clarity of the response. This guide outlines best practices for composing prompts that target the right data, ask the right questions, and deliver actionable results.

Essential Elements of a Good Prompt

• Clarity and Focus

  • Specify exactly what you want. Include names, IDs, or timestamps if known.

  • Avoid vague phrases like "tell me everything about threats."

• Contextual Details

  • Tie your question to current objectives (e.g., investigating a detection, running a specific endpoint query).

  • Mention relevant data points (IPs, file hashes, case IDs).

• Action-Oriented Language

  • Start prompts with keywords like "Analyze," "Summarize," "Compare," or "Generate."

  • Example: "Generate an executive summary of the suspicious activity from the last 24 hours."

• Appropriate Scope

  • Narrow or broaden the time window, data source, or endpoint set depending on your needs.

  • Overly broad queries may produce limited or truncated results.

• Outcome or Format

  • Clarify the format you prefer (e.g., bullet points, short summary, step-by-step).

  • Example: "List each detection in bullet points with threat severity and recommended action."

Tips for Writing Effective Prompts

• Be Specific with Time Frames

  • "last 24 hours," "between June 1 and June 3," or "past 7 days."

  • This guides the AI Assistant to the correct data slice.

• Leverage Known Identifiers

  • Hostnames, IPs, user accounts, process names, or detection references.

  • Example: "Analyze suspicious processes for the endpoint with ID ENDPOINT-01.”

• Clarify the Desired Output

  • "Create an investigation timeline," "Determine if this is malicious," or "Generate a final summary in bullet points."

  • This ensures the response arrives in a ready-to-consume format.

• Refine Prompts in Iterations

  • If the initial response lacks detail, follow up with, "Expand on the file hashes or network indicators," or "Show process lineage in a hierarchical format."

• Include Relevant Context

  • If referencing a previous discussion, reaffirm key points: "Using the triage data from earlier in this thread, list all potentially malicious URLs."

Refining Prompts

Below are examples demonstrating how you can reshape a simple prompt into a more robust, context-rich query.

Example 1: Investigating a Suspicious Process

• Basic Prompt:
  "Find malicious processes."

• Why It's Weak:
  It's too broad; the Assistant doesn't know what time period, which devices, or how to interpret "malicious."

• Improved Prompt:
  "Analyze all processes running on device ENDPOINT-01 over the last 24 hours and identify any processes flagged as malicious. Include process IDs, command lines, and hashes."

• Strengths:

  • Focuses on a specific device.

  • Targets a 24-hour period.

  • Requests specific details (malicious status, process ID, command line, file hash).

Example 2: Checking Endpoint Status

• Basic Prompt:
  "What's the endpoint status?"

• Why It's Weak:
  The system needs to know which endpoint, the type of status (health, isolation, licensing?), and time frame.

• Improved Prompt:
  "Retrieve the current health status and isolation state for endpoint 10.0.1.108. Also confirm the last check-in time."

• Strengths:

  • Mentions an exact endpoint (IP address).

  • Asks specifically for health status, isolation state, and last seen.

  • Minimizes guesswork.

Example 3: Generating a Case Summary

• Basic Prompt:
  "Summarize this case."

• Why It's Weak:
  It doesn't specify the case ID, focus area, or desired details (technical vs. executive summary).

• Improved Prompt:
  "Generate an executive summary for this case covering the detections, root cause, impacted endpoints, and recommended remediation steps. Present the findings in bullet points."

• Strengths:

  • Identifies which case.

  • Clarifies the content (detections, root cause, impacted endpoints).

  • Requests a specific format (bullet points).

Advanced Prompt Techniques

• Chaining Prompts

  • Ask a broad question first (e.g., "What suspicious processes were found?").

  • Then refine the scope with a follow-up: "Which of those processes had network activity connecting to external IPs?"

• Multiple Data Dimensions

  • Combine known data points in one prompt:
    "Check the reputation of these file hashes [abc123…, xyz789…] and correlate with any detected malicious network activity on endpoint ENDPOINT-01 in the last 48 hours."

1. Specify Output Format or Length

   • "Limit your response to 5 bullet points."

   • "Output the final analysis as a short paragraph."

2. Iterate as Needed

   • If the response is incomplete or unclear, ask the Assistant to "expand," "clarify," or "modify" the format.

Putting It All Together

Below is a more comprehensive example that demonstrates many of these concepts:

Prompt:
"Review this case for suspicious PowerShell activity between 6/1/2025 and 6/3/2025. Identify all executed PowerShell commands flagged as malicious, their associated hostnames, user accounts, and file hashes. Generate a timeline in chronological order with recommended next steps."

Why It Works:

• Narrow time range (6/1 to 6/3).

• Identifies specific data of interest (malicious PowerShell commands).

• Requests a timeline and actionable next steps.

Conclusion

Designing effective prompts is straightforward once you focus on specificity, context, and clarity. The AI Assistant can handle robust, multi-parameter queries—enabling you to retrieve targeted security intelligence and reduce investigative overhead. By iterating and refining your prompts, you'll continuously hone your ability to extract actionable insights from the Assistant.