// Blue Team

Claude for the SOC: AI-Assisted Detection, Triage & IR

Most AI-security content is offensive. The defensive use case is bigger and quieter: SOC analysts use Claude every day for log triage, detection authoring, and IR write-ups. This guide is the practical playbook — what works, what to lock down, and what to keep humans on.

Updated 2026-06-1010 min readVendor-neutral · primary sources

High-leverage SOC use cases

  1. Alert triage: summarize a noisy alert + related logs into 'what happened, who, scope, recommended next step'.
  2. Detection-as-code: write & lint Sigma, KQL, Splunk SPL, Elastic EQL queries.
  3. Log explanation: explain unfamiliar process command lines, registry keys, JA3/JA4 fingerprints.
  4. IR timelines: turn raw EDR exports into chronological narratives.
  5. Phishing analysis: classify email + extract IOCs (URLs, hashes, headers).
  6. Threat-intel summarization: convert long reports into IOC lists and TTP mappings.
  7. Tabletop generation: produce realistic incident scenarios for exercises.
  8. Postmortem drafts: convert IR notes into a postmortem skeleton for the analyst to review.

Three battle-tested SOC prompts

Alert triage

You are a Tier-2 SOC analyst. Given this alert + last 60s of logs, output:
1. One-line summary (asset, user, behavior)
2. Likely benign? (yes/no/needs-investigation) with reasoning
3. Suggested next 3 actions, ranked
4. IOCs to pivot on
Do not invent fields not present in the data. Cite log line numbers.

Detection authoring

Write a Sigma rule that detects: <behavior>. Constraints:
- Tested against false-positive examples I will paste
- Map to MITRE ATT&CK technique ID
- Include level + tags + a one-sentence description
- Output only the YAML

Phishing triage

Given this raw .eml, extract:
- Sender, reply-to, return-path mismatch?
- SPF/DKIM/DMARC verdicts
- All URLs (decoded if Safe-Links wrapped)
- All attachments + SHA256
- A verdict: malicious / suspicious / benign + 2-sentence reasoning
Format as JSON.

How to not get burned

  • Never send raw PII or regulated data to a public API tier — use the enterprise tier with no-training agreement, or self-host.
  • Treat Claude's verdicts as advisory; the analyst signs off.
  • Pin model version per detection rule; a model upgrade can silently change false-positive rates.
  • Log every prompt + completion for IR forensics.
  • Don't let Claude write to ticketing or fire response actions autonomously; keep it on read + suggest.
  • Red-team your own SOC pipeline: a malicious alert payload can prompt-inject the triage prompt.

Don't use Claude for these

  • Statistical baselining (use a real anomaly-detection model).
  • Determining ground-truth verdict in the absence of evidence — it will confabulate.
  • Memory-resident malware analysis at byte level.
  • Anything legally privileged without your counsel's signoff.

FAQ

Cloud Claude or self-hosted?

For most SOCs the Anthropic API with the no-training / zero-retention enterprise terms is sufficient. Defense industrial base or HIPAA workloads typically need self-hosted via AWS Bedrock or GCP Vertex.

Does Claude beat GPT-5 for detection engineering?

It depends on the language. Claude tends to produce cleaner KQL and Sigma; GPT-5 sometimes wins on raw SPL. Test both on your corpus.

// keep reading

Browse 300+ cybersecurity prompts, 40+ Claude-compatible tools, and daily AI-security intel.

Cybersecurity Prompts →Tool DirectoryMethodology