“Classify this alert using MITRE ATT&CK and assign an escalation tier based on IOC matches.”
“Handle alert.” (Too vague—what does handling involve?)
risk evaluation ability (workflow) to determine the risk level.”
“Escalate only if alert.priority is ‘High’ and the asset is tagged production.”
“Decide based on priority.” (Unclear what defines priority)
Examples of Strong Prompts
Prompt | Why It Works |
---|---|
“Classify the incoming alert using MITRE ATT&CK and tag it with tactic/technique IDs.” | Outcome is precise; uses a known framework. |
“Determine whether to approve access based on risk score, department, and recent activity.” | Offers multi-dimensional logic. |
“Summarize threat details, including affected systems, IOC matches, and remediation status.” | Clear structure expected in response. |
Examples of Weak Prompts
Prompt | Issue |
---|---|
“Handle this alert.” | Too general—unclear what handling involves. |
“Decide based on risk.” | Doesn’t define how risk is measured or which data is used. |
“Check logs.” | No clarity on purpose or expected outcome. |
Good: “Evaluate if the user’s access to production servers is valid based on location, time, and group membership.”
Bad: “Review access.”
risk_level, decision_justification, or policy_violation.
ticket_id, incident_id, or requestor.

Aspect | Agent Roles & Constraints | Agent Tasks |
---|---|---|
Defined In | Agent Configuration | Workflow step |
Scope | Broad, persistent function | Narrow, situational instruction |
Granularity | General purpose (e.g., “triage alerts”) | Execution-specific (e.g., “classify alert if risk > 80”) |
Reuse | Reused across workflows | Defined per workflow |
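A strong prompt is only half of the control: the workflow should also verify that the agent's answer has the structure the prompt asked for, and that its decision agrees with the deterministic rule the prompt encodes. The example below is added here and is not code from the original page or from any particular platform. It takes the escalation prompt above (“Escalate only if alert.priority is ‘High’ and the asset is tagged production”) and the output fields named on this page (`risk_level`, `decision_justification`, `policy_violation`), adds an assumed boolean `escalate` field, and checks a constructed agent response against both the schema and the policy. The alert records, their `asset_tags` key and the sample responses are constructed for the example.

```python
"""Validate an agent's structured response against the prompt's expected
schema and cross-check its decision against the escalation rule.

Added example; not the page's or any vendor's code. The `escalate` field,
the `asset_tags` key and all sample data are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Any


def should_escalate(alert: dict) -> bool:
    """Deterministic form of the prompt's rule: priority High AND asset tagged
    production. Kept in code so the workflow can verify the agent rather than
    trust free-text reasoning."""
    return alert.get("priority") == "High" and "production" in alert.get("asset_tags", [])


# Fields a strong prompt asks for (risk_level, decision_justification,
# policy_violation come from the page; escalate is an assumption).
REQUIRED_FIELDS = {"risk_level", "decision_justification", "policy_violation", "escalate"}
RISK_LEVELS = {"Low", "Medium", "High", "Critical"}


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


def validate_agent_response(alert: dict, response: dict) -> ValidationResult:
    """Reject responses that are malformed or that contradict policy."""
    errors = []

    missing = REQUIRED_FIELDS - set(response)
    if missing:
        errors.append(f"missing fields: {sorted(missing)}")

    if response.get("risk_level") not in RISK_LEVELS:
        errors.append(f"risk_level must be one of {sorted(RISK_LEVELS)}, got {response.get('risk_level')!r}")

    if not isinstance(response.get("policy_violation"), bool):
        errors.append("policy_violation must be a boolean")

    if not str(response.get("decision_justification", "")).strip():
        errors.append("decision_justification is empty")

    # Cross-check: an escalation decision that disagrees with the rule is a
    # sign the agent is improvising beyond the prompt.
    expected = should_escalate(alert)
    if isinstance(response.get("escalate"), bool) and response["escalate"] != expected:
        errors.append(f"escalate={response['escalate']} contradicts policy (expected {expected})")

    return ValidationResult(ok=not errors, errors=errors)


# Constructed sample alerts (not real data).
ALERTS = [
    {"id": "a1", "priority": "High", "asset_tags": ["production", "web"]},
    {"id": "a2", "priority": "High", "asset_tags": ["staging"]},
    {"id": "a3", "priority": "Low", "asset_tags": ["production"]},
]

# Constructed agent responses: one well-formed, one that violates the schema
# and the policy at the same time.
GOOD_RESPONSE = {
    "risk_level": "High",
    "decision_justification": "High-priority alert on an asset tagged production.",
    "policy_violation": False,
    "escalate": True,
}
BAD_RESPONSE = {
    "risk_level": "urgent",          # not in the allowed set
    "decision_justification": "",    # empty
    "escalate": True,                # contradicts the rule for a staging asset
}                                    # policy_violation missing entirely


if __name__ == "__main__":
    for alert, response in ((ALERTS[0], GOOD_RESPONSE), (ALERTS[1], BAD_RESPONSE)):
        result = validate_agent_response(alert, response)
        print(alert["id"], "OK" if result.ok else "REJECTED", result.errors)
```

Running it accepts the response for `a1` and rejects the one for `a2` with five distinct errors, which is the point: a vague prompt such as “Handle alert” gives the workflow nothing to validate against, whereas a precise one lets the check above act as a guardrail before any action is taken.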