Write effective prompts

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

Tips for creating effective AI prompts.

AI prompts enhance your playbooks with the reasoning capabilities of a Large Language Model (LLM). By adding an AI prompt, you can automate complex cognitive work such as summarizing massive raw logs, normalizing disparate data types into standard formats, and performing deep-dive threat feasibility analysis. These tasks transform raw incident data into actionable intelligence in seconds.

While highly capable at processing information, an AI prompt is a focused, single-step instruction. It is designed to work with the data already available in your issue context JSON. Unlike an autonomous AI Agent, a prompt task is not self-executing; it cannot independently browse the live internet, search for external issues, or trigger outgoing actions such as sending emails. Instead, it processes and interprets data within your playbook, generating high-quality outputs that you then use to drive subsequent automated actions and decision branches.

AI prompt capabilities and limitations

Understanding what an AI prompt can and cannot do is essential for building effective automations. While the following table provides some common examples, you can use AI prompts for various other functions as well.

What AI Prompts can do

  • Summarize and report. For example: Write emails or create structured reports.

  • Extract and normalize. For example: Pull specific data (like IOCs) from raw text.

  • Analyze context. For example: Evaluate high-severity cases or analyze threats.

What AI Prompts cannot do

  • Take action. For example: Cannot send emails or independently search for new issues.

  • Access the internet. For example: Cannot access URLs or live websites; you must provide the content.

  • Create logic. For example: Cannot create conditional branches on its own; it requires a follow-up logic step.

Best practices for prompt construction

To ensure the LLM provides reliable, accurate, and cost-effective results, use these strategies:

  • Provide clear instructions: Explicitly state the task, such as extracting Indicators of Compromise (IOCs) or analyzing a post.

  • Use precise context keys: To save on costs and prevent errors, map inputs to specific keys (for example, ${issue.creation_date}) instead of passing the entire issue object.

  • Use the optimizer: Click the Optimize button in the prompt editor to refine wording and improve consistency using research-backed logic.

Bring live data to your prompts

Connect your prompts to live playbook data to make them dynamic and contextual by doing the following.

  • Weave variables inline: Add variables to your prompt text to provide context for the data, such as "Which issues were created before ${date}?" or "Analyze the following post: ${PostKey}".

  • Map to context: The placeholders appear in the Extracted Inputs list. Click the { } icon to map them to a specific existing playbook data path (for example, mapping ${PostKey} to ${incident.raw_log_content}).

    Note

    An AI prompt cannot create new context keys; it can only refer to existing ones. The only key an AI prompt can create is the output key. Therefore, if a variable like ${PostKey} is not already mapped to existing context data, it cannot be used in the prompt.
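As an added illustration (not code from the Cortex XDR product or its documentation), the following Python sketch resolves ${...} placeholders against an issue-context JSON the way the mapping above describes, and reports any variable that is not backed by an existing context key. The sample context, the log line in it and the PostKey mapping are constructed for the example.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed sample issue-context JSON; not real Cortex XDR data.
SAMPLE_CONTEXT: Dict[str, Any] = json.loads("""
{
  "issue": {"creation_date": "2025-07-13T09:41:00Z", "severity": "high"},
  "incident": {"raw_log_content": "sshd[1201]: Failed password for root from 203.0.113.7"}
}
""")

# Matches ${name} or ${path.to.key}, the inline variable syntax used in prompt text.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

def extracted_inputs(template: str) -> List[str]:
    """Variable names the prompt editor would list under Extracted Inputs."""
    return sorted(set(PLACEHOLDER.findall(template)))

def resolve_path(context: Dict[str, Any], path: str) -> Any:
    """Walk a dotted context path such as incident.raw_log_content; KeyError if absent."""
    node: Any = context
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(path)
        node = node[part]
    return node

def missing_inputs(template: str, context: Dict[str, Any], mapping: Optional[Dict[str, str]] = None) -> List[str]:
    """Variables that are neither a context path themselves nor mapped to one.
    A prompt cannot create context keys, so these must be mapped before use."""
    mapping = mapping or {}
    missing = []
    for name in extracted_inputs(template):
        try:
            resolve_path(context, mapping.get(name, name))
        except KeyError:
            missing.append(name)
    return missing

def render_prompt(template: str, context: Dict[str, Any], mapping: Optional[Dict[str, str]] = None) -> str:
    """Substitute each placeholder with its mapped context value (non-strings as JSON)."""
    mapping = mapping or {}
    def substitute(match: "re.Match[str]") -> str:
        value = resolve_path(context, mapping.get(match.group(1), match.group(1)))
        return value if isinstance(value, str) else json.dumps(value)
    return PLACEHOLDER.sub(substitute, template)
```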

Follow up with logic

Because an AI prompt cannot make decisions or execute tasks autonomously, it should be followed by a logic step in a playbook.

Note

The LLM's response is always returned in a text format, even if you explicitly ask the LLM to return a structured format such as JSON. Therefore, the subsequent task in your playbook will have to parse the response to extract the relevant data.

For example, add a conditional task or parsing script immediately after the prompt to check the AI's text output. Once the response is parsed, if the AI's verdict is Malicious, the playbook can then branch to trigger a script that blocks an indicator or escalates a ticket to Critical.
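An added example, not part of the original page, of the parsing step this section calls for: a Python script that takes the LLM's text reply, extracts a verdict whether the model wrapped JSON in a markdown fence or answered in prose, and returns the branch a following conditional task would take. The two sample replies and the branch names are constructed assumptions.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample LLM replies, not real model output. The first wraps JSON in a
# markdown fence, the second is plain prose; both arrive as text in the playbook.
REPLY_FENCED = ('Here is my assessment:\n```json\n'
                '{"verdict": "Malicious", "confidence": 0.92, "indicators": ["203.0.113.7"]}\n```')
REPLY_PROSE = "Verdict: Benign. The login pattern matches a scheduled backup job."

FENCE = re.compile(r"```(?:json)?\s*(\{.*?\})\s*```", re.S)
# Accepts "Verdict: Malicious", "verdict = **Suspicious**" or a bare JSON key/value pair.
VERDICT_LINE = re.compile(r'\bverdict"?\s*[:=]\s*"?\**([A-Za-z]+)', re.I)
VERDICTS = {"malicious", "suspicious", "benign"}

def extract_json(text: str) -> Optional[Dict[str, Any]]:
    """Pull a JSON object out of free text: fenced block first, then the outermost braces."""
    match = FENCE.search(text)
    blob = match.group(1) if match else None
    if blob is None:
        start, end = text.find("{"), text.rfind("}")
        blob = text[start:end + 1] if start != -1 and end > start else None
    if blob is None:
        return None
    try:
        data = json.loads(blob)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None

def parse_verdict(text: str) -> Dict[str, Any]:
    """Normalise an LLM reply to {'verdict': Malicious|Suspicious|Benign|Unknown, ...}."""
    data = extract_json(text)
    if data and str(data.get("verdict", "")).lower() in VERDICTS:
        data["verdict"] = str(data["verdict"]).capitalize()
        return data
    match = VERDICT_LINE.search(text)          # fall back to a "Verdict: X" phrase
    if match and match.group(1).lower() in VERDICTS:
        return {"verdict": match.group(1).capitalize(), "confidence": None}
    return {"verdict": "Unknown", "confidence": None}

def next_step(parsed: Dict[str, Any]) -> str:
    """Branch a follow-up conditional task would take on the parsed verdict."""
    if parsed["verdict"] == "Malicious":
        return "block_indicator_and_escalate_to_critical"
    if parsed["verdict"] == "Suspicious":
        return "request_analyst_review"
    return "continue_playbook"
```

An "Unknown" verdict is deliberate: a reply the parser cannot classify should route to a human rather than silently take the benign branch.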

Use built-in prompts

To get started quickly, you can use these out-of-the-box example prompts designed to handle common security workflows, which can be used as-is or customized to fit your specific needs.

Prompt Name: Vulnerability Report Summary
Use Case: Analyze scan results to prioritize remediation.
Prompt Text:

You are analyzing vulnerability scan report ${report_id}. Please analyze the provided vulnerability scan results in detail.

For each identified vulnerability:

  • Describe the vulnerability clearly, including its type, affected service/component, and any relevant technical details.

  • Assess severity based on industry-standard metrics (e.g., CVSS score or equivalent).

  • Evaluate exploitability, noting whether known public exploits exist and how easily the vulnerability could be leveraged in practice.

  • Recommend remediation or mitigation steps to address the issue (e.g., patching, configuration changes, compensating controls).

  • Then, prioritize all vulnerabilities based on a combination of:

    1. Exploitability (known exploits, attack complexity, likelihood of exploitation).

    2. Severity (potential impact if exploited).

    3. Exposure level (e.g., internet-facing systems, critical internal services).

    4. Provide a ranked list of vulnerabilities with a clear explanation of why each one should be prioritized. If applicable, highlight quick wins — high-risk vulnerabilities that can be easily fixed.

Prompt Name: Malware Report Summary
Use Case: Transform sandbox execution logs into a structured IR report.
Prompt Text:

Analyze the following malware sandbox execution report ${report_id} and provide a comprehensive, structured analysis:

  • Summarize the malware behavior across the entire attack kill chain (Initial Access -> Execution -> Persistence -> Privilege Escalation -> Defense Evasion -> Credential Access -> Discovery -> Lateral Movement -> Collection -> Exfiltration -> C2).

  • Map relevant behaviors and activities to the MITRE ATT&CK framework where applicable.

  • Highlight any notable techniques, unusual behaviors, or key insights from the malware execution.

  • List any IOCs observed (domains, IPs, hashes, file paths, etc.).

  • Provide remediation recommendations based on observed behavior.

  • Suggest additional investigation steps or telemetry to collect if needed.

  • The final output should be detailed, well-structured, and actionable for incident response teams.

Prompt Name: Issue Summary and Remediation
Use Case: Provide clear steps for resolving a security alert.
Prompt Text:

Provide detailed remediation steps for the security alert ${issue} in a professional, well-structured format.