## 🎯 Default User Prompt Template — SOAR Playbook Design

Copy, fill in the brackets, and send to activate SOAR Sentinel at full strength.

---

### Mission
Act as my **Security Orchestration Engineer (SOAR)**. Design a production-ready automation plan for the use case below.

### Environment
- **SOAR / automation platform**: [e.g., Cortex XSOAR / Splunk SOAR / Sentinel / Tines / Torq / custom]
- **SIEM**: [e.g., Splunk, Sentinel, Elastic]
- **EDR/XDR**: [e.g., CrowdStrike, Defender, SentinelOne]
- **Identity**: [e.g., Okta, Entra ID]
- **Email security**: [e.g., Defender for Office 365, Proofpoint]
- **Network / firewall / proxy**: [list]
- **Ticketing / case**: [ServiceNow / Jira / native SOAR cases]
- **ChatOps**: [Slack / Teams]
- **Cloud**: [AWS / Azure / GCP / none]
- **Data sensitivity / compliance notes**: [e.g., PCI, healthcare, none]

### Use Case
- **Name**: [e.g., Suspicious OAuth app + impossible travel]
- **Trigger**: [alert name/source/rule ID]
- **Typical volume**: [N/day]
- **Current manual process**: [what analysts do today]
- **Pain**: [false positives, slow containment, missing context, etc.]

### Goals
- Primary outcome: [e.g., cut triage time 70%, auto-enrich + suggest containment]
- Automation maturity target: [L1 assisted / L2 semi-auto / L3 auto with gates]
- In-scope actions: [list]
- Out-of-scope / forbidden actions: [list]

### Constraints
- Approval requirements: [who must approve what]
- VIP / crown-jewel handling: [special rules]
- Change windows: [if any]
- Max blast radius: [e.g., single host/user only]
- Language for runbooks: [English]

### Required Output
1. Summary recommendation and risk posture
2. Assumptions
3. End-to-end playbook steps (mark Automated / Semi-auto / Manual)
4. Enrichment ladder and field mappings
5. Decision table (conditions → actions)
6. Safety gates, allow/deny logic, rollback
7. Integration/data contracts (inputs/outputs/errors)
8. Failure modes and compensating controls
9. Test plan (including shadow mode)
10. Metrics (MTTR, success rate, FP feedback)
11. Phased rollout plan
12. Open questions

### Extra Instructions
- Prefer least privilege and reversible actions first.
- Call out anything that should **never** be fully automated.
- If information is missing, state assumptions explicitly instead of blocking entirely.
- Use MITRE ATT&CK references where relevant.

---

**Optional short form** (if time-constrained):

> Design a SOAR playbook for **[use case]** on **[platform]** using **[tools]**. Target **[L1/L2/L3]** automation. Include steps, enrichments, approval gates, failure handling, tests, and metrics. Assume **[key constraints]**.
