Enrich Cybersecurity Data with Advanced AI

Stop noise, shrink dwell time, and walk into the boardroom with answers, not alerts.
Alert floods bury teams, and attackers count on that noise.
NiftyBot triages incidents, surfaces misconfigurations, and explains risk in plain English with next steps. Analysts get time back and leaders get clarity.
Complexity: High
Cloud Attack Surface Change
Your perimeter reshapes with every deploy. This call lists newly exposed services, classifies risk, and suggests the containment step. Dev and SecOps align without finger-pointing.
REQUEST

{
  "source": {
    "vendor": "Palo Alto Networks",
    "product": "Prisma Cloud",
    "cloud": "AWS",
    "new_findings": [
      { "resource": "sg-0349e", "issue": "0.0.0.0/0 open on 22" },
      { "resource": "alb-public-01", "issue": "HTTP listener without TLS redirect" }
    ]
  },
  "requests": [
    { "field_name": "exposure_summary" },
    { "field_name": "risk_classification", "field_type": "categorical", "instructions": "Return one of: Low, Medium, High, Critical" },
    { "field_name": "containment_step" }
  ]
}
RESPONSE

{
  "enrichments": [
    {
      "field_name": "exposure_summary",
      "value": "Public SSH access on security group sg-0349e; ALB allows plain HTTP without enforced redirect.",
      "confidence": 0.84,
      "method": "assessment",
      "reasoning": "Both findings increase external attack paths with credential and session-hijack risk."
    },
    {
      "field_name": "risk_classification",
      "value": "High",
      "confidence": 0.86,
      "method": "classification",
      "reasoning": "SSH open to world plus HTTP listener create exploitable vectors."
    },
    {
      "field_name": "containment_step",
      "value": "Restrict SG to bastion CIDRs; add 301 redirect and TLS-only policy on ALB; verify with automated test.",
      "confidence": 0.8,
      "method": "reasoning",
      "reasoning": "Closes immediate exposure and enforces secure defaults."
    }
  ]
}
Complexity: Medium
Endpoint Incident Triage
Not every alert needs a war room. This call scores severity for a Falcon detection, names the likely root cause, and gives the first fix. You spend minutes, not hours.
REQUEST

{
  "source": {
    "vendor": "CrowdStrike",
    "product": "Falcon",
    "alert_type": "Suspicious PowerShell",
    "host_group": "Finance-Laptops",
    "observables": ["encoded_command", "network_beacon_attempt"]
  },
  "requests": [
    { "field_name": "severity", "field_type": "categorical", "instructions": "Return one of: Low, Medium, High, Critical" },
    { "field_name": "likely_root_cause" },
    { "field_name": "first_action" }
  ]
}
RESPONSE

{
  "enrichments": [
    {
      "field_name": "severity",
      "value": "High",
      "confidence": 0.86,
      "method": "classification",
      "reasoning": "Encoded PowerShell plus outbound beacon attempt on finance endpoints indicates probable hands-on intrusion."
    },
    {
      "field_name": "likely_root_cause",
      "value": "Phishing-delivered macro spawning PowerShell with command-and-control bootstrap.",
      "confidence": 0.78,
      "method": "assessment",
      "reasoning": "Behavior matches common initial access plus tooling chain."
    },
    {
      "field_name": "first_action",
      "value": "Isolate host in Falcon, kill process tree, quarantine artifact, and rotate creds used in the last 24h.",
      "confidence": 0.8,
      "method": "reasoning",
      "reasoning": "Containment + credential hygiene reduces lateral movement risk."
    }
  ]
}
Complexity: Medium
Identity Exposure Snapshot
Identity drift creates breach headlines. This call classifies an Okta tenant’s risky settings and returns the three fixes with the biggest blast-radius reduction. Security posture improves without boiling the ocean.
REQUEST

{
  "source": {
    "vendor": "Okta",
    "tenant": "prod-corp",
    "settings": {
      "mfa_policy": "email_optional",
      "password_policy": "lenient",
      "app_assignments": "broad",
      "admin_roles": 7
    }
  },
  "requests": [
    { "field_name": "risk_level", "field_type": "categorical", "instructions": "Return one of: Low, Medium, High" },
    { "field_name": "top_fixes" },
    { "field_name": "improvement_note" }
  ]
}
RESPONSE

{
  "enrichments": [
    {
      "field_name": "risk_level",
      "value": "High",
      "confidence": 0.85,
      "method": "classification",
      "reasoning": "Optional MFA and broad app access materially raise compromise and lateral-movement risk."
    },
    {
      "field_name": "top_fixes",
      "value": [
        "Enforce phishing-resistant MFA for all admins",
        "Tighten app assignments to least privilege",
        "Reduce admin roles from 7 to 3 with JIT elevation"
      ],
      "confidence": 0.82,
      "method": "reasoning",
      "reasoning": "These changes mitigate the highest-impact identity threats quickly."
    },
    {
      "field_name": "improvement_note",
      "value": "Expect measurable drop in risky sign-ins and token misuse within 2 weeks of policy change.",
      "confidence": 0.73,
      "method": "assessment",
      "reasoning": "Observed outcomes from similar policy shifts in enterprise tenants."
    }
  ]
}
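All three calls above (Cloud Attack Surface Change, Endpoint Incident Triage, Identity Exposure Snapshot) share one contract: the request names the fields it wants, optionally with a categorical allowed set, and the response returns one enrichment per field with a value, a confidence and a method. Before any of that output feeds a runbook or a ticket, the consumer should check it against the request it sent, because a model can drop a field, invent one, return a category outside the allowed set, or emit a confidence that is not a number. The Python below is an added example, not NiftyBot's client library or any code from this page; it embeds the first call's request and response (abridged, reasoning strings omitted) as constructed sample data, assumes the "Return one of: A, B, C" wording is the convention for categorical instructions, and uses a hypothetical 0.8 confidence threshold to decide whether the suggested action is routed to automation or to an analyst.

```python
from __future__ import annotations

import re
from typing import Any

# Constructed sample, abridged from the Cloud Attack Surface Change call above
# (reasoning strings dropped; field names, values and confidences as on the page).
SAMPLE_REQUEST: dict[str, Any] = {
    "source": {
        "vendor": "Palo Alto Networks", "product": "Prisma Cloud", "cloud": "AWS",
        "new_findings": [
            {"resource": "sg-0349e", "issue": "0.0.0.0/0 open on 22"},
            {"resource": "alb-public-01", "issue": "HTTP listener without TLS redirect"},
        ],
    },
    "requests": [
        {"field_name": "exposure_summary"},
        {"field_name": "risk_classification", "field_type": "categorical",
         "instructions": "Return one of: Low, Medium, High, Critical"},
        {"field_name": "containment_step"},
    ],
}

SAMPLE_RESPONSE: dict[str, Any] = {
    "enrichments": [
        {"field_name": "exposure_summary", "confidence": 0.84, "method": "assessment",
         "value": "Public SSH access on security group sg-0349e; ALB allows plain HTTP without enforced redirect."},
        {"field_name": "risk_classification", "confidence": 0.86, "method": "classification",
         "value": "High"},
        {"field_name": "containment_step", "confidence": 0.8, "method": "reasoning",
         "value": "Restrict SG to bastion CIDRs; add 301 redirect and TLS-only policy on ALB; verify with automated test."},
    ],
}

# Assumption: categorical fields state their allowed set as "Return one of: A, B, C".
_ONE_OF = re.compile(r"one of:\s*(.+?)\s*$", re.IGNORECASE)


def allowed_values(request_field: dict[str, Any]) -> set[str] | None:
    """Extract the allowed set from a categorical field's instructions, or None if absent."""
    m = _ONE_OF.search(request_field.get("instructions", ""))
    return {v.strip() for v in m.group(1).split(",")} if m else None


def validate_enrichments(request: dict[str, Any], response: dict[str, Any]) -> list[str]:
    """Check a response against the request that produced it; return problems (empty list = ok).

    Guards: every requested field present exactly once, no unrequested fields,
    confidence is a number in [0, 1], categorical values come from the allowed set.
    """
    problems: list[str] = []
    wanted = {r["field_name"]: r for r in request["requests"]}
    seen: set[str] = set()
    for e in response.get("enrichments", []):
        name = e.get("field_name")
        if name not in wanted:
            problems.append(f"unrequested field {name!r}")
            continue
        if name in seen:
            problems.append(f"duplicate field {name!r}")
            continue
        seen.add(name)
        conf = e.get("confidence")
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
            problems.append(f"{name}: confidence {conf!r} not in [0, 1]")
        if wanted[name].get("field_type") == "categorical":
            allowed = allowed_values(wanted[name])
            if allowed is None:
                problems.append(f"{name}: categorical field without an allowed set")
            elif e.get("value") not in allowed:
                problems.append(f"{name}: value {e.get('value')!r} not in {sorted(allowed)}")
    for name in wanted:
        if name not in seen:
            problems.append(f"missing field {name!r}")
    return problems


def gate_action(request: dict[str, Any], response: dict[str, Any],
                action_field: str, min_confidence: float = 0.8) -> tuple[str, list[str]]:
    """Route the model's suggested action: "auto" (hand to a predefined runbook),
    "review" (queue for an analyst), or "reject" (malformed response; do nothing).
    The 0.8 threshold is a hypothetical policy value, not something the API defines."""
    if action_field not in {r["field_name"] for r in request["requests"]}:
        return "reject", [f"{action_field!r} was not requested"]
    problems = validate_enrichments(request, response)
    if problems:
        return "reject", problems
    action = next(e for e in response["enrichments"] if e["field_name"] == action_field)
    if action["confidence"] < min_confidence:
        return "review", [f"{action_field}: confidence {action['confidence']} below {min_confidence}"]
    return "auto", []


if __name__ == "__main__":
    print(validate_enrichments(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(gate_action(SAMPLE_REQUEST, SAMPLE_RESPONSE, "containment_step"))
```

The gate only decides routing. Even on "auto", the free-text containment step (or first_action, or a top_fixes entry) should select a predefined, reviewed runbook such as "restrict security group to bastion CIDRs", never be interpreted and executed verbatim; the validation step is what keeps an out-of-set category or a malformed confidence from silently reaching that runbook.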