From 8015edd7e8aac2cfc57b23c4d540bce6b46fab87 Mon Sep 17 00:00:00 2001 From: Joas A Santos <34966120+CyberSecurityUP@users.noreply.github.com> Date: Tue, 16 Dec 2025 21:04:38 -0300 Subject: [PATCH] Create prompt-02.md --- Blue Team/prompt-02.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Blue Team/prompt-02.md diff --git a/Blue Team/prompt-02.md b/Blue Team/prompt-02.md new file mode 100644 index 0000000..32f9a73 --- /dev/null +++ b/Blue Team/prompt-02.md @@ -0,0 +1,15 @@ +Analyze this IP for SOC triage: + +Seen in: +Direction: +Protocol/port: +First seen / last seen: +Asset involved: + +Deliver: +- Likely role (CDN/cloud/VPN/residential/hosting) and what that implies +- High-risk indicators (ASN patterns, uncommon ports, bursty beacons, geo anomalies, TOR/VPN hints) +- Internal correlation checklist (netflow, DNS, process tree, user activity) +- Severity + confidence +- Next steps: contain / monitor / block / escalate +Output: “Finding Summary”, then “Evidence to Collect”, then “Decision”.
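Review bot: the template in this hunk has no slot for the IP it asks the model to analyze; `+Analyze this IP for SOC triage:` is followed directly by the context fields, so an analyst has nowhere obvious to paste the address. Suggest a placeholder such as `Analyze this IP for SOC triage: <IP>` and, for the blank context lines, short value hints so output is consistent across analysts, e.g. `+Direction: <inbound/outbound>` and `+Protocol/port: <tcp/443>`. Since `+Asset involved:` and `+First seen / last seen:` carry internal hostnames and timestamps, a one-line note in the file about pseudonymising those fields before the prompt goes to an external model would also be worth adding.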