From eb9ddb0485f174a87e0ca4fb53672c3c2de5df45 Mon Sep 17 00:00:00 2001 From: Joas A Santos <34966120+CyberSecurityUP@users.noreply.github.com> Date: Tue, 16 Dec 2025 21:04:25 -0300 Subject: [PATCH] Create prompt-01.md --- Blue Team/prompt-01.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Blue Team/prompt-01.md diff --git a/Blue Team/prompt-01.md b/Blue Team/prompt-01.md new file mode 100644 index 0000000..9210cb2 --- /dev/null +++ b/Blue Team/prompt-01.md @@ -0,0 +1,14 @@ +Triage this URL as a SOC Threat Hunter: + +Context (if any): +Time observed: +Source host/user: / + +Deliver: +1) Normalization (final URL after redirects if known, domain, path, params) +2) Immediate risk signals (brand impersonation, unusual TLD, punycode, URL shortener, auth bait, file download, tracking params) +3) What internal logs to check next (DNS, proxy, firewall, EDR, email gateway) +4) Hypotheses (phishing / malware delivery / C2 / benign) +5) Severity + confidence (with brief justification) +6) Recommended actions (block/allow, isolate host, reset creds, user comms) +Format: bullet points + a small table of “Signal | Why it matters | Evidence needed”.
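Review bot: The template opens with "Triage this URL as a SOC Threat Hunter:" but the header block that follows has no field for the URL itself, so the analyst has nowhere obvious to paste it and it ends up mixed into "Context (if any):"; add an explicit `URL (defanged):` line ahead of `Context (if any):` and note in the template that the URL should be supplied defanged (hxxp://, [.]) and is to be analysed, not fetched or opened, during triage. The `Source host/user: /` placeholder would also be easier to fill in if it labelled each side of the slash, e.g. `Source host / user:`, and item 1) could state which form of the URL the normalization should be based on (the observed URL versus the final URL after redirects "if known") so the "Evidence needed" column in the closing table has a consistent reference.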