How to write AI prompts

When you use AI features, you use natural-language questions or commands to ask for information. We call these prompts.

The way you write your prompts affects the relevance of the AI's response. This page tells you how to write prompts that get the best results.

Essentials of a good prompt

Here are the essential features of a good prompt.

Clarity and focus

  • Specify exactly what you want. Include names, IDs, or timestamps if known.
  • Avoid vague phrases, such as "Tell me everything about threats."

Context

  • Tie your question to your current objectives, such as investigating a detection.
  • Mention relevant data, such as IP addresses, file hashes, and case IDs.

Action-oriented language

Start prompts with verbs like Analyze, Summarize, Compare, or Generate.

Example

"Generate an executive summary of the suspicious activity from the last 24 hours."

Appropriate scope

Narrow or broaden the time range, data source, or endpoint set, depending on your needs. Queries that are too broad might produce too much data of limited relevance.

Example

"List detections with high or critical severity on endpoints in sub-estate x within the last 3 days."

Specify a format

Clearly state the format you prefer, such as bullet points, short summary, or step-by-step instructions.

Example

"List each detection in bullet points with threat severity and recommended action."

Tips for effective prompts

Use these tips to give your prompts even more detail and context.

Give specific time frames

A time frame limits the amount of output and makes it more manageable.

Example

"Last 24 hours," "Between June 1 and June 3," or "Past 10 days."

Use known identifiers

Include hostnames, IP addresses, user accounts, process names, or detection references.

Example

"Analyze suspicious processes for the endpoint with ID ENDPOINT-01."

Specify the output you want

State the output format you want so that the response arrives in a form you can use directly.

Examples

  • "Create an investigation timeline"
  • "Generate a final summary in bullet points"

Use follow-up prompts

If the initial response lacks detail, follow up with more specific prompts.

Examples

  • "Expand on the file hashes or network indicators."
  • "Show process lineage in a hierarchical format."

Refer to earlier discussion for context

You can refer back to points discussed earlier in the chat.

Example

"Using the triage data from earlier in this thread, list all potentially malicious URLs."

Refining prompts

Below are examples demonstrating how you can reshape a simple prompt into a more robust, context-rich query.

Example: Investigate a suspicious process

Find malicious processes.

Why this prompt is weak:

  • It's too broad. The AI Assistant doesn't know what time period, which devices, or how to interpret "malicious."

Analyze all processes running on device ENDPOINT-01 over the last 24 hours and identify any processes flagged as malicious. Include process IDs, command lines, and hashes.

Why this prompt is stronger:

  • Focuses on a specific device.
  • Targets a 24-hour period.
  • Requests specific details, such as malicious status, process IDs, command lines, and file hashes.

Example: Generate a case summary

Summarize this case.

Why this prompt is weak:

  • It doesn't specify the case ID, focus area, or desired details.

Generate a business-focused summary for this case covering the detections, root cause, impacted endpoints, and recommended remediation steps. Present the findings in bullet points.

Why this prompt is stronger:

  • Clarifies the content: detections, root cause, impacted endpoints.
  • Requests a specific type of summary: business-focused, not technical.
  • Requests a specific format: bullet points.

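The two refining examples above apply the same checklist from "Essentials of a good prompt": an action verb, a time frame, concrete identifiers, an output format, and (from the tips) a length limit. The following checker is an added example, not part of this page or of the AI Assistant itself; it encodes that checklist as simple regular-expression heuristics (constructed for this example) and reports which elements a prompt is missing, so a team can lint prompts before sending them.

```python
"""Heuristic prompt checker built around this page's checklist (constructed example).

It scores a prompt for five elements: an action verb, a time frame, a concrete
identifier, an explicit output format, and a length or detail limit. The rules
are regular expressions chosen for this example; they are not the assistant's own logic.
"""
import re
from dataclasses import dataclass

# Verbs the page recommends plus those used in its own example prompts.
ACTION_VERBS = {
    "analyze", "summarize", "compare", "generate", "list", "check", "identify",
    "show", "create", "expand", "find", "investigate", "output",
}

# "last 24 hours", "past 10 days", "within the last 3 days", "between June 1 and June 3"
TIME_RE = re.compile(
    r"\b(?:last|past)\s+\d+\s+(?:hours?|days?|weeks?)\b|\bbetween\b.+?\band\b",
    re.IGNORECASE,
)

# Endpoint IDs, IPv4 addresses, MD5/SHA hex hashes, case IDs and sub-estate names.
# Deliberately case-sensitive so "case covering" is not mistaken for "case CASE-123".
IDENT_RE = re.compile(
    r"\bENDPOINT-\d+\b"
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b"
    r"|\b[0-9a-f]{32,64}\b"
    r"|\bcase\s+(?:ID\s+)?[A-Z0-9][A-Z0-9-]{2,}\b"
    r"|\bsub-estate\s+\S+"
)

FORMAT_TERMS = ("bullet point", "short paragraph", "step-by-step", "timeline",
                "hierarchical", "table", "executive summary")
LIMIT_RE = re.compile(r"\b(?:limit|no more than|at most|short)\b", re.IGNORECASE)
VAGUE_TERMS = ("everything about",)  # the page's own example of a vague phrase

SUGGESTIONS = {
    "action_verb": "start with a verb such as Analyze, Summarize, Compare, or Generate",
    "time_frame": "add a time frame such as 'last 24 hours'",
    "identifier": "name an endpoint ID, IP address, file hash, or case ID",
    "output_format": "say how the answer should be formatted (bullet points, timeline, ...)",
    "length_limit": "set a length or detail limit (e.g. 'limit to five bullet points')",
}


@dataclass
class PromptReport:
    prompt: str
    present: dict      # element name -> whether the prompt contains it
    vague: bool        # contains a phrase the page tells you to avoid
    score: int         # elements present, minus one for a vague phrase
    verdict: str       # "weak" or "usable"
    suggestions: list  # what to add, in the page's own terms


def assess_prompt(prompt: str) -> PromptReport:
    text = prompt.strip().strip('"')
    lowered = text.lower()
    first_word = re.match(r"[A-Za-z]+", text)
    present = {
        "action_verb": bool(first_word) and first_word.group(0).lower() in ACTION_VERBS,
        "time_frame": bool(TIME_RE.search(text)),
        "identifier": bool(IDENT_RE.search(text)),
        "output_format": any(term in lowered for term in FORMAT_TERMS),
        "length_limit": bool(LIMIT_RE.search(text)),
    }
    vague = any(term in lowered for term in VAGUE_TERMS)
    score = sum(present.values()) - (1 if vague else 0)
    # Fewer than two concrete elements leaves the assistant guessing at scope and intent.
    verdict = "weak" if score < 2 else "usable"
    suggestions = [SUGGESTIONS[name] for name, ok in present.items() if not ok]
    if vague:
        suggestions.insert(0, "replace the vague phrase with a specific question")
    return PromptReport(text, present, vague, score, verdict, suggestions)


if __name__ == "__main__":
    # The page's weak/strong pairs, run through the checker.
    for sample in (
        "Find malicious processes.",
        "Analyze all processes running on device ENDPOINT-01 over the last 24 hours "
        "and identify any processes flagged as malicious. Include process IDs, "
        "command lines, and hashes.",
        "Summarize this case.",
        "Generate a business-focused summary for this case covering the detections, "
        "root cause, impacted endpoints, and recommended remediation steps. "
        "Present the findings in bullet points.",
    ):
        report = assess_prompt(sample)
        print(f"[{report.verdict}] score={report.score}: {report.prompt[:60]}")
        for tip in report.suggestions:
            print("   -", tip)
```

Run as a script it prints a verdict and the missing elements for each of the page's four example prompts. Note that the stronger case-summary prompt still scores only two elements (verb and format), which matches the page's earlier point that the weak version lacked a case ID: the checker keeps suggesting one until an identifier is added.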
Advanced prompt techniques

Try these advanced techniques to enhance your results.

Chaining prompts

Ask a broad question first and then refine the scope with a follow-up question.

Example

  • First prompt: "What suspicious processes were found?"
  • Second prompt: "Which of those processes had network activity connecting to external IP addresses?"

Multiple data points

Combine known data points in one prompt.

Example

"Check the reputation of these file hashes [abc123…, xyz789…] and correlate with any detected malicious network activity on endpoint ENDPOINT-01 in the last 48 hours."

Specify output length or level of detail

Set limits on the output from your prompt.

Examples

  • "Limit your response to five bullet points."
  • "Output the final analysis as a short paragraph."