# Hermes Demo Prompts

## Recommended: Raw Email / Freeform Alert

Use this when you want to show that Hermes does not need a rigid input schema. The `soc-memory-poc` skill should route the content through `triage_email.py`, extract useful fields, retrieve memory, search Obsidian, and return the fixed SOC triage sections.

```text
Use the soc-memory-poc skill. Triage this email alert and include Memory Retrieval and Obsidian references.

From: billing@vendor-payments.com
To: alice@corp.example
Subject: Invoice overdue notice
Attachment: invoice_review.html

User clicked the link after opening the HTML attachment. DMARC failed. Review at https://vendor-payments-login.com/review from IP 198.51.100.20 on host FIN-LAPTOP-12.

Return exactly these sections:
研判结果
关键证据
关联 Memory Retrieval
关联 Obsidian 文档
建议动作
```

Equivalent direct script check:

```bash
python /home/tom/.hermes/skills/soc-memory-poc/scripts/triage_email.py \
  --text "From: billing@vendor-payments.com To: alice@corp.example Subject: Invoice overdue notice Attachment: invoice_review.html User clicked the link after opening the HTML attachment. DMARC failed. Review at https://vendor-payments-login.com/review from IP 198.51.100.20 on host FIN-LAPTOP-12."
```

## Structured Phishing Alert

Use this when you want maximum repeatability with explicit fields.

```text
Use the soc-memory-poc skill. Treat the following as a structured SOC alert and use the preferred Scheme A path.

Scenario: phishing
Alert type: mail_suspicious_attachment
User: alice@corp.example
Host: FIN-LAPTOP-12
Sender: billing@vendor-payments.com
Subject: Invoice overdue notice
Attachment: invoice_review.html
URL: https://vendor-payments-login.com/review
IP: 198.51.100.20

Known facts:
- DMARC failed
- User may have clicked the link

Return exactly these sections:
研判结果
关键证据
关联 Memory Retrieval
关联 Obsidian 文档
建议动作
```

## Structured O365 Alert

```text
Use the soc-memory-poc skill. Treat the following as a structured SOC alert and use the preferred Scheme A path.

Scenario: o365_suspicious_login
Alert type: azuread_impossible_travel
User: david@corp.example
Host: WS-DAVID-01
IP: 203.0.113.150

Known facts:
- Impossible travel observed between Shanghai and Amsterdam within 15 minutes
- MFA fatigue occurred before final success
- User denied initiating the overseas login
- Inbox rule creation was observed after login

Return exactly these sections:
研判结果
关键证据
关联 Memory Retrieval
关联 Obsidian 文档
建议动作
```

## Generate Case Note

```text
Use the soc-memory-poc skill. Generate an Obsidian case note for /home/tom/soc_memory_poc/evaluation/datasets/normalized_cases/CASE-2026-0003.json with OpenViking enrichment, then tell me the output path and confirm whether the note was written successfully.
```
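
For the raw email path, the sketch below shows how freeform alert text can be reduced to the same fields the structured phishing alert spells out. It is an added example, not the project's `triage_email.py`; the regular expressions, the function names `extract_alert_fields` and `defang`, and the wording of the derived known facts are assumptions.

```python
import ipaddress
import re

# Constructed sample: the raw email alert text from the demo prompt.
SAMPLE = (
    "From: billing@vendor-payments.com To: alice@corp.example "
    "Subject: Invoice overdue notice Attachment: invoice_review.html "
    "User clicked the link after opening the HTML attachment. DMARC failed. "
    "Review at https://vendor-payments-login.com/review from IP 198.51.100.20 "
    "on host FIN-LAPTOP-12."
)

EMAIL = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"
# Hypothetical patterns; keys mirror the structured phishing alert fields.
PATTERNS = {
    "sender": rf"\bFrom:\s*({EMAIL})",
    "user": rf"\bTo:\s*({EMAIL})",
    # Header value ends at the next header label or at end of line.
    "subject": r"\bSubject:\s*([^\r\n]+?)(?=\s+(?:Attachment|From|To):|\s*$)",
    "attachment": r"\bAttachment:\s*(\S+)",
    "url": r"(https?://[^\s\"'<>]+)",
    "ip": r"\b((?:\d{1,3}\.){3}\d{1,3})\b",
    "host": r"\b[Hh]ost:?\s+([A-Za-z0-9][A-Za-z0-9-]*)",
}


def extract_alert_fields(text):
    """Pull structured alert fields out of freeform alert text."""
    fields = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        # Drop sentence punctuation that trails an indicator in prose.
        fields[name] = match.group(1).rstrip(".,;)") if match else None
    if fields["ip"]:
        try:
            ipaddress.ip_address(fields["ip"])  # reject e.g. 999.1.1.1
        except ValueError:
            fields["ip"] = None
    facts = []
    if re.search(r"\bDMARC\s+fail", text, re.IGNORECASE):
        facts.append("DMARC failed")
    if re.search(r"\bclicked\b", text, re.IGNORECASE):
        facts.append("User may have clicked the link")
    fields["known_facts"] = facts
    return fields


def defang(indicator):
    """Make a URL or domain non-clickable before writing it to a note."""
    return indicator.replace("http", "hxxp", 1).replace(".", "[.]")
```

Fields that are absent come back as `None`, so a caller can tell "not present in the alert" apart from an empty value before querying memory or writing a case note.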