# Hermes Demo Prompts

## Recommended: Raw Email / Freeform Alert

Use this when you want to show that Hermes does not need a rigid input schema. The `soc-memory-poc` skill should route the content through `triage_email.py`, extract useful fields, retrieve memory, search Obsidian, and return the fixed SOC triage sections. The five requested section headings are in Chinese: 研判结果 (triage verdict), 关键证据 (key evidence), 关联 Memory Retrieval (related memory retrieval), 关联 Obsidian 文档 (related Obsidian documents), and 建议动作 (recommended actions).

```text
Use the soc-memory-poc skill. Triage this email alert and include Memory Retrieval and Obsidian references.

From: billing@vendor-payments.com
To: alice@corp.example
Subject: Invoice overdue notice
Attachment: invoice_review.html

User clicked the link after opening the HTML attachment. DMARC failed. Review at https://vendor-payments-login.com/review from IP 198.51.100.20 on host FIN-LAPTOP-12.

Return exactly these sections:
研判结果
关键证据
关联 Memory Retrieval
关联 Obsidian 文档
建议动作
```

Equivalent direct script check:

```bash
python /home/tom/.hermes/skills/soc-memory-poc/scripts/triage_email.py --text "From: billing@vendor-payments.com
To: alice@corp.example
Subject: Invoice overdue notice
Attachment: invoice_review.html
User clicked the link after opening the HTML attachment. DMARC failed. Review at https://vendor-payments-login.com/review from IP 198.51.100.20 on host FIN-LAPTOP-12."
```

## Structured Phishing Alert

Use this when you want maximum repeatability with explicit fields.

```text
Use the soc-memory-poc skill. Treat the following as a structured SOC alert and use the preferred Scheme A path.

Scenario: phishing
Alert type: mail_suspicious_attachment
User: alice@corp.example
Host: FIN-LAPTOP-12
Sender: billing@vendor-payments.com
Subject: Invoice overdue notice
Attachment: invoice_review.html
URL: https://vendor-payments-login.com/review
IP: 198.51.100.20
Known facts:
- DMARC failed
- User may have clicked the link

Return exactly these sections:
研判结果
关键证据
关联 Memory Retrieval
关联 Obsidian 文档
建议动作
```
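
The freeform alert in the Recommended section and the structured alert above carry the same fields. The following Python is an added illustration of that mapping, not the project's `triage_email.py` and not part of the original page: it pulls the fields out of the raw alert text with simple regexes and renders them in the structured layout. The field names, the alert-type heuristic and the known-fact detection are assumptions made for the example.

```python
import re

# Constructed sample: the freeform alert text from the demo prompt above.
RAW_ALERT = """From: billing@vendor-payments.com
To: alice@corp.example
Subject: Invoice overdue notice
Attachment: invoice_review.html

User clicked the link after opening the HTML attachment. DMARC failed. Review at https://vendor-payments-login.com/review from IP 198.51.100.20 on host FIN-LAPTOP-12."""

HEADER_RE = re.compile(r"^(From|To|Subject|Attachment):\s*(.+?)\s*$", re.M)
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost\s+([A-Za-z0-9][A-Za-z0-9-]*)", re.I)

def extract_fields(text: str) -> dict:
    """Map a freeform email alert onto structured-alert fields (assumed names)."""
    headers = {k.lower(): v for k, v in HEADER_RE.findall(text)}
    facts = []
    # Known-fact detection (assumption): keyword matches on the narrative text.
    if re.search(r"\bDMARC\s+fail", text, re.I):
        facts.append("DMARC failed")
    if re.search(r"\bclicked\b", text, re.I):
        facts.append("User may have clicked the link")
    url, ip, host = URL_RE.search(text), IPV4_RE.search(text), HOST_RE.search(text)
    return {
        "scenario": "phishing",
        # Heuristic (assumption): an Attachment header selects the attachment alert type.
        "alert_type": "mail_suspicious_attachment" if "attachment" in headers else "mail_suspicious_link",
        "user": headers.get("to"),
        "host": host.group(1) if host else None,
        "sender": headers.get("from"),
        "subject": headers.get("subject"),
        "attachment": headers.get("attachment"),
        "url": url.group(0).rstrip(".,);") if url else None,  # drop trailing sentence punctuation
        "ip": ip.group(0) if ip else None,
        "known_facts": facts,
    }

def to_structured_alert(fields: dict) -> str:
    """Render the fields in the 'Structured Phishing Alert' layout used on this page."""
    order = [("Scenario", "scenario"), ("Alert type", "alert_type"), ("User", "user"),
             ("Host", "host"), ("Sender", "sender"), ("Subject", "subject"),
             ("Attachment", "attachment"), ("URL", "url"), ("IP", "ip")]
    lines = [f"{label}: {fields[key]}" for label, key in order if fields[key]]
    lines.append("Known facts:")
    lines.extend(f"- {fact}" for fact in fields["known_facts"])
    return "\n".join(lines)
```

Running `to_structured_alert(extract_fields(RAW_ALERT))` reproduces the structured phishing alert block above, which is a quick way to check that a freeform prompt and a structured prompt exercise the skill with the same evidence.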

## Structured O365 Alert

```text
Use the soc-memory-poc skill. Treat the following as a structured SOC alert and use the preferred Scheme A path.

Scenario: o365_suspicious_login
Alert type: azuread_impossible_travel
User: david@corp.example
Host: WS-DAVID-01
IP: 203.0.113.150
Known facts:
- Impossible travel observed between Shanghai and Amsterdam within 15 minutes
- MFA fatigue occurred before final success
- User denied initiating the overseas login
- Inbox rule creation was observed after login

Return exactly these sections:
研判结果
关键证据
关联 Memory Retrieval
关联 Obsidian 文档
建议动作
```

## Generate Case Note

```text
Use the soc-memory-poc skill. Generate an Obsidian case note for /home/tom/soc_memory_poc/evaluation/datasets/normalized_cases/CASE-2026-0003.json with OpenViking enrichment, then tell me the output path and confirm whether the note was written successfully.
```