CloudOps
Category: AI for DevOps / Security & Hardening

Audit & Logging Policy Design Prompt

Design a defensible audit-logging policy — what security events to capture, tamper-resistant retention, and high-value detection signals — so you can answer 'who did what, when' during an incident.

Target user
Security and platform engineers building audit and detection coverage
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a detection-and-response engineer who has built audit pipelines that actually answered the hard questions during real incidents.

I will provide:
- The environment (Linux hosts, Kubernetes, cloud accounts, CI/CD)
- Current logging (auditd, cloud trail logs, k8s audit, app logs) and where it ships
- Compliance/retention requirements and known blind spots

Your job:

1. **Define what MUST be logged** — for each layer, enumerate the security-relevant events: authentication (success and failure), privilege use (sudo, role assumption), changes to identities/permissions, secret access, config and firewall changes, process/exec on sensitive hosts, and data access on crown-jewel stores.

2. **Concrete capture config** — provide the actual rules: auditd rules for privilege/exec/file-watch, the cloud trail/data-event settings, and a Kubernetes audit policy with appropriate levels (Metadata vs Request) per resource. Avoid logging everything at Request level — call out the noise/cost tradeoff.

3. **Integrity & tamper resistance** — ship logs off-host in near-real-time, restrict who can delete them, enable append-only/immutable retention (object-lock / WORM), and detect gaps (a host that stops logging is itself a signal).

4. **Retention tiers** — propose hot (searchable) vs cold (compliance) windows by data class, with a cost note, and ensure retention meets the stated requirement.

5. **Turn logs into detections** — list 8-10 high-value alerts these logs enable: impossible-travel logins, new admin grant, secret read by an unexpected principal, audit-logging disabled, mass-delete, off-hours privilege escalation. Give the signal and a rough threshold for each.

6. **Privacy & hygiene** — avoid capturing secrets/PII in log bodies; redact tokens; document access to the audit store itself.

Output as: (a) the per-layer "must-log" matrix, (b) ready-to-apply capture configs, (c) the integrity/retention design, (d) the top detection rules with thresholds, (e) a gap list versus the requirements with priorities.

Bias toward: high-signal coverage over capturing everything, tamper-resistant off-host storage, and every log line having a question it can answer.
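As an added illustration, not part of the prompt above and not code from CloudOps, the Python sketch below shows what steps 3, 5 and 6 look like once wired up: a small detection pass over constructed sample events that fires several of the alerts listed in step 5 (off-hours privilege use, secret read by an unexpected principal, new admin grant, audit logging disabled, mass delete), flags a source that has gone silent (step 3), and redacts bearer tokens and token query parameters before anything is stored (step 6). The normalised event shape, the allowlist of principals for the secret, the action names and every threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data). They are assumed to have been
# normalised by a log shipper into one shape: timestamp, source, principal,
# action, target. Action names are illustrative, not a vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T03:12:00Z", "source": "bastion-1", "principal": "alice",
     "action": "sudo", "target": "/bin/bash"},
    {"ts": "2024-05-01T09:00:00Z", "source": "cloud-api", "principal": "ci-deployer",
     "action": "secret.read", "target": "prod/db-password"},
    {"ts": "2024-05-01T09:01:00Z", "source": "cloud-api", "principal": "bob",
     "action": "secret.read", "target": "prod/db-password"},
    {"ts": "2024-05-01T09:05:00Z", "source": "cloud-api", "principal": "bob",
     "action": "iam.attach_policy", "target": "arn:example:policy/AdministratorAccess"},
    {"ts": "2024-05-01T09:06:00Z", "source": "cloud-api", "principal": "bob",
     "action": "cloudtrail.stop_logging", "target": "main-trail"},
    {"ts": "2024-05-01T09:30:00Z", "source": "app-7", "principal": "web",
     "action": "http.request",
     "target": "/login?token=abc123 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"},
    {"ts": "2024-05-01T09:31:00Z", "source": "bastion-1", "principal": "auditd",
     "action": "heartbeat", "target": "-"},
]
# Twelve object deletes by one principal inside twelve seconds (constructed burst).
SAMPLE_EVENTS += [
    {"ts": f"2024-05-01T09:10:{i:02d}Z", "source": "cloud-api", "principal": "mallory",
     "action": "object.delete", "target": f"backups/day-{i}"}
    for i in range(12)
]

# Assumed policy inputs: who may read which secret, and rough thresholds.
SECRET_READERS = {"prod/db-password": {"ci-deployer", "payments-svc"}}
PRIV_ACTIONS = {"sudo", "role.assume"}
LOGGING_KILL_ACTIONS = {"cloudtrail.stop_logging", "cloudtrail.delete_trail", "auditd.stop"}
MASS_DELETE_THRESHOLD, MASS_DELETE_WINDOW = 10, timedelta(minutes=5)
GAP_THRESHOLD = timedelta(minutes=15)

# Redaction runs before storage so tokens never reach the audit store.
TOKEN_PATTERNS = [
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]+"), "Bearer [REDACTED]"),
    (re.compile(r"(?i)(token=)[^&\s]+"), r"\1[REDACTED]"),
]


def redact(text):
    for pattern, replacement in TOKEN_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, now):
    """Return (rule, subject) alerts for the events; `now` bounds the gap check."""
    alerts = []
    last_seen = {}                      # source -> last timestamp it logged
    deletes = defaultdict(list)         # principal -> recent delete timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 sorts lexically
        ts = parse_ts(ev["ts"])
        ev = dict(ev, target=redact(ev["target"]))     # redact before use or storage
        last_seen[ev["source"]] = ts
        who, act, tgt = ev["principal"], ev["action"], ev["target"]
        if act in PRIV_ACTIONS and (ts.hour >= 22 or ts.hour < 6):   # UTC off-hours
            alerts.append(("off_hours_privilege", who))
        if act == "secret.read" and who not in SECRET_READERS.get(tgt, set()):
            alerts.append(("unexpected_secret_reader", who))
        if act == "iam.attach_policy" and "Administrator" in tgt:
            alerts.append(("new_admin_grant", who))
        if act in LOGGING_KILL_ACTIONS:
            alerts.append(("audit_logging_disabled", who))
        if act == "object.delete":
            window = deletes[who]
            window.append(ts)
            window[:] = [t for t in window if ts - t <= MASS_DELETE_WINDOW]
            if len(window) == MASS_DELETE_THRESHOLD:   # fire once per burst
                alerts.append(("mass_delete", who))
    # A source that was logging and then fell silent is itself a signal.
    for source, seen in last_seen.items():
        if now - seen > GAP_THRESHOLD:
            alerts.append(("logging_gap", source))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS, parse_ts("2024-05-01T09:35:00Z")):
        print(f"{rule:28s} {subject}")
```

Run against the constructed events with the clock at 09:35 UTC, the pass raises six alerts, and the gap alert lands on the same source whose trail was stopped a few minutes earlier, which is the kind of correlation the prompt's step 3 is after. The mass-delete rule fires once when the tenth delete lands rather than on every subsequent one, a small choice that keeps a burst from becoming a flood of alerts.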