dhanunjayavuppala/SIEMTriage — reverse-engineered prompt

Reverse-engineered prompt

Build me a working SIEM triage app for SOC analysts. It should take a Microsoft Sentinel or Defender XDR incident ID, pull the alerts and entities, enrich things like users, devices, IPs, domains, and hashes, run useful hunting queries, then show a clear verdict with confidence, evidence, recommended actions, and a suggested deep dive plan.

I want a simple web UI with an incident queue, an incident detail page where I can watch the agent’s steps live, and a decision area where the analyst can choose what to do next. The agent must stay read-only. It should never close incidents or take response actions by itself.

Please include a demo mode with sample incidents so I can run it without Azure, Postgres, or Redis first. Also include the full local stack with a database, queue, worker, ingest endpoint, and eval page that measures accuracy and false negatives against prior analyst decisions.
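The eval page the prompt asks for has to score the agent's verdicts against what analysts previously decided on the same incidents. The block below is an added illustration of that scoring, not code from the SIEMTriage repository: it assumes the three verdict labels `true_positive`, `benign` and `inconclusive`, treats an `inconclusive` verdict as a hand-off to the analyst (wrong for accuracy, but not a missed detection), and counts a false negative only when the agent called an analyst-confirmed true positive `benign`. The incident records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# Assumed verdict vocabulary (not taken from the repository).
TRUE_POSITIVE = "true_positive"
BENIGN = "benign"
INCONCLUSIVE = "inconclusive"


@dataclass(frozen=True)
class TriageRecord:
    """One incident: the agent's verdict beside the analyst's prior decision."""
    incident_id: str
    agent_verdict: str      # true_positive | benign | inconclusive
    analyst_decision: str   # true_positive | benign (ground truth)


@dataclass(frozen=True)
class EvalResult:
    total: int
    correct: int
    accuracy: float
    analyst_true_positives: int
    false_negatives: int
    false_negative_rate: float
    inconclusive: int
    missed_incidents: Tuple[str, ...]   # analyst TP that the agent called benign


def evaluate(records: Iterable[TriageRecord]) -> EvalResult:
    """Score agent verdicts against analyst decisions.

    Accuracy counts only exact matches, so an inconclusive verdict is never
    "correct". A false negative is the dangerous case for a SOC: the analyst
    confirmed a real incident and the agent would have waved it through.
    """
    recs = list(records)
    total = len(recs)
    correct = sum(1 for r in recs if r.agent_verdict == r.analyst_decision)
    analyst_tp = [r for r in recs if r.analyst_decision == TRUE_POSITIVE]
    missed = tuple(r.incident_id for r in analyst_tp if r.agent_verdict == BENIGN)
    inconclusive = sum(1 for r in recs if r.agent_verdict == INCONCLUSIVE)
    return EvalResult(
        total=total,
        correct=correct,
        accuracy=(correct / total) if total else 0.0,
        analyst_true_positives=len(analyst_tp),
        false_negatives=len(missed),
        false_negative_rate=(len(missed) / len(analyst_tp)) if analyst_tp else 0.0,
        inconclusive=inconclusive,
        missed_incidents=missed,
    )


# Constructed sample records; incident ids are placeholders.
SAMPLE_RECORDS = [
    TriageRecord("inc-001", TRUE_POSITIVE, TRUE_POSITIVE),
    TriageRecord("inc-002", BENIGN, BENIGN),
    TriageRecord("inc-003", BENIGN, TRUE_POSITIVE),        # missed detection
    TriageRecord("inc-004", INCONCLUSIVE, TRUE_POSITIVE),  # escalated, not missed
    TriageRecord("inc-005", TRUE_POSITIVE, BENIGN),        # false positive
    TriageRecord("inc-006", TRUE_POSITIVE, TRUE_POSITIVE),
]


def sample_eval() -> EvalResult:
    return evaluate(SAMPLE_RECORDS)


if __name__ == "__main__":
    res = sample_eval()
    print(f"accuracy={res.accuracy:.2f} fn_rate={res.false_negative_rate:.2f} "
          f"missed={res.missed_incidents} inconclusive={res.inconclusive}")
```

Reporting the false-negative rate separately from accuracy matters because the two pull in different directions: an agent that answers `inconclusive` whenever unsure lowers its accuracy but keeps missed detections down, which is usually the trade a SOC wants from a read-only assistant.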

Use the current Claude Agent SDK and Microsoft docs if needed.
