Scenario 3: SOC/SIEM Takes in and Summarizes Windows Events (Log Files)

This blog-derived report demonstrates a security weakness where unusually long USERNAME and DOMAIN values in Windows failed-authentication Event ID 4625 can carry prompt-injection payloads; when a SIEM/SOC helper model summarized the log, it honored the injected instructions and changed the reported workstation name and source IP, showing how ML-assisted log parsing can be manipulated to spoof telemetry and mislead analysts.