Prompt library
This prompt library provides ready-to-use prompts for querying your BeyondTrust environment through the Pathfinder MCP gateway. These prompts work with any MCP-compatible AI agent. Each prompt is organized by task, tagged with the products it queries, and includes practical tips for getting the best results.
Note: This library includes prompts for Privileged Remote Access (PRA), EPM Win/Mac, EPM Linux, Entitle, Password Safe, and Identity Security Insights. The same patterns apply to any product available through your MCP gateway.
How to use this library
- Prompts are organized by what you want to accomplish (identity risk, session activity, policy review, etc.)
- Each prompt shows which BeyondTrust products it queries
- See Best practices for tips on dates, multi-step prompts, and handling missing data
Quick reference
| Prompt | Products | Category |
|---|---|---|
| Multi-product identity risk brief | PRA, EPM Win/Mac, Insights | Identity and risk analysis |
| Insights prioritized risk top-5 | Insights | Identity and risk analysis |
| High-risk entitlement listing | EPM Linux | Identity and risk analysis |
| PRA session summary | PRA | Session and access activity |
| EPM JIT anomaly detection | EPM Win/Mac | Session and access activity |
| EPM admin access request summary | EPM Win/Mac | Session and access activity |
| EPM session lookup with no-results handling | EPM Win/Mac | Session and access activity |
| Policy structured summary | Entitle | Policy and configuration review |
| Policy search by keyword | Entitle | Policy and configuration review |
| Managed account lookup | Password Safe | Credential and account management |
| Insights recommendations with fallback values | Insights | Credential and account management |
Identity and risk analysis
Use these prompts to assess identity risk, review security recommendations, and identify high-risk entitlements across your BeyondTrust environment.
Multi-product identity risk brief
Products: PRA, EPM Win/Mac, Insights
Paste this prompt into your AI agent, replacing the <placeholders> with your values.
Create an identity risk brief for <user_upn> for 2026-02-01..2026-02-07. Pull: (1) PRA session summaries, (2) EPM JIT admin session summaries, (3) Identity Security Insights recommendations. Return a 1-page narrative + all session IDs, recommendation IDs referenced.
What this does: Pulls data from three products (PRA sessions, EPM admin sessions, and Insights recommendations) and combines them into a single identity risk narrative for a specific user and time range.
Tips:
- Numbering your data sources (1, 2, 3) prevents the agent from skipping one
- Requesting specific IDs (session IDs, recommendation IDs) anchors the output to real data and lets you verify the results
- This prompt requires the agent to orchestrate multiple tool calls in sequence. If your model struggles, break it into three separate prompts instead
Insights prioritized risk top-5
Products: Insights
Pull Identity Security Insights recommendations. Return top 5 ordered by highest severity/priority field available. For each: ID, 1-sentence risk, 1-sentence remediation, suggested owner (IAM/SecOps/IT).
What this does: Retrieves Insights recommendations and returns the five highest-severity items with a consistent structure you can act on or forward to the right team.
Tips:
- Specifying exact output fields (ID, risk, remediation, owner) ensures the response follows a consistent structure
- Ordering by severity forces the agent to rank rather than list, surfacing the most critical items first
High-risk entitlement listing
Products: EPM Linux
From EPM Linux entitlements, list high-risk entitlements ONLY if risk fields exist in the returned data. Return IDs + which specific fields indicate risk.
What this does: Queries EPM Linux entitlement reports and identifies entries that contain risk indicators, citing the specific fields that signal risk.
Tips:
- The phrase "ONLY if risk fields exist in the returned data" prevents the agent from inventing risk scores when the data doesn't include them
- Always ask the agent to cite which specific fields indicate risk, so you can verify the assessment against the raw data
Session and access activity
Use these prompts to review session history, investigate access patterns, and detect anomalous behavior in PRA and EPM.
PRA session summary
Products: PRA
Paste this prompt into your AI agent, replacing the <placeholders> with your values.
Show PRA session summaries for user <user_upn> over 2026-02-01..2026-02-07. Group by target system and session purpose if present. Return session IDs.
What this does: Retrieves PRA session records for a specific user and time range, grouped by which systems were accessed and why.
Tips:
- Adding "if present" for optional fields like session purpose prevents errors when the data doesn't include them
- This is a single-tool retrieval. It works reliably across any MCP-compatible agent
EPM JIT anomaly detection
Products: EPM Win/Mac
Retrieve EPM JIT admin session summaries for 2026-02-01..2026-02-07. Identify: (1) endpoints with most JIT elevations, (2) repeated elevations by same identity, (3) sessions with unusual durations. Include all session IDs used.
What this does: Retrieves EPM admin session summaries and analyzes them for three specific anomaly patterns: hot endpoints, repeat elevators, and unusual session durations.
Tips:
- Naming three specific anomaly dimensions prevents the agent from producing a vague narrative
- Requiring session IDs ensures every claim is traceable to a real record
EPM admin access request summary
Products: EPM Win/Mac
List all admin access requests in EPM for 2026-02-01..2026-02-07. Summarize: approved count, denied count, pending count if available. Note common reasons and any possible break-glass activity. Return request IDs and linked ticket refs if present.
What this does: Pulls the full list of admin access requests for a time range and summarizes approval/denial patterns, common justifications, and potential break-glass activity.
Tips:
- Using "if available" and "if present" for conditional fields prevents failures when the data doesn't include status breakdowns or ticket references.
- Break-glass detection depends on what fields the data returns. Review the agent's reasoning to confirm it's grounded in actual data.
EPM session lookup with no-results handling
Products: EPM Win/Mac
Paste this prompt into your AI agent, replacing the <placeholders> with your values.
Find EPM JIT sessions for endpoint <endpoint> over 2026-02-01..2026-02-07. If none found, respond with NO RESULTS and state what identifier I should provide.
What this does: Searches for EPM sessions on a specific endpoint. If nothing is found, the agent responds with a clear "NO RESULTS" message and tells you what to try instead.
Tips:
- Explicit no-results phrasing ("respond with NO RESULTS") prevents the agent from guessing or fabricating data when there's nothing to return.
- This pattern works well for any single-tool lookup. Adapt it for PRA, Password Safe, or other products.
Policy and configuration review
Use these prompts to review and search policies in Entitle.
Policy structured summary
Products: Entitle
Paste this prompt into your AI agent, replacing the <placeholders> with your values.
Given policy ID <policy_id>, summarize what it does using only fields returned by the tool. Return policy ID + structured summary covering: scope, targets, key rules if present. If you cannot retrieve it, say NO ACCESS and ask for the correct ID.
What this does: Retrieves a specific Entitle policy by ID and produces a structured summary. If the policy can't be found, the agent tells you rather than guessing.
Tips:
- "Using only fields returned by the tool" prevents the agent from hallucinating policy details that aren't in the data.
- The "NO ACCESS" fallback is important. If the agent can't retrieve the policy, you want a clear signal rather than a fabricated summary.
Policy search by keyword
Products: Entitle
Paste this prompt into your AI agent, replacing the <placeholders> with your values.
Find policies mentioning '<keyword>'. If <keyword> is empty or missing, respond NO RESULTS and ask for a keyword.
What this does: Searches for Entitle policies matching a keyword. Handles the edge case where no keyword is provided by prompting you for one.
Tips:
- The explicit "NO RESULTS" instruction prevents the agent from returning all policies when no keyword is given.
- This pattern generalizes well. Use it any time a search parameter might be missing.
Credential and account management
Use these prompts to query managed accounts and credentials in Password Safe.
Managed account lookup
Products: Password Safe
Paste this prompt into your AI agent, replacing the <placeholders> with your values.
Retrieve managed accounts for domain '<domain>'. Return account names and managed system associations. Confirm no secrets or credentials are included in the output.
What this does: Queries Password Safe managed accounts for a specific domain and returns account details while confirming that no secrets are exposed in the response.
Tips:
- The explicit "confirm no secrets or credentials are included" instruction tells the agent to actively verify it isn't surfacing sensitive data.
- This is a good first prompt to run when connecting Password Safe to your agent for the first time.
Insights recommendations with fallback values
Products: Insights
Pull Insights recommendations. For each top 3, include fields: id, severity, effort, owner. If 'effort' or 'owner' not present, write NOT AVAILABLE exactly.
What this does: Retrieves the top 3 Insights recommendations with specific fields, using a consistent "NOT AVAILABLE" placeholder for any fields the data doesn't include.
Tips:
- Specifying an exact fallback phrase ("NOT AVAILABLE") ensures consistent formatting even when data is incomplete.
- This pattern is useful any time you're requesting fields that may or may not exist in the response.
Best practices
These patterns help your agent return accurate, consistent results.
Use absolute dates
| Instead of | For best results, use | Why |
|---|---|---|
| ...for the last 7 days | ...for 2026-02-13..2026-02-20. Return session IDs. | Absolute date ranges give your agent an exact window to query, producing consistent results every time. |
| ...for 'yesterday' | ...for 2026-02-19T00:00:00Z to 2026-02-19T23:59:59Z | Including a timezone ensures your agent queries the correct 24-hour period. |
Multi-step prompts
Some prompts in this library ask the agent to chain multiple tool calls together (for example, pulling data from PRA, EPM, and Insights in a single prompt). If your agent returns incomplete results or errors on these prompts, break them into individual queries, one per product, and combine the results yourself. Single-tool prompts work reliably across all MCP-compatible AI models.
Handle missing data gracefully
When requesting fields that may not exist in the response, include fallback instructions in your prompt:
- Use "if present" or "if available" for optional fields
- Use "If none found, respond with NO RESULTS" for queries that may return empty results
- Use "write NOT AVAILABLE exactly" when you need a consistent placeholder for missing values
Ground responses in real data
To prevent your agent from fabricating information:
- Ask for specific IDs (session IDs, recommendation IDs, request IDs) so you can verify the output
- Include "using only fields returned by the tool" to keep the agent's response grounded in actual data
- Ask the agent to cite which specific fields support its conclusions
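One way to run the verification these tips describe, as an added example that is not part of the BeyondTrust documentation: it compares the IDs an agent cites with the IDs in the saved tool output and checks the NO RESULTS rule from "Handle missing data gracefully". The `session_id` field name, the `sess-` ID format, and both sample inputs are constructed assumptions, not the gateway's actual schema.

```python
import json
import re

# Constructed sample: raw tool output saved from the MCP call. The field name
# "session_id" and the ID format are assumptions, not BeyondTrust's schema.
RAW_TOOL_OUTPUT = json.dumps({"sessions": [
    {"session_id": "sess-1001", "endpoint": "WS-014", "duration_min": 12},
    {"session_id": "sess-1002", "endpoint": "WS-014", "duration_min": 240},
]})

# Constructed agent answer; sess-1003 does not exist in the raw data.
AGENT_ANSWER = """Endpoint WS-014 had the most JIT elevations (sess-1001, sess-1002).
Session sess-1003 had an unusual duration."""

ID_PATTERN = re.compile(r"\bsess-\d+\b")  # assumed ID shape; adjust to your data


def collect_ids(node, key="session_id"):
    """Walk arbitrary nested JSON and collect every value stored under `key`."""
    found = set()
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, (str, int)):
                found.add(str(v))
            else:
                found |= collect_ids(v, key)
    elif isinstance(node, list):
        for item in node:
            found |= collect_ids(item, key)
    return found


def check_grounding(answer, raw_json, key="session_id", pattern=ID_PATTERN):
    """Compare IDs cited in the answer with IDs present in the tool output."""
    real = collect_ids(json.loads(raw_json), key)
    cited = set(pattern.findall(answer))
    return {
        "fabricated": sorted(cited - real),  # cited but absent from the data
        "uncited": sorted(real - cited),     # returned but never referenced
        # An empty result set must produce the literal NO RESULTS marker.
        "no_results_ok": bool(real) or "NO RESULTS" in answer,
        # Data came back but the answer cites no IDs: nothing can be verified.
        "verifiable": bool(cited) or not real,
    }


if __name__ == "__main__":
    print(check_grounding(AGENT_ANSWER, RAW_TOOL_OUTPUT))
```

Any entry under `fabricated` is a claim to reject or re-query; `uncited` records are not an error by themselves but show which returned data the narrative ignored.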