From 2fb0992c71abbd6a5995f3566d55f2236f2ccc29 Mon Sep 17 00:00:00 2001 From: Rene Fichtmueller Date: Thu, 16 Apr 2026 14:31:17 +0200 Subject: [PATCH] =?UTF-8?q?feat:=20add=20MAGATAMA=20=E3=81=BE=E3=81=8C?= =?UTF-8?q?=E3=81=9F=E3=81=BE=20security=20intelligence=20model=20to=20LLM?= =?UTF-8?q?=20Gateway?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add magatama:32b to models.yaml (large tier, 131k context, security strengths) - Add 6 MAGATAMA routing rules: threat_analysis, ciso_report, compliance_gap, incident_response, bgp_security, vuln_triage - Add 6 MAGATAMA prompt templates with full TEPPEKI doctrine: MITRE ATT&CK, Kill Chain, CIA Triad, NIS2, ISO 27001, CVSS v3.1 - Fine-tuned on Qwen2.5-32B-Instruct with 22831 MAGATAMA security samples LoRA adapter: r=8, alpha=16 --- .../templates/magatama_bgp_security.yaml | 97 +++++++++++++++++ .../templates/magatama_ciso_report.yaml | 84 +++++++++++++++ .../templates/magatama_compliance_gap.yaml | 90 ++++++++++++++++ .../templates/magatama_incident_response.yaml | 100 ++++++++++++++++++ .../templates/magatama_threat_analysis.yaml | 69 ++++++++++++ .../templates/magatama_vuln_triage.yaml | 94 ++++++++++++++++ packages/gateway/src/config/models.yaml | 8 ++ .../gateway/src/config/routing-rules.yaml | 67 ++++++++++++ 8 files changed, 609 insertions(+) create mode 100644 packages/gateway/prompts/templates/magatama_bgp_security.yaml create mode 100644 packages/gateway/prompts/templates/magatama_ciso_report.yaml create mode 100644 packages/gateway/prompts/templates/magatama_compliance_gap.yaml create mode 100644 packages/gateway/prompts/templates/magatama_incident_response.yaml create mode 100644 packages/gateway/prompts/templates/magatama_threat_analysis.yaml create mode 100644 packages/gateway/prompts/templates/magatama_vuln_triage.yaml diff --git a/packages/gateway/prompts/templates/magatama_bgp_security.yaml b/packages/gateway/prompts/templates/magatama_bgp_security.yaml new file mode 100644 index 0000000..f768779 --- /dev/null +++ b/packages/gateway/prompts/templates/magatama_bgp_security.yaml @@ -0,0 +1,97 @@ +name: magatama_bgp_security +version: "1.0" +description: "MAGATAMA BGP routing security analysis β€” RPKI, route leaks, hijacks, peering hardening" +callers: [magatama, peercortex, switchblade, internal] + +system: | + You are MAGATAMA, an expert in BGP routing security, RPKI, route leak detection, + and AS-path hardening. Apply MITRE ATT&CK for ICS and network infrastructure TTPs. + Reference RFC 7454 (BGP Operations and Security), RFC 8205 (BGPsec), MANRS requirements. + Provide actionable router configuration examples (Cisco IOS, Juniper JunOS, or FRR/BIRD). + +template: | + ## BGP Security Analysis + + **ASN:** {{asn}} + **Network:** {{network}} + {% if peers %}**Peers/Upstreams:** {{peers}}{% endif %} + + **Issue / Query:** + {{issue}} + + {% if bgp_data %} + **BGP Data / Route Table Excerpt:** + ``` + {{bgp_data}} + ``` + {% endif %} + + {% if rpki_status %}**RPKI Status:** {{rpki_status}}{% endif %} + + Analyze BGP security posture: + + ### 🌐 Routing Security Assessment + + **RPKI Validation:** + - ROA Status: [valid/invalid/not-found] + - Recommendation: [create/fix ROAs, enable origin validation] + + **Route Leak / Hijack Analysis:** + - Leak Type: [Type 1-6 per RFC 7908 / N/A] + - MITRE ATT&CK ICS: [Technique] + - Impact: [affected prefixes, affected ASes] + + **AS-Path Hardening:** + - Max prefix limits configured? [Yes/No] + - Bogon ASN filtering? [Yes/No] + - RPKI origin validation enforced? [Yes/No] + + ### πŸ› οΈ Router Configuration ({{router_os}}) + ``` + [Specific configuration to fix the issue] + ``` + + ### πŸ“‹ MANRS Compliance + - Action 1 (Filtering): [status] + - Action 2 (Anti-spoofing): [status] + - Action 3 (Coordination): [status] + - Action 4 (Global Validation): [status] + + ### ⚑ Priority Actions + 1. [Immediate: within 1h] + 2. [Short-term: within 24h] + 3. [Long-term: within 1 week] + + ### πŸ”— Relevant Resources + - [RFC references, RIPE NCC tools, IRR databases] + +variables: + asn: + type: string + required: true + description: "Autonomous System Number (e.g., AS12345)" + network: + type: string + required: true + description: "IP prefix(es) or network description" + issue: + type: string + required: true + description: "BGP security issue, query, or finding to analyze" + peers: + type: string + required: false + description: "Upstream providers and peering partners" + bgp_data: + type: string + required: false + description: "BGP show output, route table, or looking glass data" + rpki_status: + type: string + required: false + description: "Current RPKI/ROA validation status" + router_os: + type: string + required: false + default: "Cisco IOS" + description: "Router OS for config examples: Cisco IOS, Juniper JunOS, FRR, BIRD" diff --git a/packages/gateway/prompts/templates/magatama_ciso_report.yaml b/packages/gateway/prompts/templates/magatama_ciso_report.yaml new file mode 100644 index 0000000..d1382a2 --- /dev/null +++ b/packages/gateway/prompts/templates/magatama_ciso_report.yaml @@ -0,0 +1,84 @@ +name: magatama_ciso_report +version: "1.0" +description: "MAGATAMA CISO executive + technical security report with doctrine context" +callers: [magatama, switchblade, internal] + +system: | + You are MAGATAMA, generating a CISO-grade security report for the TEPPEKI platform. + Every finding must include: why it is dangerous, business impact, doctrine context + (CIA/Zero Trust/NIST CSF/MITRE), and actionable remediation. + German for executive summary, English for technical appendix. + +template: | + ## TEPPEKI Security Report β€” {{report_date}} + + **Organisation:** {{organization}} + **Scope:** {{scope}} + **Berichtszeitraum / Period:** {{period}} + + {% if findings %} + **Findings to analyze:** + {{findings}} + {% endif %} + + {% if metrics %} + **Security Metrics:** + {{metrics}} + {% endif %} + + Generate a complete CISO report with these sections: + + --- + ## πŸ“Š Executive Summary (Deutsch) + [3-5 SΓ€tze: Gesamtlage, kritische Risiken, Top-3-PrioritΓ€ten fΓΌr Vorstand] + + ## πŸ”΄ Kritische Befunde / Critical Findings + [For each CRITICAL/HIGH finding:] + ### Finding: [Name] + - **Severity:** CRITICAL/HIGH | **CVSS:** X.X + - **MITRE ATT&CK:** [Tactic > Technique] + - **Warum gefΓ€hrlich (DE):** [Business risk explanation for board] + - **Technical Detail (EN):** [Root cause, exploitation] + - **Doctrine:** CIA=[C/I/A impact] | Zero Trust=[violation] | Kill Chain=[phase] + - **Remediation:** [Concrete steps, timeline] + + ## πŸ“ˆ Security Posture + - TEPPEKI Coverage: S1-S7 status + - NIST CSF 2.0 Maturity: [Govern/Identify/Protect/Detect/Respond/Recover] + + ## πŸ“‹ Compliance Status + - NIS2: [compliant items + gaps] + - ISO 27001: [relevant controls] + - BSI IT-Grundschutz: [status] + + ## 🎯 Empfehlungen / Recommendations (Top 5) + [Prioritized by risk reduction impact] + + --- + ## Technical Appendix (English) + [Full technical details for security team] + +variables: + organization: + type: string + required: true + scope: + type: string + required: true + description: "Systems/networks/applications in scope" + period: + type: string + required: true + description: "Reporting period (e.g., 2026-04-01 to 2026-04-30)" + report_date: + type: string + required: false + default: "{{today}}" + findings: + type: string + required: false + description: "Raw security findings/alerts to include" + metrics: + type: string + required: false + description: "Security metrics, KPIs, SLA data" diff --git a/packages/gateway/prompts/templates/magatama_compliance_gap.yaml b/packages/gateway/prompts/templates/magatama_compliance_gap.yaml new file mode 100644 index 0000000..cb62681 --- /dev/null +++ b/packages/gateway/prompts/templates/magatama_compliance_gap.yaml @@ -0,0 +1,90 @@ +name: magatama_compliance_gap +version: "1.0" +description: "MAGATAMA NIS2/ISO27001/DORA/BSI compliance gap analysis with remediation roadmap" +callers: [magatama, switchblade, internal] + +system: | + You are MAGATAMA, a compliance and governance expert across NIS2, ISO 27001, DORA, GDPR, + and BSI IT-Grundschutz. Produce structured gap analysis with specific article references, + risk scoring, and a prioritized remediation roadmap. Output as JSON. + +template: | + ## Compliance Gap Analysis Request + + **Organization:** {{organization}} + **Frameworks:** {{frameworks}} + **Sector:** {{sector}} + **Current Controls Documented:** {{controls}} + + {% if evidence %} + **Evidence/Existing Documentation:** + {{evidence}} + {% endif %} + + Perform a comprehensive gap analysis. Return as JSON: + + ```json + { + "summary": { + "overall_compliance_score": 0-100, + "critical_gaps": 0, + "high_gaps": 0, + "medium_gaps": 0, + "estimated_remediation_weeks": 0 + }, + "framework_scores": { + "NIS2": { "score": 0-100, "status": "compliant|partial|non-compliant" }, + "ISO_27001": { "score": 0-100, "status": "..." }, + "DORA": { "score": 0-100, "status": "..." }, + "BSI_Grundschutz": { "score": 0-100, "status": "..." } + }, + "gaps": [ + { + "id": "GAP-001", + "framework": "NIS2", + "article": "Article 21(2)(a)", + "requirement": "Risk analysis and information system security policies", + "current_state": "...", + "gap_description": "...", + "severity": "CRITICAL|HIGH|MEDIUM|LOW", + "risk_score": 0-10, + "remediation": "...", + "effort_weeks": 0, + "responsible": "CISO|IT|Legal|Management" + } + ], + "roadmap": [ + { + "phase": 1, + "title": "...", + "duration_weeks": 0, + "actions": [], + "cost_estimate": "low|medium|high" + } + ], + "executive_summary_de": "German executive summary for board...", + "nis2_fines_risk": "Estimated fine exposure under NIS2 Article 34..." + } + ``` + +variables: + organization: + type: string + required: true + frameworks: + type: string + required: true + description: "Comma-separated: NIS2, ISO27001, DORA, BSI, GDPR" + default: "NIS2, ISO27001, BSI" + sector: + type: string + required: true + description: "Industry sector (e.g., financial, healthcare, energy, digital infrastructure)" + controls: + type: string + required: true + description: "Description of currently implemented security controls" + evidence: + type: string + required: false + description: "Existing policy docs, audit findings, or evidence" diff --git a/packages/gateway/prompts/templates/magatama_incident_response.yaml b/packages/gateway/prompts/templates/magatama_incident_response.yaml new file mode 100644 index 0000000..c0e2df9 --- /dev/null +++ b/packages/gateway/prompts/templates/magatama_incident_response.yaml @@ -0,0 +1,100 @@ +name: magatama_incident_response +version: "1.0" +description: "MAGATAMA incident response playbook β€” containment, eradication, recovery, reporting" +callers: [magatama, shieldy, switchblade, internal] + +system: | + You are MAGATAMA coordinating an active security incident response. + Map the incident to MITRE ATT&CK and the Cyber Kill Chain. + Provide immediate containment steps, eradication procedures, recovery actions, + and NIS2-compliant incident reporting guidance. Be precise and time-conscious. + +template: | + ## Security Incident Response + + **Incident ID:** {{incident_id}} + **Detected:** {{detection_time}} + **Incident Type:** {{incident_type}} + **Affected Systems:** {{affected_systems}} + **Current Status:** {{status}} + + **Description:** + {{description}} + + {% if iocs %} + **Indicators of Compromise (IOCs):** + {{iocs}} + {% endif %} + + {% if logs %} + **Relevant Logs/Evidence:** + {{logs}} + {% endif %} + + Generate a complete incident response playbook: + + --- + ## ⚑ SOFORT / IMMEDIATE (0-1h) + + ### Kill Chain Analysis + - **Phase:** [Reconnaissance/Weaponization/Delivery/Exploitation/Installation/C2/Actions] + - **MITRE ATT&CK:** [Tactic > Technique > Sub-technique] + - **Threat Actor Profile:** [APT/Criminal/Insider/Unknown] + + ### Containment Steps (do RIGHT NOW) + 1. [Step with exact command/action] + 2. ... + + ## πŸ”’ Eradication (1-24h) + [Remove attacker presence, close attack vector] + + ## πŸ”„ Recovery (24-72h) + [Restore services safely, verify integrity] + + ## πŸ“‹ NIS2 Reporting Requirements + - **72h Early Warning Required?** Yes/No β€” Reason: [NIS2 Article 23] + - **Report to:** [National CERT, BSI, or sector-specific authority] + - **Required Content:** [incident description, impact, preliminary measures] + - **Deadline:** {{detection_time}} + 72h = [calculated deadline] + + ## πŸ“Š Post-Incident (After Recovery) + - Root Cause Analysis timeline + - Lessons learned + - Control improvements needed + - Final NIS2 report within 1 month + + ## 🎯 Business Impact Assessment + - **Operational Impact:** [services affected, downtime] + - **Data Impact:** [personal data? GDPR breach notification needed?] + - **Financial Impact:** [estimated] + - **Reputational Impact:** [customers, partners affected] + +variables: + incident_id: + type: string + required: true + default: "INC-{{timestamp}}" + detection_time: + type: string + required: true + description: "ISO 8601 timestamp when incident was detected" + incident_type: + type: string + required: true + description: "e.g., ransomware, data breach, DDoS, insider threat, supply chain" + affected_systems: + type: string + required: true + status: + type: string + required: true + description: "ongoing|contained|eradicated|recovering" + description: + type: string + required: true + iocs: + type: string + required: false + logs: + type: string + required: false diff --git a/packages/gateway/prompts/templates/magatama_threat_analysis.yaml b/packages/gateway/prompts/templates/magatama_threat_analysis.yaml new file mode 100644 index 0000000..676beb6 --- /dev/null +++ b/packages/gateway/prompts/templates/magatama_threat_analysis.yaml @@ -0,0 +1,69 @@ +name: magatama_threat_analysis +version: "1.0" +description: "MAGATAMA deep threat analysis with MITRE ATT&CK, Kill Chain, and CIA Triad mapping" +callers: [magatama, shieldx, shieldy, switchblade, internal] + +system: | + You are MAGATAMA, the TEPPEKI unified security intelligence engine. + For every finding you provide: severity level, CVSS score, MITRE ATT&CK technique ID, + Kill Chain phase, CIA impact, and concrete remediation steps. + Always reason from attacker perspective first, then defender perspective. + Output bilingual (DE executive summary + EN technical details) unless single language requested. + +template: | + ## Bedrohungsanalyse / Threat Analysis Request + + **Asset / System:** {{asset}} + **Finding / Indicator:** {{finding}} + **Context:** {{context}} + {% if source_ip %}**Source IP:** {{source_ip}}{% endif %} + {% if cve_id %}**CVE:** {{cve_id}}{% endif %} + + Analyze this threat across all relevant TEPPEKI pillars (S1-S7). + Structure your response: + + ### πŸ”΄ Severity & Scoring + - Severity: [CRITICAL/HIGH/MEDIUM/LOW/INFO] + - CVSS v3.1 Score: X.X (Vector: AV:.../...) + - MITRE ATT&CK: [Tactic] > [Technique TXX.XXX] + - Kill Chain Phase: [phase] + + ### 🎯 Angriffsszenario / Attack Scenario (DE) + [German: What an attacker would do with this, business impact] + + ### πŸ” Technical Analysis (EN) + [English: Root cause, exploitation details, IOCs] + + ### πŸ›‘οΈ CIA Triad Impact + - Confidentiality: [impact] + - Integrity: [impact] + - Availability: [impact] + + ### βœ… Sofortmaßnahmen / Immediate Remediation + [Numbered steps with code examples where applicable] + + ### πŸ“‹ Compliance Mapping + [Relevant NIS2 Articles, ISO 27001 controls, BSI IT-Grundschutz] + +variables: + asset: + type: string + required: true + description: "Affected system, service, or asset" + finding: + type: string + required: true + description: "Security finding, alert, or indicator of compromise" + context: + type: string + required: false + default: "No additional context provided" + description: "Environment context, recent changes, related events" + source_ip: + type: string + required: false + description: "Source IP address if applicable" + cve_id: + type: string + required: false + description: "CVE identifier if known" diff --git a/packages/gateway/prompts/templates/magatama_vuln_triage.yaml b/packages/gateway/prompts/templates/magatama_vuln_triage.yaml new file mode 100644 index 0000000..b005386 --- /dev/null +++ b/packages/gateway/prompts/templates/magatama_vuln_triage.yaml @@ -0,0 +1,94 @@ +name: magatama_vuln_triage +version: "1.0" +description: "MAGATAMA vulnerability triage with CVSS scoring, EPSS, and exploit availability" +callers: [magatama, shieldx, shieldy, internal] + +system: | + You are MAGATAMA, performing vulnerability triage for the TEPPEKI security platform. + Score vulnerabilities using CVSS v3.1 and EPSS (Exploit Prediction Scoring System). + Check for active exploitation in the wild. Prioritize based on asset criticality + and business impact. Output as structured JSON for automated processing. + +template: | + ## Vulnerability Triage Request + + **Asset:** {{asset}} + **Asset Criticality:** {{criticality}} + + **Vulnerabilities to triage:** + {{vulnerabilities}} + + {% if environment %} + **Environment context:** {{environment}} + {% endif %} + + Triage each vulnerability and return JSON: + + ```json + { + "triage_timestamp": "{{timestamp}}", + "asset": "{{asset}}", + "asset_criticality": "{{criticality}}", + "summary": { + "total": 0, + "critical": 0, + "high": 0, + "medium": 0, + "low": 0, + "patch_immediately": [], + "estimated_total_effort_hours": 0 + }, + "vulnerabilities": [ + { + "id": "CVE-XXXX-XXXXX or internal ID", + "title": "...", + "cvss_v31_score": 0.0, + "cvss_vector": "AV:.../...", + "epss_score": 0.0, + "epss_percentile": 0, + "exploited_in_wild": true, + "exploit_available": true, + "mitre_technique": "TXXXX", + "severity": "CRITICAL|HIGH|MEDIUM|LOW", + "adjusted_priority": "P1|P2|P3|P4", + "patch_deadline": "immediate|24h|7d|30d|90d", + "remediation": "...", + "workaround": "...", + "affected_component": "...", + "nis2_reportable": true, + "business_impact": "...", + "effort_hours": 0 + } + ], + "patch_schedule": [ + { + "deadline": "...", + "vulnerabilities": [], + "responsible_team": "..." + } + ], + "executive_summary_de": "..." + } + ``` + +variables: + asset: + type: string + required: true + description: "System or application being triaged" + criticality: + type: string + required: true + description: "critical|high|medium|low β€” business criticality of the asset" + vulnerabilities: + type: string + required: true + description: "List of CVEs, scanner output, or vulnerability descriptions" + environment: + type: string + required: false + description: "Production/staging, internet-facing, internal, cloud, on-prem" + timestamp: + type: string + required: false + default: "{{now}}" diff --git a/packages/gateway/src/config/models.yaml b/packages/gateway/src/config/models.yaml index ab04a54..bbcf2f2 100644 --- a/packages/gateway/src/config/models.yaml +++ b/packages/gateway/src/config/models.yaml @@ -37,6 +37,14 @@ models: strengths: [classification, summarization] max_tokens_default: 512 + # ─── MAGATAMA β€” Fine-tuned Security Intelligence (Context X) ───────────────── + magatama:32b: + tier: large + context_length: 131072 + strengths: [security_analysis, threat_intelligence, compliance, bgp_security, incident_response, nis2, ciso_reporting] + max_tokens_default: 4096 + description: "MAGATAMA まがたま β€” TEPPEKI 7-pillar security AI, fine-tuned on Qwen2.5-32B" + # Custom fine-tuned models (Context X) ctxhealer:latest: tier: medium diff --git a/packages/gateway/src/config/routing-rules.yaml b/packages/gateway/src/config/routing-rules.yaml index c3a89d0..7defb1e 100644 --- a/packages/gateway/src/config/routing-rules.yaml +++ b/packages/gateway/src/config/routing-rules.yaml @@ -15,6 +15,73 @@ routing_rules: validators: [] callers: [all] + # ─── MAGATAMA β€” TEPPEKI Security Intelligence ───────────────────────────── + magatama_threat_analysis: + model: magatama:32b + tier: large + prompt_template: magatama_threat_analysis + temperature: 0.1 + max_tokens: 4096 + output_format: text + requires_fact_check: false + validators: [banlist, length] + callers: [magatama, shieldx, shieldy, switchblade, internal] + + magatama_ciso_report: + model: magatama:32b + tier: large + prompt_template: magatama_ciso_report + temperature: 0.2 + max_tokens: 4096 + output_format: text + requires_fact_check: false + validators: [banlist, length] + callers: [magatama, switchblade, internal] + + magatama_compliance_gap: + model: magatama:32b + tier: large + prompt_template: magatama_compliance_gap + temperature: 0.1 + max_tokens: 4096 + output_format: json + requires_fact_check: false + validators: [schema, length] + callers: [magatama, switchblade, internal] + + magatama_incident_response: + model: magatama:32b + tier: large + prompt_template: magatama_incident_response + temperature: 0.1 + max_tokens: 4096 + output_format: text + requires_fact_check: false + validators: [banlist, length] + callers: [magatama, shieldy, internal] + + magatama_bgp_security: + model: magatama:32b + tier: large + prompt_template: magatama_bgp_security + temperature: 0.1 + max_tokens: 2048 + output_format: text + requires_fact_check: true + validators: [fact_checker, length] + callers: [magatama, peercortex, switchblade, internal] + + magatama_vuln_triage: + model: magatama:32b + tier: large + prompt_template: magatama_vuln_triage + temperature: 0.1 + max_tokens: 2048 + output_format: json + requires_fact_check: false + validators: [schema, length] + callers: [magatama, shieldx, shieldy, internal] + # ─── CTX-REPORT MORNING BRIEFING ────────────────────────────────────────── ctx_morning_briefing: model: qwen2.5:32b