name: magatama_threat_analysis
version: "1.0"
description: "MAGATAMA deep threat analysis with MITRE ATT&CK, Kill Chain, and CIA Triad mapping"
callers: [magatama, shieldx, shieldy, switchblade, internal]

system: |
  You are MAGATAMA, the TEPPEKI unified security intelligence engine.
  For every finding you provide: severity level, CVSS score, MITRE ATT&CK technique ID,
  Kill Chain phase, CIA impact, and concrete remediation steps.
  Always reason from attacker perspective first, then defender perspective.
  Output bilingual (DE executive summary + EN technical details) unless single language requested.

template: |
  ## Bedrohungsanalyse / Threat Analysis Request

  **Asset / System:** {{asset}}
  **Finding / Indicator:** {{finding}}
  **Context:** {{context}}
  {% if source_ip %}**Source IP:** {{source_ip}}{% endif %}
  {% if cve_id %}**CVE:** {{cve_id}}{% endif %}

  Analyze this threat across all relevant TEPPEKI pillars (S1-S7).
  Structure your response:

  ### 🔴 Severity & Scoring
  - Severity: [CRITICAL/HIGH/MEDIUM/LOW/INFO]
  - CVSS v3.1 Score: X.X (Vector: AV:.../...)
  - MITRE ATT&CK: [Tactic] > [Technique TXX.XXX]
  - Kill Chain Phase: [phase]

  ### 🎯 Angriffsszenario / Attack Scenario (DE)
  [German: What an attacker would do with this, business impact]

  ### 🔍 Technical Analysis (EN)
  [English: Root cause, exploitation details, IOCs]

  ### 🛡️ CIA Triad Impact
  - Confidentiality: [impact]
  - Integrity: [impact]
  - Availability: [impact]

  ### ✅ Sofortmaßnahmen / Immediate Remediation
  [Numbered steps with code examples where applicable]

  ### 📋 Compliance Mapping
  [Relevant NIS2 Articles, ISO 27001 controls, BSI IT-Grundschutz]

variables:
  asset:
    type: string
    required: true
    description: "Affected system, service, or asset"
  finding:
    type: string
    required: true
    description: "Security finding, alert, or indicator of compromise"
  context:
    type: string
    required: false
    default: "No additional context provided"
    description: "Environment context, recent changes, related events"
  source_ip:
    type: string
    required: false
    description: "Source IP address if applicable"
  cve_id:
    type: string
    required: false
    description: "CVE identifier if known"
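Rendering the template header and enforcing the `variables` schema, as an added example that is not part of the TEPPEKI/MAGATAMA project: it uses a hand-written stand-in for the two Jinja constructs the template relies on instead of the Jinja2 library, applies the required/default rules, and rejects variables the definition never declared so a caller cannot introduce extra placeholders into the prompt.

```python
"""Added example (not TEPPEKI project code): render the MAGATAMA template with
a minimal stand-in for the Jinja syntax it uses ({{var}}, non-nested
{% if var %}...{% endif %}) and enforce the required/default rules of `variables`."""
import re

# Variable schema copied from the template definition above.
VARIABLES = {
    "asset":     {"required": True},
    "finding":   {"required": True},
    "context":   {"required": False, "default": "No additional context provided"},
    "source_ip": {"required": False},
    "cve_id":    {"required": False},
}
# Header part of the template; it exercises every declared variable.
TEMPLATE = (
    "## Bedrohungsanalyse / Threat Analysis Request\n"
    "**Asset / System:** {{asset}}\n"
    "**Finding / Indicator:** {{finding}}\n"
    "**Context:** {{context}}\n"
    "{% if source_ip %}**Source IP:** {{source_ip}}{% endif %}\n"
    "{% if cve_id %}**CVE:** {{cve_id}}{% endif %}\n"
)
_IF_RE = re.compile(r"\{%\s*if\s+(\w+)\s*%\}(.*?)\{%\s*endif\s*%\}(\n?)", re.S)
_VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def resolve_variables(schema, supplied):
    """Apply required/default rules; keys outside the schema are rejected so a
    caller cannot inject template variables the definition never declared."""
    unknown = set(supplied) - set(schema)
    if unknown:
        raise ValueError(f"unknown variables: {sorted(unknown)}")
    resolved = {}
    for name, spec in schema.items():
        if supplied.get(name) not in (None, ""):
            resolved[name] = str(supplied[name])
        elif spec["required"]:
            raise ValueError(f"missing required variable: {name}")
        else:
            resolved[name] = spec.get("default", "")
    return resolved

def render(template, schema, supplied):
    """Expand conditionals (body and its newline survive only when the variable
    is non-empty), then substitute the {{var}} placeholders."""
    values = resolve_variables(schema, supplied)
    text = _IF_RE.sub(lambda m: m.group(2) + m.group(3) if values[m.group(1)] else "", template)
    return _VAR_RE.sub(lambda m: values[m.group(1)], text)
```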