name: magatama_incident_response
version: "1.0"
description: "MAGATAMA incident response playbook — containment, eradication, recovery, reporting"
callers: [magatama, shieldy, switchblade, internal]

system: |
  You are MAGATAMA coordinating an active security incident response.
  Map the incident to MITRE ATT&CK and the Cyber Kill Chain.
  Provide immediate containment steps, eradication procedures, recovery actions,
  and NIS2-compliant incident reporting guidance. Be precise and time-conscious.

template: |
  ## Security Incident Response

  **Incident ID:** {{incident_id}}
  **Detected:** {{detection_time}}
  **Incident Type:** {{incident_type}}
  **Affected Systems:** {{affected_systems}}
  **Current Status:** {{status}}

  **Description:**
  {{description}}

  {% if iocs %}
  **Indicators of Compromise (IOCs):**
  {{iocs}}
  {% endif %}

  {% if logs %}
  **Relevant Logs/Evidence:**
  {{logs}}
  {% endif %}

  Generate a complete incident response playbook:

  ---

  ## ⚡ SOFORT / IMMEDIATE (0-1h)

  ### Kill Chain Analysis
  - **Phase:** [Reconnaissance/Weaponization/Delivery/Exploitation/Installation/C2/Actions on Objectives]
  - **MITRE ATT&CK:** [Tactic > Technique > Sub-technique, with technique IDs]
  - **Threat Actor Profile:** [APT/Criminal/Insider/Unknown]

  ### Containment Steps (do RIGHT NOW)
  1. [Step with exact command/action; preserve volatile evidence before isolating hosts]
  2. ...

  ## 🔒 Eradication (1-24h)
  [Remove attacker presence, close the attack vector, rotate exposed credentials]

  ## 🔄 Recovery (24-72h)
  [Restore services safely from known-good sources, verify integrity, monitor for re-entry]

  ## 📋 NIS2 Reporting Requirements
  - **Significant incident under NIS2 Article 23?** Yes/No. Reason: [severe operational disruption, financial loss, or harm to others]
  - **Report to:** [national CSIRT or competent authority, e.g. BSI in Germany, or the sector-specific authority]
  - **Early warning (24h):** {{detection_time}} + 24h = [calculated deadline]; content: suspected unlawful/malicious cause, possible cross-border impact
  - **Incident notification (72h):** {{detection_time}} + 72h = [calculated deadline]; content: incident description, severity and impact, IOCs, preliminary measures
  - **Final report:** within 1 month of the incident notification (NIS2 Article 23(4))

  ## 📊 Post-Incident (After Recovery)
  - Root Cause Analysis timeline
  - Lessons learned
  - Control improvements needed
  - Final NIS2 report within 1 month

  ## 🎯 Business Impact Assessment
  - **Operational Impact:** [services affected, downtime]
  - **Data Impact:** [personal data affected? If yes, GDPR Article 33 notification to the supervisory authority within 72h of awareness]
  - **Financial Impact:** [estimated]
  - **Reputational Impact:** [customers, partners affected]

variables:
  incident_id:
    type: string
    required: true
    default: "INC-{{timestamp}}"
  detection_time:
    type: string
    required: true
    description: "ISO 8601 timestamp when the incident was detected (include a timezone offset)"
  incident_type:
    type: string
    required: true
    description: "e.g., ransomware, data breach, DDoS, insider threat, supply chain"
  affected_systems:
    type: string
    required: true
  status:
    type: string
    required: true
    description: "ongoing|contained|eradicated|recovering"
  description:
    type: string
    required: true
  iocs:
    type: string
    required: false
  logs:
    type: string
    required: false
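The reporting section above asks the responder to compute deadlines from `detection_time`, and the `variables:` block defines which inputs are required. The following Python is an added example, not part of the playbook file or the MAGATAMA project: it validates a caller's variables against a Python mirror of that schema and computes the NIS2 Article 23 clocks (24h early warning, 72h incident notification, final report one month after the notification) plus the GDPR Article 33 clock when personal data is involved. Assumptions not taken from the page: a naive timestamp is treated as UTC, "one month" is implemented as the same calendar day of the next month clamped to that month's last day, and the `{{timestamp}}` placeholder in the `incident_id` default is rendered as a compact UTC stamp.

```python
"""NIS2 / GDPR notification deadlines and template-variable validation.

Added example, not the playbook's own code. Timestamp, month-arithmetic and
{{timestamp}} rendering behaviour are assumptions; see the lead-in.
"""
from __future__ import annotations

import calendar
from datetime import datetime, timedelta, timezone

# Hypothetical Python mirror of the playbook's `variables:` block.
VARIABLE_SPEC = {
    "incident_id":      {"required": True,  "default": "INC-{{timestamp}}"},
    "detection_time":   {"required": True},
    "incident_type":    {"required": True},
    "affected_systems": {"required": True},
    "status":           {"required": True},
    "description":      {"required": True},
    "iocs":             {"required": False},
    "logs":             {"required": False},
}
VALID_STATUS = {"ongoing", "contained", "eradicated", "recovering"}


def parse_detection_time(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a naive value is assumed to be UTC (assumption)."""
    # fromisoformat() accepts "+02:00" offsets but a trailing "Z" only from 3.11 on.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def add_one_month(dt: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 29 Feb in 2024)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def nis2_deadlines(detection_time: str, personal_data: bool = False) -> dict[str, datetime]:
    """Reporting clocks, all started at detection (the moment the entity became aware).

    NIS2 Art. 23(4): early warning 24h, incident notification 72h, final report one
    month after the incident notification. GDPR Art. 33: 72h to the supervisory
    authority, only when personal data is affected.
    """
    t0 = parse_detection_time(detection_time)
    out = {
        "nis2_early_warning": t0 + timedelta(hours=24),
        "nis2_incident_notification": t0 + timedelta(hours=72),
    }
    out["nis2_final_report"] = add_one_month(out["nis2_incident_notification"])
    if personal_data:
        out["gdpr_art33_notification"] = t0 + timedelta(hours=72)
    return out


def validate_variables(values: dict[str, str], now: datetime | None = None) -> dict[str, str]:
    """Apply defaults, reject missing required fields, check enum and timestamp fields.

    Returns the completed variable set, or raises ValueError listing every problem
    so the caller sees all defects in one round-trip.
    """
    now = now or datetime.now(timezone.utc)
    filled = dict(values)
    errors = []
    for name, spec in VARIABLE_SPEC.items():
        if not filled.get(name):
            if "default" in spec:
                stamp = now.strftime("%Y%m%dT%H%M%SZ")  # assumed rendering of {{timestamp}}
                filled[name] = spec["default"].replace("{{timestamp}}", stamp)
            elif spec["required"]:
                errors.append(f"missing required variable: {name}")
    if filled.get("status") and filled["status"] not in VALID_STATUS:
        errors.append(f"status must be one of {sorted(VALID_STATUS)}")
    if filled.get("detection_time"):
        try:
            parse_detection_time(filled["detection_time"])
        except ValueError:
            errors.append("detection_time must be an ISO 8601 timestamp")
    unknown = set(filled) - set(VARIABLE_SPEC)
    if unknown:
        errors.append(f"unknown variables: {sorted(unknown)}")
    if errors:
        raise ValueError("; ".join(errors))
    return filled


if __name__ == "__main__":
    # Constructed sample input, not a real incident.
    sample = {
        "detection_time": "2024-01-31T22:30:00+01:00",
        "incident_type": "ransomware",
        "affected_systems": "file-srv-01, backup-srv-02",
        "status": "ongoing",
        "description": "Encryption of file shares observed, ransom note dropped",
    }
    filled = validate_variables(sample)
    print("incident_id:", filled["incident_id"])
    for name, when in nis2_deadlines(filled["detection_time"], personal_data=True).items():
        print(f"{name:28s} {when.isoformat()}")
```

Keeping the detection timestamp timezone-aware matters: a responder in CET who records `22:30` without an offset and a tool that assumes UTC disagree by an hour on every deadline, which is why the validator treats naive values as UTC explicitly rather than silently.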