- Add magatama:32b to models.yaml (large tier, 131k context, security strengths)
- Add 6 MAGATAMA routing rules: threat_analysis, ciso_report, compliance_gap, incident_response, bgp_security, vuln_triage
- Add 6 MAGATAMA prompt templates with full TEPPEKI doctrine: MITRE ATT&CK, Kill Chain, CIA Triad, NIS2, ISO 27001, CVSS v3.1
- Fine-tuned on Qwen2.5-32B-Instruct with 22831 MAGATAMA security samples
  LoRA adapter: r=8, alpha=16
101 lines
2.8 KiB
YAML
```yaml
name: magatama_incident_response
version: "1.0"
description: "MAGATAMA incident response playbook — containment, eradication, recovery, reporting"
callers: [magatama, shieldy, switchblade, internal]

system: |
  You are MAGATAMA coordinating an active security incident response.
  Map the incident to MITRE ATT&CK and the Cyber Kill Chain.
  Provide immediate containment steps, eradication procedures, recovery actions,
  and NIS2-compliant incident reporting guidance. Be precise and time-conscious.

template: |
  ## Security Incident Response

  **Incident ID:** {{incident_id}}
  **Detected:** {{detection_time}}
  **Incident Type:** {{incident_type}}
  **Affected Systems:** {{affected_systems}}
  **Current Status:** {{status}}

  **Description:**
  {{description}}

  {% if iocs %}
  **Indicators of Compromise (IOCs):**
  {{iocs}}
  {% endif %}

  {% if logs %}
  **Relevant Logs/Evidence:**
  {{logs}}
  {% endif %}

  Generate a complete incident response playbook:

  ---
  ## ⚡ SOFORT / IMMEDIATE (0-1h)

  ### Kill Chain Analysis
  - **Phase:** [Reconnaissance/Weaponization/Delivery/Exploitation/Installation/C2/Actions on Objectives]
  - **MITRE ATT&CK:** [Tactic > Technique > Sub-technique]
  - **Threat Actor Profile:** [APT/Criminal/Insider/Unknown]

  ### Containment Steps (do RIGHT NOW)
  1. [Step with exact command/action]
  2. ...

  ## 🔒 Eradication (1-24h)
  [Remove attacker presence, close attack vector]

  ## 🔄 Recovery (24-72h)
  [Restore services safely, verify integrity]

  ## 📋 NIS2 Reporting Requirements
  - **Significant incident under NIS2 Article 23?** Yes/No, reason: [severe operational disruption or financial loss, or considerable damage to other persons]
  - **Early Warning Deadline (24h):** {{detection_time}} + 24h = [calculated deadline]; state whether unlawful or malicious action is suspected and whether cross-border impact is possible
  - **Incident Notification Deadline (72h):** {{detection_time}} + 72h = [calculated deadline]; include the initial severity/impact assessment and IOCs where available
  - **Report to:** [National CSIRT or competent authority (e.g. BSI in Germany), or sector-specific authority]
  - **Required Content:** [incident description, impact, preliminary measures]

  ## 📊 Post-Incident (After Recovery)
  - Root Cause Analysis timeline
  - Lessons learned
  - Control improvements needed
  - Final NIS2 report within 1 month of the incident notification

  ## 🎯 Business Impact Assessment
  - **Operational Impact:** [services affected, downtime]
  - **Data Impact:** [personal data? GDPR Article 33 breach notification to the supervisory authority within 72h needed?]
  - **Financial Impact:** [estimated]
  - **Reputational Impact:** [customers, partners affected]

variables:
  incident_id:
    type: string
    required: true
    default: "INC-{{timestamp}}"
  detection_time:
    type: string
    required: true
    description: "ISO 8601 timestamp when incident was detected"
  incident_type:
    type: string
    required: true
    description: "e.g., ransomware, data breach, DDoS, insider threat, supply chain"
  affected_systems:
    type: string
    required: true
  status:
    type: string
    required: true
    description: "ongoing|contained|eradicated|recovering"
  description:
    type: string
    required: true
  iocs:
    type: string
    required: false
  logs:
    type: string
    required: false
```
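As an added worked example (not part of the repository's own code), the following Python renderer shows how a caller can drive a template of this shape safely: it enforces the `variables:` schema (defaults, required fields, the `status` enum), computes the NIS2 Article 23 timers deterministically from `detection_time` instead of asking the model to do date arithmetic, wraps the attacker-influenced `iocs` and `logs` fields in delimiters so pasted evidence is less likely to be read as instructions, and expands the `{% if var %}`/`{{var}}` syntax the template uses. `TEMPLATE` is a constructed excerpt of the template body; the `early_warning_deadline`/`notification_deadline` variable names, the `<<<BEGIN UNTRUSTED ...>>>` markers and the regex-based renderer are assumptions of this example, not the project's engine.

```python
import re
from datetime import datetime, timedelta, timezone

# Schema mirroring the `variables:` block of magatama_incident_response.
VARIABLES = {
    "incident_id":      {"required": True, "default": "INC-{{timestamp}}"},
    "detection_time":   {"required": True},
    "incident_type":    {"required": True},
    "affected_systems": {"required": True},
    "status":           {"required": True},
    "description":      {"required": True},
    "iocs":             {"required": False},
    "logs":             {"required": False},
}
STATUS_VALUES = ("ongoing", "contained", "eradicated", "recovering")
# Fields whose content comes from the attacker's side (pasted IOCs, raw log lines).
UNTRUSTED = ("iocs", "logs")

# Constructed excerpt of the template body (same {{var}} / {% if %} syntax as the YAML).
# The two *_deadline names are assumed extra variables filled by nis2_deadlines().
TEMPLATE = """**Incident ID:** {{incident_id}}
**Detected:** {{detection_time}}
**Current Status:** {{status}}
{% if iocs %}
**Indicators of Compromise (IOCs):**
{{iocs}}
{% endif %}
{% if logs %}
**Relevant Logs/Evidence:**
{{logs}}
{% endif %}
- **Early Warning Deadline (24h):** {{early_warning_deadline}}
- **Incident Notification Deadline (72h):** {{notification_deadline}}
"""


def nis2_deadlines(detection_time: str) -> dict:
    """NIS2 Art. 23 timers (24h early warning, 72h incident notification) from an
    ISO 8601 detection time. Computed here rather than by the model, and only
    accepted with an explicit timezone so the deadline is unambiguous."""
    t = datetime.fromisoformat(detection_time.replace("Z", "+00:00"))
    if t.tzinfo is None:
        raise ValueError("detection_time must include a timezone offset")
    fmt = lambda d: d.isoformat(timespec="minutes")
    return {
        "early_warning_deadline": fmt(t + timedelta(hours=24)),
        "notification_deadline": fmt(t + timedelta(hours=72)),
    }


def validate(values: dict) -> dict:
    """Apply the schema: defaults, required check, string type, status enum,
    and delimiters around untrusted evidence so the model treats it as data."""
    out = {}
    for name, spec in VARIABLES.items():
        v = values.get(name)
        if v in (None, ""):
            if "default" in spec:
                stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
                v = spec["default"].replace("{{timestamp}}", stamp)
            elif spec["required"]:
                raise ValueError(f"missing required variable: {name}")
            else:
                v = ""
        if not isinstance(v, str):
            raise TypeError(f"{name} must be a string, got {type(v).__name__}")
        out[name] = v
    if out["status"] not in STATUS_VALUES:
        raise ValueError(f"status must be one of {STATUS_VALUES}")
    for name in UNTRUSTED:
        if out[name]:
            tag = name.upper()
            out[name] = f"<<<BEGIN UNTRUSTED {tag}>>>\n{out[name]}\n<<<END UNTRUSTED {tag}>>>"
    return out


_IF_BLOCK = re.compile(r"\{%\s*if\s+(\w+)\s*%\}\n?(.*?)\{%\s*endif\s*%\}\n?", re.S)
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, values: dict) -> str:
    """Expand {% if var %}...{% endif %} blocks, then {{var}} placeholders.
    Single pass: a value that itself contains {{...}} is never re-expanded,
    and an undeclared name fails loudly instead of leaking into the prompt."""
    text = _IF_BLOCK.sub(lambda m: m.group(2) if values.get(m.group(1)) else "", template)

    def substitute(m):
        name = m.group(1)
        if name not in values:
            raise KeyError(f"template references undeclared variable {name!r}")
        return values[name]
    return _VAR.sub(substitute, text)


def build_prompt(raw: dict) -> str:
    vals = validate(raw)
    vals.update(nis2_deadlines(vals["detection_time"]))
    return render(TEMPLATE, vals)


if __name__ == "__main__":
    # Constructed sample incident (TEST-NET address, no real IOCs).
    print(build_prompt({
        "detection_time": "2025-03-01T10:00:00Z",
        "incident_type": "ransomware",
        "affected_systems": "fileserver01, dc02",
        "status": "ongoing",
        "description": "Encryption of SMB shares observed, ransom note dropped.",
        "iocs": "192.0.2.10 (suspected C2)",
    }))
```

The deadline lines in the real template read `{{detection_time}} + 72h = [calculated deadline]`, which asks the model to do the arithmetic; passing precomputed deadlines in as variables, as above, removes that source of error and makes the regulatory timer auditable. Note also that the NIS2 clock runs from when the entity becomes aware of the incident, so `detection_time` is only a proxy if awareness came later.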