UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

243 lines (218 loc) 7.25 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
# Schema: Indicator of Compromise (IOC) Entry # # Defines the structure for a single IOC entry aligned with STIX 2.1 # Cyber Observable Objects (SCOs). Each entry represents one distinct # indicator observed or inferred during an investigation. # # STIX 2.1 reference: https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html # ATT&CK reference: https://attack.mitre.org/ # # Required fields are marked "(required)". # Optional fields are marked "(optional)". --- schema_version: "1.0.0" schema_name: ioc-entry # --- Identification --- id: # (required) Unique IOC identifier within the case. # Format: IOC-NNN (e.g., IOC-001, IOC-042) type: string pattern: "^IOC-[0-9]{3,}$" example: "IOC-001" case_id: # (required) Case identifier linking this IOC to an investigation. type: string example: "2026-02-27-001" # --- Observable --- type: # (required) IOC observable type, aligned with STIX 2.1 SCO type names. # Select the most specific type that applies. type: string allowed: - ipv4-addr # IPv4 address (e.g., "185.220.101.42") - ipv6-addr # IPv6 address - domain-name # DNS domain (e.g., "malware.example.net") - url # Full URL (e.g., "http://185.220.101.42/shell.php") - file # File identified by path, name, or hash - email-addr # Email address used by threat actor - user-account # User account name or UID - process # Process name, PID, or command line pattern - network-traffic # Specific connection pattern (src/dst/port combination) - windows-registry-key # Windows registry key path - artifact # Raw bytes, encoded content, or binary pattern - autonomous-system # BGP autonomous system number - mac-addr # MAC address example: "ipv4-addr" value: # (required) The observable value. # Format depends on type: # ipv4-addr: "185.220.101.42" # domain-name: "c2.malware-example.net" # url: "http://185.220.101.42/shell.php" # file: "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" # or "/tmp/.hidden/backdoor" for path-based # email-addr: "attacker@protonmail.com" # user-account: "backdoor_user" or "uid:1337" # process: "nc -e /bin/bash" or process name # mac-addr: "00:11:22:33:44:55" type: string example: "185.220.101.42" context: # (required) Explanation of where and how this IOC was observed. # Describe the log source, file, or artifact and what the IOC's presence indicates. # Example: "Source IP observed in SSH authentication logs making 847 failed login # attempts against root over 3 minutes before a successful login." type: string # --- Temporal --- first_seen: # (optional) Earliest timestamp this IOC was observed in evidence. ISO 8601. type: string format: datetime example: "2026-02-25T03:14:00Z" last_seen: # (optional) Latest timestamp this IOC was observed in evidence. ISO 8601. type: string format: datetime example: "2026-02-27T08:57:22Z" # --- Assessment --- confidence: # (required) Confidence that this value is malicious and not a false positive. # high: Directly observed in evidence; corroborated by multiple independent sources. # medium: Observed but admits benign explanation; or confirmed by a single source. # low: Inferred or circumstantial; requires additional corroboration. type: string allowed: - high - medium - low example: "high" source: # (optional) The evidence source from which this IOC was extracted. # Reference an evidence item ID if applicable (e.g., "E-003: auth.log"). type: string example: "E-003: /var/log/auth.log" # --- STIX alignment --- stix_type: # (optional) The STIX 2.1 Cyber Observable Object type name. # This is the canonical STIX SCO type for tooling integration. # Often matches `type` directly but may differ for complex observables. type: string example: "ipv4-addr" # Common mappings: # ipv4-addr -> ipv4-addr # domain-name -> domain-name # url -> url # file (hash) -> file with hashes property # file (path) -> file with name property # email-addr -> email-addr # user-account -> user-account # process -> process stix_id: # (optional) Full STIX 2.1 object ID if this IOC has been formalized in a STIX bundle. # Format: "{type}--{UUID4}" type: string example: "ipv4-addr--a440da74-7e46-4e33-bd7a-c0f8b3addf5f" # --- ATT&CK --- attack_technique: # (optional) MITRE ATT&CK technique or sub-technique ID associated with this IOC. # Format: T followed by 4 digits, optional period and 3-digit sub-technique. # Example: "T1078" (Valid Accounts) or "T1078.001" (Default Accounts) type: string pattern: "^T[0-9]{4}(\\.[0-9]{3})?$" example: "T1110.001" attack_tactic: # (optional) MITRE ATT&CK tactic associated with this IOC. type: string allowed: - reconnaissance - resource-development - initial-access - execution - persistence - privilege-escalation - defense-evasion - credential-access - discovery - lateral-movement - collection - command-and-control - exfiltration - impact example: "credential-access" # --- Enrichment --- enrichment: # (optional) Results from threat intelligence enrichment queries. type: object properties: virustotal: # (optional) VirusTotal lookup results summary. type: object properties: malicious_count: # Number of VT engines reporting this value as malicious. type: integer total_engines: type: integer permalink: type: string queried_at: type: string format: datetime abuseipdb: # (optional) AbuseIPDB results (IP addresses only). type: object properties: abuse_confidence_score: # AbuseIPDB confidence score 0-100. type: integer minimum: 0 maximum: 100 total_reports: type: integer last_reported_at: type: string format: datetime shodan: # (optional) Shodan host information summary (IP addresses only). type: object properties: org: type: string isp: type: string country: type: string ports: type: array items: type: integer tags: type: array items: type: string threat_intel_feeds: # (optional) Matches in threat intelligence feeds. type: array items: feed_name: type: string example: "Tor Exit Nodes" match: type: boolean details: type: string notes: # (optional) Analyst notes from enrichment review. type: string # --- Detection --- detection_rules: # (optional) Sigma rules or other detection content covering this IOC. type: array items: rule_id: type: string rule_file: type: string platform: type: string example: "SIEM"