UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

165 lines (129 loc) 7.22 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
--- namespace: aiwg name: forensics-timeline platforms: [all] description: Build correlated event timeline from multiple sources commandHint: argumentHint: "<findings-path> [--window start/end] [--sources logs|network|process|all] [--mitre]" category: forensics-timeline --- # /forensics-timeline Correlate events from multiple forensic sources into a unified chronological timeline. Normalizes timestamps across log files, network captures, process events, and file system artifacts. Reconstructs the attack chain and maps events to MITRE ATT&CK techniques. ## Usage `/forensics-timeline <findings-path> [options]` ## Arguments | Argument | Required | Description | |----------|----------|-------------| | findings-path | Yes | Path to findings directory (e.g., `.aiwg/forensics/findings/web01-2026-02-27/`) | | --window | No | Time window filter: `start/end` in ISO 8601 (e.g., `2026-02-26T18:00:00Z/2026-02-27T06:00:00Z`) | | --sources | No | Event sources to include: `logs`, `network`, `process`, `filesystem`, `all` (default: `all`) | | --mitre | No | Annotate events with MITRE ATT&CK technique IDs | | --output | No | Output path (default: `.aiwg/forensics/timeline/incident-timeline.md`) | | --granularity | No | Minimum event significance level: `all`, `medium`, `high` (default: `medium`) | | --format | No | Output format: `markdown` (default), `json`, `csv` | ## Behavior When invoked, this command: 1. **Discover Evidence Sources** - Scan findings directory for all log files, captures, and analysis outputs - Identify available sources: auth logs, syslog, journal, audit, network, process lists - Record source timestamps and timezone/offset metadata - Note any gaps in log coverage 2. **Normalize Timestamps** - Convert all timestamps to UTC - Detect and compensate for clock skew between sources - Handle timezone-naive log entries using system timezone from profile - Flag entries with ambiguous or inconsistent timestamps 3. **Event Extraction** - Parse authentication events: logins, logouts, sudo, su, failed attempts - Extract network events: connections established, DNS queries, port scans - Extract process events: spawns, exits, executions from unusual paths - Extract filesystem events: file modifications, creations, deletions (if auditd active) - Extract privilege events: uid changes, capability grants, SUID executions - Extract persistence events: cron modifications, service installs, key changes 4. **Correlation and Deduplication** - Match related events across sources (e.g., SSH login + process spawn) - Deduplicate events appearing in multiple log sources - Link network connections to responsible processes via PID correlation - Group events into logical attack phases 5. **Attack Chain Reconstruction** - Identify initial access vector (brute force, key use, web exploit, etc.) - Map progression: initial access, execution, persistence, lateral movement - Identify patient zero: first compromised account or process - Estimate attacker dwell time from first to last activity - Determine data exfiltration indicators 6. **MITRE ATT&CK Mapping** (when `--mitre` specified) - Map each significant event to ATT&CK technique IDs - Label tactics: TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, etc. - Note relevant sub-techniques where applicable 7. **Timeline Output** - Write chronological event table - Include severity, source, raw event, and interpretation for each entry - Highlight critical events (red flags, attack milestones) - Generate attack chain narrative summary - Save `incident-timeline.md` ## Examples ### Example 1: Standard timeline ```bash /forensics-timeline .aiwg/forensics/findings/web01-2026-02-27/ ``` ### Example 2: Filtered time window ```bash /forensics-timeline .aiwg/forensics/findings/ --window 2026-02-26T20:00:00Z/2026-02-27T04:00:00Z ``` ### Example 3: Network and process sources with MITRE mapping ```bash /forensics-timeline .aiwg/forensics/ --sources network,process --mitre ``` ### Example 4: High-significance events only, JSON output ```bash /forensics-timeline .aiwg/forensics/ --granularity high --format json ``` ## Output Artifacts are saved to `.aiwg/forensics/timeline/`: ``` .aiwg/forensics/timeline/ ├── incident-timeline.md # Full chronological timeline ├── attack-chain.md # Attack progression narrative ├── timeline.json # Machine-readable event list └── mitre-mapping.yaml # ATT&CK technique annotations (if --mitre) ``` ### Sample Output ``` Building Timeline ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Sources discovered: auth.log (72h, 14,832 entries) journal (72h, 187,441 entries) audit.log (72h, 92,318 entries) network captures (triage snapshot) process list (triage snapshot) Timestamps normalized to UTC Clock skew: 0s (synchronized) Events extracted: 1,247 raw -> 312 significant Correlations found: 48 Timeline window: 2026-02-26T22:00:00Z to 2026-02-27T02:15:00Z (4h 15m) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ | Time (UTC) | Sev | Source | Event | |---------------------|----------|----------|----------------------------------------------------| | 2026-02-26 22:14:33 | HIGH | auth.log | 847 failed SSH attempts from 185.220.101.42 | | 2026-02-26 22:29:01 | CRITICAL | auth.log | Successful SSH login for 'deploy' from 185.220.101.42 | | 2026-02-26 22:29:04 | HIGH | journal | Process spawn: /bin/bash (child of sshd PID 3821) | | 2026-02-26 22:31:18 | HIGH | audit | Privilege escalation: sudo -l (deploy -> root) | | 2026-02-26 22:33:45 | CRITICAL | audit | New cron entry: * * * * * /tmp/.update | | 2026-02-26 22:34:01 | CRITICAL | journal | File created: /tmp/.update (executable) | | 2026-02-27 00:00:00 | HIGH | journal | Cron executed: /tmp/.update | | 2026-02-27 00:00:02 | CRITICAL | journal | Outbound connection: 185.220.101.42:4444 | Attack Chain Summary: Initial Access: 22:14Z - SSH brute force (T1110.001) Execution: 22:29Z - Interactive shell via compromised credentials (T1059.004) Persistence: 22:33Z - Cron job installation (T1053.003) C2: 00:00Z - Reverse shell beaconing (T1071.001) Dwell time: 1h 46m (first access to C2 beacon) Patient zero: account 'deploy' Output: .aiwg/forensics/timeline/incident-timeline.md ``` ## References - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/timeline-builder.md - Timeline Builder - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/timeline-template.md - Timeline format - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-ioc.md - IOC extraction - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Report generation