UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

203 lines (159 loc) 6.86 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
# Sigma Rule Template > Use this template to create custom Sigma detection rules from IOCs and TTPs identified > during an investigation. Each rule should cover one specific detection scenario. > Rules generated from investigations must be reviewed and tested before deployment to production. > > Reference: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide > ATT&CK Techniques: https://attack.mitre.org/techniques/ --- ## Rule Documentation Before writing the rule, answer these questions to ensure clarity and testability: **What activity does this rule detect?** ``` {{detection_description}} ``` **What is the false positive risk?** ``` {{false_positive_assessment}} ``` **What log source is required?** ``` {{log_source_description}} ``` **Has this rule been tested against real log data?** ``` {{test_status}} ``` --- ## Sigma Rule ```yaml title: {{rule_title}} # Human-readable title describing what the rule detects. # Be specific: "SSH Login from Known Malicious IP" not "Suspicious SSH" id: {{rule_uuid}} # Unique identifier in UUID format (generate with: python3 -c "import uuid; print(uuid.uuid4())") # Once assigned, never change the ID. Create a new rule instead. status: {{status}} # One of: stable | test | experimental | deprecated | unsupported # Use 'experimental' for new rules; promote to 'test' after validation; 'stable' after production use description: | {{rule_description}} # Detailed description of what the rule detects, why it is significant, # and the context in which malicious activity would trigger it. # Reference the investigation case if this rule was derived from a specific incident. references: - {{reference_url_1}} - {{reference_url_2}} # Links to relevant documentation, CVEs, blog posts, or threat intelligence reports. # At minimum, link to the relevant ATT&CK technique page. author: {{author_name}} # Name of the person or team that authored this rule. date: {{creation_date}} # Date the rule was created, format YYYY/MM/DD modified: {{modified_date}} # Date the rule was last modified, format YYYY/MM/DD tags: - attack.{{tactic_name}} # ATT&CK tactic in lowercase with underscores, e.g.: attack.initial_access # Full list: https://attack.mitre.org/tactics/ - attack.{{technique_id}} # ATT&CK technique ID, e.g.: attack.t1078 (Valid Accounts) # Sub-technique format: attack.t1078.001 - attack.{{sub_technique_id}} # Include sub-technique if applicable - {{case_id}} # Optional: tag with case ID to trace rule back to investigation logsource: product: {{product}} # The product generating the logs. Common values: # linux, windows, macos, aws, azure, gcp, kubernetes, nginx, apache, zeek category: {{category}} # Log category within the product. Common values: # process_creation, network_connection, file_event, registry_event, # authentication, dns, webserver, firewall service: {{service}} # Specific service or log file. Examples: # sshd, sudo, audit, syslog, security (Windows Event Log) # Leave blank if category is sufficient detection: selection: # Define what to match. Use field: value pairs. # Field names depend on the log source and your SIEM normalization. # Examples shown below — replace with actual fields for your environment. {{field_1}}: {{value_1}} # Example: CommandLine|contains: '/bin/bash -i' # Example: dst_ip|cidr: '185.220.0.0/16' # Example: User: 'root' # For multiple values matching any (OR logic within a field): # {{field_2}}|contains: # - '{{value_2a}}' # - '{{value_2b}}' # For substring matching: # {{field_3}}|contains: '{{substring}}' # {{field_3}}|startswith: '{{prefix}}' # {{field_3}}|endswith: '{{suffix}}' # For regex matching: # {{field_4}}|re: '{{regex_pattern}}' filter_main_{{filter_name}}: # Define legitimate activity to exclude (reduce false positives). # Use specific, narrow filters — overly broad filters create detection gaps. {{filter_field_1}}: {{filter_value_1}} # Example: ParentImage|endswith: '/cron' # Example: User: 'deploy-bot' condition: selection and not filter_main_{{filter_name}} # Condition language: # 'selection' — match the selection block # 'not filter_main_*' — exclude items matching any filter block # '1 of selection*' — match any selection block starting with 'selection' # 'all of them' — all defined blocks must match # 'selection | count(field) > 5' — aggregate: more than 5 unique values timeframe: {{timeframe}} # Optional. Use for aggregate conditions only. # Format: 30s, 5m, 1h, 1d # Example: 5m (useful for brute force: count(src_ip) > 10 within 5 minutes) falsepositives: - {{false_positive_1}} # Describe specific, realistic scenarios where legitimate activity triggers this rule. # Be concrete: "Automated deployment scripts running as root" not "legitimate admin activity" - {{false_positive_2}} level: {{level}} # Severity level of alerts generated by this rule. One of: # informational — contextual data, low signal # low — suspicious but commonly benign # medium — suspicious with moderate confidence of malicious activity # high — strong indicator of malicious activity # critical — confirmed malicious activity or active compromise ``` --- ## Usage Notes ### Testing the Rule Before deploying this rule to production, verify it against: 1. **Known-good logs** Confirm the rule does not trigger on normal system activity from your environment. 2. **Synthetic malicious activity** Replay the original IOCs or TTPs in a test environment and confirm the rule fires. 3. **False positive scenarios** Confirm documented false positives are handled by the filter blocks. ```bash # Sigma CLI rule validation (requires sigma-cli installed) sigma check {{rule_file_path}} # Convert to target SIEM query (example: Splunk) sigma convert -t splunk {{rule_file_path}} # Convert to Elasticsearch/OpenSearch sigma convert -t es-ql {{rule_file_path}} # Convert to syslog-ng pattern sigma convert -t syslog-ng {{rule_file_path}} ``` ### Investigation Reference | Field | Value | |-------|-------| | Source Case ID | `{{case_id}}` | | IOC References | `{{ioc_references}}` | | Finding References | `{{finding_references}}` | | Reviewed By | `{{reviewed_by}}` | | Approved for Production | `{{approved}}` | | Deployed To | `{{deployed_to}}` | | Deployment Date | `{{deployment_date}}` | ### ATT&CK Coverage Map This rule covers the following ATT&CK matrix positions: | Tactic | Technique | Sub-technique | Description | |--------|-----------|--------------|-------------| | `{{tactic_1}}` | `{{technique_id_1}}` | `{{subtechnique_1}}` | `{{coverage_description_1}}` | | `{{tactic_2}}` | `{{technique_id_2}}` | `{{subtechnique_2}}` | `{{coverage_description_2}}` |