Source code for csle_rest_api.resources.recovery_ai.prompts

class Prompts:
    """
    Class with string constants related to LLM-prompting
    """

    INCIDENT_PROMPT_TEMPLATE = (
        "Below is a system description, a sequence of network logs (e.g., from an intrusion detection system), "
        "and an instruction that describes a task.\n"
        "Write a response that appropriately completes the request.\nBefore generating the response, "
        "think carefully about the system, the logs, and the instruction, then create a step-by-step "
        "chain of thoughts to ensure a logical and accurate response.\n\n"
        "### System:\n{}\n\n"
        "### Logs:\n{}\n\n"
        "### Instruction:\n"
        "You are a security operator with advanced knowledge in cybersecurity "
        "and IT systems.\nYou have been given information about a system and some logs generated by it, "
        "e.g., security alerts.\n"
        "Your task is to determine if the logs indicate a cyber incident (i.e., attack) "
        "that requires recovery actions.\n"
        "If the logs are just indicative of normal system activity or if they are unrelated to security, then you "
        "should classify the logs/system as not being an incident that requires recovery.\n"
        "Similarly, if the logs contain very minor security alerts that do not warrant any recovery action, "
        "then you should classify the logs/system as not being an incident that requires recovery.\n"
        "If there is an incident that requires action, you should concisely describe the incident and explain "
        "why it is an incident, i.e., you should indicate which parts of the logs or system description indicate "
        "an incident that requires immediate action.\n"
        "It is important that any conclusions you make in the incident description are supported by the "
        "logs/system description, don't make guesses.\n"
        "You should also associate the incident with tactics and techniques from the MITRE ATT&CK taxonomy. "
        "You should also identify entities involved in the incident.\n"
        "Return a JSON object with five fields: 'Incident', 'Incident description', 'MITRE ATT&CK Tactics', "
        "'MITRE ATT&CK Techniques', and 'Entities'.\n"
        "'Incident' should be a string that is either 'Yes' or 'No'.\n"
        "'Incident description' should be a string with a concise summary of the incident and explanation of "
        "why the logs/system description indicate that there is a incident.\n"
        "'MITRE ATT&CK Tactics' should be an array of strings, each of which corresponds to one tactic used by "
        "the attacker in the incident.\n"
        "'MITRE ATT&CK Techniques' should be an array of strings, each of which corresponds to one technique used "
        "by the attacker in the incident.\n"
        "'Entities' should be a JSON object with three properties: 'Attacker', 'System', and 'Targeted', where "
        "'Attacker' should be an array of strings, each of which is either an IP or a hostname that is related to "
        "the attacker/adversary, 'System' should be an array of strings, each of which is either an IP or a hostname "
        "that corresponds to some component in the system, and 'Targeted' should be an array of strings, each of which "
        "is either an IP or a hostname that corresponds to some component in the system that is under attack.\n"
        "If the 'Incident' field is set to 'No', then 'Incident description' should be 'No incident can be inferred "
        "from the logs because they contain no substantial information.', 'MITRE ATT&CK Tactics' should be an empty "
        "array, 'MITRE ATT&CK Techniques' should be an empty array, and 'Entities' should be an empty JSON object.\n"
        "Return only the JSON with the above five fields, nothing else.\n\n"
        "### Response:\n<think>")

    ACTION_PROMPT_TEMPLATE = (
        "Below is a system description, a sequence of network logs (e.g., from an intrusion detection system), "
        "a description of a cybersecurity incident, the current state of the recovery from the incident, "
        "a list of previously executed recovery actions, "
        "and an instruction that describes a task.\n"
        "Write a response that appropriately completes the request.\nBefore generating the response, "
        "think carefully about the system, the logs, and the instruction, then create a step-by-step "
        "chain of thoughts to ensure a logical and accurate response.\n\n"
        "### System:\n{}\n\n"
        "### Logs:\n{}\n\n"
        "### Incident:\n{}\n\n"
        "### State:\n{}\n"
        "The meaning of the state fields are as follows.\n"
        "is_attack_contained: Has the immediate threat been stopped from spreading?\n"
        "is_knowledge_sufficient: Have we gathered enough data to effectively contain and eradicate the attack?\n"
        "are_forensics_preserved: Has evidence been captured and stored in a forensically sound manner?\n"
        "is_eradicated: Is the adversary completely removed from the system?\n"
        "is_hardened: Has the root cause of the attack been remediated? i.e., are future attacks of the same "
        "type prevented?\n"
        "is_recovered: Are primary services restored for users?\n\n"
        "### Previous recovery actions:\n{}\n\n"
        "### Instruction:\n"
        "You are a security operator with advanced knowledge in cybersecurity "
        "and IT systems. You have been given information about a security incident and should"
        " generate the next suitable action for recovering the system from the incident. "
        "Your suggested action should be based on the logs, the system description only, the current state, and the "
        "previous recovery actions.\n"
        "Make sure that the suggested recovery action is consistent with the system description and the logs and that "
        "you do not repeat any action that has already been performed.\n"
        "The goal when selecting the recovery action is to change the state so that one of the state-properties that "
        "is currently 'false' "
        "becomes 'true'. The ideal recovery action sequence is: 1. contain the attack 2. gather information 3. "
        "preserve evidence "
        "4. eradicate the attacker 5. harden the system 6. recover operational services.\n"
        "When selecting the recovery action, make sure that it is concrete and actionable and minimizes unnecessary "
        "service disruptions. "
        "Vague or unnecessary actions will not change the state and should be avoided.\n"
        "Return a JSON object with two properties: 'Action' and 'Explanation', both of which should be strings.\n"
        "The property 'Action' should be a string that concisely describes the concrete recovery action.\n"
        "The property 'Explanation' should be a string that concisely explains why you selected the recovery action "
        "and motivates why the action is needed.\n\n"
        "### Response:\n<think>")

    STATE_PROMPT_TEMPLATE = (
        "Below is a system description, a sequence of network logs (e.g., from an intrusion detection system), "
        "a description of a cybersecurity incident, the current state of the recovery from the incident, "
        "a proposed recovery action, and an instruction that describes a task.\n"
        "Write a response that appropriately completes the request.\nBefore generating the response, "
        "think carefully about the system, the logs, and the instruction, then create a step-by-step "
        "chain of thoughts to ensure a logical and accurate response.\n\n"
        "### System:\n{}\n\n"
        "### Logs:\n{}\n\n"
        "### Incident:\n{}\n\n"
        "### State:\n{}\n"
        "The meaning of the state fields are as follows.\n"
        "is_attack_contained: Has the immediate threat been stopped from spreading?\n"
        "is_knowledge_sufficient: Have we gathered enough data to effectively contain and eradicate the attack?\n"
        "are_forensics_preserved: Has evidence been captured and stored in a forensically sound manner?\n"
        "is_eradicated: Is the adversary completely removed from the system?\n"
        "is_hardened: Has the root cause of the attack been remediated? i.e., are future attacks of the same "
        "type prevented?\n"
        "is_recovered: Are primary services restored for users?\n\n"
        "### Recovery action:\n{}\n\n"
        "### Instruction:\n"
        "You are a security operator with advanced knowledge in cybersecurity "
        "and IT systems.\nYou have been given information about a security incident, the state of recovery from "
        "the incident, "
        "and a recovery action.\nYour task is to predict what the next state of the recovery will be after applying "
        "the recovery action.\n"
        "For example, if the given recovery action effectively contains the attack and 'is_attack_contained' is "
        "'false' in the "
        "current state, then the next state should have 'is_attack_contained' set to 'true'.\nSimilarly, if "
        "'is_recovered' is 'false' "
        "in the current state and the given recovery action effectively recovers operational services of the system,"
        " then the next state "
        "should have 'is_recovered' set to 'true', etc.\nIt is also possible that multiple state properties change "
        "values from false to true. "
        "It is also possible that the state remains the same, i.e., no property changes.\nIt is important that the "
        "state only changes if the "
        "action is effective in achieving one of the recovery goals: containment, information gathering, preserving "
        "evidence, eradication, "
        "hardening, or recovery.\nA state variable can only change from 'false' to 'true', it cannot be changed from "
        "'true' to 'false'.\n"
        "Return a JSON object that defines the next state and contains the Boolean fields 'is_attack_contained', "
        "'is_knowledge_sufficient', 'are_forensics_preserved', 'is_eradicated', 'is_hardened', 'is_recovered'.\n\n"
        "### Response:\n<think>")

    RAG_PROMPT_TEMPLATE = ("Below is a sequenc of logs and an instruction. Complete the instruction.\n\n"
                           "### Logs:\n{}\n\n"
                           "### Instruction:\n"
                           "Extract a list of threat identifiers, e.g., cve-identifiers, cwe-identifiers, identifiers "
                           "for alerts (e.g., snort SIDs), or simply names of known vulnerabilities that occur in the "
                           "logs. It can be any identifier that you think it is possible to "
                           "use to fetch more relevant information about a potential incident.\n"
                           "For each of the identifiers that you extract, fetch brief and concise "
                           "information/context about what it means.\n"
                           "Return a JSON object with two properties:\n"
                           "'Identifiers', which is a list of strings with the identifiers.\n"
                           "'Context', which is a list of strings with the context/description of each identifier.\n"
                           "These two lists should have the same length. Return only the valid JSON, nothing else.\n"
                           "It is important that each string in the 'Identifiers' list appears verbatim in the "
                           "logs. Moreover, the context about each identifier should be "
                           "maximum 2 sentences.\n\n"
                           "### Response: ")

    GEMINI_ACTION_EVAL = ("Below is a system description, logs, an incident description, a recovery state, and a "
                          "recovery action, and an instruction. Complete the instruction.\n\n"
                          "### System:\n{}\n\n"
                          "### Logs:\n{}\n\n"
                          "### Incident:\n{}\n\n"
                          "### State:\n{}\n"
                          "The meaning of the state fields are as follows.\n"
                          "is_attack_contained: Has the immediate threat been stopped from spreading?\n"
                          "is_knowledge_sufficient: Have we gathered enough data to effectively contain and "
                          "eradicate the attack?\n"
                          "are_forensics_preserved: Has evidence been captured and stored in a forensically "
                          "sound manner?\n"
                          "is_eradicated: Is the adversary completely removed from the system?\n"
                          "is_hardened: Has the root cause of the attack been remediated? i.e., are future attacks "
                          "of the same type prevented?\n"
                          "is_recovered: Are primary services restored for users?\n\n"
                          "### Recovery action:\n{}\n\n"
                          "### Instruction:\n"
                          "Give a score between 0 and 1 that quantifies how good the recovery action is. These "
                          "are the goals of "
                          "the recovery action:\n"
                          "- It should be concrete and actionable, i.e., it should clearly explain what the security "
                          "operator should do, ideally with details like specific "
                          "IP addresses/hostnames/configurations/"
                          "vulnerabilities.\n"
                          "- It should avoid unnecessary recovery measures (e.g., shutting down services that are not "
                          "affected by the incident or blocking unnecessary IPs).\n"
                          "- It should cause the recovery state to change so that at least one state-property "
                          "that is currently False becomes True.\n"
                          "Return just the score between 0 and 1 that indicates how well the action meets the "
                          "above criteria.\n\n"
                          "### Response: ")

    GEMINI_INCIDENT_EVAL = ("Below is a system description, logs, a suggested incident classification, "
                            "and an instruction. Complete the instruction.\n\n"
                            "### System:\n{}\n\n"
                            "### Logs:\n{}\n\n"
                            "### Incident classification:\n{}\n\n"
                            "### Instruction:\n"
                            "Give a score between 0 and 1 that quantifies how good the incident classification is "
                            "based on the logs and the system description. "
                            "These are the goals of the incident classification: \n"
                            "- The logs/system description should be classified as an incident only if some recovery "
                            "action is needed, if it is not severe enough to warrant any action at all, then it should "
                            "be classified as 'No incident'.\n"
                            "- If all of the logs are just indicate of normal system activity (e.g., false positives) "
                            "or the logs are indicating alerts with low severity, then it should *not* be classified "
                            "as an incident. \n"
                            "- If the logs contain some false alerts or alerts that are indicative of "
                            "normal operation but contains at least 1 severe alert that is unusual, then it should be "
                            "classified as an incident based on the severe alerts. \n"
                            "- The incident report should focus on the important (severe) alerts. \n"
                            "Return just the score between 0 and 1 that indicates how well the incident classification "
                            "meets the above criteria.\n\n"
                            "### Response: ")

    INCIDENT = "Incident"
    INCIDENT_YES = "Yes"
    INCIDENT_DESCRIPTION = "Incident description"
    MITRE_ATTACK_TACTICS = "MITRE ATT&CK Tactics"
    MITRE_ATTACK_TECHNIQUES = "MITRE ATT&CK Techniques"
    ENTITIES = "Entities"
    ATTACKER = "Attacker"
    TARGETED = "Targeted"
    SYSTEM = "System"
    ACTION = "Action"
    EXPLANATION = "Explanation"
    IS_ATTACK_CONTAINED = "is_attack_contained"
    IS_KNOWLEDGE_SUFFICIENT = "is_knowledge_sufficient"
    ARE_FORENSICS_PRESERVED = "are_forensics_preserved"
    IS_ERADICATED = "is_eradicated"
    IS_HARDENED = "is_hardened"
    IS_RECOVERED = "is_recovered"
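
The prompts above state rules for the model's JSON output, but a prompt cannot enforce them, so the caller has to check the response. The following is an added example, not part of csle_rest_api: it checks a response against two of those rules (state fields are Boolean and may only go from false to true; every extracted identifier appears verbatim in the logs). The function names, the '</think>' delimiter and the sample log line are assumptions made for illustration.

```python
import json

STATE_FIELDS = (
    "is_attack_contained", "is_knowledge_sufficient", "are_forensics_preserved",
    "is_eradicated", "is_hardened", "is_recovered",
)
# Constructed sample log line (documentation IP range, made-up SID).
SAMPLE_LOGS = "[1:1000001:1] constructed alert {TCP} 192.0.2.10:4444 -> 192.0.2.20:22"


def extract_json(response: str) -> dict:
    """Discard the chain of thought and parse the JSON object after it."""
    # Assumption: the model closes its reasoning with '</think>'.
    answer = response.rsplit("</think>", 1)[-1]
    start, end = answer.find("{"), answer.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no JSON object in model response")
    return json.loads(answer[start:end + 1])


def validate_next_state(current: dict, response: str) -> dict:
    """STATE_PROMPT_TEMPLATE rules: six Boolean fields, false -> true only."""
    nxt = extract_json(response)
    if set(nxt) != set(STATE_FIELDS):
        raise ValueError(f"unexpected fields: {sorted(set(nxt) ^ set(STATE_FIELDS))}")
    for field in STATE_FIELDS:
        if not isinstance(nxt[field], bool):
            raise ValueError(f"{field} is not a Boolean")
        if current[field] and not nxt[field]:
            raise ValueError(f"{field} reverted from true to false")
    return nxt


def validate_identifiers(logs: str, response: str) -> dict:
    """RAG_PROMPT_TEMPLATE rules: equal-length lists, identifiers verbatim in logs."""
    out = extract_json(response)
    ids, ctx = out.get("Identifiers"), out.get("Context")
    if not (isinstance(ids, list) and isinstance(ctx, list) and len(ids) == len(ctx)):
        raise ValueError("'Identifiers' and 'Context' must be equal-length lists")
    for ident in ids:
        if not isinstance(ident, str) or not ident or ident not in logs:
            raise ValueError(f"identifier not verbatim in logs: {ident!r}")
    return out


if __name__ == "__main__":
    print(validate_identifiers(SAMPLE_LOGS, '{"Identifiers": ["1:1000001"], "Context": ["constructed"]}'))
```

A response that fails either check is best treated as a failed generation and retried or escalated, rather than repaired in place.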