ctipilot.ch

Entry reference templates

Read by the intel-run and weekly routines during their compose phase. It contains the canonical skeleton for an entry file and a run record, plus a worked-good body fragment showing the technical-depth bar. The substantive editorial / verification / state / publishing rules live in prompts/cti-run.md and prompts/weekly-summary.md; the NORMATIVE frontmatter contract is docs/pipeline.md — this file only shows the rendered shape.


Worked-good body fragment (illustrative, not topic guidance)

This is the technical specificity every entry body must carry where the source supports it — exact vulnerable component path, technique class with MITRE ATT&CK IDs, exploitation prerequisites, affected and patched versions to vendor-stated precision, named campaign clusters, behavioural detection and hardening tied to the specificity (no IOCs, no rule code).

A supply-chain compromise injected a malicious post-install script into the fictitious npm @org/x-cli package across versions 4.2.7 → 4.3.1; the script invokes osascript on macOS / powershell.exe -enc on Windows to harvest browser cookie jars from each browser's per-profile cookie store on disk and exfiltrates them via DNS-over-HTTPS to an attacker-operated edge-serverless resolver — TLS-encrypted, blends with normal browser DoH traffic, evades classic egress proxies that don't terminate DoH (Vendor primary, YYYY-MM-DD). Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain and T1071.004 Application Layer Protocol: DNS. Detection concepts: alert on unsigned osascript / powershell.exe -enc invocations from node / npm / npx parent-process trees (Sysmon EID 1 + parent-image filter); inventory installed @org/* package versions across developer endpoints; block egress DoH resolvers other than the corporate ones. Hardening: pin npm dependencies via lockfile + --ignore-scripts; require signed packages for the affected scope. Affected versions: 4.2.7 through 4.3.1; fixed in 4.3.2.

The example is purely illustrative — actual depth is whatever the linked primary source supports. Better to write less than to fabricate plausible-sounding specifics (PD-1).


Entry skeleton — vulnerability (operational)

entries/<YYYY-MM-DD>/<slug>.md — one Write per file. Field semantics: docs/pipeline.md. Every taxonomy value from site/taxonomy.yaml; every entity key from entities/registry.yaml.

---
schema: 1
kind: vulnerability
horizon: operational
title: "CVE-YYYY-NNNNN — {Vendor} {Product}: {one-line description} (CVSS N.N)"
headline: "{Vendor} patches {an actively-exploited pre-auth RCE} in {Product}"
summary: >
  1–3 self-contained sentences naming the product, versions, exploitation
  status, and who must act. This is the TL;DR bullet, the RSS description,
  and the notification text.
discovered_at: "YYYY-MM-DDTHH:MM:SSZ"
event_date: "YYYY-MM-DD"
run_id: YYYY-MM-DDTHHMMZ-intel
priority: high
immediate_action: null
tags: [vulnerabilities, rce, actively-exploited, cisa-kev]
regions: [global]
sectors: [technology]
entities: []
cves:
  - id: CVE-YYYY-NNNNN
    cvss: "9.8"
    epss: null
    type: rce
    vector: zero-click
    auth: pre-auth
    status: [exploited, cisa-kev, patch-available]
    affected: "≤ N.N.N"
    fixed: "N.N.N+1"
sources:
  - url: "https://vendor.example/psirt/advisory-id"
    publisher: "Vendor PSIRT"
    date: "YYYY-MM-DD"
    role: primary
  - url: "https://lab.example/blog/exploitation-analysis"
    publisher: "Research Lab"
    date: "YYYY-MM-DD"
    role: corroborating
closed_sources: []
evidence:
  - quote: "verbatim exploitation-status quote from a fetched page"
    publisher: "Vendor PSIRT"
verification: multi-source
sourcing_note: null
confidence: high
update_of: null
references: []
deep_dive: false
deep_dive_category: null
org_triage: null
watchlist_hit: false
actions:
  - "Patch {Product} to ≥ {version} now; {rotation / isolation / hunt step tied to this entry's facts}."
migrated_from: null
---

{2–5 sentence body: what it is, prerequisites, exploitation status, who it
affects, detection + hardening — inline links at point of claim, worked-good
depth. No metadata footer line — frontmatter carries all metadata.}

Variants:

  • threat / incident — same skeleton with kind: threat (campaign / actor activity) or kind: incident (breach / disclosure), usually cves: [], body ends with a **Defender takeaway:** line.
  • critical entry — priority: critical plus:
    immediate_action:
      title: "{short imperative title}"
      action: >
        2–4 sentences: what is happening, why it is critical right now, and
        the specific time-critical defender action.
  • update note — update_of: <YYYY-MM-DD/slug>; body opens **UPDATE (originally covered YYYY-MM-DD):** and carries only the delta.
  • deep dive — deep_dive: true + deep_dive_category: <rotation slug>; body is the full deep-dive narrative (Background paragraph when PD-10 applies, kill chain with ATT&CK links, hunt concepts, hardening).
  • weekly strategic — horizon: strategic + weekly_section: <weekly-*> + references: [<entry ids>]; a weekly-top-stories body opens with **If you did nothing this week:**. The weekly-looking-ahead entry is kind: outlook with the justified watch list as its body.
  • closed-source entry — closed_sources: [{title, provider, date, tlp, ref}], inline attribution in the body as plain text (Provider, YYYY-MM-DD — closed source), never a fabricated URL.
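As an added example (not part of the pipeline's own prompts or code), a consistency check over the variant rules above, written against a frontmatter that has already been parsed into a Python dict plus the body text; the sample entries, slugs and dates are constructed here.

```python
import re

# Marker an update note must open with; the captured date has to match update_of's date prefix
UPDATE_RE = re.compile(r"^\*\*UPDATE \(originally covered (\d{4}-\d{2}-\d{2})\):\*\*")

def validate_entry(front: dict, body: str) -> list[str]:
    """Return the variant-rule violations for one entry; an empty list means consistent."""
    issues = []
    # critical entry: priority: critical needs an immediate_action block; every other entry keeps it null
    ia = front.get("immediate_action")
    if front.get("priority") == "critical":
        if not isinstance(ia, dict) or not ia.get("title") or not ia.get("action"):
            issues.append("priority: critical requires immediate_action with title and action")
    elif ia is not None:
        issues.append("immediate_action must be null unless priority is critical")
    # update note: update_of is <YYYY-MM-DD/slug> and the body opens with the matching UPDATE marker
    upd = front.get("update_of")
    if upd is not None:
        m = UPDATE_RE.match(body.lstrip())
        if not m or m.group(1) != str(upd).split("/")[0]:
            issues.append("update note must open with **UPDATE (originally covered <date>):** matching update_of")
    # deep dive: a rotation category is mandatory
    if front.get("deep_dive") and not front.get("deep_dive_category"):
        issues.append("deep_dive: true requires deep_dive_category")
    # weekly strategic: weekly_section plus the entry ids it rolls up; top stories has a fixed opener
    if front.get("horizon") == "strategic":
        sec = str(front.get("weekly_section") or "")
        if not sec.startswith("weekly-") or not front.get("references"):
            issues.append("strategic entries need weekly_section: weekly-* and non-empty references")
        if sec == "weekly-top-stories" and not body.lstrip().startswith("**If you did nothing this week:**"):
            issues.append("weekly-top-stories body must open with **If you did nothing this week:**")
    # closed-source items: the five documented keys and never a url (a fabricated link is the failure mode)
    for cs in front.get("closed_sources") or []:
        if "url" in cs or not {"title", "provider", "date", "tlp", "ref"} <= set(cs):
            issues.append("closed_sources item needs title, provider, date, tlp, ref and no url")
    # threat / incident bodies end with a Defender takeaway line (empty body counts as missing)
    last = (body.rstrip().splitlines() or [""])[-1]
    if front.get("kind") in {"threat", "incident"} and not last.startswith("**Defender takeaway:**"):
        issues.append("threat/incident body must end with a **Defender takeaway:** line")
    return issues

# Constructed sample: a critical update note that satisfies every rule it triggers.
GOOD = {"schema": 1, "kind": "vulnerability", "horizon": "operational", "priority": "critical",
        "immediate_action": {"title": "Patch now", "action": "Exploited pre-auth RCE; patch today."},
        "update_of": "2024-01-02/example-slug", "deep_dive": False, "closed_sources": []}
GOOD_BODY = "**UPDATE (originally covered 2024-01-02):** vendor shipped the fix."
# Constructed sample: an incident entry that breaks four rules at once.
BAD = {"schema": 1, "kind": "incident", "horizon": "operational", "priority": "critical",
       "immediate_action": None, "deep_dive": True, "deep_dive_category": None,
       "closed_sources": [{"title": "t", "provider": "p", "date": "2024-01-01", "tlp": "amber", "url": "https://x"}]}
```

Running the check during the compose phase, before the single Write of each entry file, turns the variant rules into a hard gate rather than a reviewer's memory.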

Run-record skeleton

runs/<YYYY-MM-DD>/<run-id>.md — frontmatter telemetry per docs/pipeline.md § Run records (schema, run_id, kind, timing, models, window/gap hours, entry counters, sub_agents blocks, fetch_failures, bridge_uses, sources_changed, entities_added, verification iterations). Body:

## Verification & coverage notes

- {borderline-drop: <title> — <reason>}
- {Single-source: <entry id> — <carve-out or [SINGLE-SOURCE] note>}
- {Contradiction: <topic> — A says X; B says Y; entries report <framing>.}
- {out-of-window: <title> — primary source <date>, window_hours=<N>}
- Coverage gaps: source-id (reason); source-id (reason); source-a, source-b — not fetched in this run.
- Watchlist: products checked=N, hits=N; suppliers checked=M, hits=M   *(only when configured)*
- Closed-source intake: files=N, items=M, leads-only=K (TLP-restricted)  *(only when intel present)*
- Essential-coverage: missed=source-id (reason)                          *(only on a miss)*