Engagement Memory Template
Use this template to write your CLAUDE.md and AGENTS.md engagement memory files. Each section captures a different type of constraint that the AI should follow from the first prompt of every session.
Engagement Scope
Define scope boundaries and authorised targets. Include specific container IPs, ports, and service names. List what is explicitly out of scope.
SIEM Architecture
Document why both Loki and Wazuh exist in this environment. What role does each serve? What data does each collect? This section helps AI understand the infrastructure when writing detection rules or querying logs.
Detection Rule Conventions
Record the naming convention for detection rules (see the naming guide) and the field mappings for both platforms -- Loki uses different field names from Wazuh. AI that "knows" the field names generates rules that work on the first attempt.
Authorised Targets
List container names, IP addresses, ports, and service descriptions. AI should not scan or test anything not listed here.
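One way to make the Authorised Targets list machine-checkable, as an added example that is not part of the original template: a default-deny scope check that a wrapper can call before any tool touches a host. The row layout (name | ip | ports | description), the sample addresses and the function names parse_targets and in_scope are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of an "Authorised Targets" section. The row layout
# (name | ip | ports | description) is an assumption, not the template's own.
SAMPLE_MEMORY = """\
Authorised Targets
web-app   | 172.20.0.10 | 80,443   | demo web front end
db        | 172.20.0.20 | 5432     | PostgreSQL backing store
siem-loki | 172.20.0.30 | 3100     | Loki log store

Out of Scope
172.20.0.1 (Docker gateway), anything outside 172.20.0.0/24
"""

ROW = re.compile(r"^\s*([\w.-]+)\s*\|\s*([0-9a-fA-F.:]+)\s*\|\s*([\d,\s]+?)\s*\|")


def parse_targets(text):
    """Return {ip_address: {"name": str, "ports": set of int}} for the section."""
    targets, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Authorised Targets":
            in_section = True
            continue
        if in_section and not line.strip():
            break  # a blank line ends the section
        m = ROW.match(line) if in_section else None
        if m:
            name, ip, ports = m.groups()
            port_set = {int(p) for p in ports.split(",") if p.strip()}
            # ip_address() raises ValueError on a malformed row, so a typo in
            # the memory file fails loudly instead of silently widening scope.
            targets[ipaddress.ip_address(ip)] = {"name": name, "ports": port_set}
    return targets


def in_scope(targets, host, port):
    """Default deny: True only for a listed IP together with a listed port."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames and malformed input are never in scope
    entry = targets.get(ip)
    return entry is not None and port in entry["ports"]
```

Unresolved hostnames are rejected on purpose: the check compares only against the literal IPs written in the memory file, so a DNS answer cannot move a request out of scope.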
Known False Positives
Document the alert sources you expect during the assessment: Wazuh default rules that fire on normal operations and known benign traffic patterns. This prevents AI from reporting routine alerts as findings.