mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,197 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
SIEM Log Source Onboarding Manager
|
||||
|
||||
Tracks log source onboarding progress, validates data quality,
|
||||
and generates configuration templates for common SIEM platforms.
|
||||
"""
|
||||
|
||||
import json
|
||||
from datetime import datetime
|
||||
from typing import Optional
|
||||
|
||||
|
||||
class LogSource:
|
||||
"""Represents a log source to be onboarded into a SIEM."""
|
||||
|
||||
def __init__(self, name: str, source_type: str, log_format: str,
|
||||
estimated_eps: int, avg_event_size_bytes: int = 500,
|
||||
security_tier: str = "medium", collection_method: str = "syslog"):
|
||||
self.name = name
|
||||
self.source_type = source_type
|
||||
self.log_format = log_format
|
||||
self.estimated_eps = estimated_eps
|
||||
self.avg_event_size_bytes = avg_event_size_bytes
|
||||
self.security_tier = security_tier
|
||||
self.collection_method = collection_method
|
||||
self.status = "pending"
|
||||
self.cim_fields_mapped = []
|
||||
self.validation_results = {}
|
||||
|
||||
def estimate_daily_volume_gb(self) -> float:
|
||||
return round(self.estimated_eps * self.avg_event_size_bytes * 86400 / 1_073_741_824, 2)
|
||||
|
||||
def estimate_monthly_volume_gb(self) -> float:
|
||||
return round(self.estimate_daily_volume_gb() * 30, 2)
|
||||
|
||||
def validate_cim_compliance(self, required_fields: list) -> dict:
|
||||
mapped = set(self.cim_fields_mapped)
|
||||
required = set(required_fields)
|
||||
missing = required - mapped
|
||||
coverage = round(len(mapped & required) / max(1, len(required)) * 100, 1)
|
||||
self.validation_results["cim_compliance"] = {
|
||||
"coverage_pct": coverage,
|
||||
"mapped_fields": list(mapped & required),
|
||||
"missing_fields": list(missing),
|
||||
"compliant": coverage >= 80,
|
||||
}
|
||||
return self.validation_results["cim_compliance"]
|
||||
|
||||
def generate_splunk_inputs_conf(self) -> str:
|
||||
templates = {
|
||||
"syslog": f"""[udp://514]
|
||||
connection_host = ip
|
||||
sourcetype = {self.source_type}
|
||||
index = main
|
||||
disabled = false""",
|
||||
"windows_event": f"""[WinEventLog://Security]
|
||||
disabled = 0
|
||||
index = wineventlog
|
||||
sourcetype = {self.source_type}
|
||||
evt_resolve_ad_obj = 1
|
||||
checkpointInterval = 5""",
|
||||
"file_monitor": f"""[monitor:///var/log/{self.name}/*.log]
|
||||
disabled = false
|
||||
sourcetype = {self.source_type}
|
||||
index = main
|
||||
crcSalt = <SOURCE>""",
|
||||
"http_event_collector": f"""# Configure via Splunk HEC
|
||||
# POST to https://splunk:8088/services/collector/event
|
||||
# Headers: Authorization: Splunk <HEC_TOKEN>
|
||||
# Body: {{"event": "<log_data>", "sourcetype": "{self.source_type}", "index": "main"}}""",
|
||||
}
|
||||
return templates.get(self.collection_method, "# Unknown collection method")
|
||||
|
||||
|
||||
class OnboardingTracker:
|
||||
"""Tracks the onboarding status of multiple log sources."""
|
||||
|
||||
ONBOARDING_STEPS = [
|
||||
"discovery",
|
||||
"planning",
|
||||
"collection_configured",
|
||||
"parser_built",
|
||||
"cim_mapped",
|
||||
"validation_passed",
|
||||
"detection_rules_enabled",
|
||||
"documentation_complete",
|
||||
"production_released",
|
||||
]
|
||||
|
||||
def __init__(self):
|
||||
self.sources = []
|
||||
self.step_completion = {}
|
||||
|
||||
def add_source(self, source: LogSource):
|
||||
self.sources.append(source)
|
||||
self.step_completion[source.name] = {step: False for step in self.ONBOARDING_STEPS}
|
||||
|
||||
def complete_step(self, source_name: str, step: str):
|
||||
if source_name in self.step_completion and step in self.step_completion[source_name]:
|
||||
self.step_completion[source_name][step] = True
|
||||
# Update status
|
||||
for src in self.sources:
|
||||
if src.name == source_name:
|
||||
completed = sum(1 for v in self.step_completion[source_name].values() if v)
|
||||
total = len(self.ONBOARDING_STEPS)
|
||||
if completed == total:
|
||||
src.status = "completed"
|
||||
elif completed > 0:
|
||||
src.status = "in_progress"
|
||||
|
||||
def get_progress_report(self) -> dict:
|
||||
report = {
|
||||
"total_sources": len(self.sources),
|
||||
"completed": sum(1 for s in self.sources if s.status == "completed"),
|
||||
"in_progress": sum(1 for s in self.sources if s.status == "in_progress"),
|
||||
"pending": sum(1 for s in self.sources if s.status == "pending"),
|
||||
"total_daily_volume_gb": sum(s.estimate_daily_volume_gb() for s in self.sources),
|
||||
"total_monthly_volume_gb": sum(s.estimate_monthly_volume_gb() for s in self.sources),
|
||||
"sources": [],
|
||||
}
|
||||
for source in self.sources:
|
||||
steps = self.step_completion.get(source.name, {})
|
||||
completed_steps = sum(1 for v in steps.values() if v)
|
||||
report["sources"].append({
|
||||
"name": source.name,
|
||||
"type": source.source_type,
|
||||
"status": source.status,
|
||||
"progress": f"{completed_steps}/{len(self.ONBOARDING_STEPS)}",
|
||||
"daily_volume_gb": source.estimate_daily_volume_gb(),
|
||||
"security_tier": source.security_tier,
|
||||
"next_step": next((s for s, v in steps.items() if not v), "complete"),
|
||||
})
|
||||
return report
|
||||
|
||||
|
||||
CIM_REQUIRED_FIELDS = {
|
||||
"Network_Traffic": ["src_ip", "dest_ip", "dest_port", "action", "bytes", "protocol", "transport"],
|
||||
"Authentication": ["src_ip", "user", "action", "app", "dest"],
|
||||
"Endpoint": ["dest", "process", "process_id", "user", "action"],
|
||||
"Web": ["url", "http_method", "status", "src_ip", "dest_ip", "http_user_agent"],
|
||||
"Email": ["src_user", "recipient", "subject", "action", "file_name"],
|
||||
}
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
tracker = OnboardingTracker()
|
||||
|
||||
sources = [
|
||||
LogSource("Palo Alto Firewall", "pan:traffic", "syslog-CEF", 500, 600, "critical", "syslog"),
|
||||
LogSource("Windows Domain Controllers", "WinEventLog:Security", "windows-xml", 200, 800, "critical", "windows_event"),
|
||||
LogSource("Squid Web Proxy", "squid:access", "squid-native", 1000, 400, "high", "file_monitor"),
|
||||
LogSource("Custom App Server", "app:custom", "json", 50, 300, "medium", "http_event_collector"),
|
||||
]
|
||||
|
||||
for src in sources:
|
||||
tracker.add_source(src)
|
||||
|
||||
# Simulate progress
|
||||
tracker.complete_step("Palo Alto Firewall", "discovery")
|
||||
tracker.complete_step("Palo Alto Firewall", "planning")
|
||||
tracker.complete_step("Palo Alto Firewall", "collection_configured")
|
||||
tracker.complete_step("Palo Alto Firewall", "parser_built")
|
||||
tracker.complete_step("Palo Alto Firewall", "cim_mapped")
|
||||
|
||||
tracker.complete_step("Windows Domain Controllers", "discovery")
|
||||
tracker.complete_step("Windows Domain Controllers", "planning")
|
||||
tracker.complete_step("Windows Domain Controllers", "collection_configured")
|
||||
|
||||
tracker.complete_step("Squid Web Proxy", "discovery")
|
||||
|
||||
# CIM validation
|
||||
sources[0].cim_fields_mapped = ["src_ip", "dest_ip", "dest_port", "action", "bytes", "protocol"]
|
||||
cim_result = sources[0].validate_cim_compliance(CIM_REQUIRED_FIELDS["Network_Traffic"])
|
||||
|
||||
print("=" * 70)
|
||||
print("SIEM LOG SOURCE ONBOARDING TRACKER")
|
||||
print("=" * 70)
|
||||
|
||||
report = tracker.get_progress_report()
|
||||
print(f"\nTotal Sources: {report['total_sources']}")
|
||||
print(f"Completed: {report['completed']} | In Progress: {report['in_progress']} | Pending: {report['pending']}")
|
||||
print(f"Total Daily Volume: {report['total_daily_volume_gb']} GB")
|
||||
print(f"Total Monthly Volume: {report['total_monthly_volume_gb']} GB")
|
||||
|
||||
print(f"\n{'Source':<30} {'Status':<15} {'Progress':<10} {'Volume/Day':<12} {'Next Step'}")
|
||||
print("-" * 85)
|
||||
for s in report["sources"]:
|
||||
print(f"{s['name']:<30} {s['status']:<15} {s['progress']:<10} {s['daily_volume_gb']:<12} {s['next_step']}")
|
||||
|
||||
print(f"\nCIM Compliance - Palo Alto Firewall:")
|
||||
print(f" Coverage: {cim_result['coverage_pct']}%")
|
||||
print(f" Compliant: {cim_result['compliant']}")
|
||||
print(f" Missing: {cim_result['missing_fields']}")
|
||||
|
||||
print(f"\nSample inputs.conf for Palo Alto Firewall:")
|
||||
print(sources[0].generate_splunk_inputs_conf())
|
||||
Reference in New Issue
Block a user