mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,70 @@
|
||||
# API Reference: Building Cloud SIEM with Sentinel
|
||||
|
||||
## azure-monitor-query (KQL Queries)
|
||||
|
||||
```python
|
||||
from azure.identity import DefaultAzureCredential
|
||||
from azure.monitor.query import LogsQueryClient
|
||||
from datetime import timedelta
|
||||
|
||||
credential = DefaultAzureCredential()
|
||||
client = LogsQueryClient(credential)
|
||||
|
||||
response = client.query_workspace(
|
||||
workspace_id="WORKSPACE_ID",
|
||||
query="SigninLogs | where ResultType == 0 | take 10",
|
||||
timespan=timedelta(hours=24),
|
||||
)
|
||||
for table in response.tables:
|
||||
for row in table.rows:
|
||||
print(row)
|
||||
```
|
||||
|
||||
## azure-mgmt-securityinsight
|
||||
|
||||
```python
|
||||
from azure.mgmt.securityinsight import SecurityInsights
|
||||
|
||||
client = SecurityInsights(credential, subscription_id)
|
||||
|
||||
# List analytics rules
|
||||
for rule in client.alert_rules.list(rg, workspace):
|
||||
print(rule.display_name, rule.severity)
|
||||
|
||||
# List incidents
|
||||
for incident in client.incidents.list(rg, workspace):
|
||||
print(incident.title, incident.severity)
|
||||
```
|
||||
|
||||
## Key KQL Patterns for Sentinel
|
||||
|
||||
```kql
|
||||
// Impossible travel
|
||||
SigninLogs | where ResultType == 0
|
||||
| extend Distance = geo_distance_2points(...)
|
||||
|
||||
// AWS credential abuse
|
||||
AWSCloudTrail | where EventName == "AssumeRole"
|
||||
| summarize dcount(SourceIpAddress) by UserIdentityArn
|
||||
|
||||
// Threat intelligence matching
|
||||
let TI = ThreatIntelligenceIndicator | distinct NetworkIP;
|
||||
CommonSecurityLog | where DestinationIP in (TI)
|
||||
```
|
||||
|
||||
## Sentinel Data Connectors
|
||||
|
||||
| Connector | Data Table |
|
||||
|-----------|-----------|
|
||||
| Azure AD | `SigninLogs`, `AuditLogs` |
|
||||
| AWS CloudTrail | `AWSCloudTrail` |
|
||||
| Microsoft 365 | `OfficeActivity` |
|
||||
| Defender for Cloud | `SecurityAlert` |
|
||||
| Syslog | `Syslog` |
|
||||
| CEF | `CommonSecurityLog` |
|
||||
|
||||
### References
|
||||
|
||||
- azure-monitor-query: https://pypi.org/project/azure-monitor-query/
|
||||
- azure-mgmt-securityinsight: https://pypi.org/project/azure-mgmt-securityinsight/
|
||||
- KQL reference: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/
|
||||
Reference in New Issue
Block a user