Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,57 @@
# API Reference: Threat Intelligence Feed Integration Agent
## Overview
Ingests threat intelligence from TAXII 2.1 servers, Abuse.ch URLhaus, and Feodo Tracker. Normalizes all indicators to STIX 2.1 format, deduplicates, and exports as a STIX bundle.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| requests | >=2.28 | HTTP API calls |
| taxii2-client | >=2.3 | TAXII 2.1 server communication |
| stix2 | >=3.0 | STIX 2.1 object creation and serialization |
## CLI Usage
```bash
# Ingest from multiple sources
python agent.py --urlhaus --feodo --output ti_bundle.json
# Ingest from TAXII feed
python agent.py --taxii-url https://taxii.example.com/taxii2/ \
--taxii-collection https://taxii.example.com/taxii2/collections/abc/ \
--taxii-user user --taxii-pass pass
```
## Key Functions
### `ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back)`
Connects to a TAXII 2.1 collection and retrieves indicators added within the specified time window.
### `ingest_urlhaus_feed()`
Fetches recent malicious URLs from the URLhaus API (`https://urlhaus-api.abuse.ch/v1/urls/recent/`).
### `ingest_feodotracker()`
Downloads the Feodo Tracker recommended C2 IP blocklist in JSON format.
### `normalize_to_stix(indicators)`
Converts raw indicators to STIX 2.1 `Indicator` objects with proper patterns for ipv4, domain, url, and sha256 types.
### `deduplicate(indicators)`
Removes duplicate indicators across feeds using SHA-256 hash of `type:value`.
### `export_stix_bundle(stix_objects, output_path)`
Serializes STIX objects into a `Bundle` and writes to a JSON file.
### `push_to_splunk_ti(splunk_url, session_key, indicators)`
Pushes indicators to the Splunk ES threat intelligence framework via REST API.
## External APIs Used
| API | Endpoint | Auth | Purpose |
|-----|----------|------|---------|
| TAXII 2.1 | Configurable | Basic auth | STIX indicator ingestion |
| URLhaus | `https://urlhaus-api.abuse.ch/v1/` | None | Malicious URL feed |
| Feodo Tracker | `https://feodotracker.abuse.ch/downloads/` | None | C2 IP blocklist |
| Splunk REST | `/services/data/threat_intel/item/ip_intel` | Session key | TI push |
@@ -0,0 +1,167 @@
#!/usr/bin/env python3
"""Threat Intelligence Feed Integration Agent - Ingests STIX/TAXII and open-source TI feeds."""
import json
import logging
import argparse
import hashlib
from datetime import datetime, timedelta
import requests
from taxii2client.v21 import Server, Collection
from stix2 import Indicator, Bundle, parse
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back=24):
"""Ingest indicators from a TAXII 2.1 server collection."""
added_after = (datetime.utcnow() - timedelta(hours=hours_back)).strftime(
"%Y-%m-%dT%H:%M:%S.000Z"
)
collection = Collection(collection_url, user=username, password=password)
response = collection.get_objects(added_after=added_after, type=["indicator"])
indicators = []
for obj in response.get("objects", []):
indicator = parse(obj)
indicators.append({
"id": str(indicator.id),
"pattern": indicator.pattern,
"valid_from": str(indicator.valid_from),
"source": "taxii",
})
logger.info("Ingested %d indicators from TAXII feed", len(indicators))
return indicators
def ingest_urlhaus_feed():
"""Ingest recent malicious URLs from Abuse.ch URLhaus."""
url = "https://urlhaus-api.abuse.ch/v1/urls/recent/limit/100/"
resp = requests.post(url, timeout=30)
data = resp.json()
indicators = []
for entry in data.get("urls", []):
indicators.append({
"type": "url",
"value": entry["url"],
"threat": entry.get("threat", "unknown"),
"status": entry.get("url_status", "unknown"),
"tags": entry.get("tags", []),
"source": "urlhaus",
})
logger.info("Ingested %d URLs from URLhaus", len(indicators))
return indicators
def ingest_feodotracker():
"""Ingest C2 IP blocklist from Abuse.ch Feodo Tracker."""
url = "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json"
resp = requests.get(url, timeout=30)
indicators = []
for entry in resp.json():
indicators.append({
"type": "ipv4",
"value": entry["ip_address"],
"port": entry.get("port"),
"malware": entry.get("malware", "unknown"),
"first_seen": entry.get("first_seen"),
"source": "feodotracker",
})
logger.info("Ingested %d C2 IPs from Feodo Tracker", len(indicators))
return indicators
def normalize_to_stix(indicators):
"""Convert raw indicators to STIX 2.1 Indicator objects."""
pattern_map = {
"ipv4": lambda v: f"[ipv4-addr:value = '{v}']",
"domain": lambda v: f"[domain-name:value = '{v}']",
"url": lambda v: f"[url:value = '{v}']",
"sha256": lambda v: f"[file:hashes.'SHA-256' = '{v}']",
}
stix_objects = []
for ioc in indicators:
ioc_type = ioc.get("type", "url")
pattern_fn = pattern_map.get(ioc_type, pattern_map["url"])
stix_ind = Indicator(
name=f"{ioc_type}: {ioc['value']}",
pattern=pattern_fn(ioc["value"]),
pattern_type="stix",
valid_from=datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
labels=[ioc.get("source", "unknown")],
)
stix_objects.append(stix_ind)
logger.info("Normalized %d indicators to STIX 2.1", len(stix_objects))
return stix_objects
def deduplicate(indicators):
"""Deduplicate indicators across feeds by type:value hash."""
seen = set()
unique = []
for ioc in indicators:
key = hashlib.sha256(f"{ioc.get('type', '')}:{ioc['value']}".encode()).hexdigest()
if key not in seen:
seen.add(key)
unique.append(ioc)
logger.info("Deduplicated: %d -> %d unique indicators", len(indicators), len(unique))
return unique
def export_stix_bundle(stix_objects, output_path):
"""Export STIX 2.1 bundle to JSON file."""
bundle = Bundle(objects=stix_objects)
with open(output_path, "w") as f:
f.write(bundle.serialize(pretty=True))
logger.info("STIX bundle exported to %s (%d indicators)", output_path, len(stix_objects))
def push_to_splunk_ti(splunk_url, session_key, indicators):
"""Push indicators to Splunk ES threat intelligence framework."""
headers = {"Authorization": f"Splunk {session_key}"}
pushed = 0
for ioc in indicators:
data = {"ip": ioc["value"], "description": f"{ioc.get('source')}: {ioc['value']}"}
resp = requests.post(
f"{splunk_url}/services/data/threat_intel/item/ip_intel",
headers=headers, data=data, verify=False,
)
if resp.status_code == 201:
pushed += 1
logger.info("Pushed %d indicators to Splunk TI", pushed)
def main():
parser = argparse.ArgumentParser(description="Threat Intelligence Feed Integration Agent")
parser.add_argument("--taxii-url", help="TAXII 2.1 server URL")
parser.add_argument("--taxii-collection", help="TAXII collection URL")
parser.add_argument("--taxii-user", help="TAXII username")
parser.add_argument("--taxii-pass", help="TAXII password")
parser.add_argument("--urlhaus", action="store_true", help="Ingest URLhaus feed")
parser.add_argument("--feodo", action="store_true", help="Ingest Feodo Tracker feed")
parser.add_argument("--output", default="ti_bundle.json", help="STIX bundle output")
args = parser.parse_args()
all_indicators = []
if args.taxii_url and args.taxii_collection:
taxii_iocs = ingest_taxii_feed(
args.taxii_url, args.taxii_collection, args.taxii_user, args.taxii_pass
)
all_indicators.extend(taxii_iocs)
if args.urlhaus:
all_indicators.extend(ingest_urlhaus_feed())
if args.feodo:
all_indicators.extend(ingest_feodotracker())
unique = deduplicate(all_indicators)
stix_objects = normalize_to_stix(unique)
export_stix_bundle(stix_objects, args.output)
logger.info("Feed integration complete: %d total indicators", len(unique))
if __name__ == "__main__":
main()