mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,99 @@
|
||||
# Threat Intelligence Platform Evaluation API Reference
|
||||
|
||||
## MISP REST API
|
||||
|
||||
```bash
|
||||
# Get version
|
||||
curl "https://misp.example.com/servers/getVersion.json" \
|
||||
-H "Authorization: YOUR_API_KEY" -H "Accept: application/json"
|
||||
|
||||
# Search events
|
||||
curl -X POST "https://misp.example.com/events/restSearch" \
|
||||
-H "Authorization: YOUR_API_KEY" -H "Content-Type: application/json" \
|
||||
-d '{"tags": ["apt28"], "limit": 50}'
|
||||
|
||||
# Export STIX 2.1
|
||||
curl "https://misp.example.com/events/restSearch" \
|
||||
-H "Authorization: YOUR_API_KEY" -H "Accept: application/json" \
|
||||
-d '{"returnFormat": "stix2"}'
|
||||
|
||||
# Feed management
|
||||
curl "https://misp.example.com/feeds/index.json" -H "Authorization: YOUR_API_KEY"
|
||||
```
|
||||
|
||||
## OpenCTI GraphQL API
|
||||
|
||||
```graphql
|
||||
# Get platform version
|
||||
query { about { version } }
|
||||
|
||||
# Search indicators
|
||||
query {
|
||||
indicators(filters: { key: "pattern_type", values: ["stix"] }) {
|
||||
edges { node { name pattern valid_from valid_until } }
|
||||
}
|
||||
}
|
||||
|
||||
# Get campaigns
|
||||
query {
|
||||
campaigns(first: 20, orderBy: created_at, orderMode: desc) {
|
||||
edges { node { name first_seen last_seen objectLabel { value } } }
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## ThreatConnect REST API
|
||||
|
||||
```bash
|
||||
# List indicators
|
||||
curl "https://api.threatconnect.com/v3/indicators" \
|
||||
-H "Authorization: TC <ACCESS_ID>:<HMAC_SIGNATURE>"
|
||||
|
||||
# Create indicator
|
||||
curl -X POST "https://api.threatconnect.com/v3/indicators" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"type":"Host","hostName":"evil.example.com","rating":5,"confidence":80}'
|
||||
```
|
||||
|
||||
## TAXII 2.1 API
|
||||
|
||||
```bash
|
||||
# Discovery
|
||||
curl https://taxii.example.com/taxii2/ -H "Accept: application/taxii+json;version=2.1"
|
||||
|
||||
# Get API roots
|
||||
curl https://taxii.example.com/api1/ -H "Accept: application/taxii+json;version=2.1"
|
||||
|
||||
# List collections
|
||||
curl https://taxii.example.com/api1/collections/ -H "Accept: application/taxii+json;version=2.1"
|
||||
|
||||
# Get objects from collection
|
||||
curl "https://taxii.example.com/api1/collections/{id}/objects/" \
|
||||
-H "Accept: application/stix+json;version=2.1"
|
||||
```
|
||||
|
||||
## TIP Evaluation Criteria Weights
|
||||
|
||||
| Category | Criterion | Weight |
|
||||
|----------|-----------|--------|
|
||||
| Core | STIX 2.1 support | 10 |
|
||||
| Core | REST API | 9 |
|
||||
| Core | TAXII server | 8 |
|
||||
| Core | TLP enforcement | 8 |
|
||||
| Integration | SIEM integration | 9 |
|
||||
| Integration | Feed ingestion | 8 |
|
||||
| Integration | EDR integration | 7 |
|
||||
| Operations | Sharing (ISAC) | 7 |
|
||||
| Operations | Analyst workflow | 7 |
|
||||
| Operations | Reporting | 6 |
|
||||
|
||||
## Platform Comparison Matrix
|
||||
|
||||
| Feature | MISP | OpenCTI | ThreatConnect |
|
||||
|---------|------|---------|---------------|
|
||||
| License | Open Source | Open Source | Commercial |
|
||||
| STIX 2.1 | Native | Native | Import/Export |
|
||||
| TAXII 2.1 | Yes | Yes | Yes |
|
||||
| ATT&CK | Plugin | Native | Module |
|
||||
| Graph Viz | Basic | Advanced | Advanced |
|
||||
| SOAR | API | Connectors | Playbooks |
|
||||
@@ -0,0 +1,231 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Threat Intelligence Platform evaluation agent for MISP, OpenCTI, and ThreatConnect."""
|
||||
|
||||
import json
|
||||
import sys
|
||||
import urllib.request
|
||||
import urllib.parse
|
||||
import ssl
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
class TIPEvaluator:
|
||||
"""Evaluate and test TIP platform capabilities."""
|
||||
|
||||
EVALUATION_CRITERIA = {
|
||||
"core_functions": {
|
||||
"stix_support": {"weight": 10, "description": "STIX 2.1 import/export support"},
|
||||
"taxii_server": {"weight": 8, "description": "TAXII 2.1 server capability"},
|
||||
"rest_api": {"weight": 9, "description": "RESTful API for automation"},
|
||||
"deduplication": {"weight": 7, "description": "Indicator deduplication and TTL management"},
|
||||
"tlp_enforcement": {"weight": 8, "description": "TLP classification enforcement"},
|
||||
"attack_mapping": {"weight": 6, "description": "MITRE ATT&CK integration"},
|
||||
"graph_viz": {"weight": 5, "description": "Graph visualization of relationships"},
|
||||
},
|
||||
"integrations": {
|
||||
"siem_integration": {"weight": 9, "description": "SIEM bi-directional integration"},
|
||||
"edr_integration": {"weight": 7, "description": "EDR IOC push capability"},
|
||||
"soar_integration": {"weight": 7, "description": "SOAR playbook integration"},
|
||||
"firewall_integration": {"weight": 6, "description": "Firewall blocklist export"},
|
||||
"feed_ingestion": {"weight": 8, "description": "Multiple feed source support"},
|
||||
},
|
||||
"operations": {
|
||||
"analyst_workflow": {"weight": 7, "description": "Investigation workflow tools"},
|
||||
"reporting": {"weight": 6, "description": "Report generation and export"},
|
||||
"sharing": {"weight": 7, "description": "Community/ISAC sharing support"},
|
||||
"rbac": {"weight": 5, "description": "Role-based access control"},
|
||||
"audit_logging": {"weight": 4, "description": "Audit trail for compliance"},
|
||||
},
|
||||
}
|
||||
|
||||
def score_platform(self, platform_name, scores):
|
||||
"""Calculate weighted score for a TIP platform.
|
||||
|
||||
scores: dict of criterion_name -> score (0-10)
|
||||
"""
|
||||
total_weight = 0
|
||||
weighted_score = 0
|
||||
details = []
|
||||
|
||||
for category, criteria in self.EVALUATION_CRITERIA.items():
|
||||
for criterion, info in criteria.items():
|
||||
score = scores.get(criterion, 0)
|
||||
weight = info["weight"]
|
||||
total_weight += weight
|
||||
weighted_score += score * weight
|
||||
details.append({
|
||||
"category": category,
|
||||
"criterion": criterion,
|
||||
"description": info["description"],
|
||||
"score": score,
|
||||
"weight": weight,
|
||||
"weighted": score * weight,
|
||||
})
|
||||
|
||||
final_score = round(weighted_score / total_weight, 1) if total_weight > 0 else 0
|
||||
return {
|
||||
"platform": platform_name,
|
||||
"overall_score": final_score,
|
||||
"max_possible": 10,
|
||||
"total_weight": total_weight,
|
||||
"details": sorted(details, key=lambda x: x["weighted"], reverse=True),
|
||||
"evaluation_date": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
|
||||
def compare_platforms(self, evaluations):
|
||||
"""Compare multiple TIP platform evaluations side by side."""
|
||||
comparison = []
|
||||
for eval_result in evaluations:
|
||||
comparison.append({
|
||||
"platform": eval_result["platform"],
|
||||
"overall_score": eval_result["overall_score"],
|
||||
})
|
||||
comparison.sort(key=lambda x: x["overall_score"], reverse=True)
|
||||
return {"ranking": comparison, "count": len(comparison)}
|
||||
|
||||
|
||||
def test_misp_api(misp_url, api_key, verify_ssl=False):
|
||||
"""Test MISP API connectivity and basic operations."""
|
||||
ctx = ssl.create_default_context()
|
||||
if not verify_ssl:
|
||||
ctx.check_hostname = False
|
||||
ctx.verify_mode = ssl.CERT_NONE
|
||||
|
||||
results = {}
|
||||
endpoints = {
|
||||
"version": "/servers/getVersion.json",
|
||||
"statistics": "/attributes/attributeStatistics/type/percentage.json",
|
||||
"feeds": "/feeds/index.json",
|
||||
}
|
||||
|
||||
for name, path in endpoints.items():
|
||||
url = f"{misp_url.rstrip('/')}{path}"
|
||||
req = urllib.request.Request(url, headers={
|
||||
"Authorization": api_key,
|
||||
"Accept": "application/json",
|
||||
})
|
||||
try:
|
||||
with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
|
||||
results[name] = {
|
||||
"status": resp.status,
|
||||
"data": json.loads(resp.read().decode()),
|
||||
}
|
||||
except Exception as e:
|
||||
results[name] = {"status": "error", "message": str(e)}
|
||||
|
||||
return {"platform": "MISP", "url": misp_url, "tests": results}
|
||||
|
||||
|
||||
def test_opencti_api(opencti_url, api_token, verify_ssl=False):
|
||||
"""Test OpenCTI GraphQL API connectivity."""
|
||||
ctx = ssl.create_default_context()
|
||||
if not verify_ssl:
|
||||
ctx.check_hostname = False
|
||||
ctx.verify_mode = ssl.CERT_NONE
|
||||
|
||||
query = '{"query": "{ about { version } }"}'
|
||||
url = f"{opencti_url.rstrip('/')}/graphql"
|
||||
req = urllib.request.Request(
|
||||
url,
|
||||
data=query.encode(),
|
||||
headers={
|
||||
"Authorization": f"Bearer {api_token}",
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
method="POST",
|
||||
)
|
||||
try:
|
||||
with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
|
||||
return {
|
||||
"platform": "OpenCTI",
|
||||
"url": opencti_url,
|
||||
"status": resp.status,
|
||||
"data": json.loads(resp.read().decode()),
|
||||
}
|
||||
except Exception as e:
|
||||
return {"platform": "OpenCTI", "url": opencti_url, "status": "error", "message": str(e)}
|
||||
|
||||
|
||||
def generate_evaluation_template():
|
||||
"""Generate an evaluation scoring template for a TIP assessment."""
|
||||
evaluator = TIPEvaluator()
|
||||
template = {"instructions": "Score each criterion 0-10", "criteria": {}}
|
||||
for category, criteria in evaluator.EVALUATION_CRITERIA.items():
|
||||
template["criteria"][category] = {}
|
||||
for name, info in criteria.items():
|
||||
template["criteria"][category][name] = {
|
||||
"description": info["description"],
|
||||
"weight": info["weight"],
|
||||
"score": 0,
|
||||
}
|
||||
return template
|
||||
|
||||
|
||||
def generate_comparison_report():
|
||||
"""Generate a sample comparison report for common TIP platforms."""
|
||||
evaluator = TIPEvaluator()
|
||||
|
||||
misp_scores = {
|
||||
"stix_support": 9, "taxii_server": 7, "rest_api": 9, "deduplication": 7,
|
||||
"tlp_enforcement": 9, "attack_mapping": 6, "graph_viz": 5,
|
||||
"siem_integration": 7, "edr_integration": 5, "soar_integration": 6,
|
||||
"firewall_integration": 7, "feed_ingestion": 9,
|
||||
"analyst_workflow": 5, "reporting": 5, "sharing": 10,
|
||||
"rbac": 6, "audit_logging": 5,
|
||||
}
|
||||
|
||||
opencti_scores = {
|
||||
"stix_support": 10, "taxii_server": 9, "rest_api": 9, "deduplication": 8,
|
||||
"tlp_enforcement": 9, "attack_mapping": 10, "graph_viz": 10,
|
||||
"siem_integration": 7, "edr_integration": 6, "soar_integration": 7,
|
||||
"firewall_integration": 6, "feed_ingestion": 8,
|
||||
"analyst_workflow": 8, "reporting": 7, "sharing": 8,
|
||||
"rbac": 8, "audit_logging": 7,
|
||||
}
|
||||
|
||||
threatconnect_scores = {
|
||||
"stix_support": 8, "taxii_server": 8, "rest_api": 9, "deduplication": 9,
|
||||
"tlp_enforcement": 8, "attack_mapping": 8, "graph_viz": 8,
|
||||
"siem_integration": 9, "edr_integration": 8, "soar_integration": 9,
|
||||
"firewall_integration": 8, "feed_ingestion": 9,
|
||||
"analyst_workflow": 9, "reporting": 9, "sharing": 7,
|
||||
"rbac": 9, "audit_logging": 9,
|
||||
}
|
||||
|
||||
results = [
|
||||
evaluator.score_platform("MISP (Open Source)", misp_scores),
|
||||
evaluator.score_platform("OpenCTI (Open Source)", opencti_scores),
|
||||
evaluator.score_platform("ThreatConnect (Commercial)", threatconnect_scores),
|
||||
]
|
||||
|
||||
comparison = evaluator.compare_platforms(results)
|
||||
return {
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
"comparison": comparison,
|
||||
"detailed_evaluations": results,
|
||||
}
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
import os
|
||||
action = sys.argv[1] if len(sys.argv) > 1 else "compare"
|
||||
if action == "compare":
|
||||
print(json.dumps(generate_comparison_report(), indent=2, default=str))
|
||||
elif action == "template":
|
||||
print(json.dumps(generate_evaluation_template(), indent=2))
|
||||
elif action == "test-misp":
|
||||
url = os.environ.get("MISP_URL", sys.argv[2] if len(sys.argv) > 2 else "")
|
||||
key = os.environ.get("MISP_KEY", sys.argv[3] if len(sys.argv) > 3 else "")
|
||||
if url and key:
|
||||
print(json.dumps(test_misp_api(url, key), indent=2, default=str))
|
||||
else:
|
||||
print("Set MISP_URL and MISP_KEY env vars or pass as arguments")
|
||||
elif action == "test-opencti":
|
||||
url = os.environ.get("OPENCTI_URL", sys.argv[2] if len(sys.argv) > 2 else "")
|
||||
token = os.environ.get("OPENCTI_TOKEN", sys.argv[3] if len(sys.argv) > 3 else "")
|
||||
if url and token:
|
||||
print(json.dumps(test_opencti_api(url, token), indent=2, default=str))
|
||||
else:
|
||||
print("Set OPENCTI_URL and OPENCTI_TOKEN env vars or pass as arguments")
|
||||
else:
|
||||
print("Usage: agent.py [compare|template|test-misp [url key]|test-opencti [url token]]")
|
||||
Reference in New Issue
Block a user