creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 03:34:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Browse Source 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/implementing-siem-use-cases-for-detection/references/api-reference.md
+55
View File
@@ -0,0 +1,55 @@
# API Reference: Implementing SIEM Use Cases for Detection
## Libraries
### attackcti (MITRE ATT&CK)
- **Install**: `pip install attackcti`
- `attack_client()` -- Initialize ATT&CK data client
- `get_techniques()` -- All techniques for coverage calculation
- `get_groups()` -- Threat groups for threat-informed use cases
### splunk-sdk (Splunk Integration)
- **Install**: `pip install splunk-sdk`
- `splunklib.client.connect()` -- Connect to Splunk instance
- `service.jobs.create(query)` -- Execute detection rule SPL
## Use Case Lifecycle
| Phase | Activities |
|-------|-----------|
| Design | Map to ATT&CK, define data sources, write detection logic |
| Test | Validate with Atomic Red Team, measure FP/TP rates |
| Deploy | Push to SIEM with alerting and SLA configuration |
| Tune | Refine based on FP feedback, add exclusions |
| Retire | Deprecate when superseded or no longer relevant |
## Key ATT&CK Techniques for Use Cases
| ID | Name | Tactic |
|----|------|--------|
| T1110 | Brute Force | Credential Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1059.001 | PowerShell | Execution |
| T1048.003 | Exfiltration over DNS | Exfiltration |
| T1003.001 | LSASS Memory | Credential Access |
| T1098 | Account Manipulation | Persistence |
| T1486 | Data Encrypted for Impact | Impact |
## Sigma Rule Format
- **Spec**: https://sigmahq.io/docs/basics/rules.html
- Fields: `title`, `logsource`, `detection`, `level`, `tags`
- Tools: `sigma-cli` for converting to Splunk SPL, Elastic EQL, Sentinel KQL
- Repository: https://github.com/SigmaHQ/sigma
## Detection Quality Metrics
- True Positive Rate: Target >70%
- False Positive Rate: Target <30%
- Mean Time to Detect (MTTD): Varies by severity
- Coverage: Percentage of ATT&CK techniques with detections
## External References
- ATT&CK Techniques: https://attack.mitre.org/techniques/enterprise/
- Sigma Rules: https://github.com/SigmaHQ/sigma
- Atomic Red Team: https://github.com/redcanaryco/atomic-red-team
- Splunk ES Detections: https://research.splunk.com/detections/
- Elastic Detection Rules: https://github.com/elastic/detection-rules