mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-06 15:58:56 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,38 @@
|
||||
---
|
||||
name: implementing-threat-intelligence-platform
|
||||
description: >-
|
||||
Build a MISP-backed threat intelligence platform that ingests IOCs from multiple feeds,
|
||||
correlates events with galaxy clusters, and enriches indicators via VirusTotal and AbuseIPDB.
|
||||
Uses PyMISP to create events, add attributes with IDS flags, tag with MITRE ATT&CK techniques,
|
||||
and export STIX 2.1 bundles for downstream SIEM consumption.
|
||||
---
|
||||
|
||||
## Instructions
|
||||
|
||||
1. Install dependencies: `pip install pymisp requests stix2`
|
||||
2. Deploy MISP instance and generate an API key from Administration > Auth Keys.
|
||||
3. Use PyMISP to connect and create threat intelligence events:
|
||||
- Create events with threat level, distribution, and analysis status
|
||||
- Add attributes (ip-dst, domain, sha256, url) with to_ids flags
|
||||
- Tag events with MITRE ATT&CK technique identifiers
|
||||
- Correlate events across organizations
|
||||
4. Ingest from external feeds: URLhaus, Feodo Tracker, MalwareBazaar.
|
||||
5. Enrich IOCs via VirusTotal and AbuseIPDB APIs.
|
||||
6. Export correlated events as STIX 2.1 bundles.
|
||||
|
||||
```bash
|
||||
python scripts/agent.py --misp-url https://misp.local --misp-key <api_key> --ingest-feeds --output misp_report.json
|
||||
```
|
||||
|
||||
## Examples
|
||||
|
||||
### Create MISP Event with IOCs
|
||||
```python
|
||||
from pymisp import PyMISP, MISPEvent, MISPAttribute
|
||||
misp = PyMISP("https://misp.local", "api_key")
|
||||
event = MISPEvent()
|
||||
event.info = "Phishing Campaign - 2024-Q1"
|
||||
event.threat_level_id = 2
|
||||
event.add_attribute("ip-dst", "185.143.223.47", to_ids=True)
|
||||
misp.add_event(event)
|
||||
```
|
||||
@@ -0,0 +1,56 @@
|
||||
# API Reference: MISP Threat Intelligence Platform
|
||||
|
||||
## PyMISP Constructor
|
||||
```python
|
||||
from pymisp import PyMISP, MISPEvent, MISPAttribute, MISPTag
|
||||
misp = PyMISP(url, key, ssl=True, debug=False, proxies=None,
|
||||
cert=None, auth=None, tool='', timeout=None)
|
||||
```
|
||||
|
||||
## Core Methods
|
||||
```python
|
||||
misp.add_event(event, pythonify=False, metadata=False)
|
||||
misp.get_event(event_id, pythonify=False)
|
||||
misp.update_event(event, pythonify=False)
|
||||
misp.add_attribute(event_id, attribute, pythonify=False)
|
||||
misp.update_attribute(attribute, pythonify=False)
|
||||
misp.search(value=None, type_attribute=None, category=None,
|
||||
org=None, tags=None, pythonify=False)
|
||||
misp.add_tag(tag, pythonify=False)
|
||||
misp.get_stix_event(event_id)
|
||||
```
|
||||
|
||||
## MISPEvent Object
|
||||
```python
|
||||
event = MISPEvent()
|
||||
event.info = "Event description"
|
||||
event.threat_level_id = 2 # 1=High, 2=Medium, 3=Low, 4=Undefined
|
||||
event.distribution = 1 # 0=Org, 1=Community, 2=Connected, 3=All
|
||||
event.analysis = 0 # 0=Initial, 1=Ongoing, 2=Complete
|
||||
event.add_attribute("ip-dst", "1.2.3.4", to_ids=True)
|
||||
event.add_tag(tag)
|
||||
```
|
||||
|
||||
## MISPAttribute Object
|
||||
```python
|
||||
attr = MISPAttribute()
|
||||
attr.type = "ip-dst" # ip-dst, domain, url, sha256, md5, email-src
|
||||
attr.value = "1.2.3.4"
|
||||
attr.to_ids = True
|
||||
attr.category = "Network activity"
|
||||
attr.comment = "C2 server"
|
||||
```
|
||||
|
||||
## Feed APIs
|
||||
| Feed | Endpoint | Method |
|
||||
|------|----------|--------|
|
||||
| URLhaus | `https://urlhaus-api.abuse.ch/api/v1/urls/recent/limit/N/` | POST |
|
||||
| Feodo Tracker | `https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json` | GET |
|
||||
| MalwareBazaar | `https://mb-api.abuse.ch/api/v1/` | POST (query=get_info) |
|
||||
|
||||
## VirusTotal v3 - IP Enrichment
|
||||
```
|
||||
GET /api/v3/ip_addresses/{ip}
|
||||
Header: x-apikey: <key>
|
||||
Response: data.attributes.last_analysis_stats.malicious
|
||||
```
|
||||
@@ -0,0 +1,213 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Threat Intelligence Platform Agent - Manages MISP events, IOC ingestion, and enrichment via PyMISP."""
|
||||
|
||||
import json
|
||||
import logging
|
||||
import argparse
|
||||
from datetime import datetime
|
||||
|
||||
import requests
|
||||
from pymisp import PyMISP, MISPEvent, MISPAttribute, MISPTag
|
||||
|
||||
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def connect_misp(url, key, ssl=True):
|
||||
"""Connect to MISP instance via PyMISP."""
|
||||
misp = PyMISP(url, key, ssl=ssl)
|
||||
logger.info("Connected to MISP at %s", url)
|
||||
return misp
|
||||
|
||||
|
||||
def create_threat_event(misp, info, threat_level=2, distribution=1, analysis=0, tags=None):
|
||||
"""Create a new MISP event for a threat campaign."""
|
||||
event = MISPEvent()
|
||||
event.info = info
|
||||
event.threat_level_id = threat_level
|
||||
event.distribution = distribution
|
||||
event.analysis = analysis
|
||||
if tags:
|
||||
for tag_name in tags:
|
||||
tag = MISPTag()
|
||||
tag.name = tag_name
|
||||
event.add_tag(tag)
|
||||
result = misp.add_event(event, pythonify=True)
|
||||
logger.info("Created MISP event: %s (ID: %s)", info, result.id)
|
||||
return result
|
||||
|
||||
|
||||
def add_iocs_to_event(misp, event_id, iocs):
|
||||
"""Add IOC attributes to an existing MISP event."""
|
||||
type_map = {
|
||||
"ipv4": "ip-dst",
|
||||
"domain": "domain",
|
||||
"url": "url",
|
||||
"sha256": "sha256",
|
||||
"md5": "md5",
|
||||
"email": "email-src",
|
||||
}
|
||||
added = 0
|
||||
for ioc in iocs:
|
||||
ioc_type = type_map.get(ioc["type"], ioc["type"])
|
||||
attr = MISPAttribute()
|
||||
attr.type = ioc_type
|
||||
attr.value = ioc["value"]
|
||||
attr.to_ids = ioc.get("to_ids", True)
|
||||
attr.comment = ioc.get("comment", "")
|
||||
attr.category = ioc.get("category", "Network activity")
|
||||
misp.add_attribute(event_id, attr, pythonify=True)
|
||||
added += 1
|
||||
logger.info("Added %d IOCs to event %s", added, event_id)
|
||||
return added
|
||||
|
||||
|
||||
def ingest_urlhaus_feed(misp, event_id):
|
||||
"""Ingest recent malicious URLs from URLhaus into a MISP event."""
|
||||
url = "https://urlhaus-api.abuse.ch/v1/urls/recent/limit/50/"
|
||||
resp = requests.post(url, timeout=30)
|
||||
data = resp.json()
|
||||
iocs = []
|
||||
for entry in data.get("urls", []):
|
||||
iocs.append({
|
||||
"type": "url",
|
||||
"value": entry["url"],
|
||||
"comment": f"URLhaus: {entry.get('threat', 'unknown')}",
|
||||
"to_ids": True,
|
||||
"category": "Network activity",
|
||||
})
|
||||
if iocs:
|
||||
add_iocs_to_event(misp, event_id, iocs)
|
||||
logger.info("Ingested %d URLs from URLhaus", len(iocs))
|
||||
return len(iocs)
|
||||
|
||||
|
||||
def ingest_feodotracker_feed(misp, event_id):
|
||||
"""Ingest C2 IPs from Feodo Tracker into a MISP event."""
|
||||
url = "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json"
|
||||
resp = requests.get(url, timeout=30)
|
||||
iocs = []
|
||||
for entry in resp.json():
|
||||
iocs.append({
|
||||
"type": "ipv4",
|
||||
"value": entry["ip_address"],
|
||||
"comment": f"Feodo: {entry.get('malware', 'unknown')} port {entry.get('port', '')}",
|
||||
"to_ids": True,
|
||||
"category": "Network activity",
|
||||
})
|
||||
if iocs:
|
||||
add_iocs_to_event(misp, event_id, iocs)
|
||||
logger.info("Ingested %d C2 IPs from Feodo Tracker", len(iocs))
|
||||
return len(iocs)
|
||||
|
||||
|
||||
def enrich_ip_virustotal(ip_address, api_key):
|
||||
"""Enrich an IP address via VirusTotal API v3."""
|
||||
url = f"https://www.virustotal.com/api/v3/ip_addresses/{ip_address}"
|
||||
resp = requests.get(url, headers={"x-apikey": api_key}, timeout=30)
|
||||
if resp.status_code == 200:
|
||||
attrs = resp.json()["data"]["attributes"]
|
||||
return {
|
||||
"ip": ip_address,
|
||||
"malicious": attrs.get("last_analysis_stats", {}).get("malicious", 0),
|
||||
"as_owner": attrs.get("as_owner", ""),
|
||||
"country": attrs.get("country", ""),
|
||||
}
|
||||
return {"ip": ip_address, "error": resp.status_code}
|
||||
|
||||
|
||||
def enrich_event_iocs(misp, event_id, vt_api_key):
|
||||
"""Enrich all IP attributes in a MISP event via VirusTotal."""
|
||||
event = misp.get_event(event_id, pythonify=True)
|
||||
enriched = 0
|
||||
for attr in event.attributes:
|
||||
if attr.type == "ip-dst" and vt_api_key:
|
||||
vt_data = enrich_ip_virustotal(attr.value, vt_api_key)
|
||||
if vt_data.get("malicious", 0) > 0:
|
||||
attr.comment = f"{attr.comment} | VT: {vt_data['malicious']} malicious"
|
||||
misp.update_attribute(attr, pythonify=True)
|
||||
enriched += 1
|
||||
logger.info("Enriched %d attributes via VirusTotal", enriched)
|
||||
return enriched
|
||||
|
||||
|
||||
def tag_with_mitre(misp, event_id, techniques):
|
||||
"""Tag a MISP event with MITRE ATT&CK technique identifiers."""
|
||||
event = misp.get_event(event_id, pythonify=True)
|
||||
for technique in techniques:
|
||||
tag = MISPTag()
|
||||
tag.name = f"misp-galaxy:mitre-attack-pattern=\"{technique}\""
|
||||
event.add_tag(tag)
|
||||
misp.update_event(event, pythonify=True)
|
||||
logger.info("Tagged event %s with %d MITRE techniques", event_id, len(techniques))
|
||||
|
||||
|
||||
def search_correlated_events(misp, attribute_value):
|
||||
"""Search MISP for events containing a specific attribute value."""
|
||||
results = misp.search(value=attribute_value, pythonify=True)
|
||||
events = []
|
||||
for event in results:
|
||||
events.append({
|
||||
"event_id": event.id,
|
||||
"info": event.info,
|
||||
"date": str(event.date),
|
||||
"threat_level": event.threat_level_id,
|
||||
})
|
||||
logger.info("Found %d correlated events for %s", len(events), attribute_value)
|
||||
return events
|
||||
|
||||
|
||||
def export_stix_bundle(misp, event_id, output_path):
|
||||
"""Export a MISP event as a STIX 2.1 bundle."""
|
||||
stix_data = misp.get_stix_event(event_id)
|
||||
with open(output_path, "w") as f:
|
||||
json.dump(stix_data, f, indent=2)
|
||||
logger.info("Exported STIX bundle for event %s to %s", event_id, output_path)
|
||||
|
||||
|
||||
def generate_report(event_id, feed_counts, enriched, correlations):
|
||||
"""Generate TI platform operation report."""
|
||||
report = {
|
||||
"timestamp": datetime.utcnow().isoformat(),
|
||||
"event_id": event_id,
|
||||
"feed_ingestion": feed_counts,
|
||||
"enriched_attributes": enriched,
|
||||
"correlations_found": len(correlations),
|
||||
}
|
||||
total_iocs = sum(feed_counts.values())
|
||||
print(f"TI PLATFORM REPORT: Event {event_id}, {total_iocs} IOCs ingested, {enriched} enriched")
|
||||
return report
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="Threat Intelligence Platform Agent")
|
||||
parser.add_argument("--misp-url", required=True, help="MISP instance URL")
|
||||
parser.add_argument("--misp-key", required=True, help="MISP API key")
|
||||
parser.add_argument("--event-info", default="Automated TI Feed Ingestion")
|
||||
parser.add_argument("--ingest-feeds", action="store_true")
|
||||
parser.add_argument("--vt-key", help="VirusTotal API key for enrichment")
|
||||
parser.add_argument("--no-ssl", action="store_true")
|
||||
parser.add_argument("--output", default="misp_report.json")
|
||||
args = parser.parse_args()
|
||||
|
||||
misp = connect_misp(args.misp_url, args.misp_key, ssl=not args.no_ssl)
|
||||
event = create_threat_event(misp, args.event_info, tags=["tlp:green", "type:osint"])
|
||||
event_id = event.id
|
||||
|
||||
feed_counts = {}
|
||||
if args.ingest_feeds:
|
||||
feed_counts["urlhaus"] = ingest_urlhaus_feed(misp, event_id)
|
||||
feed_counts["feodotracker"] = ingest_feodotracker_feed(misp, event_id)
|
||||
|
||||
enriched = 0
|
||||
if args.vt_key:
|
||||
enriched = enrich_event_iocs(misp, event_id, args.vt_key)
|
||||
|
||||
report = generate_report(event_id, feed_counts, enriched, [])
|
||||
with open(args.output, "w") as f:
|
||||
json.dump(report, f, indent=2)
|
||||
logger.info("Report saved to %s", args.output)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user