creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 07:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add 10 new cybersecurity skills with full folder anatomy

Browse Source 
Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)

Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
mukul975
2026-03-11 00:46:49 +01:00
parent b6c7ac9d82
commit 4d6d585285
40 changed files with 3578 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/detecting-shadow-it-cloud-usage/references/api-reference.md
+61
View File
@@ -0,0 +1,61 @@
# API Reference — Detecting Shadow IT Cloud Usage
## Libraries Used
- **pandas**: DataFrame aggregation for traffic analysis — groupby, agg, nunique
- **tldextract**: Accurate registered domain extraction from URLs/hostnames
- **csv**: CSV log parsing with DictReader
- **re**: Regex parsing for Squid proxy and BIND DNS query log formats
## CLI Interface
```
python agent.py access.log --type proxy parse
python agent.py access.log --type proxy analyze
python agent.py dns-queries.log --type dns full
python agent.py traffic.csv --type csv --approved approved.txt full
```
## Core Functions
### `parse_proxy_log(filepath)` — Parse Squid/common proxy access logs
Regex pattern matches Squid format: `timestamp duration client_ip status bytes method url`.
Falls back to Apache Common Log Format parsing.
### `parse_dns_log(filepath)` — Parse BIND/named DNS query logs
Extracts query name and type from `query: DOMAIN IN TYPE` patterns.
Strips trailing dots from FQDNs.
### `parse_csv_log(filepath)` — Parse generic CSV traffic logs
Expects columns: timestamp, src_ip, dst_domain, bytes_out, bytes_in.
### `analyze_traffic(records)` — Aggregate and classify traffic
Uses pandas groupby on domain: total_bytes (sum), request_count (count),
unique_users (nunique). Falls back to collections.defaultdict if pandas unavailable.
### `classify_domain(domain)` — Categorize against SaaS database
Categories: storage, email, dev_tools, ai_ml, messaging, file_sharing, vpn_proxy.
### `full_audit(log_path, log_type, approved_list)` — Complete shadow IT audit
## Risk Scoring
| Factor | Points |
|--------|--------|
| Unapproved domain | +30 |
| Storage/file-sharing/VPN category | +25 |
| Email category | +15 |
| Data volume (per 10 MB) | +1 (max 20) |
| Unique users (per user) | +3 (max 15) |
## SaaS Category Database
| Category | Example Domains |
|----------|----------------|
| storage | dropbox.com, box.com, mega.nz, wetransfer.com |
| email | protonmail.com, tutanota.com, guerrillamail.com |
| dev_tools | github.com, gitlab.com, replit.com |
| ai_ml | chat.openai.com, claude.ai, huggingface.co |
| messaging | telegram.org, discord.com, signal.org |
| file_sharing | pastebin.com, file.io, gofile.io |
| vpn_proxy | nordvpn.com, expressvpn.com, protonvpn.com |
## Dependencies
- `pandas` >= 1.5.0
- `tldextract` >= 3.4.0 (optional, improves domain extraction accuracy)