creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 14:44:58 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add 5 new cybersecurity skills with full implementations

Browse Source 
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
This commit is contained in:
mukul975
2026-03-11 00:40:23 +01:00
parent e77d55ad50
commit 757f1c8eae
16 changed files with 1439 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/implementing-siem-use-case-tuning/references/api-reference.md
+82
View File
@@ -0,0 +1,82 @@
# SIEM Use Case Tuning API Reference
## Splunk Notable Event Export
### Export Notables via SPL
```spl
| inputlookup notable_events
| search status_label IN ("New", "In Progress", "Resolved")
| table rule_name, _time, status_label, src, dest, user, urgency
| rename status_label as disposition, _time as timestamp
| outputlookup alert_export.csv
```
### Splunk ES Correlation Search Tuning
```spl
# Measure FP rate per correlation search over 30 days
| inputlookup notable_events where earliest=-30d
| eval is_fp=if(status_label="Resolved" AND disposition="False Positive", 1, 0)
| stats count as total, sum(is_fp) as fp_count by rule_name
| eval fp_rate=round(fp_count/total, 4)
| sort -fp_rate
```
### Update Correlation Search Threshold
```
POST /servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{search_name}
Content-Type: application/x-www-form-urlencoded
search=<updated_spl_with_new_threshold>
```
## Elastic Detection Rule Tuning
### List Detection Rules
```
GET /_security/detection_engine/rules/_find?per_page=100
Authorization: ApiKey <base64_api_key>
```
### Add Exception to Rule
```json
POST /_security/detection_engine/rules/exceptions
{
"rule_id": "rule-uuid",
"name": "Whitelist scanner IPs",
"entries": [
{
"field": "source.ip",
"operator": "is_one_of",
"value": ["10.0.1.50", "10.0.1.51"],
"type": "match_any"
}
]
}
```
### Query Rule Execution Stats (Kibana)
```kql
event.kind: "signal" AND kibana.alert.rule.name: "Brute Force Detection"
| stats count by kibana.alert.workflow_status
```
## Alert Tuning Metrics
| Metric | Formula | Target |
|---|---|---|
| False Positive Rate | FP / (FP + TP) | < 30% |
| Precision | TP / (TP + FP) | > 70% |
| Alert-to-Incident Ratio | Incidents / Total Alerts | > 20% |
| Mean Time to Triage | avg(triage_end - alert_time) | < 15 min |
## CLI Usage
```bash
# Analyze alert CSV export
python agent.py --alert-csv notable_export.csv --output tuning.json
# Adjust FP threshold for whitelist candidates
python agent.py --alert-csv alerts.csv --fp-threshold 0.9 --top-rules 10
# CSV format: rule_name,timestamp,disposition,source,user,severity
```