mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 21:49:40 +03:00
feat: add 5 new cybersecurity skills - secrets scanning CI/CD, Bluetooth assessment, DNS exfil Zeek, SOAR phishing, AD ACL abuse
This commit is contained in:
@@ -0,0 +1,122 @@
|
||||
# SOAR Phishing Playbook API Reference
|
||||
|
||||
## Splunk SOAR REST API
|
||||
|
||||
### Authentication
|
||||
All requests require the `ph-auth-token` header:
|
||||
```
|
||||
ph-auth-token: <your-api-token>
|
||||
```
|
||||
|
||||
### Create Container (Incident)
|
||||
```
|
||||
POST /rest/container
|
||||
```
|
||||
```json
|
||||
{
|
||||
"name": "Phishing: Suspicious invoice email",
|
||||
"description": "User reported phishing email",
|
||||
"label": "phishing",
|
||||
"severity": "high",
|
||||
"status": "new",
|
||||
"sensitivity": "amber",
|
||||
"owner_id": 1,
|
||||
"tags": ["phishing", "email"]
|
||||
}
|
||||
```
|
||||
Response: `{"success": true, "id": 1542}`
|
||||
|
||||
### Create Artifact
|
||||
```
|
||||
POST /rest/artifact
|
||||
```
|
||||
```json
|
||||
{
|
||||
"container_id": 1542,
|
||||
"name": "Sender Email",
|
||||
"label": "email",
|
||||
"type": "email",
|
||||
"severity": "high",
|
||||
"cef": {
|
||||
"fromAddress": "attacker@evil.com",
|
||||
"toAddress": "victim@company.com",
|
||||
"emailSubject": "Urgent Invoice #9921",
|
||||
"sourceAddress": "198.51.100.23",
|
||||
"requestURL": "https://evil-phish.com/login"
|
||||
},
|
||||
"run_automation": true
|
||||
}
|
||||
```
|
||||
Response: `{"success": true, "id": 8834}`
|
||||
|
||||
### Trigger Playbook
|
||||
```
|
||||
POST /rest/playbook_run
|
||||
```
|
||||
```json
|
||||
{
|
||||
"container_id": 1542,
|
||||
"playbook_id": "local/phishing_investigate",
|
||||
"scope": "new",
|
||||
"run": true
|
||||
}
|
||||
```
|
||||
|
||||
### List Action Runs
|
||||
```
|
||||
GET /rest/action_run?_filter_container=1542&page_size=100
|
||||
```
|
||||
|
||||
### Get Container Details
|
||||
```
|
||||
GET /rest/container/{container_id}
|
||||
GET /rest/container/{container_id}/artifacts
|
||||
GET /rest/container/{container_id}/actions
|
||||
```
|
||||
|
||||
### Update Container Status
|
||||
```
|
||||
POST /rest/container/{container_id}
|
||||
```
|
||||
```json
|
||||
{"status": "closed", "close_reason": "resolved"}
|
||||
```
|
||||
|
||||
## XSOAR (Cortex XSOAR) API Comparison
|
||||
|
||||
### Create Incident
|
||||
```
|
||||
POST /incident
|
||||
```
|
||||
```json
|
||||
{
|
||||
"name": "Phishing Report",
|
||||
"type": "Phishing",
|
||||
"severity": 3,
|
||||
"labels": [
|
||||
{"type": "Email/from", "value": "attacker@evil.com"},
|
||||
{"type": "Email/subject", "value": "Urgent Invoice"}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
### Run Playbook on Incident
|
||||
```
|
||||
POST /incident/investigate
|
||||
```
|
||||
```json
|
||||
{"id": "1542", "playbookId": "phishing_investigation"}
|
||||
```
|
||||
|
||||
## Common Phishing Playbook Actions
|
||||
|
||||
| Action | App | Description |
|
||||
|--------|-----|-------------|
|
||||
| `url reputation` | VirusTotal | Check URL against VT database |
|
||||
| `domain reputation` | VirusTotal | Check sender domain reputation |
|
||||
| `ip reputation` | AbuseIPDB | Check originating IP reputation |
|
||||
| `whois domain` | WHOIS | Domain registration lookup |
|
||||
| `detonate url` | URLScan.io | Sandbox URL detonation |
|
||||
| `get email headers` | IMAP | Retrieve full email headers |
|
||||
| `block sender` | Exchange | Block sender at email gateway |
|
||||
| `quarantine email` | O365 | Remove email from all mailboxes |
|
||||
Reference in New Issue
Block a user