mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00

Files

T

mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

2026-03-10 21:02:12 +01:00

2.2 KiB

Raw Permalink Blame History

API Reference: Implementing CloudTrail Log Analysis

Libraries

boto3 -- AWS CloudTrail

Install: pip install boto3
Docs: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudtrail.html

Key Methods

Method	Description
`lookup_events()`	Search recent CloudTrail events with filters
`describe_trails()`	List configured trails
`get_trail_status()`	Check if trail is actively logging
`create_trail()`	Create a new CloudTrail trail
`start_logging()` / `stop_logging()`	Control trail recording
`get_event_selectors()`	View event type configuration
`put_event_selectors()`	Configure management/data event capture

Lookup Attributes

AttributeKey	Description
`EventName`	API action name (e.g., `RunInstances`)
`Username`	IAM user or role name
`ResourceType`	AWS resource type
`ResourceName`	Specific resource identifier
`EventSource`	AWS service (e.g., `ec2.amazonaws.com`)
`ReadOnly`	Filter read vs write events

Suspicious Event Names

Event	Threat Category
`StopLogging` / `DeleteTrail`	Anti-forensics
`CreateUser` / `CreateAccessKey`	Persistence
`AttachUserPolicy` / `PutUserPolicy`	Privilege escalation
`ConsoleLogin` (failed)	Brute force
`RunInstances`	Resource abuse / cryptomining
`AuthorizeSecurityGroupIngress`	Lateral movement
`DisableKey`	Ransomware indicator

Athena Query Integration

Create Athena table from CloudTrail S3 logs
SQL queries for historical analysis beyond 90-day API limit
Partition by region, year, month for performance

CloudWatch Logs Insights

filter eventName = "ConsoleLogin" -- Login analysis
stats count(*) by eventName -- API call frequency
filter errorCode = "AccessDenied" -- Permission issues

External References

CloudTrail User Guide: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/
CloudTrail Log Events: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
Athena + CloudTrail: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

2.2 KiB Raw Permalink Blame History

API Reference: Implementing CloudTrail Log Analysis

Libraries

boto3 -- AWS CloudTrail

Key Methods

Lookup Attributes

Suspicious Event Names

Athena Query Integration

CloudWatch Logs Insights

External References

2.2 KiB

Raw Permalink Blame History