creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
1cffd664f555699d8e2b46f5ea94edaaa520f721
Anthropic-Cybersecurity-Skills/skills/detecting-anomalous-authentication-patterns/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

83 lines
2.3 KiB
Markdown
Raw Blame History

# Authentication Anomaly Detection API Reference
## Azure AD Sign-In Logs (Microsoft Graph)
```bash
# Query sign-in logs
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-01-01
Authorization: Bearer <token>
# Risky sign-ins
GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers
```
## Okta System Log API
```bash
# Query authentication events
curl "https://your-org.okta.com/api/v1/logs?filter=eventType+eq+%22user.session.start%22&since=2024-01-01" \
-H "Authorization: SSWS <api_token>"
# Filter failed logins
curl "https://your-org.okta.com/api/v1/logs?filter=outcome.result+eq+%22FAILURE%22" \
-H "Authorization: SSWS <api_token>"
```
## Windows Event IDs for Auth Monitoring
| Event ID | Description |
|----------|-------------|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Logon with explicit credentials |
| 4672 | Special privileges assigned |
| 4768 | Kerberos TGT request |
| 4769 | Kerberos service ticket request |
| 4771 | Kerberos pre-auth failed |
| 4776 | NTLM credential validation |
## Splunk SPL Detection Queries
```spl
# Brute force detection
index=auth result="failure"
| bin _time span=10m
| stats count by user src_ip _time
| where count >= 10
# Password spray detection
index=auth result="failure"
| bin _time span=30m
| stats dc(user) as targets count by src_ip _time
| where targets >= 10
# Impossible travel
index=auth result="success"
| iplocation src_ip
| sort user _time
| streamstats last(lat) as prev_lat last(lon) as prev_lon last(_time) as prev_time by user
| eval dist=6371*2*asin(sqrt(pow(sin((lat-prev_lat)*pi()/360),2)+cos(prev_lat*pi()/180)*cos(lat*pi()/180)*pow(sin((lon-prev_lon)*pi()/360),2)))
| eval speed=dist/((_time-prev_time)/3600)
| where speed > 900 AND dist > 100
```
## GeoIP with MaxMind (Python)
```python
import geoip2.database
reader = geoip2.database.Reader('/opt/geoip/GeoLite2-City.mmdb')
response = reader.city('203.0.113.50')
print(response.city.name, response.location.latitude, response.location.longitude)
reader.close()
```
## Isolation Forest (scikit-learn)
```python
from sklearn.ensemble import IsolationForest
model = IsolationForest(n_estimators=200, contamination=0.01, random_state=42)
model.fit(X)
predictions = model.predict(X) # -1 = anomaly, 1 = normal
scores = model.score_samples(X) # lower = more anomalous
```
Reference in New Issue View Git Blame Copy Permalink