mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
57 lines
2.0 KiB
Markdown
57 lines
2.0 KiB
Markdown
# API Reference: Phishing Incident Response Agent
|
|
|
|
## Overview
|
|
|
|
Analyzes phishing emails: parses EML files, extracts URLs and attachment hashes, checks reputation via VirusTotal and urlscan.io, assesses SPF/DKIM/DMARC authentication, and generates severity-rated IR reports.
|
|
|
|
## Dependencies
|
|
|
|
| Package | Version | Purpose |
|
|
|---------|---------|---------|
|
|
| requests | >=2.28 | VirusTotal and urlscan.io API calls |
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
python agent.py --eml suspicious_email.eml --vt-key <key> --output report.json
|
|
```
|
|
|
|
## Key Functions
|
|
|
|
### `parse_email_file(eml_path)`
|
|
Parses EML file extracting Subject, From, To, Received headers, and SPF/DKIM/DMARC authentication results.
|
|
|
|
### `extract_urls(msg)`
|
|
Extracts all URLs from email body (plain text and HTML parts) using regex.
|
|
|
|
### `extract_attachments(msg)`
|
|
Extracts attachment filenames, content types, sizes, and computes SHA-256/MD5 hashes.
|
|
|
|
### `check_url_virustotal(url, api_key)`
|
|
Checks URL reputation on VirusTotal v3 API (malicious, suspicious, harmless counts).
|
|
|
|
### `check_url_urlscan(url)`
|
|
Submits URL to urlscan.io for visual and behavioral analysis.
|
|
|
|
### `check_hash_virustotal(file_hash, api_key)`
|
|
Checks attachment hash reputation on VirusTotal for malware detection.
|
|
|
|
### `assess_phishing_severity(parsed_email, url_results, attachment_results)`
|
|
Rates phishing severity (Low/Medium/Critical) based on auth failures and malicious content.
|
|
|
|
## External APIs Used
|
|
|
|
| API | Endpoint | Auth | Purpose |
|
|
|-----|----------|------|---------|
|
|
| VirusTotal v3 | `/api/v3/urls/{id}` | API key | URL reputation |
|
|
| VirusTotal v3 | `/api/v3/files/{hash}` | API key | File hash reputation |
|
|
| urlscan.io | `/api/v1/scan/` | None | URL visual analysis |
|
|
|
|
## Email Authentication Checks
|
|
|
|
| Check | Pass | Fail | Impact |
|
|
|-------|------|------|--------|
|
|
| SPF | Sender IP authorized | Possible spoofing | Severity +1 |
|
|
| DKIM | Signature valid | Message may be tampered | Severity +1 |
|
|
| DMARC | Policy enforced | SPF+DKIM alignment failed | Severity +1 |
|