Files
Anthropic-Cybersecurity-Skills/skills/detecting-insider-data-exfiltration-via-dlp/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

1.7 KiB

API Reference: Detecting Insider Data Exfiltration via DLP

Pandas Behavioral Analytics

import pandas as pd

df = pd.read_csv("activity.csv", parse_dates=["timestamp"])
# Columns: timestamp, user, action, file_path, bytes_transferred, destination

# Daily volume baseline per user
daily = df.groupby(["user", df["timestamp"].dt.date])["bytes_transferred"].sum()
baseline = daily.groupby("user").agg(["mean", "std"])

# Off-hours detection
df["hour"] = df["timestamp"].dt.hour
off_hours = df[(df["hour"] < 6) | (df["hour"] >= 22)]

# Bulk download detection
df.set_index("timestamp").groupby("user").resample("1h").size()

Exfiltration Indicators

Indicator Threshold Severity
Volume > 3x baseline Per user daily avg HIGH
Volume > 5x baseline Per user daily avg CRITICAL
Off-hours events > 10 per user HIGH
Bulk downloads > 50 files/hour CRITICAL
USB transfers Any volume HIGH
Sensitive file access Pattern match HIGH

Sensitive File Patterns

patterns = [
    r"\.pem$", r"\.key$", r"\.env$",
    r"credentials", r"password", r"\.kdbx$",
    r"financial", r"payroll", r"customer.*data"
]

Microsoft Purview DLP API

import requests
headers = {"Authorization": "Bearer <token>"}
resp = requests.get(
    "https://graph.microsoft.com/v1.0/security/alerts_v2",
    headers=headers,
    params={"$filter": "category eq 'DataLossPrevention'"}
)

References