mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2.5 KiB
2.5 KiB
Graph Activity Logs — Schema & KQL Reference
Tables
| Table | Covers | Key fields |
|---|---|---|
MicrosoftGraphActivityLogs |
graph.microsoft.com requests | RequestUri, RequestMethod, UserAgent, UserId, AppId, IPAddress/CallerIpAddress, ResponseStatusCode, SignInActivityId, TimeGenerated |
AADGraphActivityLogs |
legacy graph.windows.net requests | RequestUri, RequestMethod, UserAgent, UserId, AppId, CallerIpAddress, SignInActivityId, TimeGenerated |
Correlation keys
| Field | Joins to | Note |
|---|---|---|
SignInActivityId |
SigninLogs.UniqueTokenIdentifier |
AADGraphActivityLogs value may carry == padding; trim before join |
SessionId |
SigninLogs / MicrosoftGraphActivityLogs / Unified Audit Log | Cross-source session correlation |
UserId |
SigninLogs.UserId |
Account entity |
AppId |
SigninLogs.AppId |
Calling application |
Reusable KQL building blocks
// Confirm ingestion
union withsource=Tbl MicrosoftGraphActivityLogs, AADGraphActivityLogs
| where TimeGenerated > ago(1d)
| summarize count() by Tbl
// aiohttp / python UA (ROADtools)
AADGraphActivityLogs
| where UserAgent contains "python" and UserAgent contains "aiohttp"
// Toolkit UA strings
union MicrosoftGraphActivityLogs, AADGraphActivityLogs
| where UserAgent has_any ("AADInternals","azurehound","BloodHound","Go-http-client")
// Extract top-level Graph resource from RequestUri
| extend TopLevelResource = tolower(tostring(split(split(RequestUri,"?")[0],"/")[3]))
// Trim SignInActivityId padding for correlation
| extend TokenId = trim_end("=", tostring(SignInActivityId))
Enabling the diagnostic settings (Azure CLI)
az monitor diagnostic-settings create \
--name entra-graph-logs \
--resource "/providers/microsoft.aadiam/diagnosticSettings" \
--logs '[{"category":"MicrosoftGraphActivityLogs","enabled":true},{"category":"AADGraphActivityLogs","enabled":true}]' \
--workspace "<log-analytics-workspace-id>"
Sentinel analytics rule (REST API) — outline
| Method | Endpoint | Purpose |
|---|---|---|
| PUT | /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{ws}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}?api-version=2023-02-01 |
Create/update a Scheduled analytics rule (body holds the KQL query, queryFrequency, queryPeriod, tactics, techniques: ["T1078.004"], and entityMappings) |