mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
79 lines
3.1 KiB
Markdown
79 lines
3.1 KiB
Markdown
# API Reference — OpenCTI / pycti
|
|
|
|
## Client initialization
|
|
|
|
```python
|
|
from pycti import OpenCTIApiClient
|
|
opencti = OpenCTIApiClient("http://localhost:8080", "API_TOKEN")
|
|
```
|
|
|
|
| Constructor arg | Purpose |
|
|
|-----------------|---------|
|
|
| url | Base URL of the OpenCTI platform |
|
|
| token | API token (Profile > API access) |
|
|
| ssl_verify | Verify TLS (default False for self-hosted dev) |
|
|
| log_level | `info`, `debug`, etc. |
|
|
|
|
## Core entity creators (upsert with `update=True`)
|
|
|
|
| Method | STIX type | Key arguments |
|
|
|--------|-----------|---------------|
|
|
| `opencti.threat_actor_group.create(...)` | threat-actor | name, description, threat_actor_types |
|
|
| `opencti.intrusion_set.create(...)` | intrusion-set | name, description, first_seen, last_seen |
|
|
| `opencti.campaign.create(...)` | campaign | name, description, objective |
|
|
| `opencti.attack_pattern.create(...)` | attack-pattern | name, x_mitre_id |
|
|
| `opencti.malware.create(...)` | malware | name, is_family, malware_types |
|
|
| `opencti.indicator.create(...)` | indicator | name, pattern, pattern_type, x_opencti_main_observable_type, valid_from |
|
|
| `opencti.vulnerability.create(...)` | vulnerability | name (CVE id), description |
|
|
| `opencti.identity.create(...)` | identity | name, type (organization/individual/sector) |
|
|
|
|
## Relationships
|
|
|
|
```python
|
|
opencti.stix_core_relationship.create(
|
|
fromId=..., toId=..., relationship_type="uses")
|
|
```
|
|
|
|
| relationship_type | Meaning |
|
|
|-------------------|---------|
|
|
| uses | Actor/set/campaign uses a technique, tool, or malware |
|
|
| attributed-to | Campaign -> intrusion-set -> threat-actor |
|
|
| targets | Adversary targets an identity/sector/location |
|
|
| indicates | Indicator indicates a malware/intrusion-set/campaign |
|
|
| based-on | Indicator based-on an observable |
|
|
|
|
## Reading / listing
|
|
|
|
| Method | Purpose |
|
|
|--------|---------|
|
|
| `opencti.intrusion_set.read(filters=...)` | Read a single object by filter |
|
|
| `opencti.stix_core_relationship.list(fromId=..., relationship_type=...)` | List relationships from an object |
|
|
| `opencti.stix_domain_object.list(types=[...])` | List SDOs by type |
|
|
|
|
## Bundle ingestion
|
|
|
|
| Method | Purpose |
|
|
|--------|---------|
|
|
| `opencti.stix2.import_bundle_from_json(json_str, update=True)` | Import a STIX 2.1 bundle (JSON string) |
|
|
| `opencti.stix2.import_bundle_from_file(path, update=True)` | Import a bundle from a file |
|
|
| `connector_helper.send_stix2_bundle(bundle)` | Connector path to send a bundle to workers |
|
|
|
|
## Connector environment variables (compose)
|
|
|
|
| Variable | Purpose |
|
|
|----------|---------|
|
|
| OPENCTI_URL | Platform URL reachable by the connector |
|
|
| OPENCTI_TOKEN | Connector-specific API token |
|
|
| CONNECTOR_ID | UUID v4 unique per connector |
|
|
| CONNECTOR_TYPE | EXTERNAL_IMPORT / INTERNAL_ENRICHMENT / STREAM |
|
|
| CONNECTOR_SCOPE | STIX types the connector handles |
|
|
| CONNECTOR_NAME | Display name |
|
|
|
|
## Deployment quick reference
|
|
|
|
| Command | Purpose |
|
|
|---------|---------|
|
|
| `docker compose up -d` | Start platform, workers, dependencies |
|
|
| `sysctl -w vm.max_map_count=1048575` | Required for Elasticsearch |
|
|
| `cat /proc/sys/kernel/random/uuid` | Generate UUID v4 tokens |
|