Anthropic-Cybersecurity-Skills/skills/implementing-siem-use-case-tuning/references/api-reference.md
mukul975 757f1c8eae Add 5 new cybersecurity skills with full implementations
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
2026-03-11 00:41:59 +01:00

# SIEM Use Case Tuning API Reference

## Splunk Notable Event Export

### Export Notables via SPL

Notables are not a lookup; in Splunk ES they are read through the `notable` macro (which joins the `notable` index with the current status and disposition). The rename step maps the fields onto the CSV layout the CLI below expects (`disposition`, `source`, `severity`).

```spl
`notable` earliest=-30d
| search status_label IN ("New", "In Progress", "Resolved")
| table rule_name, _time, status_label, disposition_label, src, dest, user, urgency
| rename _time AS timestamp, disposition_label AS disposition, src AS source, urgency AS severity
| outputlookup alert_export.csv
```

`outputlookup` writes the file into the lookups directory of the app the search runs in (for example `$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/lookups/`), not to your workstation; fetch it from there or through the Lookup Editor. `timestamp` is epoch seconds.

## Splunk ES Correlation Search Tuning

Measure the false positive rate per correlation search over 30 days. The rate is computed over closed notables only: dividing by the total would count notables nobody has reviewed yet as true positives and understate the problem. `disposition_label` is the ES 7.0+ disposition ("False Positive - Incorrect Analytic Logic", "False Positive - Inaccurate Data", ...); on older ES versions only `status_label` exists.

```spl
`notable` earliest=-30d
| eval is_closed=if(status_label IN ("Resolved", "Closed"), 1, 0),
       is_fp=if(match(disposition_label, "^False Positive"), 1, 0)
| stats count AS total, sum(is_closed) AS closed, sum(is_fp) AS fp_count BY rule_name
| where closed > 0
| eval fp_rate=round(fp_count/closed, 4)
| sort -fp_rate
```

### Update Correlation Search Threshold

Correlation searches are saved searches, so their SPL is edited through the `saved/searches` endpoint. URL-encode `{search_name}` (ES names contain spaces and dashes), and post only the `search` field so the schedule, ACL and `action.correlationsearch.*` settings stay as they are. A `GET` of the same URL with `output_mode=json` returns the current `search` to edit.

```http
POST /servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{search_name}
Authorization: Bearer <token>
Content-Type: application/x-www-form-urlencoded

search=<updated_spl_with_new_threshold>
```

Not every correlation search lives in `SplunkEnterpriseSecuritySuite`; the ones shipped with domain add-ons are owned by their `DA-ESS-*` app, and the `eai:acl.app` field in the GET response tells you which namespace to write to.
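The GET-edit-POST cycle described above, as an added example (not the skill's `agent.py`, not Splunk's SDK). It assumes the correlation search's SPL ends in a `| where count > N` clause, which is the common shape of a threshold-based search; host, token and search name are placeholders, and the sample SPL is constructed. HTTP calls go through an injectable `transport` so the edit logic can be exercised offline against the `FakeSplunk` stand-in.

```python
"""Raise the count threshold of a Splunk ES correlation search over the REST API."""
import json
import re
import urllib.parse
import urllib.request

# First `| where count > N` (or >=) clause; group 1 keeps everything but the number.
THRESHOLD_RE = re.compile(r"(\|\s*where\s+count\s*>=?\s*)(\d+)")


def bump_threshold(spl: str, new_threshold: int) -> str:
    """Return `spl` with the count threshold replaced; refuse to edit if none is found."""
    new_spl, hits = THRESHOLD_RE.subn(lambda m: f"{m.group(1)}{new_threshold}", spl, count=1)
    if hits == 0:
        raise ValueError("no `| where count > N` clause in search; not editing blind")
    return new_spl


def saved_search_url(base_url: str, app: str, name: str) -> str:
    """Correlation searches are saved searches; their names contain spaces, so quote them."""
    return f"{base_url}/servicesNS/nobody/{app}/saved/searches/{urllib.parse.quote(name, safe='')}"


def urllib_transport(method: str, url: str, headers: dict, fields: dict) -> dict:
    """Real transport: GET sends `fields` as the query string, POST as a form body."""
    data = None
    if method == "GET":
        url = f"{url}?{urllib.parse.urlencode(fields)}"
    else:
        data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def update_correlation_search(transport, base_url, token, name, new_threshold,
                              app="SplunkEnterpriseSecuritySuite"):
    """Read the current SPL, rewrite the threshold, write only the `search` field back."""
    headers = {"Authorization": f"Bearer {token}"}
    url = saved_search_url(base_url, app, name)
    current = transport("GET", url, headers, {"output_mode": "json"})
    spl = current["entry"][0]["content"]["search"]
    new_spl = bump_threshold(spl, new_threshold)
    # Posting only `search` leaves schedule, ACL and correlation settings untouched.
    transport("POST", url, headers, {"search": new_spl, "output_mode": "json"})
    return new_spl


class FakeSplunk:
    """Offline stand-in for the endpoint: holds one saved search and records writes."""

    def __init__(self, spl):
        self.spl = spl
        self.posts = []

    def __call__(self, method, url, headers, fields):
        assert headers["Authorization"].startswith("Bearer ")
        if method == "GET":
            return {"entry": [{"content": {"search": self.spl}}]}
        self.posts.append((url, fields))
        self.spl = fields["search"]
        return {"entry": [{"content": {"search": self.spl}}]}


# Constructed SPL in the shape of a threshold-based correlation search (hypothetical).
CONSTRUCTED_SPL = (
    '| tstats summariesonly=true count from datamodel=Authentication '
    'where Authentication.action="failure" by Authentication.src, _time span=10m '
    '| where count > 5'
)

if __name__ == "__main__":
    fake = FakeSplunk(CONSTRUCTED_SPL)
    updated = update_correlation_search(fake, "https://splunk.example.internal:8089",
                                        "<token>", "Example - Brute Force - Rule", 20)
    print(updated)
    print(fake.posts[0][0])
```

Swap `FakeSplunk(...)` for `urllib_transport` to run it against a real search head. The regex deliberately refuses to post anything when it cannot find the threshold clause; a blind edit of `search` would silently replace the whole correlation search.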

## Elastic Detection Rule Tuning

These are Kibana API paths (prefix them with the Kibana URL, including any space path), not Elasticsearch paths. Every non-GET call must also carry `kbn-xsrf: true` or Kibana rejects it.

### List Detection Rules

```http
GET /api/detection_engine/rules/_find?per_page=100&page=1
Authorization: ApiKey <base64_api_key>
```

The response is paginated; loop over `page` until `page * per_page >= total`.

### Add Exception to Rule

Exceptions are not posted to the rule directly. Create an exception list, add an item with the entries, then attach the list to the rule. The API `operator` values are `included` / `excluded` (the UI labels them "is one of" / "is not one of").

```http
POST /api/exception_lists
kbn-xsrf: true
Authorization: ApiKey <base64_api_key>
Content-Type: application/json

{"list_id": "scanner-allowlist", "name": "Whitelist scanner IPs",
 "description": "Authorised vulnerability scanners", "type": "detection", "namespace_type": "single"}

POST /api/exception_lists/items
{"list_id": "scanner-allowlist", "name": "Scanner source IPs", "description": "Authorised vulnerability scanners",
 "type": "simple", "namespace_type": "single",
 "entries": [
   {"field": "source.ip", "operator": "included", "type": "match_any", "value": ["10.0.1.50", "10.0.1.51"]}
 ]}

PATCH /api/detection_engine/rules
{"rule_id": "rule-uuid",
 "exceptions_list": [{"id": "<id returned by POST /api/exception_lists>", "list_id": "scanner-allowlist",
                      "type": "detection", "namespace_type": "single"}]}
```

`exceptions_list` on PATCH replaces the whole array: read the rule first and include the lists already attached, or they are silently detached.
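The three-call exception flow above, as an added example (not the skill's code and not Elastic's client library). It guards the step that bites in practice: `PATCH` on `exceptions_list` overwrites the array, so existing lists are read and preserved. Kibana URL, API key, `rule_id` and addresses are placeholders; HTTP goes through an injectable `transport(method, path, body) -> dict` so the flow runs offline against the `FakeKibana` stand-in.

```python
"""Attach an allowlist exception to an Elastic Security detection rule."""
import ipaddress
import json
import urllib.request

KIBANA_URL = "https://kibana.example.internal:5601"  # placeholder
# API values; the UI labels them "is one of" / "is not one of".
VALID_OPERATORS = {"included", "excluded"}


def kibana_transport(api_key: str):
    """Real transport: JSON body, ApiKey auth and the kbn-xsrf header Kibana requires on writes."""
    def send(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(KIBANA_URL + path, data=data, method=method, headers={
            "Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def match_any_entry(field: str, values, operator: str = "included") -> dict:
    """Build one exception entry; validate IP fields so a typo cannot produce a dead exception."""
    if operator not in VALID_OPERATORS:
        raise ValueError(f"operator must be one of {sorted(VALID_OPERATORS)}")
    values = list(values)
    if field.endswith(".ip"):
        for v in values:
            ipaddress.ip_address(v)  # raises ValueError on malformed addresses
    return {"field": field, "operator": operator, "type": "match_any", "value": values}


def add_rule_exception(transport, rule_id, list_id, name, entries, description="Tuning allowlist"):
    """Create list -> add item -> attach to rule, preserving lists already attached."""
    # 1. Container list. type "detection" attaches to rules; "endpoint" lists are for Elastic Defend.
    created = transport("POST", "/api/exception_lists", {
        "list_id": list_id, "name": name, "description": description,
        "type": "detection", "namespace_type": "single"})
    # 2. Item carrying the entries (entries within one item are ANDed; items are ORed).
    transport("POST", "/api/exception_lists/items", {
        "list_id": list_id, "name": name, "description": description,
        "type": "simple", "namespace_type": "single", "entries": entries})
    # 3. Attach. Read the rule first: PATCH overwrites exceptions_list wholesale.
    rule = transport("GET", f"/api/detection_engine/rules?rule_id={rule_id}", None)
    existing = rule.get("exceptions_list", [])
    ref = {"id": created["id"], "list_id": list_id, "type": "detection", "namespace_type": "single"}
    if all(e.get("list_id") != list_id for e in existing):
        transport("PATCH", "/api/detection_engine/rules",
                  {"rule_id": rule_id, "exceptions_list": existing + [ref]})
    return ref


class FakeKibana:
    """Offline stand-in: records calls and answers with the shapes the real API returns."""

    def __init__(self, existing_lists=None):
        self.calls = []
        self.existing = existing_lists or []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if path == "/api/exception_lists":
            return {"id": "abcd1234", "list_id": body["list_id"]}
        if path.startswith("/api/detection_engine/rules?"):
            return {"rule_id": "rule-uuid", "exceptions_list": list(self.existing)}
        return {}


if __name__ == "__main__":
    fake = FakeKibana(existing_lists=[
        {"id": "prior", "list_id": "vpn-egress", "type": "detection", "namespace_type": "single"}])
    add_rule_exception(fake, "rule-uuid", "scanner-allowlist", "Whitelist scanner IPs",
                       [match_any_entry("source.ip", ["10.0.1.50", "10.0.1.51"])])
    for method, path, body in fake.calls:
        print(method, path, json.dumps(body))
```

Pass `kibana_transport("<base64_api_key>")` instead of `FakeKibana` to run it for real. Validating the IPs up front matters because a malformed value does not fail at creation time; the exception simply never matches and the noise continues.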

### Query Rule Alert Stats (alerts index)

KQL has no `| stats`; use it only to filter in Discover or Timeline, and run the aggregation against the alerts index.

Filter in Discover / Timeline (KQL):

```kql
event.kind: "signal" and kibana.alert.rule.name: "Brute Force Detection"
```

Count by workflow status over the last 30 days (Elasticsearch query DSL against the alerts index):

```json
GET .alerts-security.alerts-*/_search
{
  "size": 0,
  "query": {"bool": {"filter": [
    {"term": {"kibana.alert.rule.name": "Brute Force Detection"}},
    {"range": {"@timestamp": {"gte": "now-30d"}}}
  ]}},
  "aggs": {"by_status": {"terms": {"field": "kibana.alert.workflow_status"}}}
}
```

## Alert Tuning Metrics

| Metric | Formula | Target |
|---|---|---|
| False Positive Rate | FP / (FP + TP) | < 30% |
| Precision | TP / (TP + FP) | > 70% |
| Alert-to-Incident Ratio | Incidents / Total Alerts | > 20% |
| Mean Time to Triage | avg(triage_end - alert_time) | < 15 min |

Precision is 1 - FP rate, so the first two targets are the same threshold seen from both sides. Both are computed over closed alerts only; unreviewed alerts belong in neither numerator nor denominator.

## CLI Usage

```bash
# Analyze alert CSV export
python agent.py --alert-csv notable_export.csv --output tuning.json

# Adjust FP threshold for whitelist candidates
python agent.py --alert-csv alerts.csv --fp-threshold 0.9 --top-rules 10

# CSV format: rule_name,timestamp,disposition,source,user,severity
```
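The scoring the CLI performs on that CSV layout, as an added example (not the skill's `agent.py`): the FP rate and precision from the metrics table computed per rule, an `--fp-threshold`-style cutoff, and for each rule past the cutoff the sources behind most of its false positives, which are the whitelist candidates. The rows are constructed; the disposition strings follow the Splunk ES 7+ label style, and treating benign positives as false positives for tuning purposes is a choice made here, not something the page states.

```python
"""Score an alert CSV export for tuning and allowlist candidates."""
import csv
import io
import json
from collections import Counter, defaultdict

# Constructed sample in the documented layout: rule_name,timestamp,disposition,source,user,severity
SAMPLE_CSV = """\
rule_name,timestamp,disposition,source,user,severity
Brute Force Detection,2026-03-01T08:00:00Z,False Positive - Inaccurate Data,10.0.1.50,svc-scan,medium
Brute Force Detection,2026-03-01T08:05:00Z,False Positive - Inaccurate Data,10.0.1.50,svc-scan,medium
Brute Force Detection,2026-03-01T09:10:00Z,False Positive - Inaccurate Data,10.0.1.51,svc-scan,medium
Brute Force Detection,2026-03-02T11:30:00Z,True Positive - Suspicious Activity,203.0.113.9,jdoe,high
Brute Force Detection,2026-03-02T12:00:00Z,Unknown,10.0.1.50,svc-scan,medium
Rare Process Execution,2026-03-01T10:00:00Z,True Positive - Suspicious Activity,10.0.5.7,asmith,high
Rare Process Execution,2026-03-03T10:00:00Z,Benign Positive - Suspicious But Expected,10.0.5.8,bjones,low
Impossible Travel,2026-03-02T07:00:00Z,True Positive - Suspicious Activity,198.51.100.4,kli,high
Impossible Travel,2026-03-04T07:30:00Z,True Positive - Suspicious Activity,198.51.100.9,mroe,high
"""


def classify(disposition: str) -> str:
    """Map an analyst disposition onto tp / fp / open. Benign positives produce no
    incident, so for tuning they are counted with the false positives (a choice made here)."""
    d = disposition.strip().lower()
    if d.startswith("true positive"):
        return "tp"
    if d.startswith(("false positive", "benign positive")):
        return "fp"
    return "open"  # Unknown / not yet reviewed: excluded from the rate


def score_rules(csv_text: str) -> dict:
    """Per rule: TP/FP/open counts, FP rate = FP/(FP+TP), precision, and top FP sources."""
    counts = defaultdict(Counter)
    fp_sources = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["disposition"])
        counts[row["rule_name"]][kind] += 1
        if kind == "fp":
            fp_sources[row["rule_name"]][row["source"]] += 1
    scores = {}
    for rule, c in counts.items():
        closed = c["tp"] + c["fp"]
        fp_rate = c["fp"] / closed if closed else None  # None: nothing reviewed yet
        scores[rule] = {
            "total": sum(c.values()), "tp": c["tp"], "fp": c["fp"], "open": c["open"],
            "fp_rate": round(fp_rate, 4) if fp_rate is not None else None,
            "precision": round(1 - fp_rate, 4) if fp_rate is not None else None,
            "top_fp_sources": fp_sources[rule].most_common(3),
        }
    return scores


def tuning_candidates(scores: dict, fp_threshold: float = 0.9, min_closed: int = 10) -> list:
    """Rules whose FP rate meets the threshold, skipping rules with too few closed
    alerts for the rate to mean anything. Worst first."""
    picked = [(rule, s) for rule, s in scores.items()
              if s["fp_rate"] is not None and s["fp_rate"] >= fp_threshold
              and s["tp"] + s["fp"] >= min_closed]
    return [rule for rule, _ in sorted(picked, key=lambda rs: rs[1]["fp_rate"], reverse=True)]


if __name__ == "__main__":
    scores = score_rules(SAMPLE_CSV)
    print(json.dumps(scores, indent=2))
    # Small sample, so the minimum closed count is lowered from the default.
    for rule in tuning_candidates(scores, fp_threshold=0.7, min_closed=3):
        print(f"tune {rule}: allowlist candidates {scores[rule]['top_fp_sources']}")
```

The `min_closed` floor is the check worth keeping: a rule with one closed notable marked false positive has a 100% FP rate and would otherwise float to the top of every report. Mean time to triage is not computable from this layout, since it has no triage timestamp.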