Anthropic-Cybersecurity-Skills/skills/detecting-container-runtime-threats-with-falco/references/api-reference.md
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00


# Falco — Rule Schema & CLI Reference
## Rule Object Fields
| Field | Required | Purpose |
|-------|----------|---------|
| `rule` | yes | Unique rule name |
| `desc` | yes | Human description |
| `condition` | yes | Falco filter expression that triggers the rule |
| `output` | yes | Alert message (supports `%field` interpolation) |
| `priority` | yes | EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG |
| `tags` | no | Categorization (e.g. MITRE IDs) |
| `enabled` | no | Toggle a rule (true/false) |
| `source` | no | Event source (syscall, k8s_audit) |
## Macro and List Objects
| Object | Keys | Purpose |
|--------|------|---------|
| `macro` | `condition` | Reusable condition fragment |
| `list` | `items` | Named value set used with `in (...)` |
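The following rules file is an added, constructed example (not code from the skill or from the Falco project) that exercises every row of the two tables above together: a `list` consumed through `in (...)`, two `macro` fragments reused across rules, and a `rule` object carrying all required keys plus `tags`, `enabled` and `source`. Field names in the conditions and `%field` interpolations are the ones listed under "Important Filter Fields"; the rule names, list contents and tag values are the example's own choices.

```yaml
# Example Falco rules file (constructed for illustration; not shipped with Falco).
# Load with:   falco -r /path/to/custom_rules.yaml
# Check first: falco --validate /path/to/custom_rules.yaml

# list: a named value set, referenced as  <field> in (<list name>)
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash, ksh]

- list: sensitive_config_dirs
  items: [/etc/, /root/.ssh/]

# macro: a reusable condition fragment; "container.id != host" is the
# conventional way to say "the event happened inside a container"
- macro: container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: open_write_in_sensitive_dir
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write = true
    and fd.name pmatch (sensitive_config_dirs)

# rule: required keys are rule, desc, condition, output, priority
- rule: Shell Spawned in Container
  desc: An interactive shell binary was exec'd inside a container; rare in hardened images
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name uid=%user.uid shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline container_id=%container.id
    container_name=%container.name image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]
  enabled: true
  source: syscall

- rule: Sensitive Config Written From Privileged Container
  desc: A process in a privileged container opened a file under a sensitive directory for writing
  condition: container and container.privileged = true and open_write_in_sensitive_dir
  output: >
    Sensitive file write from privileged container (file=%fd.name fd=%fd.num
    proc=%proc.name cmdline=%proc.cmdline user=%user.name
    container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [container, filesystem, mitre_persistence, T1543]
  # Set enabled: false to keep the rule in the file but silence it while tuning
  enabled: true
  source: syscall
```

The `priority` value is one of the eight levels in the table above, written in upper case; the `%field` tokens in `output` are resolved from the same event the `condition` matched, so every field used in `output` should be valid for that event type (for example, `fd.name` only makes sense on file-descriptor events such as the `open*` family).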
## Key CLI Commands
| Command | Purpose |
|---------|---------|
| `falco --validate <file>` | Validate rule syntax without running |
| `falco -r <file>` | Run with a specific rules file |
| `falco -L` | List loaded rules |
| `falco -l <rule>` | Describe a single rule |
| `falco --list` | List supported fields |
| `falcoctl driver config --type modern_ebpf` | Set driver type |
| `falcoctl artifact install <name>` | Install a rules/plugin artifact |
| `falcoctl artifact list` | List available artifacts |
## Driver Types
| Driver | `driver.kind` | Notes |
|--------|---------------|-------|
| Modern eBPF | `modern_ebpf` | Default; built into binary; kernel >= 5.8 |
| Legacy eBPF | `ebpf` | CO-RE eBPF probe |
| Kernel module | `kmod` | Loadable kernel module |
| Auto | `auto` | falcoctl picks best available |
## Important Filter Fields
| Field | Description |
|-------|-------------|
| `evt.type` | Syscall name |
| `evt.dir` | `>` enter, `<` exit |
| `evt.is_open_read` / `evt.is_open_write` | open() intent |
| `proc.name` / `proc.cmdline` / `proc.pname` | Process / cmdline / parent |
| `container.id` / `container.name` / `container.image.repository` | Container identity |
| `container.privileged` | Privileged flag |
| `fd.name` / `fd.type` / `fd.num` | FD path / type / number |
| `user.name` / `user.uid` | Acting user |
| `k8s.pod.name` / `k8s.ns.name` | Kubernetes context |
## Configuration (falco.yaml)
| Key | Purpose |
|-----|---------|
| `rules_files` | List of rule files / dirs to load |
| `json_output` | Emit JSON for SIEM ingest |
| `priority` | Minimum priority to log |
| `outputs` / `http_output` / `program_output` | Alert sinks |
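An added `falco.yaml` fragment (constructed for this reference; not Falco's shipped default file) showing the keys from the table above in context: `rules_files` pointing at both files and a directory, `json_output` enabled for SIEM ingest, `priority` used as the minimum level that gets emitted, and the `outputs`, `http_output` and `program_output` sinks. The hostnames and paths are placeholders.

```yaml
# Example falco.yaml fragment (constructed; paths and URLs are placeholders).
# Rule files and directories are loaded in order; later files can override
# earlier rules of the same name, so local customisations go last.
rules_files:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/rules.d

# Emit one JSON object per alert so a SIEM can parse fields instead of
# regexing the free-text line; keep the rendered "output" string as well.
json_output: true
json_include_output_property: true

# Minimum priority to emit (lower case here). Alerts below this level are
# dropped, so "warning" hides NOTICE/INFO/DEBUG rules entirely.
priority: warning

# Global rate limiting for alert delivery (tokens per second and burst).
outputs:
  rate: 1
  max_burst: 1000

# Alert sinks. Several may be enabled at once.
http_output:
  enabled: true
  url: https://siem.example.internal/falco   # placeholder endpoint

program_output:
  enabled: false
  keep_alive: false
  program: "jq '{text: .output}' | curl -s -X POST -d @- https://hooks.example.internal/placeholder"
```

Setting `priority` is a coarse filter applied before any sink; to silence a single noisy rule without raising the global threshold, set `enabled: false` on that rule instead.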
## External References
- Supported fields: https://falco.org/docs/reference/rules/supported-fields/
- Rule examples: https://falco.org/docs/reference/rules/examples/
- Configuration: https://falco.org/docs/reference/daemon/config-options/