creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 19:54:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
768ca51c8d331ab0bdcea8ffb31c9b99bb2c1839
Anthropic-Cybersecurity-Skills/skills/operationalizing-misp-threat-feeds/references/api-reference.md
T
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817) 
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

68 lines
2.4 KiB
Markdown
Raw Blame History

# MISP / PyMISP API Reference
## PyMISP client
Install: `pip install pymisp`
```python
from pymisp import PyMISP
misp = PyMISP("https://misp.example", "AUTH_KEY", ssl=True)
```
### Feed management
| Method | Description |
|--------|-------------|
| `misp.feeds(pythonify=True)` | List configured feeds. |
| `misp.add_feed(MISPFeed, pythonify=True)` | Register a new feed. |
| `misp.enable_feed(feed_id)` / `misp.disable_feed(feed_id)` | Toggle a feed. |
| `misp.fetch_feed(feed_id)` | Pull a feed's events into the instance. |
| `misp.cache_feeds(scope)` / `misp.cache_all_feeds()` | Cache feed IOCs into Redis for correlation. |
### Searching attributes/events
| Call | Description |
|------|-------------|
| `misp.search(controller="attributes", ...)` | Search attributes (IOCs). |
| `type_attribute=[...]` | Filter by attribute type (`ip-dst`, `domain`, `url`, `md5`, `sha256`). |
| `to_ids=True` | Only IDS-flagged (actionable) attributes. |
| `published=True` | Only attributes in published events. |
| `last="7d"` | Published within a time window. |
| `enforce_warninglist=True` | Drop values matching enabled warninglists. |
| `tags=["tlp:white"]` | Filter by tag/taxonomy. |
### Warninglists
| Method | Description |
|--------|-------------|
| `misp.warninglists(pythonify=True)` | List warninglists. |
| `misp.toggle_warninglist(warninglist_id=ID, force_enable=True)` | Enable a warninglist. |
## REST restSearch return formats
Endpoint: `POST/GET https://<misp>/attributes/restSearch/` with header `Authorization: <AUTH_KEY>`.
Path-style modifiers: `returnFormat:<fmt>/to_ids:1/type:<a%7Cb%7Cc>/last:7d/published:1`
| returnFormat | Output |
|--------------|--------|
| `json` | Native JSON. |
| `suricata` | Suricata IDS rules. |
| `snort` | Snort IDS rules. |
| `csv` | CSV of attributes. |
| `text` | Plain value list (one per line). |
| `stix2` | STIX 2.1 bundle. |
Example:
```bash
curl -s -k -H "Authorization: AUTH_KEY" -H "Accept: application/json" \
"https://misp/attributes/restSearch/returnFormat:suricata/to_ids:1/type:domain%7Cip-dst" \
-o misp.rules
```
## Downstream deployment
| Tool | Command |
|------|---------|
| Suricata validate | `suricata -T -c /etc/suricata/suricata.yaml` |
| Suricata reload | `suricatasc -c reload-rules` |
| Wazuh restart | `/var/ossec/bin/wazuh-control restart` |
| Sigma convert | `sigma convert -t splunk -p splunk_windows rule.yml` |
Reference in New Issue View Git Blame Copy Permalink