Anthropic-Cybersecurity-Skills/skills/implementing-siem-correlation-rules-for-apt/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: SIEM Correlation Rules for APT

Splunk REST API

Authentication

POST /services/auth/login
Body: username=<user>&password=<pass>&output_mode=json
Returns: { "sessionKey": "<token>" }  (without output_mode=json the reply is XML:
  <response><sessionKey>TOKEN</sessionKey></response>)
Header on every later request: Authorization: Splunk <sessionKey>
Notes: the management API listens on port 8089 over HTTPS (normally a self-signed
  certificate), not on the 8000 web port. A token created under Settings > Tokens
  can be used instead with Authorization: Bearer <token>, which avoids sending a
  password from the automation host.

Saved Searches (Correlation Rules)

POST /services/saved/searches
Parameters: name, search, is_scheduled (1, otherwise cron_schedule is ignored),
  cron_schedule, dispatch.earliest_time, dispatch.latest_time,
  alert_type / alert_comparator / alert_threshold ("number of events" /
  "greater than" / 0 fires the actions on any result),
  alert.severity (1 debug, 2 info, 3 warn, 4 error, 5 severe, 6 fatal),
  action.notable (1=enabled), action.notable.param.rule_title,
  action.notable.param.severity, action.notable.param.security_domain
Notes: action.notable.* is provided by Splunk Enterprise Security; on a plain
  Splunk instance the parameters are stored but no notable is created.
  /services/... creates the search in the default user/app context; use
  /servicesNS/nobody/<app>/saved/searches to place the rule in a specific app.
GET /services/saved/searches?output_mode=json&count=0   (count=0 returns all entries)

Search Jobs

POST /services/search/jobs
Body: search=<SPL>, earliest_time, latest_time, output_mode=json
  The SPL must begin with "search " or a generating command ("| tstats ...");
  a bare "index=wineventlog EventCode=7045" fails with an unknown-command error.
  Add exec_mode=oneshot to receive the results in the POST reply instead of a job.
Returns: { "sid": "<job_id>" }
GET /services/search/jobs/<sid>?output_mode=json
  Poll until entry[0].content.isDone is true (dispatchState shows the phase).
GET /services/search/jobs/<sid>/results?output_mode=json&count=<n>   (count=0 returns all rows)
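The three endpoint groups above used together, as an added example (not the skill's scripts/agent.py and not the Splunk SDK): log in, create a scheduled correlation rule that raises an Enterprise Security notable, then submit an ad-hoc search job and poll it. The host splunk.example:8089, the credentials, the index wineventlog and the field names EventCode / Logon_Type (as extracted by the Splunk Add-on for Windows) are assumptions; the FakeSplunkd class is a constructed stand-in so the walkthrough runs offline, and only the transport changes when pointing it at a real splunkd.

```python
"""Splunk REST walkthrough: log in, create a scheduled correlation rule that
raises an ES notable, then run an ad-hoc search job and poll it to completion."""
import json
import ssl
import time
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body, verify_tls=True):
    # splunkd listens on 8089 over HTTPS, usually self-signed: verify_tls=False only in a lab
    ctx = None if verify_tls else ssl._create_unverified_context()
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()


class SplunkClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url, self.transport, self.session_key = base_url.rstrip("/"), transport, None

    def call(self, method, path, params):
        """Form-encode params (always adding output_mode=json) and decode the reply."""
        encoded = urllib.parse.urlencode(dict(params, output_mode="json"))
        headers, body, url = {}, None, self.base_url + path
        if self.session_key:                      # every call after login
            headers["Authorization"] = "Splunk " + self.session_key
        if method == "GET":
            url += "?" + encoded
        else:
            body = encoded.encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        return json.loads(self.transport(method, url, headers, body))

    def login(self, username, password):
        reply = self.call("POST", "/services/auth/login",
                          {"username": username, "password": password})
        self.session_key = reply["sessionKey"]
        return self.session_key

    def create_correlation_rule(self, name, spl, cron, severity, domain):
        """is_scheduled=1 makes cron_schedule effective, alert_* fires the actions
        on any result, action.notable.* are the Enterprise Security notable fields."""
        return self.call("POST", "/services/saved/searches", {
            "name": name, "search": spl, "is_scheduled": "1", "cron_schedule": cron,
            "dispatch.earliest_time": "-15m", "dispatch.latest_time": "now",
            "alert_type": "number of events", "alert_comparator": "greater than",
            "alert_threshold": "0", "alert.severity": "4",
            "action.notable": "1", "action.notable.param.rule_title": name,
            "action.notable.param.severity": severity,
            "action.notable.param.security_domain": domain})

    def run_search(self, spl, earliest="-24h", latest="now", count=100, poll_interval=2.0):
        if not spl.lstrip().startswith(("search ", "|")):   # search/jobs rejects bare SPL
            spl = "search " + spl
        sid = self.call("POST", "/services/search/jobs", {"search": spl,
                        "earliest_time": earliest, "latest_time": latest})["sid"]
        while not self.call("GET", f"/services/search/jobs/{sid}", {})["entry"][0]["content"]["isDone"]:
            time.sleep(poll_interval)
        return self.call("GET", f"/services/search/jobs/{sid}/results", {"count": str(count)})["results"]


# Correlation SPL: network logon then service install on the same host within 5 minutes.
# Assumes index wineventlog and the Windows TA field names EventCode / Logon_Type.
RULE_SPL = ("index=wineventlog ((EventCode=4624 Logon_Type=3) OR EventCode=7045) "
            "| transaction host maxspan=5m | search EventCode=4624 EventCode=7045")


class FakeSplunkd:
    """Constructed stand-in for splunkd: records every request, returns canned JSON."""
    CANNED = {"/auth/login": b'{"sessionKey": "demo-session-key"}',
              "/saved/searches": b'{"entry": [{"name": "APT - Remote Service Install"}]}',
              "/search/jobs": b'{"sid": "1700000000.42"}',
              "/results": b'{"results": [{"host": "WS01", "EventCode": "7045"}]}'}

    def __init__(self):
        self.requests, self.polls = [], 0

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        path = url.split("?")[0]
        for suffix, reply in self.CANNED.items():
            if path.endswith(suffix):
                return reply
        self.polls += 1            # job status: still running on the first poll
        return ('{"entry": [{"content": {"isDone": %s}}]}' % ("true" if self.polls > 1 else "false")).encode()


def demo():
    fake = FakeSplunkd()
    c = SplunkClient("https://splunk.example:8089", fake)
    c.login("svc_siem", "password")
    rule = c.create_correlation_rule("APT - Remote Service Install", RULE_SPL,
                                     "*/5 * * * *", "high", "endpoint")
    results = c.run_search("index=wineventlog EventCode=7045", earliest="-1h", poll_interval=0)
    return {"session": c.session_key, "rule": rule["entry"][0]["name"],
            "results": results, "requests": fake.requests, "polls": fake.polls}
```

Against a real instance, replace FakeSplunkd with the default urllib_transport (or a functools.partial with verify_tls=False in a lab) and keep the rest; the recorded requests show exactly what goes on the wire, including the "search " prefix that run_search adds and the Authorization header that appears only after login.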

Sigma Rule Format (YAML)

title: <string>
id: <uuid>                                  (stable identifier; required by most rule repositories)
status: experimental|test|stable|deprecated|unsupported
description: <string>
logsource:
  product: windows
  service: sysmon|security|system           (or category: process_creation, which the pipeline maps to a channel)
detection:
  selection: { EventID: [1,3] }             (list value = OR; keys in one map = AND)
  filter: { User|startswith: 'NT AUTHORITY' }   (field modifiers: contains, startswith, endswith, re)
  condition: selection and not filter
falsepositives: [<string>]
level: informational|low|medium|high|critical
tags: [attack.lateral_movement, attack.t1021.001]   (tactic tag plus ATT&CK technique tag)

sigma-cli Conversion

pip install sigma-cli
sigma plugin install splunk
sigma plugin install elasticsearch
sigma plugin install sysmon
sigma list targets                                   (shows the target identifiers the installed backends register)
sigma convert -t splunk -p sysmon -p splunk_windows rule.yml
sigma convert -t splunk -p sysmon -p splunk_windows -f savedsearches rule.yml   (savedsearches.conf stanza instead of bare SPL)
sigma convert -t eql -p sysmon rule.yml              (EQL target of the Elasticsearch backend; lucene and esql are its other targets)
Note: -p sysmon only maps generic categories to Sysmon event IDs; the backend-specific
  pipeline (splunk_windows) is what turns logsource into source="WinEventLog:..." fields.
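To make the detection-block semantics above concrete (map keys ANDed, list values ORed, |modifiers as wildcards, condition combining named selections), here is an added toy Sigma-to-SPL renderer. It is an illustration written for this page, not the pySigma Splunk backend, and real conversions should go through sigma-cli. The rule is a constructed dict in the shape a YAML loader would produce, the MpKsl filter is an illustrative exclusion rather than a vetted allow-list, and the SOURCES mapping only approximates what the splunk_windows pipeline emits.

```python
"""Toy Sigma -> SPL renderer that makes the detection-block semantics concrete:
keys in one selection map are ANDed, a list value is ORed, |modifiers become
wildcards, and the condition combines named selections. Production conversions
go through sigma-cli; this is an illustration, not the Splunk backend."""
import re

# Constructed rule: the dict a YAML loader would produce for a remote service
# installation rule (PsExec-style). The MpKsl filter is an illustrative
# exclusion for Defender's transient scan service, not a vetted allow-list.
RULE = {
    "title": "Remote Service Installation via PsExec-like Tooling",
    "status": "experimental",
    "logsource": {"product": "windows", "service": "system"},
    "detection": {
        "selection": {"EventID": 7045,
                      "ImagePath|contains": ["\\ADMIN$\\", "cmd.exe /c"]},
        "filter": {"ServiceName|startswith": "MpKsl"},
        "condition": "selection and not filter",
    },
    "level": "high",
    "tags": ["attack.lateral_movement", "attack.t1021.002", "attack.t1569.002"],
}

# logsource.service -> Splunk source, approximating the splunk_windows pipeline.
SOURCES = {"security": "WinEventLog:Security",
           "system": "WinEventLog:System",
           "sysmon": "WinEventLog:Microsoft-Windows-Sysmon/Operational"}
WRAP = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}


def _quote(value):
    """SPL string literal: escape backslash and double quote."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def _field_expr(key, value):
    field, _, modifier = key.partition("|")
    if modifier not in WRAP:
        raise ValueError(f"unsupported modifier {modifier!r} on {field}")
    values = value if isinstance(value, list) else [value]
    terms = [f"{field}={_quote(WRAP[modifier].format(v))}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def _selection_expr(selection):
    if isinstance(selection, list):          # list of maps = OR of alternatives
        return "(" + " OR ".join(_selection_expr(s) for s in selection) + ")"
    parts = [_field_expr(k, v) for k, v in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def _condition_expr(condition, detection):
    """Recursive-descent parser for 'a and not b or (c and d)'; not > and > or."""
    tokens, pos = re.findall(r"\(|\)|\w+", condition), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos - 1 < len(tokens) else None

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def atom():
        tok = take()
        if tok == "(":
            inner = expr_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return "(" + inner + ")"
        if tok == "not":
            return "NOT " + atom()
        if tok is None or tok == "condition" or tok not in detection:
            raise ValueError(f"unknown selection {tok!r} in condition")
        return _selection_expr(detection[tok])

    def expr_and():
        out = atom()
        while peek() == "and":
            take()
            out += " AND " + atom()
        return out

    def expr_or():
        out = expr_and()
        while peek() == "or":
            take()
            out += " OR " + expr_and()
        return out

    return expr_or()


def sigma_to_spl(rule):
    source = SOURCES[rule["logsource"]["service"]]
    return f"source={_quote(source)} {_condition_expr(rule['detection']['condition'], rule['detection'])}"
```

Rendering RULE gives source="WinEventLog:System" followed by the AND of the two selection fields, with the ImagePath alternatives ORed and the filter negated; comparing that output with what sigma convert -t splunk produces for the same rule is a quick way to see what the splunk_windows pipeline adds (field renames, source mapping, CIM fields).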

Key Windows Event IDs for Lateral Movement

Event ID   Source    Description
4624       Security  Successful logon (Logon Type 3 = network/SMB, 10 = RemoteInteractive/RDP)
4648       Security  Logon with explicit credentials (runas, PsExec -u, credential-reuse tooling)
4672       Security  Special privileges assigned to a new logon (admin logon; pair with the 4624)
4688       Security  Process creation (requires Audit Process Creation plus command-line auditing enabled)
4697       Security  Service installed (Security-log counterpart of 7045; requires Audit Security System Extension)
5145       Security  Network share object checked (ADMIN$ / IPC$ access that precedes remote service creation)
7045       System    New service installed (PSEXESVC and other remotely created services)
1          Sysmon    Process creation with hashes, command line and parent process
3          Sysmon    Network connection (owning process, destination IP and port)
10         Sysmon    Process access (credential dumping: GrantedAccess on lsass.exe)
17/18      Sysmon    Named pipe created/connected (\PSEXESVC and similar remote-execution pipes)

The Security-log IDs only appear when the matching audit subcategory is enabled
on the endpoint; a correlation rule built on 4688 or 4697 silently matches
nothing on hosts where that policy is missing.
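The table lists the individual events; what a correlation rule adds is the sequence. The following added example (written for this page, not part of the skill) implements the classic remote-service pattern over constructed log records: a remote logon (4624 with Logon Type 3 or 10) to a host followed within a short window by a service install (7045) or a Sysmon named-pipe event (17/18) on the same host. Records are assumed to be normalised to the field names ts, host, source, event_id, logon_type, user and src_ip (an assumption; the raw XML names differ), the five-minute window and the MpKsl service text are illustrative, and the approach generalises to any "precursor then follow-on" pair by changing the two sets at the top.

```python
"""Sequence correlation over the event IDs above, run on constructed records:
a remote logon (4624 LogonType 3 or 10) to a host, followed within WINDOW by a
service install (7045) or a Sysmon named pipe (17/18) on that same host."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)              # illustrative; tune to the environment
REMOTE_LOGON_TYPES = {3, 10}               # network (SMB/RPC) and RemoteInteractive (RDP)
FOLLOW_ON = {("System", 7045), ("Sysmon", 17), ("Sysmon", 18)}


def correlate(events, window=WINDOW):
    """Return one alert per follow-on event that has a remote logon to the same
    host inside the window. Events may arrive out of order; they are sorted."""
    alerts, logons = [], defaultdict(list)     # host -> [(ts, user, src_ip)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev["host"], (ev["source"], ev["event_id"])
        if kind == ("Security", 4624):
            if ev.get("logon_type") in REMOTE_LOGON_TYPES:
                logons[host].append((ev["ts"], ev["user"], ev["src_ip"]))
            continue
        if kind not in FOLLOW_ON:
            continue
        # expire precursors older than the window, then pair with what is left
        logons[host] = [l for l in logons[host] if ev["ts"] - l[0] <= window]
        for ts, user, src_ip in logons[host]:
            alerts.append({"host": host, "user": user, "src_ip": src_ip,
                           "logon_ts": ts, "trigger_ts": ev["ts"],
                           "trigger": f"{ev['source']}:{ev['event_id']}",
                           "detail": ev.get("detail", "")})
    return alerts


def at(hhmmss):
    return datetime(2026, 3, 10, *map(int, hhmmss.split(":")))


# Constructed records, normalised from the Security, System and Sysmon channels.
EVENTS = [
    {"ts": at("10:00:00"), "host": "WS01", "source": "Security", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc_backup", "src_ip": "10.0.0.5"},
    {"ts": at("10:00:02"), "host": "WS01", "source": "System", "event_id": 7045,
     "detail": "PSEXESVC %SystemRoot%\\PSEXESVC.exe"},
    {"ts": at("10:00:03"), "host": "WS01", "source": "Sysmon", "event_id": 17,
     "detail": "\\PSEXESVC"},
    {"ts": at("10:07:00"), "host": "WS02", "source": "Security", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.0.9"},
    {"ts": at("10:20:00"), "host": "WS02", "source": "System", "event_id": 7045,
     "detail": "MpKslScan (Defender scan service, illustrative)"},   # 13 min later: outside window
    {"ts": at("09:59:00"), "host": "WS03", "source": "System", "event_id": 7045,
     "detail": "service install with no preceding remote logon"},
    {"ts": at("10:30:00"), "host": "WS04", "source": "Security", "event_id": 4624,
     "logon_type": 2, "user": "CORP\\alice", "src_ip": "-"},          # console logon, ignored
    {"ts": at("10:30:30"), "host": "WS04", "source": "System", "event_id": 7045,
     "detail": "local install after interactive logon"},
]


def demo(window_minutes=5):
    return correlate(EVENTS, timedelta(minutes=window_minutes))
```

With the five-minute window only WS01 alerts, twice (once for the 7045, once for the named pipe), both attributed to the 10.0.0.5 logon; widening the window to twenty minutes pulls in the WS02 Defender service install, which is the kind of false positive the Sigma filter in the previous section exists to suppress. The SPL equivalent is the transaction-based search in the Splunk example, but stating the logic in code makes the window and the precursor/follow-on sets explicit and testable.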