creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
780757902b7faeb8d77d034d4faead329cdd6539
Anthropic-Cybersecurity-Skills/skills/performing-user-behavior-analytics/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.0 KiB
Raw Blame History

API Reference: User Behavior Analytics (UEBA) Agent

Overview

Detects anomalous user behavior using Elasticsearch authentication logs: impossible travel via haversine distance, off-hours access against baselines, and composite risk scoring.

Dependencies

Package Version Purpose
elasticsearch >= 8.0 Elasticsearch Python client
math stdlib Haversine distance calculation

Core Functions

build_user_baselines(es, index, days)

Builds 30-day behavioral baselines per user: unique IPs, countries, login hour stats, daily averages.

  • Returns: dict[str, dict] - user to baseline mapping

detect_impossible_travel(es, index, hours)

Detects sequential logins from locations requiring >900 km/h travel speed over >500 km distance.

  • Algorithm: Haversine distance / time between consecutive logins per user
  • Returns: list[dict] - alerts with from/to locations, distance, speed

detect_off_hours_access(es, baselines, index, hours)

Flags logins outside 2 standard deviations from user's average login hour, on weekends, or between midnight-6am / after 10pm.

  • Returns: list[dict] - alerts with user, timestamp, login hour, baseline

calculate_risk_scores(impossible_travel, off_hours, baselines)

Aggregates anomalies into composite risk scores: +40 for impossible travel, +20 for off-hours.

  • Returns: list[tuple] - (user, {risk, anomalies}) sorted descending

haversine(lat1, lon1, lat2, lon2)

Great-circle distance between two geographic coordinates in km.

  • Returns: float - distance in kilometers

Elasticsearch Index Requirements

Index Fields Required
logs-auth-* user.name, source.ip, source.geo.location, @timestamp, event.outcome

Risk Score Weights

Anomaly Type Points
Impossible travel +40
Off-hours access +20
Weekend access +20

Usage

python agent.py https://elastic.corp.local:9200
Reference in New Issue View Git Blame Copy Permalink