mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
cb8d79e068
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution
82 lines
2.3 KiB
Markdown
82 lines
2.3 KiB
Markdown
---
|
|
name: analyzing-api-gateway-access-logs
|
|
description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
|
|
BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
|
|
Uses pandas for statistical analysis of request patterns and anomaly detection.
|
|
Use when investigating API abuse or building API-specific threat detection rules.
|
|
|
|
'
|
|
domain: cybersecurity
|
|
subdomain: security-operations
|
|
tags:
|
|
- api-security
|
|
- access-log-analysis
|
|
- aws-api-gateway
|
|
- kong
|
|
- nginx
|
|
- bola-detection
|
|
- rate-limit-bypass
|
|
- security-operations
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- DE.CM-01
|
|
- RS.MA-01
|
|
- GV.OV-01
|
|
- DE.AE-02
|
|
mitre_attack:
|
|
- T1190
|
|
- T1110.004
|
|
- T1078.004
|
|
- T1119
|
|
---
|
|
|
|
# Analyzing API Gateway Access Logs
|
|
|
|
|
|
## When to Use
|
|
|
|
- When investigating security incidents that require analyzing api gateway access logs
|
|
- When building detection rules or threat hunting queries for this domain
|
|
- When SOC analysts need structured procedures for this analysis type
|
|
- When validating security monitoring coverage for related attack techniques
|
|
|
|
## Prerequisites
|
|
|
|
- Familiarity with security operations concepts and tools
|
|
- Access to a test or lab environment for safe execution
|
|
- Python 3.8+ with required dependencies installed
|
|
- Appropriate authorization for any testing activities
|
|
|
|
## Instructions
|
|
|
|
Parse API gateway access logs to identify attack patterns including broken object
|
|
level authorization (BOLA), excessive data exposure, and injection attempts.
|
|
|
|
```python
|
|
import pandas as pd
|
|
|
|
df = pd.read_json("api_gateway_logs.json", lines=True)
|
|
# Detect BOLA: same user accessing many different resource IDs
|
|
bola = df.groupby(["user_id", "endpoint"]).agg(
|
|
unique_ids=("resource_id", "nunique")).reset_index()
|
|
suspicious = bola[bola["unique_ids"] > 50]
|
|
```
|
|
|
|
Key detection patterns:
|
|
1. BOLA/IDOR: sequential resource ID enumeration
|
|
2. Rate limit bypass via header manipulation
|
|
3. Credential scanning (401 surges from single source)
|
|
4. SQL/NoSQL injection in query parameters
|
|
5. Unusual HTTP methods (DELETE, PATCH) on read-only endpoints
|
|
|
|
## Examples
|
|
|
|
```python
|
|
# Detect 401 surges indicating credential scanning
|
|
auth_failures = df[df["status_code"] == 401]
|
|
scanner_ips = auth_failures.groupby("source_ip").size()
|
|
scanners = scanner_ips[scanner_ips > 100]
|
|
```
|