Anthropic-Cybersecurity-Skills/skills/detecting-anomalous-authentication-patterns/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

# Authentication Anomaly Detection API Reference

## Azure AD Sign-In Logs (Microsoft Graph)

```http
# Query sign-in logs (the $filter value must be a full ISO 8601 datetime, not a bare date)
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-01-01T00:00:00Z
Authorization: Bearer <token>

# Users flagged as risky by Identity Protection (user-level risk, not individual sign-ins)
GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers
```

## Okta System Log API

```bash
# Query authentication events (since= takes an ISO 8601 timestamp)
curl "https://your-org.okta.com/api/v1/logs?filter=eventType+eq+%22user.session.start%22&since=2024-01-01T00:00:00Z" \
  -H "Authorization: SSWS <api_token>"

# Filter failed logins
curl "https://your-org.okta.com/api/v1/logs?filter=outcome.result+eq+%22FAILURE%22" \
  -H "Authorization: SSWS <api_token>"
```

## Windows Event IDs for Auth Monitoring

| Event ID | Description |
|----------|-------------|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Logon with explicit credentials |
| 4672 | Special privileges assigned |
| 4768 | Kerberos TGT request |
| 4769 | Kerberos service ticket request |
| 4771 | Kerberos pre-auth failed |
| 4776 | NTLM credential validation |

## Splunk SPL Detection Queries

```spl
# Brute force detection: many failures for one user from one source in 10 minutes
index=auth result="failure"
| bin _time span=10m
| stats count by user src_ip _time
| where count >= 10

# Password spray detection: one source failing against many distinct users in 30 minutes
index=auth result="failure"
| bin _time span=30m
| stats dc(user) as targets count by src_ip _time
| where targets >= 10

# Impossible travel: consecutive successful logons for a user that imply > 900 km/h
# (current=f is required so prev_* refer to the previous event, not the current one)
index=auth result="success"
| iplocation src_ip
| sort 0 user _time
| streamstats current=f last(lat) as prev_lat last(lon) as prev_lon last(_time) as prev_time by user
| where isnotnull(prev_lat)
| eval dist=6371*2*asin(sqrt(pow(sin((lat-prev_lat)*pi()/360),2)+cos(prev_lat*pi()/180)*cos(lat*pi()/180)*pow(sin((lon-prev_lon)*pi()/360),2)))
| eval hours=(_time-prev_time)/3600
| eval speed=if(hours>0, dist/hours, null())
| where speed > 900 AND dist > 100
```
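The impossible-travel logic of the SPL query above, written as a stand-alone Python function. This is an added example, not part of the original reference: the event field names and the `SAMPLE_EVENTS` records are constructed, and latitude/longitude are assumed to be already resolved (as `iplocation` or geoip2 would supply them).

```python
# Added example: impossible-travel detection over sign-in records, using the same
# haversine formula and thresholds (900 km/h, 100 km) as the SPL query.
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900
MIN_DISTANCE_KM = 100


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points (degrees)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events):
    """Return (user, prev_ip, ip, dist_km, speed_kmh) for every successful logon
    that is too far from the user's previous successful logon to be reachable in
    the elapsed time. Failed logons are ignored, matching result="success"."""
    alerts = []
    last_seen = {}  # user -> previous successful event (streamstats current=f)
    for ev in sorted(events, key=lambda e: (e["user"], e["_time"])):
        if ev["result"] != "success":
            continue
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["_time"] - prev["_time"]) / 3600
            # Same timestamp: no finite speed exists, so treat any real distance as impossible.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_SPEED_KMH and dist > MIN_DISTANCE_KM:
                alerts.append((ev["user"], prev["src_ip"], ev["src_ip"], round(dist), round(speed)))
        last_seen[ev["user"]] = ev
    return alerts


# Constructed sample data (documentation IP ranges). alice: London then New York one hour
# later (impossible); bob: Paris then London three hours later (plausible), then a failure.
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.10", "result": "success", "_time": 1704103200, "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "src_ip": "198.51.100.7", "result": "success", "_time": 1704106800, "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "src_ip": "203.0.113.20", "result": "success", "_time": 1704103200, "lat": 48.8566, "lon": 2.3522},
    {"user": "bob", "src_ip": "203.0.113.21", "result": "success", "_time": 1704114000, "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "src_ip": "198.51.100.9", "result": "failure", "_time": 1704117600, "lat": 40.7128, "lon": -74.0060},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)  # ('alice', '203.0.113.10', '198.51.100.7', 5570, 5570)
```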

## GeoIP with MaxMind (Python)

```python
import geoip2.database
import geoip2.errors

# Reader is a context manager; the database file is memory-mapped and closed on exit.
with geoip2.database.Reader('/opt/geoip/GeoLite2-City.mmdb') as reader:
    try:
        # 203.0.113.50 is a reserved documentation address; GeoLite2 raises
        # AddressNotFoundError for reserved, private and otherwise unmapped IPs.
        response = reader.city('203.0.113.50')
        print(response.city.name, response.location.latitude, response.location.longitude)
    except geoip2.errors.AddressNotFoundError:
        print('no geolocation record for this address')
```

## Isolation Forest (scikit-learn)

```python
import numpy as np
from sklearn.ensemble import IsolationForest

# X: one row per user or session, numeric features only, e.g.
# [logon_hour, failed_logons, distinct_src_ips, distinct_countries]
X = np.array([[9, 0, 1, 1], [10, 1, 1, 1], [14, 0, 2, 1], [3, 40, 12, 4]])

# contamination is the expected fraction of anomalies; it sets the decision threshold
model = IsolationForest(n_estimators=200, contamination=0.01, random_state=42)
model.fit(X)
predictions = model.predict(X)  # -1 = anomaly, 1 = normal
scores = model.score_samples(X)  # lower = more anomalous
```