creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
c60cb4aa7b06faca439e4335b4eb9727570072db
Anthropic-Cybersecurity-Skills/skills/detecting-shadow-it-cloud-usage/references/api-reference.md
T
mukul975 4d6d585285 Add 10 new cybersecurity skills with full folder anatomy 
Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)

Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:47:03 +01:00

2.3 KiB
Raw Blame History

API Reference — Detecting Shadow IT Cloud Usage

Libraries Used

  • pandas: DataFrame aggregation for traffic analysis — groupby, agg, nunique
  • tldextract: Accurate registered domain extraction from URLs/hostnames
  • csv: CSV log parsing with DictReader
  • re: Regex parsing for Squid proxy and BIND DNS query log formats

CLI Interface

python agent.py access.log --type proxy parse
python agent.py access.log --type proxy analyze
python agent.py dns-queries.log --type dns full
python agent.py traffic.csv --type csv --approved approved.txt full

Core Functions

parse_proxy_log(filepath) — Parse Squid/common proxy access logs

Regex pattern matches Squid format: timestamp duration client_ip status bytes method url. Falls back to Apache Common Log Format parsing.

parse_dns_log(filepath) — Parse BIND/named DNS query logs

Extracts query name and type from query: DOMAIN IN TYPE patterns. Strips trailing dots from FQDNs.

parse_csv_log(filepath) — Parse generic CSV traffic logs

Expects columns: timestamp, src_ip, dst_domain, bytes_out, bytes_in.

analyze_traffic(records) — Aggregate and classify traffic

Uses pandas groupby on domain: total_bytes (sum), request_count (count), unique_users (nunique). Falls back to collections.defaultdict if pandas unavailable.

classify_domain(domain) — Categorize against SaaS database

Categories: storage, email, dev_tools, ai_ml, messaging, file_sharing, vpn_proxy.

full_audit(log_path, log_type, approved_list) — Complete shadow IT audit

Risk Scoring

Factor Points
Unapproved domain +30
Storage/file-sharing/VPN category +25
Email category +15
Data volume (per 10 MB) +1 (max 20)
Unique users (per user) +3 (max 15)

SaaS Category Database

Category Example Domains
storage dropbox.com, box.com, mega.nz, wetransfer.com
email protonmail.com, tutanota.com, guerrillamail.com
dev_tools github.com, gitlab.com, replit.com
ai_ml chat.openai.com, claude.ai, huggingface.co
messaging telegram.org, discord.com, signal.org
file_sharing pastebin.com, file.io, gofile.io
vpn_proxy nordvpn.com, expressvpn.com, protonvpn.com

Dependencies

  • pandas >= 1.5.0
  • tldextract >= 3.4.0 (optional, improves domain extraction accuracy)
Reference in New Issue View Git Blame Copy Permalink