creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/implementing-deception-based-detection-with-canarytoken/references/api-reference.md
T
mukul975 915ea611e5 Add 10 new cybersecurity skills with full folder anatomy 
Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)

Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:47:03 +01:00

74 lines
2.9 KiB
Markdown
Raw Blame History

# API Reference — Implementing Deception-Based Detection with Canarytoken
## Libraries Used
- **requests**: HTTP client for Thinkst Canary Console REST API
- **json**: JSON serialization for audit reports
## CLI Interface
```
python agent.py --console abc123 --auth-token TOKEN ping
python agent.py --console abc123 --auth-token TOKEN list
python agent.py --console abc123 --auth-token TOKEN alerts
python agent.py --console abc123 --auth-token TOKEN create --kind http --memo "Web server token"
python agent.py --console abc123 --auth-token TOKEN create --kind dns --memo "DNS honeypot"
python agent.py --console abc123 --auth-token TOKEN coverage
python agent.py --console abc123 --auth-token TOKEN full
```
## Core Functions
### `CanaryClient(console_domain, auth_token)` — API client
Base URL: `https://{console_domain}.canary.tools/api/v1`
Auth: `auth_token` parameter on every request.
### `create_token(kind, memo, **kwargs)` — Create Canarytoken
POST `/canarytoken/create` with `kind`, `memo`, `auth_token`.
For doc-msword: uploads file via multipart form with MIME type
`application/vnd.openxmlformats-officedocument.wordprocessingml.document`.
### `list_tokens()` — List all deployed tokens
GET `/canarytokens/fetch`. Returns array of token objects with kind, memo, url, enabled.
### `get_alerts(newer_than)` — Fetch triggered token alerts
GET `/incidents/all`. Optional `newer_than` timestamp filter.
Returns src_host (source IP), description, timestamp, acknowledged status.
### `ack_alert(incident_id)` — Acknowledge an alert
POST `/incident/acknowledge` with incident ID.
### `audit_token_coverage(client)` — Coverage analysis
Calculates: tokens by kind, triggered vs untriggered, missing token types,
coverage score as percentage of TOKEN_KINDS deployed.
### `full_audit(client)` — Comprehensive deception audit
## Canary Console API Endpoints
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/ping` | GET | Test API connectivity |
| `/canarytoken/create` | POST | Create new token |
| `/canarytokens/fetch` | GET | List all tokens |
| `/canarytoken/fetch` | GET | Get specific token |
| `/canarytoken/delete` | POST | Delete a token |
| `/incidents/all` | GET | Fetch all alerts |
| `/canarytoken/incidents` | GET | Alerts for specific token |
| `/incident/acknowledge` | POST | Acknowledge alert |
## Supported Token Types
| Kind | Description |
|------|-------------|
| http | Web bug — triggers on HTTP request |
| dns | DNS token — triggers on DNS resolution |
| doc-msword | MS Word document with embedded beacon |
| pdf-acrobat-reader | PDF with embedded beacon |
| aws-id | Fake AWS API key pair |
| web-image | Image with tracking pixel |
| cloned-web | Cloned website detection |
| qr-code | QR code with tracking URL |
| sensitive-cmd | Triggers on command execution |
| windows-dir | Windows folder open detection |
## Dependencies
- `requests` >= 2.28.0
- Thinkst Canary Console account with API auth token
Reference in New Issue View Git Blame Copy Permalink