mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.9 KiB
1.9 KiB
API Reference: Insider Threat Investigation
Data Sources
| Source | Log Type | Key Fields |
|---|---|---|
| DLP System | File transfers, USB connections | user, action, file_path, bytes, device_id |
| Email Gateway | Sent/received/forwarded emails | sender, recipient, subject, attachment_size |
| VPN / Auth Logs | Authentication events | user, timestamp, source_ip, result |
| Cloud Access Broker | SaaS application activity | user, app, action, data_volume |
| Badge Access | Physical access events | user, location, timestamp, direction |
Microsoft Graph API (for Microsoft 365 environments)
| Endpoint | Method | Description |
|---|---|---|
/auditLogs/signIns |
GET | User sign-in activity logs |
/security/alerts |
GET | Security alerts including DLP |
/users/{id}/activities |
GET | User activity feed |
/users/{id}/mailFolders/{id}/messages |
GET | Email messages (eDiscovery) |
Exabeam UEBA API
| Endpoint | Description |
|---|---|
/api/users/{user}/timeline |
User activity timeline with risk scores |
/api/users/{user}/risk |
Current risk score and contributing factors |
Python Libraries
| Library | Version | Purpose |
|---|---|---|
csv |
stdlib | Parse exported log files |
json |
stdlib | Report generation and data exchange |
datetime |
stdlib | Timestamp parsing and time-window analysis |
requests |
>=2.28 | API access for UEBA and SIEM platforms |
References
- CISA Insider Threat Guide: https://www.cisa.gov/topics/physical-security/insider-threat-mitigation
- NIST SP 800-53 (PS-6 Access Agreements): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- Microsoft Purview Insider Risk: https://learn.microsoft.com/en-us/purview/insider-risk-management
- MITRE Insider Threat: https://attack.mitre.org/techniques/T1078/