mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
44 lines
1.9 KiB
Markdown
44 lines
1.9 KiB
Markdown
# API Reference: Insider Threat Investigation
|
|
|
|
## Data Sources
|
|
|
|
| Source | Log Type | Key Fields |
|
|
|--------|----------|------------|
|
|
| DLP System | File transfers, USB connections | user, action, file_path, bytes, device_id |
|
|
| Email Gateway | Sent/received/forwarded emails | sender, recipient, subject, attachment_size |
|
|
| VPN / Auth Logs | Authentication events | user, timestamp, source_ip, result |
|
|
| Cloud Access Broker | SaaS application activity | user, app, action, data_volume |
|
|
| Badge Access | Physical access events | user, location, timestamp, direction |
|
|
|
|
## Microsoft Graph API (for Microsoft 365 environments)
|
|
|
|
| Endpoint | Method | Description |
|
|
|----------|--------|-------------|
|
|
| `/auditLogs/signIns` | GET | User sign-in activity logs |
|
|
| `/security/alerts` | GET | Security alerts including DLP |
|
|
| `/users/{id}/activities` | GET | User activity feed |
|
|
| `/users/{id}/mailFolders/{id}/messages` | GET | Email messages (eDiscovery) |
|
|
|
|
## Exabeam UEBA API
|
|
|
|
| Endpoint | Description |
|
|
|----------|-------------|
|
|
| `/api/users/{user}/timeline` | User activity timeline with risk scores |
|
|
| `/api/users/{user}/risk` | Current risk score and contributing factors |
|
|
|
|
## Python Libraries
|
|
|
|
| Library | Version | Purpose |
|
|
|---------|---------|---------|
|
|
| `csv` | stdlib | Parse exported log files |
|
|
| `json` | stdlib | Report generation and data exchange |
|
|
| `datetime` | stdlib | Timestamp parsing and time-window analysis |
|
|
| `requests` | >=2.28 | API access for UEBA and SIEM platforms |
|
|
|
|
## References
|
|
|
|
- CISA Insider Threat Guide: https://www.cisa.gov/topics/physical-security/insider-threat-mitigation
|
|
- NIST SP 800-53 (PS-6 Access Agreements): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
|
|
- Microsoft Purview Insider Risk: https://learn.microsoft.com/en-us/purview/insider-risk-management
|
|
- MITRE Insider Threat: https://attack.mitre.org/techniques/T1078/
|