Files
Anthropic-Cybersecurity-Skills/skills/performing-insider-threat-investigation/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

44 lines
1.9 KiB
Markdown

# API Reference: Insider Threat Investigation
## Data Sources
| Source | Log Type | Key Fields |
|--------|----------|------------|
| DLP System | File transfers, USB connections | user, action, file_path, bytes, device_id |
| Email Gateway | Sent/received/forwarded emails | sender, recipient, subject, attachment_size |
| VPN / Auth Logs | Authentication events | user, timestamp, source_ip, result |
| Cloud Access Broker | SaaS application activity | user, app, action, data_volume |
| Badge Access | Physical access events | user, location, timestamp, direction |
## Microsoft Graph API (for Microsoft 365 environments)
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/auditLogs/signIns` | GET | User sign-in activity logs |
| `/security/alerts` | GET | Security alerts including DLP |
| `/users/{id}/activities` | GET | User activity feed |
| `/users/{id}/mailFolders/{id}/messages` | GET | Email messages (eDiscovery) |
## Exabeam UEBA API
| Endpoint | Description |
|----------|-------------|
| `/api/users/{user}/timeline` | User activity timeline with risk scores |
| `/api/users/{user}/risk` | Current risk score and contributing factors |
## Python Libraries
| Library | Version | Purpose |
|---------|---------|---------|
| `csv` | stdlib | Parse exported log files |
| `json` | stdlib | Report generation and data exchange |
| `datetime` | stdlib | Timestamp parsing and time-window analysis |
| `requests` | >=2.28 | API access for UEBA and SIEM platforms |
## References
- CISA Insider Threat Guide: https://www.cisa.gov/topics/physical-security/insider-threat-mitigation
- NIST SP 800-53 (PS-6 Access Agreements): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- Microsoft Purview Insider Risk: https://learn.microsoft.com/en-us/purview/insider-risk-management
- MITRE Insider Threat: https://attack.mitre.org/techniques/T1078/