Anthropic-Cybersecurity-Skills/skills/analyzing-cloud-storage-access-patterns/SKILL.md
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

name: analyzing-cloud-storage-access-patterns
description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
domain: cybersecurity
subdomain: cloud-security
tags: analyzing, cloud, storage, access
version: 1.0
author: mahipal
license: Apache-2.0
atlas_techniques: AML.T0024, AML.T0056
nist_ai_rmf: MEASURE-2.7, MAP-5.1, MANAGE-2.4
nist_csf: PR.IR-01, ID.AM-08, GV.SC-06, DE.CM-01

Analyzing Cloud Storage Access Patterns

When to Use

  • When investigating security incidents that require analyzing cloud storage access patterns
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with cloud security concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

  1. Install dependencies: pip install boto3 requests
  2. Query CloudTrail for S3 Data Events using AWS CLI or boto3.
  3. Build access baselines: hourly request volume, per-user object counts, source IP history.
  4. Detect anomalies:
    • After-hours access (outside 8am-6pm local time)
    • Bulk downloads: >100 GetObject calls from single principal in 1 hour
    • New source IPs not seen in the prior 30 days
    • ListBucket enumeration spikes (reconnaissance indicator)
  5. Generate prioritized findings report.
python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json
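
As an added example (not the project's scripts/agent.py), the following Python applies steps 3 and 4 above to CloudTrail S3 Data Event records that have already been fetched as dicts. It assumes each record carries eventTime, eventName, sourceIPAddress and userIdentity.arn, treats UTC as the local time for the 8am-6pm window, and leaves out the ListBucket spike rule because no threshold is given above; the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Thresholds from the procedure above; "local time" is assumed to be UTC here.
BUSINESS_HOURS = range(8, 18)   # 8am-6pm
BULK_THRESHOLD = 100            # >100 GetObject calls per principal per hour
BASELINE_DAYS = 30              # source-IP history window

def event_time(ev):
    # CloudTrail eventTime is ISO-8601 with a trailing Z (UTC)
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))

def build_ip_baseline(history, now):
    """Source IPs per principal ARN seen in the prior BASELINE_DAYS."""
    cutoff = now - timedelta(days=BASELINE_DAYS)
    seen = {}
    for ev in history:
        if event_time(ev) >= cutoff:
            seen.setdefault(ev["userIdentity"]["arn"], set()).add(ev["sourceIPAddress"])
    return seen

def detect_anomalies(events, baseline):
    """Return sorted, de-duplicated (severity, principal, finding) tuples."""
    findings = set()
    gets_per_hour = Counter()
    for ev in events:
        ts = event_time(ev)
        principal = ev["userIdentity"]["arn"]
        hour = ts.replace(minute=0, second=0, microsecond=0)
        if ev["eventName"] == "GetObject":
            gets_per_hour[(principal, hour)] += 1
        if ts.hour not in BUSINESS_HOURS:
            findings.add(("medium", principal, f"after-hours {ev['eventName']} in hour {hour.isoformat()}"))
        if ev["sourceIPAddress"] not in baseline.get(principal, set()):
            findings.add(("high", principal, f"new source IP {ev['sourceIPAddress']}"))
    for (principal, hour), n in gets_per_hour.items():
        if n > BULK_THRESHOLD:
            findings.add(("high", principal, f"bulk download: {n} GetObject calls in hour {hour.isoformat()}"))
    return sorted(findings)

# Constructed sample: one known IP in history, then 101 GetObject calls at 02:xx UTC from a new IP.
ARN = "arn:aws:iam::123456789012:user/analyst"
NOW = datetime(2026, 4, 6, 12, 0, tzinfo=timezone.utc)
HISTORY = [{"eventTime": "2026-03-20T10:00:00Z", "eventName": "GetObject",
            "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": ARN}}]
EVENTS = [{"eventTime": f"2026-04-06T02:{i % 60:02d}:{i // 60:02d}Z", "eventName": "GetObject",
           "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": ARN}} for i in range(101)]

def sample_findings():
    return detect_anomalies(EVENTS, build_ip_baseline(HISTORY, NOW))
```

In a real run, `HISTORY` and `EVENTS` would come from CloudTrail lookups via boto3 for the prior 30 days and the `--hours-back` window respectively.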

Examples

CloudTrail S3 Data Event

{
  "eventName": "GetObject",
  "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"},
  "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}
}