creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-security-logs-with-splunk/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

96 lines
2.5 KiB
Markdown
Raw Blame History

# API Reference: Analyzing Security Logs with Splunk
## splunk-sdk (splunklib)
### Connection
```python
import splunklib.client as client
service = client.connect(
host="splunk.example.com",
port=8089,
username="admin",
password="secret",
autologin=True,
)
```
### Running Searches
```python
import splunklib.results as results
# Blocking (synchronous) search
job = service.jobs.create(
"search index=windows EventCode=4625 | stats count by src_ip",
**{"earliest_time": "-24h", "latest_time": "now", "exec_mode": "blocking"}
)
# Read results as JSON
reader = results.JSONResultsReader(job.results(output_mode="json"))
for row in reader:
if isinstance(row, dict):
print(row)
job.cancel()
```
### Oneshot Search (Simple Queries)
```python
result_stream = service.jobs.oneshot(
"search index=windows EventCode=4624 | head 10",
earliest_time="-1h",
output_mode="json",
)
reader = results.JSONResultsReader(result_stream)
```
### Saved Searches
```python
# List saved searches
for saved in service.saved_searches:
print(saved.name)
# Run a saved search
saved_search = service.saved_searches["My Alert"]
job = saved_search.dispatch()
```
### KV Store Lookups
```python
collection = service.kvstore["threat_intel_iocs"]
# Insert record
collection.data.insert(json.dumps({"ip": "1.2.3.4", "threat": "C2"}))
# Query records
records = collection.data.query(query=json.dumps({"threat": "C2"}))
```
### Key SPL Patterns for Security Analysis
| Pattern | SPL |
|---------|-----|
| Failed logons | `index=windows EventCode=4625 \| stats count by src_ip` |
| Lateral movement | `index=windows EventCode=4624 Logon_Type=3 \| stats dc(host) by src_ip` |
| Process creation | `index=sysmon EventCode=1 \| table _time, Image, CommandLine` |
| C2 beaconing | `index=proxy \| timechart span=1m count by dest_ip` |
| DNS tunneling | `index=dns \| stats count, avg(len(query)) by domain` |
### Splunk REST API Endpoints
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/services/search/jobs` | POST | Create a new search job |
| `/services/search/jobs/{sid}/results` | GET | Retrieve search results |
| `/services/saved/searches` | GET | List saved searches |
| `/services/data/indexes` | GET | List available indexes |
| `/services/authentication/users` | GET | List Splunk users |
### References
- splunk-sdk PyPI: https://pypi.org/project/splunk-sdk/
- Splunk REST API docs: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF
- Splunk SDK for Python: https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/
Reference in New Issue View Git Blame Copy Permalink