Anthropic-Cybersecurity-Skills/skills/building-incident-response-dashboard/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: Building Incident Response Dashboard

splunk-sdk (splunklib)

import os
import splunklib.client as client
import splunklib.results as results

# Credentials come from the environment, never from source. verify=True makes
# the SDK validate the management port's TLS certificate (the SDK default is
# verify=False); connect() also accepts splunkToken=<authentication token>
# in place of a username/password pair.
service = client.connect(host="localhost", port=8089,
                         username="admin",
                         password=os.environ["SPLUNK_PASSWORD"],
                         verify=True)

# Run a blocking search: create() returns only once the job has finished.
job = service.jobs.create(
    'search index=notable | stats count by urgency',
    earliest_time="-24h", latest_time="now", exec_mode="blocking"
)
# count=0 returns every row (the default page is 100). The reader yields one
# dict per row plus Message objects for warnings/errors raised by the search.
for result in results.JSONResultsReader(job.results(output_mode="json", count=0)):
    if isinstance(result, results.Message):
        print(f"[{result.type}] {result.message}")
    else:
        print(result)   # field values arrive as strings, e.g. {"urgency": "high", "count": "7"}

# Create a saved search (report). A dashboard panel references it by name with
# <search ref="IR_Affected_Systems"/> instead of embedding the SPL.
service.saved_searches.create(
    "IR_Affected_Systems",
    search='search index=notable incident_id="IR-*" '
           '| stats count by dest, urgency | sort - count',
)
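The two places where a dashboard built on this SDK usually goes wrong are the query string (an incident id or time range taken from a form is concatenated straight into SPL) and the results (every value in the JSON output is a string, and a search that failed still returns a well-formed document with an empty results list). The block below is an added example, not code from the page, the skill repository or splunk-sdk: it quotes untrusted values for SPL, whitelists the time modifier, and parses a payload constructed here in the shape of the `output_mode=json` results so it runs without a Splunk instance. The function names and the `incident_id` field are illustrative.

```python
"""Added example (not the page's or splunk-sdk's code): build the per-incident
panel query safely and consume the JSON results the search endpoint returns."""
import json
import re

# Relative time modifiers accepted from a dashboard form, e.g. "-24h" or "now".
_TIME_MOD = re.compile(r"^(now|-\d+[smhdw])$")


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal. Backslashes and
    double quotes are escaped so an incident id typed into a form cannot close
    the literal and append further search commands."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def affected_systems_query(incident_id: str, earliest: str = "-24h") -> str:
    """SPL behind the 'Affected Systems' panel, scoped to one incident.
    The time modifier is validated against a whitelist rather than quoted."""
    if not _TIME_MOD.match(earliest):
        raise ValueError(f"rejected time modifier: {earliest!r}")
    return (
        f"search index=notable incident_id={spl_quote(incident_id)} "
        f"earliest={earliest} "
        "| stats count by dest, urgency | sort - count"
    )


def parse_results(payload: str) -> list:
    """Parse the body returned by job.results(output_mode="json"): one object
    with 'fields', 'results' and 'messages'. An ERROR message means the search
    did not complete; raise instead of rendering an empty panel as 'no data'."""
    doc = json.loads(payload)
    errors = [m["text"] for m in doc.get("messages", []) if m.get("type") == "ERROR"]
    if errors:
        raise RuntimeError("search failed: " + "; ".join(errors))
    return doc.get("results", [])


def rows_to_series(rows, key: str, value: str) -> dict:
    """Turn stats rows into {key: int}. Splunk emits every field value as a
    string in JSON output, so counts are converted before charting."""
    return {row[key]: int(row[value]) for row in rows}


# Constructed payload in the shape of the results endpoint's JSON output.
SAMPLE_RESULTS_JSON = json.dumps({
    "preview": False,
    "init_offset": 0,
    "messages": [],
    "fields": [{"name": "urgency"}, {"name": "count"}],
    "results": [
        {"urgency": "high", "count": "7"},
        {"urgency": "medium", "count": "12"},
        {"urgency": "low", "count": "3"},
    ],
})

if __name__ == "__main__":
    # The injected quote stays inside the literal: incident_id="IR-2024-001\" | delete"
    print(affected_systems_query('IR-2024-001" | delete'))
    print(rows_to_series(parse_results(SAMPLE_RESULTS_JSON), "urgency", "count"))
```

In a live dashboard the same functions sit between the form token and `service.jobs.create()`, and `parse_results()` replaces the `JSONResultsReader` loop when the raw response body is kept for logging.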

Key SPL Patterns for IR Dashboards

In Splunk Enterprise Security the events stored in index=notable do not carry
review state: status_label, owner and disposition are supplied by the
incident_review lookup, which the `notable` macro joins in. On ES, run the
notable searches below through that macro (or your own lookup against
incident_review) rather than against index=notable alone.

--- Incident summary single-value panels (static placeholders for laying out
    the panels; replace with a stats search once the real fields are populated)
| makeresults | eval status="CONTAINMENT", affected=7, contained=5

--- SOC metrics: MTTR by urgency. status_end is not a standard ES field; it
    stands for the epoch time the notable was set to Resolved (the time of the
    matching incident_review entry). Only MTTR is computed here; MTTD is the
    analogous difference between the detection time and the timestamp of the
    underlying activity.
index=notable status_label="Resolved*"
| eval mttr_hours = round((status_end - _time) / 3600, 1)
| stats avg(mttr_hours) AS avg_mttr by urgency

--- Analyst workload (notables per owner over the last 7 days)
index=notable earliest=-7d | stats count by owner | sort - count

--- IOC spread tracking. index=* is shown for brevity: it scans every index
    the user can read, so restrict it to the indexes that can actually see the
    indicator, and feed the values from an IOC lookup via a subsearch instead
    of hardcoding them in the panel.
index=* (src_ip IN ("1.2.3.4") OR dest="evil.com")
| timechart span=1h count by sourcetype

--- Alert disposition (share of each disposition among closed notables;
    eventstats keeps the per-disposition rows while adding the total)
index=notable status_label="Closed*"
| stats count by disposition
| eventstats sum(count) AS total
| eval pct = round(count/total*100, 1)

Dashboard definition (Simple XML)

The panel below is Simple XML, the classic dashboard format, which uses
version="1.1". Dashboard Studio dashboards also have a <dashboard version="2">
root, but their panels are a JSON document inside a <definition> CDATA element
rather than <row>/<panel> children, so the two forms cannot be mixed.

<dashboard version="1.1" theme="dark">
  <label>IR Dashboard</label>
  <row>
    <panel><title>Affected Systems</title>
      <table><search><query>| inputlookup ir_systems.csv</query></search></table>
    </panel>
  </row>
</dashboard>

TheHive API (Case Tracking)

import os
import requests

headers = {"Authorization": f"Bearer {os.environ['THEHIVE_API_KEY']}"}  # per-user key, kept out of source
# List cases, newest first, 50 per page. range/sort are the v0-style parameters
# of TheHive 3/4; TheHive 5 lists cases through POST /api/v1/query instead.
resp = requests.get("https://thehive:9000/api/case",
    headers=headers, params={"range": "0-50", "sort": "-startDate"}, timeout=10)
resp.raise_for_status()
cases = resp.json()  # list of case objects (caseId, title, severity, status, startDate, ...)
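A single page of 50 cases is rarely the whole picture, and the case objects need reshaping before a Splunk panel can read them: startDate is an epoch in milliseconds and severity is an integer. The block below is an added example, not code from the page, the skill repository or TheHive; it pages through the listing and writes the open cases as a CSV with the columns a lookup such as ir_systems.csv would carry. The HTTP call is injected as a function so the logic runs offline against cases constructed here. Assumptions: the v0 paging semantics (range="0-50" returns items 0 to 49, a short page ends the listing), the field names caseId, title, severity, status, startDate and tags as returned by the v0 case JSON, and TheHive's severity scale 1 to 4.

```python
"""Added example (not TheHive's or the skill's code): page through the v0 case
listing and turn open cases into a Splunk lookup CSV for a dashboard panel."""
import csv
import io
from datetime import datetime, timezone
from typing import Callable, Iterator, List

# TheHive severity integers (assumed 1..4 scale).
SEVERITY_LABEL = {1: "low", 2: "medium", 3: "high", 4: "critical"}
LOOKUP_FIELDS = ["case_id", "title", "severity", "status", "opened", "tags"]


def iter_cases(get_page: Callable[[int, int], List[dict]], page_size: int = 50) -> Iterator[dict]:
    """Yield cases across pages. get_page(start, end) performs
    GET /api/case?range=start-end&sort=-startDate and returns the decoded list.
    A page shorter than page_size (including an empty one) ends the walk."""
    start = 0
    while True:
        page = get_page(start, start + page_size)
        yield from page
        if len(page) < page_size:
            return
        start += page_size


def case_to_lookup_row(case: dict) -> dict:
    """Flatten one case object into lookup columns: startDate is epoch
    milliseconds, severity an integer, tags a list."""
    opened = datetime.fromtimestamp(case["startDate"] / 1000, tz=timezone.utc)
    return {
        "case_id": case["caseId"],
        "title": case["title"],
        "severity": SEVERITY_LABEL.get(case.get("severity"), "unknown"),
        "status": case["status"],
        "opened": opened.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "tags": ";".join(case.get("tags", [])),
    }


def open_cases_csv(cases) -> str:
    """CSV text for the lookup: header plus one row per case whose status is
    Open. csv.DictWriter quotes titles containing commas or quotes, so a case
    title cannot break the row layout."""
    rows = [case_to_lookup_row(c) for c in cases if c.get("status") == "Open"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: 120 cases, every third one already Resolved.
SAMPLE_CASES = [
    {
        "caseId": 1000 + i,
        "title": f"Case {i}",
        "severity": 1 + i % 4,
        "status": "Open" if i % 3 else "Resolved",
        "startDate": 1700000000000 + i * 60000,
        "tags": ["ir", f"t{i}"],
    }
    for i in range(120)
]


def fake_get_page(start: int, end: int) -> List[dict]:
    """Stand-in for requests.get(...).json() that slices the constructed list."""
    return SAMPLE_CASES[start:end]


if __name__ == "__main__":
    print(open_cases_csv(iter_cases(fake_get_page, page_size=50)))
```

With a real client, `get_page` wraps the `requests.get` call from the section above (`params={"range": f"{start}-{end}", "sort": "-startDate"}`) and the returned text is uploaded as the lookup the panel reads.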

References