Anthropic-Cybersecurity-Skills/skills/building-threat-intelligence-feed-integration/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

API Reference: Threat Intelligence Feed Integration Agent

Overview

Ingests threat intelligence from TAXII 2.1 servers, abuse.ch URLhaus, and abuse.ch Feodo Tracker. Normalizes every indicator to a STIX 2.1 Indicator object, deduplicates across feeds, and exports the result as a STIX 2.1 bundle.

Dependencies

| Package | Version | Purpose |
|---|---|---|
| requests | >=2.28 | HTTP API calls |
| taxii2-client | >=2.3 | TAXII 2.1 server communication |
| stix2 | >=3.0 | STIX 2.1 object creation and serialization |

CLI Usage

```bash
# Ingest from multiple sources
python agent.py --urlhaus --feodo --output ti_bundle.json

# Ingest from a TAXII 2.1 feed
python agent.py --taxii-url https://taxii.example.com/taxii2/ \
  --taxii-collection https://taxii.example.com/taxii2/collections/abc/ \
  --taxii-user user --taxii-pass pass
```

Passing `--taxii-pass` on the command line exposes the password to every local user through the process list (`ps`) and leaves it in shell history; prefer supplying it through an environment variable or a prompt.

Key Functions

ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back)

Connects to a TAXII 2.1 collection with HTTP Basic auth and retrieves the Indicator objects added within the last `hours_back` hours, using the collection's `added_after` filter. TAXII 2.1 responses are paged: when the envelope carries `"more": true`, the `next` cursor must be followed, otherwise indicators are silently dropped.
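The following is an added example (not the agent's own code) of the TAXII 2.1 ingest described above. It builds the `added_after` timestamp the way TAXII 2.1 expects, keeps only live Indicator objects from the response envelope, and reads credentials from the environment instead of the command line. The `taxii2client.v21.Collection` usage is assumed from the taxii2-client library; the helper names, the `TAXII_USER`/`TAXII_PASS` variable names and the single-page fetch are this example's own choices, and the test envelope is constructed.

```python
import os
from datetime import datetime, timedelta, timezone


def added_after_timestamp(hours_back, now_epoch=None):
    """RFC 3339 UTC timestamp for the TAXII 2.1 added_after filter.

    TAXII 2.1 timestamps are UTC with a 'Z' suffix and sub-second precision;
    a local-time or offset-bearing string is rejected by most servers.
    now_epoch (Unix seconds) defaults to the current time; it exists so the
    cutoff is reproducible.
    """
    if now_epoch is not None:
        now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    else:
        now = datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=hours_back)
    return cutoff.strftime("%Y-%m-%dT%H:%M:%S.") + f"{cutoff.microsecond // 1000:03d}Z"


def select_indicators(envelope):
    """Keep live STIX Indicator objects from a TAXII envelope ({"objects": [...]}).

    Collections mix malware, report and relationship objects with indicators,
    and a revoked indicator must never reach a blocklist.
    """
    return [obj for obj in envelope.get("objects", [])
            if obj.get("type") == "indicator" and not obj.get("revoked", False)]


def ingest_taxii_feed(collection_url, username=None, password=None, hours_back=24):
    """Fetch one page of indicators added to the collection in the last hours_back hours.

    Returns (indicators, more): when more is True the server truncated the
    response and the caller should page on with the envelope's "next" cursor.
    """
    # Imported here so the pure helpers above stay importable without the
    # dependency; this function needs taxii2-client>=2.3 and network access.
    from taxii2client.v21 import Collection

    # Credentials fall back to the environment rather than argv (assumed
    # variable names): argv is visible via ps and lands in shell history.
    username = username or os.environ.get("TAXII_USER")
    password = password or os.environ.get("TAXII_PASS")
    collection = Collection(collection_url, user=username, password=password)
    envelope = collection.get_objects(added_after=added_after_timestamp(hours_back))
    return select_indicators(envelope), bool(envelope.get("more"))
```

Call `ingest_taxii_feed(collection_url, hours_back=24)` with `TAXII_USER` and `TAXII_PASS` exported; if the second return value is `True`, repeat the request with the envelope's `next` value until it is `False`.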

ingest_urlhaus_feed()

Fetches recent malicious URLs from the URLhaus API (https://urlhaus-api.abuse.ch/v1/urls/recent/).

ingest_feodotracker()

Downloads the Feodo Tracker recommended C2 IP blocklist in JSON format (`ipblocklist_recommended.json` under https://feodotracker.abuse.ch/downloads/). Each record carries the C2 IP, port, status and malware family; deduplicating on IP alone collapses a C2 that listens on several ports into one indicator.

normalize_to_stix(indicators)

Converts raw indicators to STIX 2.1 Indicator objects with `pattern_type` set to `stix` and a pattern matching the indicator type: `[ipv4-addr:value = '…']`, `[domain-name:value = '…']`, `[url:value = '…']`, and `[file:hashes.'SHA-256' = '…']` (the hash key must be quoted). Values are single-quoted STIX string literals, so an embedded quote or backslash has to be escaped.

deduplicate(indicators)

Removes duplicate indicators across feeds using the SHA-256 hash of `type:value`. The value should be canonicalized before hashing (lower-cased domains and hashes, trailing dots and stray ports stripped), otherwise the same indicator spelled two ways by two feeds survives deduplication.

export_stix_bundle(stix_objects, output_path)

Serializes the STIX objects into a STIX 2.1 Bundle and writes it to a JSON file. In STIX 2.1 the bundle itself carries no `spec_version`; each contained object does.
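An added example, not the agent's code, that walks the normalize/deduplicate/export path above end to end using only the standard library, so it runs offline. The sample records are constructed and shaped like URLhaus `/v1/urls/recent/` JSON and the Feodo Tracker recommended blocklist JSON (field names assumed from those feeds); the function names mirror the reference but the signatures and the `canonical_value` and `stix_escape` helpers are this example's own. It deliberately includes an exact duplicate URL, one C2 IP on two ports, a domain spelled two ways, and a junk IP to show what deduplication and validation must catch.

```python
import hashlib
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 patterns for the four types the agent handles; the SHA-256 hash
# key must itself be quoted inside the pattern.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Constructed sample feed records (field names assumed from the real feeds).
URLHAUS_SAMPLE = {"query_status": "ok", "urls": [
    {"url": "http://198.51.100.23/bin/loader.exe", "url_status": "online",
     "threat": "malware_download", "tags": ["exe", "Loader"]},
    {"url": "http://198.51.100.23/bin/loader.exe", "url_status": "online",
     "threat": "malware_download", "tags": ["exe"]},          # exact duplicate
]}
FEODO_SAMPLE = [
    {"ip_address": "203.0.113.7", "port": 443, "status": "online", "malware": "QakBot"},
    {"ip_address": "203.0.113.7", "port": 8443, "status": "online", "malware": "QakBot"},
    {"ip_address": "not-an-ip", "port": 443, "status": "online", "malware": "QakBot"},
]
MANUAL_SAMPLE = [  # one domain spelled two ways: must collapse to one indicator
    {"type": "domain", "value": "Evil.Example.", "source": "manual"},
    {"type": "domain", "value": "evil.example", "source": "manual"},
]

def parse_urlhaus(payload):
    return [{"type": "url", "value": r["url"], "source": "urlhaus",
             "description": " ".join([r.get("threat", "")] + (r.get("tags") or []))}
            for r in payload.get("urls", [])]

def parse_feodo(records):
    return [{"type": "ipv4", "value": r["ip_address"], "source": "feodotracker",
             "description": f"{r.get('malware', '')} C2 on port {r.get('port', '?')}"}
            for r in records]

def canonical_value(itype, value):
    """Normalize before hashing; URL paths are case-sensitive and stay as-is."""
    value = value.strip()
    if itype in ("domain", "sha256"):
        value = value.lower().rstrip(".")
    elif itype == "ipv4":
        value = value.split(":")[0]                            # drop a stray port
    return value

def stix_escape(value):
    """STIX string literals are single-quoted; backslash and quote are escaped."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def dedup_key(itype, value):
    return hashlib.sha256(f"{itype}:{canonical_value(itype, value)}".encode()).hexdigest()

def deduplicate(indicators):
    seen, unique = set(), []
    for ind in indicators:
        key = dedup_key(ind["type"], ind["value"])
        if key not in seen:
            seen.add(key)
            unique.append(ind)
    return unique

def normalize_to_stix(indicators, now=None):
    """Build STIX 2.1 Indicator dicts; unsupported types and junk IPs are skipped."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    out = []
    for ind in indicators:
        itype, value = ind["type"], canonical_value(ind["type"], ind["value"])
        if itype not in PATTERNS:
            continue
        if itype == "ipv4":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                continue                   # feeds do contain junk; never emit it
        out.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts,
            "name": f"{ind['source']}: {value}",
            "description": ind.get("description", ""),
            "indicator_types": ["malicious-activity"],
            "pattern": PATTERNS[itype].format(v=stix_escape(value)),
            "pattern_type": "stix",
        })
    return out

def export_stix_bundle(stix_objects, output_path=None):
    """STIX 2.1 bundles carry no spec_version; only the objects do."""
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": stix_objects}
    if output_path:
        with open(output_path, "w", encoding="utf-8") as fh:
            json.dump(bundle, fh, indent=2)
    return bundle

def build_sample_bundle(output_path=None):
    raw = parse_urlhaus(URLHAUS_SAMPLE) + parse_feodo(FEODO_SAMPLE) + MANUAL_SAMPLE
    return export_stix_bundle(normalize_to_stix(deduplicate(raw)), output_path)
```

`build_sample_bundle("ti_bundle.json")` writes a bundle with three indicators from the seven sample records. Deduplicating on `type:value` means the 8443 listener of the QakBot C2 is dropped; if port granularity matters, key on `ip:port` (or emit a `network-traffic` pattern) instead.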

push_to_splunk_ti(splunk_url, session_key, indicators)

Pushes indicators to the Splunk Enterprise Security threat intelligence framework via its REST API, authenticating with an `Authorization: Splunk <session_key>` header. The `ip_intel` collection accepts IP indicators only; other types go to their own threat intel collections.

External APIs Used

| API | Endpoint | Auth | Purpose |
|---|---|---|---|
| TAXII 2.1 | Configurable | Basic auth | STIX indicator ingestion |
| URLhaus | https://urlhaus-api.abuse.ch/v1/ | None at the time of writing; abuse.ch now issues `Auth-Key` credentials for its APIs, so verify the current requirement before deploying | Malicious URL feed |
| Feodo Tracker | https://feodotracker.abuse.ch/downloads/ | None | C2 IP blocklist |
| Splunk REST | /services/data/threat_intel/item/ip_intel | Session key (`Authorization: Splunk <key>`) | TI push |