creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 06:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/building-threat-intelligence-feed-integration/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

58 lines
2.1 KiB
Markdown
Raw Blame History

# API Reference: Threat Intelligence Feed Integration Agent
## Overview
Ingests threat intelligence from TAXII 2.1 servers, Abuse.ch URLhaus, and Feodo Tracker. Normalizes all indicators to STIX 2.1 format, deduplicates, and exports as a STIX bundle.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| requests | >=2.28 | HTTP API calls |
| taxii2-client | >=2.3 | TAXII 2.1 server communication |
| stix2 | >=3.0 | STIX 2.1 object creation and serialization |
## CLI Usage
```bash
# Ingest from multiple sources
python agent.py --urlhaus --feodo --output ti_bundle.json
# Ingest from TAXII feed
python agent.py --taxii-url https://taxii.example.com/taxii2/ \
--taxii-collection https://taxii.example.com/taxii2/collections/abc/ \
--taxii-user user --taxii-pass pass
```
## Key Functions
### `ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back)`
Connects to a TAXII 2.1 collection and retrieves indicators added within the specified time window.
### `ingest_urlhaus_feed()`
Fetches recent malicious URLs from the URLhaus API (`https://urlhaus-api.abuse.ch/v1/urls/recent/`).
### `ingest_feodotracker()`
Downloads the Feodo Tracker recommended C2 IP blocklist in JSON format.
### `normalize_to_stix(indicators)`
Converts raw indicators to STIX 2.1 `Indicator` objects with proper patterns for ipv4, domain, url, and sha256 types.
### `deduplicate(indicators)`
Removes duplicate indicators across feeds using SHA-256 hash of `type:value`.
### `export_stix_bundle(stix_objects, output_path)`
Serializes STIX objects into a `Bundle` and writes to a JSON file.
### `push_to_splunk_ti(splunk_url, session_key, indicators)`
Pushes indicators to the Splunk ES threat intelligence framework via REST API.
## External APIs Used
| API | Endpoint | Auth | Purpose |
|-----|----------|------|---------|
| TAXII 2.1 | Configurable | Basic auth | STIX indicator ingestion |
| URLhaus | `https://urlhaus-api.abuse.ch/v1/` | None | Malicious URL feed |
| Feodo Tracker | `https://feodotracker.abuse.ch/downloads/` | None | C2 IP blocklist |
| Splunk REST | `/services/data/threat_intel/item/ip_intel` | Session key | TI push |
Reference in New Issue View Git Blame Copy Permalink