creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-14 06:54:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/correlating-threat-campaigns/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.1 KiB
Raw Blame History

Threat Campaign Correlation API Reference

MISP REST API

# Search attributes
curl -X POST "https://misp.example.com/attributes/restSearch" \
  -H "Authorization: YOUR_API_KEY" -H "Content-Type: application/json" \
  -d '{"type": "ip-src", "value": "185.220.101.42"}'

# Search events by tag
curl -X POST "https://misp.example.com/events/restSearch" \
  -H "Authorization: YOUR_API_KEY" -H "Content-Type: application/json" \
  -d '{"tags": ["apt28", "fancy-bear"], "from": "2024-01-01"}'

# Get event with correlations
curl "https://misp.example.com/events/view/1234" \
  -H "Authorization: YOUR_API_KEY" -H "Accept: application/json"

# Add attribute to event
curl -X POST "https://misp.example.com/attributes/add/1234" \
  -H "Authorization: YOUR_API_KEY" -H "Content-Type: application/json" \
  -d '{"type": "ip-dst", "value": "203.0.113.50", "category": "Network activity", "to_ids": true}'

MISP Correlation Engine

Correlation Type Description
Attribute match Same value in multiple events
CIDR overlap IPs in same /24 or /16 subnet
Fuzzy hash (ssdeep) Similar malware samples
Over-correlation Common values excluded (CDN IPs)

OpenCTI GraphQL API

# Query campaign relationships
query {
  campaign(id: "campaign-uuid") {
    name
    first_seen
    last_seen
    objectsOfRelationship(relationship_type: "uses") {
      edges { node { ... on Malware { name } } }
    }
    objectsOfRelationship(relationship_type: "attributed-to") {
      edges { node { ... on IntrusionSet { name aliases } } }
    }
  }
}

STIX 2.1 Campaign Object

{
  "type": "campaign",
  "spec_version": "2.1",
  "id": "campaign--uuid",
  "name": "Operation ShadowStrike",
  "first_seen": "2024-01-15T00:00:00Z",
  "last_seen": "2024-06-30T00:00:00Z",
  "objective": "Data exfiltration from financial sector"
}

STIX Relationship Types

Type Source Target
attributed-to Campaign Threat Actor
uses Intrusion Set Malware / Tool
targets Campaign Identity / Sector
indicates Indicator Malware
related-to Any Any
Reference in New Issue View Git Blame Copy Permalink