mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-06 07:48:57 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
2.5 KiB
2.5 KiB
name, description, domain, subdomain, tags, version, author, license, nist_csf
| name | description | domain | subdomain | tags | version | author | license | nist_csf | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| detecting-beaconing-patterns-with-zeek | Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic connections with low jitter. Use when hunting for command-and-control callbacks in network data. | cybersecurity | security-operations |
|
1.0 | mahipal | Apache-2.0 |
|
Detecting Beaconing Patterns with Zeek
When to Use
- When investigating security incidents that require detecting beaconing patterns with zeek
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by source/destination pairs, and compute timing statistics to identify beaconing.
from zat.log_to_dataframe import LogToDataFrame
import numpy as np
log_to_df = LogToDataFrame()
conn_df = log_to_df.create_dataframe('/path/to/conn.log')
# Group by src/dst pair and calculate inter-arrival time
for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']):
times = group['ts'].sort_values()
intervals = times.diff().dt.total_seconds().dropna()
if len(intervals) > 10:
std_dev = np.std(intervals)
mean_interval = np.mean(intervals)
# Low std_dev relative to mean = likely beaconing
Key analysis steps:
- Parse Zeek conn.log into DataFrame with ZAT LogToDataFrame
- Group connections by source IP and destination IP pairs
- Calculate inter-arrival time intervals between consecutive connections
- Compute standard deviation and coefficient of variation
- Flag pairs with low coefficient of variation as potential beacons
Examples
from zat.log_to_dataframe import LogToDataFrame
log_to_df = LogToDataFrame()
df = log_to_df.create_dataframe('conn.log')
print(df[['id.orig_h', 'id.resp_h', 'ts', 'duration']].head())