mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-16 07:53:18 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.3 KiB
# API Reference: Implementing OT Network Traffic Analysis with Nozomi

## Nozomi Guardian REST API

| Endpoint | Method | Description |
|---|---|---|
| /api/v1/alerts | GET | Retrieve security alerts |
| /api/v1/assets | GET | Get discovered asset inventory |
| /api/v1/nodes | GET | Get network nodes |
| /api/v1/links | GET | Get network links/connections |
| /api/v1/sessions | GET | Get active network sessions |
| /api/v1/queries | POST | Execute N2OS query |
| /api/v1/health | GET | Sensor health status |
## Authentication

```bash
# Bearer token (Guardian sensor)
# -k disables TLS certificate verification; acceptable only for a lab sensor
# with a self-signed certificate, not for a production deployment
curl -s -k -H "Authorization: Bearer <token>" https://guardian/api/v1/assets

# API key (Vantage cloud console)
curl -s -H "X-Api-Key: <key>" https://vantage.nozominetworks.com/api/v1/assets
```
## N2OS Query Language

```text
-- Find all PLCs (query the asset inventory; the alerts table has no asset type field)
assets | where type == plc
-- Find new connections in last 24h
sessions | where first_seen > ago(24h) | sort by bytes desc
-- Find Modbus traffic
sessions | where protocol == modbus | select src_ip, dst_ip, function_code
```
## Supported OT Protocols

| Protocol | Detection | DPI Support |
|---|---|---|
| Modbus/TCP | Full | Function code analysis |
| S7comm | Full | Block read/write detection |
| EtherNet/IP (CIP) | Full | Service code inspection |
| DNP3 | Full | Object group parsing |
| OPC UA | Full | Service/node inspection |
| BACnet | Full | Object/property analysis |
| PROFINET | Full | Cyclic/acyclic detection |
| IEC 60870-5-104 | Full | ASDU type parsing |
## Alert Risk Levels

| Level | Score Range | Response |
|---|---|---|
| Critical | 9.0 - 10.0 | Immediate investigation |
| High | 7.0 - 8.9 | Investigate within 4 hours |
| Medium | 4.0 - 6.9 | Investigate within 24 hours |
| Low | 0.1 - 3.9 | Review during next shift |
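An added example (not part of this skill's scripts or Nozomi's own documentation) that builds the Bearer-token request for `/api/v1/alerts` shown under Authentication and maps each alert's risk score to the response band in the table above. The JSON field names (`risk`, `name`, `protocol`) and the sample alerts are constructed assumptions, not the documented Nozomi response schema.

```python
import json
import urllib.request

# Risk-level bands taken from the "Alert Risk Levels" table: (floor, level, response).
RISK_LEVELS = [
    (9.0, "Critical", "Immediate investigation"),
    (7.0, "High", "Investigate within 4 hours"),
    (4.0, "Medium", "Investigate within 24 hours"),
    (0.1, "Low", "Review during next shift"),
]


def classify_risk(score):
    """Map a numeric alert risk score (0-10) to (level, response) using the table bands."""
    for floor, level, response in RISK_LEVELS:
        if score >= floor:
            return level, response
    return "Informational", "No action required"  # below 0.1; label is an assumption


def build_alerts_request(base_url, token):
    """Build GET /api/v1/alerts with the Bearer header shown in the Authentication section.
    TLS verification is left at urllib's default (on), unlike the curl -k example."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/alerts")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def triage(alerts):
    """Group alerts by risk level, highest band first, with the expected response."""
    buckets = {}
    for alert in alerts:
        level, response = classify_risk(float(alert.get("risk", 0)))
        buckets.setdefault(level, {"response": response, "alerts": []})
        buckets[level]["alerts"].append(alert)
    order = [level for _, level, _ in RISK_LEVELS] + ["Informational"]
    return {level: buckets[level] for level in order if level in buckets}


# Constructed sample alert list standing in for a live /api/v1/alerts response.
SAMPLE_ALERTS = json.loads("""[
  {"id": "a1", "name": "Modbus write to PLC", "protocol": "modbus", "risk": 9.3},
  {"id": "a2", "name": "New node detected", "protocol": "s7comm", "risk": 4.5},
  {"id": "a3", "name": "S7 block upload", "protocol": "s7comm", "risk": 7.0},
  {"id": "a4", "name": "Minor protocol anomaly", "protocol": "dnp3", "risk": 0.5}
]""")

if __name__ == "__main__":
    for level, entry in triage(SAMPLE_ALERTS).items():
        ids = ", ".join(a["id"] for a in entry["alerts"])
        print(f"{level:8} -> {entry['response']}: {ids}")
```

To run against a real sensor, pass `build_alerts_request(...)` to `urllib.request.urlopen` and feed the decoded JSON list to `triage`.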
## Sensor Deployment

| Mode | Use Case |
|---|---|
| SPAN/Mirror | Switch mirror port monitoring |
| TAP | Network TAP for full-duplex capture |
| Smart Polling | Active query for asset enrichment |
## References

- Nozomi Guardian API Docs: https://www.nozominetworks.com/resources/
- IEC 62443-3-3: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
- NIST SP 800-82 Rev 3: https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final