mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Reference: Implementing OT Network Traffic Analysis with Nozomi
## Nozomi Guardian REST API
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/v1/alerts` | GET | Retrieve security alerts |
| `/api/v1/assets` | GET | Get discovered asset inventory |
| `/api/v1/nodes` | GET | Get network nodes |
| `/api/v1/links` | GET | Get network links/connections |
| `/api/v1/sessions` | GET | Get active network sessions |
| `/api/v1/queries` | POST | Execute N2OS query |
| `/api/v1/health` | GET | Sensor health status |
## Authentication
```bash
# Bearer token (on-premises Guardian sensor)
# -k disables certificate verification; prefer --cacert <sensor-ca.pem>
# so a spoofed sensor endpoint cannot capture the token.
curl -s -k -H "Authorization: Bearer <token>" https://guardian/api/v1/assets
# API key (Vantage, cloud-hosted; public CA, so no -k needed)
curl -s -H "X-Api-Key: <key>" https://vantage.nozominetworks.com/api/v1/assets
```
## N2OS Query Language
```sql
-- Find all PLCs (asset/node inventory, not the alerts table)
nodes | where type == plc
-- Find new connections in last 24h
sessions | where first_seen > ago(24h) | sort by bytes desc
-- Find Modbus traffic
sessions | where protocol == modbus | select src_ip, dst_ip, function_code
```
## Supported OT Protocols
| Protocol | Detection | DPI Support |
|----------|-----------|-------------|
| Modbus/TCP | Full | Function code analysis |
| S7comm | Full | Block read/write detection |
| EtherNet/IP (CIP) | Full | Service code inspection |
| DNP3 | Full | Object group parsing |
| OPC UA | Full | Service/node inspection |
| BACnet | Full | Object/property analysis |
| PROFINET | Full | Cyclic/acyclic detection |
| IEC 60870-5-104 | Full | ASDU type parsing |
## Alert Risk Levels
| Level | Score Range | Response |
|-------|-------------|----------|
| Critical | 9.0 - 10.0 | Immediate investigation |
| High | 7.0 - 8.9 | Investigate within 4 hours |
| Medium | 4.0 - 6.9 | Investigate within 24 hours |
| Low | 0.1 - 3.9 | Review during next shift |
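The following is an added example, not code from the original skill or from Nozomi Networks: it ties the Authentication section to the Alert Risk Levels table by building the two header styles shown above, fetching `/api/v1/alerts` with certificate verification instead of curl's `-k`, and turning each alert's score into a response deadline. It assumes (these are not documented on this page) that the alerts endpoint returns a JSON list of objects with `id`, `name` and a numeric `risk` field, and that "next shift" means eight hours. The network call is kept separate so the triage logic runs offline against constructed sample alerts.

```python
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

# Risk tiers from the "Alert Risk Levels" table: lower bound of the score
# range, level name, response window. "Review during next shift" has no fixed
# duration on the page; an 8-hour shift is assumed here.
RISK_TIERS = (
    (9.0, "Critical", timedelta(0)),
    (7.0, "High", timedelta(hours=4)),
    (4.0, "Medium", timedelta(hours=24)),
    (0.1, "Low", timedelta(hours=8)),
)


def auth_headers(platform: str, secret: str) -> dict:
    """Headers for the two authentication styles shown in the curl examples."""
    if platform == "guardian":
        return {"Authorization": f"Bearer {secret}"}
    if platform == "vantage":
        return {"X-Api-Key": secret}
    raise ValueError(f"unknown platform: {platform}")


def classify(score: float):
    """Map a risk score to (level, response window) per the table."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"risk score out of range: {score}")
    for lower_bound, level, window in RISK_TIERS:
        if score >= lower_bound:
            return level, window
    return "Informational", None  # 0.0 sits below the Low range


def fetch_alerts(base_url: str, headers: dict, cafile: str) -> list:
    """GET /api/v1/alerts, verifying the sensor certificate against cafile.

    This is the replacement for curl -k: pin the appliance CA rather than
    disabling verification. It performs a network call and is not used by
    the offline demo below.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"{base_url}/api/v1/alerts", headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def triage(alerts: list, now: datetime) -> list:
    """Attach level and deadline to each alert; most urgent first."""
    queue = []
    for alert in alerts:
        risk = float(alert["risk"])
        level, window = classify(risk)
        if window is None:
            continue  # informational: no response commitment in the table
        queue.append({
            "id": alert["id"],
            "name": alert["name"],
            "risk": risk,
            "level": level,
            "deadline": now + window,
        })
    # Earliest deadline first; ties broken by higher score.
    queue.sort(key=lambda a: (a["deadline"], -a["risk"]))
    return queue


# Constructed sample alerts (not real Guardian output), shaped per the
# assumed response format; scores chosen to hit the table's boundaries.
SAMPLE_ALERTS = json.loads("""[
  {"id": "a1", "name": "New Modbus write to PLC-01", "risk": 9.0},
  {"id": "a2", "name": "Unknown node on OT VLAN", "risk": 8.9},
  {"id": "a3", "name": "S7 stop command observed", "risk": 7.0},
  {"id": "a4", "name": "Firmware version change", "risk": 4.5},
  {"id": "a5", "name": "DNS query from HMI", "risk": 0.1},
  {"id": "a6", "name": "Asset seen (baseline)", "risk": 0.0}
]""")

# Fixed "now" so the demo output and deadlines are reproducible.
DEMO_TIME = datetime(2026, 3, 11, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS, DEMO_TIME):
        print(f"{item['level']:<9} {item['risk']:>4} "
              f"due {item['deadline']:%m-%d %H:%M} {item['name']}")
```

The boundary scores in the sample (9.0, 8.9, 7.0, 0.1, 0.0) are there on purpose: a triage routine that uses `>` instead of `>=` silently demotes every alert sitting exactly on a tier boundary, and a score of 0.0 falls outside all four ranges and must be handled explicitly rather than crashing or being treated as Low.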
## Sensor Deployment
| Mode | Use Case |
|------|----------|
| SPAN/Mirror | Switch mirror port monitoring |
| TAP | Network TAP for full-duplex capture |
| Smart Polling | Active query for asset enrichment |
## References
- Nozomi Guardian API Docs: https://www.nozominetworks.com/resources/
- IEC 62443-3-3: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
- NIST SP 800-82 Rev 3: https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final