- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
API Reference: STIX/TAXII Threat Intelligence Feed Integration
Libraries Used
| Library | Purpose |
|---|---|
| taxii2-client | TAXII 2.0/2.1 client for fetching CTI collections |
| stix2 | Parse and create STIX 2.1 objects (indicators, malware, etc.) |
| requests | HTTP fallback for custom TAXII endpoints |
| json | Serialize and filter STIX bundles |
Installation
pip install taxii2-client stix2 requests
Authentication
TAXII Server with HTTP Basic Auth
from taxii2client.v21 import Server, Collection
import os

# Discovery URL of the TAXII server, e.g. "https://cti-taxii.mitre.org/taxii2/".
# Read with [] rather than .get() so a missing TAXII_URL fails fast with KeyError
# instead of silently pointing the client at nothing.
TAXII_URL = os.environ["TAXII_URL"]

# Credentials are optional: both fall back to None when the variables are unset.
_taxii_user = os.environ.get("TAXII_USER")
_taxii_pass = os.environ.get("TAXII_PASS")

# Server handle for discovery; HTTP Basic credentials are passed through as-is.
server = Server(TAXII_URL, user=_taxii_user, password=_taxii_pass)
TAXII Server with API Key (Bearer token header)
from taxii2client.v21 import Server as Server21

# Token-based auth: the token is sent as an Authorization: Bearer header.
# TAXII_TOKEN is read with [] so an unset token raises KeyError rather than
# producing an unauthenticated client.
_auth_headers = {"Authorization": "Bearer " + os.environ["TAXII_TOKEN"]}

server = Server21(url=TAXII_URL, headers=_auth_headers)
TAXII 2.1 Endpoints
| Endpoint | Description |
|---|---|
| GET /taxii2/ | Server discovery — returns API roots |
| GET /{api-root}/ | API root information |
| GET /{api-root}/collections/ | List available collections |
| GET /{api-root}/collections/{id}/ | Get collection details |
| GET /{api-root}/collections/{id}/objects/ | Get STIX objects from collection |
| GET /{api-root}/collections/{id}/manifest/ | Object manifest (metadata only) |
| POST /{api-root}/collections/{id}/objects/ | Add objects to a collection |
| GET /{api-root}/status/{id}/ | Check status of a POST operation |
Core Operations
Discover Collections
# Walk every API root the server advertises and print each collection it
# exposes together with its read/write permission flags.
for root in server.api_roots:
    print(f"API Root: {root.title}")
    for coll in root.collections:
        print(f" Collection: {coll.title} ({coll.id})")
        print(f" Can read: {coll.can_read}, Can write: {coll.can_write}")
Fetch STIX Objects from a Collection
from taxii2client.v21 import Collection
from datetime import datetime

# Bind to one collection by id. collection_id is assumed to come from the
# discovery step above (root.collections); it is not defined in this snippet.
# Credentials default to None when the environment variables are unset.
collection = Collection(
    f"{TAXII_URL}collections/{collection_id}/",
    user=os.environ.get("TAXII_USER"),
    password=os.environ.get("TAXII_PASS"),
)

# Everything the collection offers, with no server-side filter.
stix_bundle = collection.get_objects()

# Only objects whose STIX type is "indicator".
indicators = collection.get_objects(type=["indicator"])

# Only objects added after the cutoff, in the %Y-%m-%dT%H:%M:%SZ form used
# throughout this reference.
_cutoff = datetime(2025, 1, 1).strftime("%Y-%m-%dT%H:%M:%SZ")
recent = collection.get_objects(added_after=_cutoff)
Parse STIX Objects
import stix2

# allow_custom=True lets objects carrying non-standard properties parse
# instead of failing the whole bundle.
bundle = stix2.parse(stix_bundle, allow_custom=True)

# Print a one-line summary per object for the three types this reference cares about;
# any other STIX type is silently skipped.
for sdo in bundle.objects:
    kind = sdo.type
    if kind == "indicator":
        print(f"Indicator: {sdo.name}")
        print(f" Pattern: {sdo.pattern}")
        # valid_until is optional in STIX, hence the getattr fallback.
        print(f" Valid: {sdo.valid_from} — {getattr(sdo, 'valid_until', 'N/A')}")
    elif kind == "malware":
        print(f"Malware: {sdo.name} — {sdo.malware_types}")
    elif kind == "attack-pattern":
        print(f"TTP: {sdo.name}")
Extract IOCs from STIX Indicators
import re
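# One compiled regex per IOC category, keyed by the name used in the result dict.
# STIX 2.1 pattern syntax quotes property names that contain a hyphen
# (file:hashes.'SHA-256') while plain names may be unquoted (file:hashes.MD5),
# so the optional '? accepts both spellings. Each value class is a single
# negated character class, so matching is linear in the pattern length.
_IOC_PATTERNS = {
    "ipv4": re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'"),
    "domain": re.compile(r"domain-name:value\s*=\s*'([^']+)'"),
    "url": re.compile(r"url:value\s*=\s*'([^']+)'"),
    "sha256": re.compile(r"file:hashes\.'?SHA-256'?\s*=\s*'([^']+)'"),
    "md5": re.compile(r"file:hashes\.'?MD5'?\s*=\s*'([^']+)'"),
}


def extract_iocs(stix_objects):
    """Pull atomic indicators out of the patterns of STIX indicator objects.

    Args:
        stix_objects: iterable of dict-like STIX objects (anything exposing
            ``.get``). Objects whose ``type`` is not ``"indicator"`` are
            skipped; ``None`` is treated as an empty iterable.

    Returns:
        dict with the keys ``ipv4``, ``domain``, ``url``, ``sha256`` and ``md5``,
        each a list of the literal comparison values found, in pattern order.
        Duplicates are kept so callers can count sightings. Previously the
        ``url`` and ``md5`` lists were declared but never populated.

    Note:
        The values are copied verbatim from feed content. Treat them as
        untrusted strings to match against logs, not as validated addresses,
        hostnames or hashes.
    """
    iocs = {key: [] for key in _IOC_PATTERNS}
    for obj in stix_objects or ():
        if obj.get("type") != "indicator":
            continue
        # A missing or null pattern yields nothing rather than a TypeError.
        pattern = obj.get("pattern") or ""
        for key, regex in _IOC_PATTERNS.items():
            iocs[key].extend(regex.findall(pattern))
    return iocs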
Create and Push STIX Objects
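from datetime import datetime, timezone

# STIX timestamps are UTC ("Z" suffix). A naive datetime.now() is local
# wall-clock time, so formatting it with a literal "Z" would mislabel the
# time by the host's UTC offset; read the UTC clock explicitly instead.
_now_utc = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

indicator = stix2.Indicator(
    name="Malicious IP",
    pattern="[ipv4-addr:value = '198.51.100.42']",  # documentation-range example address
    pattern_type="stix",
    valid_from=_now_utc,
    labels=["malicious-activity"],
)

# Wrap in a bundle and push to the collection opened above; presumably the
# collection must report can_write for this to succeed — confirm against the server.
bundle = stix2.Bundle(objects=[indicator])
collection.add_objects(bundle.serialize())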
Public TAXII Feeds
| Provider | URL | Content |
|---|---|---|
| MITRE ATT&CK | https://cti-taxii.mitre.org/taxii2/ | ATT&CK Enterprise, Mobile, ICS |
| AlienVault OTX | OTX API + STIX export | Community threat intel |
| Anomali STAXX | STAXX TAXII endpoint | Curated threat feeds |
Output Format
{
"type": "bundle",
"id": "bundle--a1b2c3d4",
"objects": [
{
"type": "indicator",
"id": "indicator--e5f6a7b8",
"created": "2025-01-15T10:30:00Z",
"name": "Malicious C2 IP",
"pattern": "[ipv4-addr:value = '198.51.100.42']",
"pattern_type": "stix",
"valid_from": "2025-01-15T10:30:00Z",
"labels": ["malicious-activity"]
}
]
}