creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-threat-intelligence-lifecycle-management/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

198 lines
4.9 KiB
Markdown
Raw Blame History

# API Reference: Threat Intelligence Lifecycle Management
## Libraries Used
| Library | Purpose |
|---------|---------|
| `pymisp` | MISP threat intelligence platform API client |
| `stix2` | Create, parse, and manipulate STIX 2.1 objects |
| `requests` | HTTP client for external TI feed APIs |
| `json` | Parse and serialize intelligence data |
## Installation
```bash
pip install pymisp stix2 requests
```
## Authentication
### MISP Connection
```python
from pymisp import PyMISP
import os
MISP_URL = os.environ["MISP_URL"]
MISP_KEY = os.environ["MISP_API_KEY"]
MISP_VERIFYCERT = os.environ.get("MISP_VERIFY", "True") == "True"
misp = PyMISP(MISP_URL, MISP_KEY, ssl=MISP_VERIFYCERT)
```
## MISP API Operations
### Search for Events
```python
def search_events(tags=None, date_from=None, published=True):
results = misp.search(
controller="events",
tags=tags,
date_from=date_from,
published=published,
limit=100,
)
return results
```
### Create a Threat Intelligence Event
```python
from pymisp import MISPEvent, MISPAttribute
def create_ti_event(info, threat_level=2, analysis=1):
event = MISPEvent()
event.info = info
event.threat_level_id = threat_level # 1=High, 2=Medium, 3=Low, 4=Undefined
event.analysis = analysis # 0=Initial, 1=Ongoing, 2=Completed
event.distribution = 1 # 1=This community
created = misp.add_event(event)
return created
```
### Add Indicators to an Event
```python
def add_indicators(event_id, indicators):
for ioc in indicators:
attr = MISPAttribute()
attr.type = ioc["type"] # "ip-dst", "domain", "sha256", "url"
attr.value = ioc["value"]
attr.category = ioc.get("category", "Network activity")
attr.to_ids = ioc.get("to_ids", True)
attr.comment = ioc.get("comment", "")
misp.add_attribute(event_id, attr)
```
### Search for Specific IOCs
```python
def search_ioc(ioc_type, value):
results = misp.search(
controller="attributes",
type_attribute=ioc_type,
value=value,
)
return results
```
### Tag Management
```python
# Add TLP marking
misp.tag(event_id, "tlp:amber")
# Add threat actor tag
misp.tag(event_id, "mitre-attack-pattern:T1566.001")
# Add custom taxonomy
misp.tag(event_id, "adversary:APT29")
```
## STIX 2.1 Intelligence Objects
### Create STIX Indicator
```python
import stix2
indicator = stix2.Indicator(
name="Cobalt Strike C2 Domain",
pattern="[domain-name:value = 'c2.evil.example.com']",
pattern_type="stix",
valid_from="2025-01-15T00:00:00Z",
labels=["malicious-activity"],
confidence=85,
external_references=[
stix2.ExternalReference(
source_name="Internal IR",
description="Observed during incident IR-2025-001",
)
],
)
```
### Create STIX Threat Actor
```python
threat_actor = stix2.ThreatActor(
name="APT29",
aliases=["Cozy Bear", "The Dukes"],
threat_actor_types=["nation-state"],
roles=["agent"],
sophistication="expert",
resource_level="government",
primary_motivation="espionage",
)
```
### Create Relationships and Bundle
```python
relationship = stix2.Relationship(
relationship_type="indicates",
source_ref=indicator.id,
target_ref=threat_actor.id,
confidence=80,
)
bundle = stix2.Bundle(objects=[indicator, threat_actor, relationship])
```
### Convert MISP Event to STIX
```python
def misp_to_stix(event):
stix_objects = []
for attr in event.get("Attribute", []):
if attr["type"] == "ip-dst":
stix_objects.append(stix2.Indicator(
name=f"Malicious IP: {attr['value']}",
pattern=f"[ipv4-addr:value = '{attr['value']}']",
pattern_type="stix",
valid_from=attr["timestamp"],
))
elif attr["type"] == "domain":
stix_objects.append(stix2.Indicator(
name=f"Malicious Domain: {attr['value']}",
pattern=f"[domain-name:value = '{attr['value']}']",
pattern_type="stix",
valid_from=attr["timestamp"],
))
return stix2.Bundle(objects=stix_objects)
```
## Intelligence Lifecycle Phases
| Phase | MISP Action | STIX Object |
|-------|-------------|-------------|
| Collection | `misp.add_event()` | Bundle |
| Processing | `misp.add_attribute()` | Indicator, ObservedData |
| Analysis | `misp.tag()`, correlations | Relationship, ThreatActor |
| Dissemination | `misp.publish()`, TAXII push | Collection (TAXII) |
| Feedback | `misp.add_sighting()` | Sighting |
## Output Format
```json
{
"lifecycle_phase": "analysis",
"events_processed": 42,
"indicators_created": 156,
"stix_objects": {
"indicators": 120,
"threat_actors": 5,
"malware": 8,
"relationships": 95,
"attack_patterns": 23
},
"tlp_distribution": {
"tlp:white": 30,
"tlp:green": 45,
"tlp:amber": 65,
"tlp:red": 16
}
}
```
Reference in New Issue View Git Blame Copy Permalink