mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
# API Reference: Performing Cloud Native Forensics with Falco

## Falco Rule YAML Structure

```yaml
- rule: Shell Spawned in Container
  desc: Detect shell in container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh)
  output: >
    Shell spawned (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```
## Falco Condition Fields

| Field | Description |
|---|---|
| proc.name | Process name |
| proc.cmdline | Full command line |
| proc.pname | Parent process name |
| user.name | User running process |
| fd.name | File descriptor name/path |
| container.name | Container name |
| container.image.repository | Container image |
| container.privileged | Privileged flag |
| evt.type | Syscall type (execve, open, connect) |
## Falco Priority Levels

`EMERGENCY > ALERT > CRITICAL > ERROR > WARNING > NOTICE > INFO > DEBUG`
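To show how the priority ordering and condition fields above are used when triaging Falco output, here is an added example (not part of the original skill or of Falco itself) that parses newline-delimited Falco JSON events, keeps those at or above a chosen priority, and pulls out the fields named in the table. The sample events are constructed and assume Falco's default JSON output keys (`rule`, `priority`, `output_fields`).

```python
import json

# Falco priority levels from highest to lowest, as listed in this reference.
PRIORITY_ORDER = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
                  "WARNING", "NOTICE", "INFO", "DEBUG"]
PRIORITY_RANK = {name: rank for rank, name in enumerate(PRIORITY_ORDER)}

# Constructed sample of Falco JSON output (json_output=true); not a real capture.
# The last line is deliberate noise to exercise the parser's error handling.
SAMPLE_EVENTS = """\
{"output":"Shell spawned","priority":"Warning","rule":"Shell Spawned in Container","time":"2024-01-01T00:00:00Z","output_fields":{"user.name":"root","proc.cmdline":"bash -i","container.name":"web","container.image.repository":"nginx"},"tags":["container","shell","mitre_execution"]}
{"output":"Sensitive file read","priority":"Notice","rule":"Read sensitive file","time":"2024-01-01T00:00:01Z","output_fields":{"user.name":"app","fd.name":"/etc/shadow","container.name":"web"}}
{"output":"Privileged container","priority":"Critical","rule":"Launch Privileged Container","time":"2024-01-01T00:00:02Z","output_fields":{"container.name":"dbg","container.privileged":true}}
not json at all
"""


def parse_events(text):
    """Parse one Falco JSON event per line; skip blank, non-JSON or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. stderr noise mixed into the stream
        if isinstance(evt, dict) and "priority" in evt and "rule" in evt:
            events.append(evt)
    return events


def at_or_above(events, threshold):
    """Return events whose priority is at least `threshold` (e.g. "WARNING")."""
    limit = PRIORITY_RANK[threshold.upper()]
    unknown = len(PRIORITY_ORDER)  # unknown priorities sort below DEBUG
    return [e for e in events
            if PRIORITY_RANK.get(str(e["priority"]).upper(), unknown) <= limit]


def summarize(event):
    """Extract the forensic fields from output_fields into a flat record."""
    f = event.get("output_fields", {})
    return {
        "rule": event["rule"],
        "priority": str(event["priority"]).upper(),
        "container": f.get("container.name"),
        "image": f.get("container.image.repository"),
        "user": f.get("user.name"),
        "process": f.get("proc.cmdline") or f.get("proc.name"),
        "privileged": bool(f.get("container.privileged", False)),
    }
```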
## Falco HTTP API

```python
import requests

# Health check
requests.get("http://localhost:8765/healthz")

# Version
requests.get("http://localhost:8765/version")
```
## Helm Deployment

```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --set driver.kind=ebpf \
  --set falcosidekick.enabled=true
```
## References
- Falco: https://falco.org/docs/
- Falco rules: https://github.com/falcosecurity/rules
- Falcosidekick: https://github.com/falcosecurity/falcosidekick