creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-cloud-native-forensics-with-falco/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

60 lines
1.5 KiB
Markdown
Raw Blame History

# API Reference: Performing Cloud Native Forensics with Falco
## Falco Rule YAML Structure
```yaml
- rule: Shell Spawned in Container
desc: Detect shell in container
condition: >
spawned_process and container
and proc.name in (bash, sh, zsh)
output: >
Shell spawned (user=%user.name command=%proc.cmdline
container=%container.name image=%container.image.repository)
priority: WARNING
tags: [container, shell, mitre_execution]
```
## Falco Condition Fields
| Field | Description |
|-------|-------------|
| `proc.name` | Process name |
| `proc.cmdline` | Full command line |
| `proc.pname` | Parent process name |
| `user.name` | User running process |
| `fd.name` | File descriptor name/path |
| `container.name` | Container name |
| `container.image.repository` | Container image |
| `container.privileged` | Privileged flag |
| `evt.type` | Syscall type (execve, open, connect) |
## Falco Priority Levels
`EMERGENCY > ALERT > CRITICAL > ERROR > WARNING > NOTICE > INFO > DEBUG`
## Falco HTTP API
```python
import requests
# Health check
requests.get("http://localhost:8765/healthz")
# Version
requests.get("http://localhost:8765/version")
```
## Helm Deployment
```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
--set driver.kind=ebpf \
--set falcosidekick.enabled=true
```
### References
- Falco: https://falco.org/docs/
- Falco rules: https://github.com/falcosecurity/rules
- Falcosidekick: https://github.com/falcosecurity/falcosidekick
Reference in New Issue View Git Blame Copy Permalink