mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
70 lines
2.1 KiB
Markdown
# API Reference: Triaging Security Alerts in Splunk

## splunklib (Splunk SDK for Python)

### Installation

```bash
pip install splunk-sdk
```

### Connection

```python
import splunklib.client as client

# Connect to the Splunk management port (8089 by default).
# In practice use a dedicated, least-privilege service account rather than admin.
service = client.connect(host="localhost", port=8089,
                         username="admin", password="password")
```

### Running Searches

```python
import splunklib.results as results

# Placeholder SPL; the `notable` macro requires Splunk Enterprise Security
query = "search `notable` | head 10"

# Blocking search (the call returns once the job has finished)
job = service.jobs.create(query, exec_mode="blocking")

# Parse results; the reader also yields Message objects, so keep only dicts
for result in results.JSONResultsReader(job.results(output_mode="json")):
    if isinstance(result, dict):
        print(result)
```

### Search Parameters

| Parameter | Description |
|-----------|-------------|
| `exec_mode` | `blocking` (wait for completion) or `normal` (asynchronous) |
| `earliest_time` | Search time range start (e.g., `-24h`) |
| `latest_time` | Search time range end (e.g., `now`) |
| `output_mode` | `json`, `xml`, or `csv` |

## Key SPL Commands for Triage

| Command | Purpose |
|---------|---------|
| `` `notable` `` | Macro to access ES notable events |
| `lookup asset_lookup_by_cidr` | Enrich with asset information |
| `lookup identity_lookup_expanded` | Enrich with identity context |
| `lookup threat_intel_by_ip` | Check IP against threat feeds |
| `tstats` | Fast data model statistics |
| `sendalert update_notable_event` | Update notable event status |

## Notable Event Status Values

| Value | Status |
|-------|--------|
| 0 | Unassigned |
| 1 | New |
| 2 | In Progress |
| 3 | Pending |
| 4 | Resolved |
| 5 | Closed |

## Disposition Categories

| Disposition | Criteria |
|-------------|----------|
| True Positive | Confirmed malicious activity |
| Benign True Positive | Alert correct but activity authorized |
| False Positive | Benign behavior matched detection logic |
| Undetermined | Insufficient data to classify |

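The search calls and the status table above can be combined into a small triage helper that pulls open notables and groups them by status. This is an added example, not code from the skill repository; it assumes the ES notable field names `status`, `urgency`, `rule_name`, `src` and `dest`, and only `run_notable_search` needs a live Splunk `service` (the summary runs on constructed sample rows).

```python
from collections import Counter

# Status codes from the table above; the row fields (status, urgency,
# rule_name, src, dest) are assumed ES notable field names.
NOTABLE_STATUS = {0: "Unassigned", 1: "New", 2: "In Progress",
                  3: "Pending", 4: "Resolved", 5: "Closed"}
OPEN_STATUSES = {0, 1, 2, 3}          # anything not Resolved/Closed
HIGH_URGENCY = {"critical", "high"}


def build_triage_query(urgencies=HIGH_URGENCY):
    """SPL for open notables at the given urgencies (time range goes in the job args)."""
    urg = ", ".join(f'"{u}"' for u in sorted(urgencies))
    return ("search `notable` "
            f"| search urgency IN ({urg}) status<=3 "
            "| table _time, rule_name, urgency, status, src, dest")


def run_notable_search(service, query, earliest="-24h", latest="now"):
    """Blocking search via splunklib; returns only result dicts (skips messages)."""
    import splunklib.results as results   # imported here so the rest runs offline
    job = service.jobs.create(query, exec_mode="blocking",
                              earliest_time=earliest, latest_time=latest)
    reader = results.JSONResultsReader(job.results(output_mode="json"))
    return [r for r in reader if isinstance(r, dict)]


def _status_code(row):
    try:
        return int(row.get("status", ""))
    except (ValueError, TypeError):
        return None                       # missing or garbled status field


def summarize_notables(rows):
    """Count notables per status label and return the open, high-urgency ones."""
    by_status = Counter(NOTABLE_STATUS.get(_status_code(r), "Unknown") for r in rows)
    attention = [r for r in rows
                 if _status_code(r) in OPEN_STATUSES and r.get("urgency") in HIGH_URGENCY]
    return dict(by_status), attention


# Constructed sample rows shaped like JSONResultsReader output (not real alerts)
SAMPLE_ROWS = [
    {"rule_name": "Brute Force Access Behavior Detected", "urgency": "high",
     "status": "1", "src": "10.0.0.5", "dest": "srv01"},
    {"rule_name": "Excessive Failed Logins", "urgency": "medium",
     "status": "2", "src": "10.0.0.7", "dest": "srv02"},
    {"rule_name": "Threat Intel Match", "urgency": "critical",
     "status": "5", "src": "203.0.113.9", "dest": "srv01"},
    {"rule_name": "Malware Detected", "urgency": "critical",
     "status": "0", "src": "10.0.0.9", "dest": "ws14"},
]
```

Against a live instance, `run_notable_search(service, build_triage_query())` returns rows in the same shape as `SAMPLE_ROWS`, ready for `summarize_notables`.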
## References

- Splunk SDK for Python: https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/
- Splunk ES notable events: https://docs.splunk.com/Documentation/ES/latest/Admin/Managenotableevents
- SPL reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/