anmolnagpal

Cloudtrail Threat Detector

Author: Anmol Nagpal · GitHub · v1.0.0
cross-platform · security check passed · 406 total downloads · 0 favorites · 2 current installs · 1 version
Install in OpenClaw: /install cloudtrail-threat-detector
Description
Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators
Usage (SKILL.md)

AWS CloudTrail Threat Detector

You are an AWS threat detection expert. CloudTrail is your primary forensic record — use it to find attackers.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. CloudTrail event export — JSON events from the suspicious time window
    aws cloudtrail lookup-events \
      --start-time 2025-03-15T00:00:00Z \
      --end-time 2025-03-16T00:00:00Z \
      --output json > cloudtrail-events.json
    
  2. S3 CloudTrail log download — if CloudTrail writes to S3
    How to export: S3 Console → your-cloudtrail-bucket → browse to date/region → download .json.gz files and extract
    
  3. CloudWatch Logs export — if CloudTrail is integrated with CloudWatch Logs
    aws logs filter-log-events \
      --log-group-name CloudTrail/DefaultLogGroup \
      --start-time 1709251200000 \
      --end-time 1709337600000
    

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrail", "logs:FilterLogEvents", "logs:GetLogEvents"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe: the suspicious activity observed, which account and region, approximate time, and what resources may have been affected.

High-Risk Event Patterns

  • ConsoleLogin with additionalEventData.MFAUsed = No from root account
  • CreateAccessKey, CreateLoginProfile, UpdateAccessKey — credential creation
  • AttachUserPolicy, AttachRolePolicy with AdministratorAccess
  • PutBucketPolicy or PutBucketAcl making bucket public
  • DeleteTrail, StopLogging, UpdateTrail — defense evasion
  • RunInstances with large instance types from unfamiliar IP
  • AssumeRoleWithWebIdentity from unusual source
  • Rapid succession of GetSecretValue or DescribeSecretRotationPolicy calls
  • DescribeInstances + DescribeSecurityGroups from external IP — recon pattern

Steps

  1. Parse CloudTrail events — identify the who, what, when, where
  2. Flag events matching high-risk patterns
  3. Chain related events into attack timeline
  4. Map to MITRE ATT&CK Cloud techniques
  5. Recommend containment actions per finding

Output Format

  • Threat Summary: number of critical/high/medium findings
  • Incident Timeline: chronological sequence of suspicious events
  • Findings Table: event, principal, source IP, time, MITRE technique
  • Attack Narrative: plain-English story of what the attacker did
  • Containment Actions: immediate steps (revoke key, isolate instance, etc.)
  • Detection Gaps: CloudWatch alerts missing that would have caught this sooner

Rules

  • Always correlate unusual API calls with source IP geolocation
  • Flag any root account usage — root should never be used operationally
  • Failed API calls followed by success indicate credential stuffing or a permission-escalation attempt
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
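A worked example of steps 1 and 2 and the rules above, added here and not part of the skill or the page: a small Python analyzer that runs the high-risk pattern table, the root/MFA check and the failed-then-success rule over constructed CloudTrail records and produces the threat-summary counts. The rule table, severities, ATT&CK technique mapping and the failure threshold are this example's own assumptions.

```python
from collections import Counter, defaultdict

# Hypothetical rule table: eventName -> (severity, ATT&CK technique id). The technique
# mapping is this example's own illustration, not the skill's; tune it to your environment.
RULES = {"CreateAccessKey": ("high", "T1098.001"), "CreateLoginProfile": ("high", "T1098.001"),
         "UpdateAccessKey": ("medium", "T1098.001"), "AttachUserPolicy": ("high", "T1098.003"),
         "AttachRolePolicy": ("high", "T1098.003"), "DeleteTrail": ("critical", "T1562.008"),
         "StopLogging": ("critical", "T1562.008"), "UpdateTrail": ("high", "T1562.008"),
         "GetSecretValue": ("medium", "T1555.006")}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def principal(ev):  # "who": the IAM ARN if present, else the identity type
    return (i := ev.get("userIdentity", {})).get("arn") or i.get("type", "unknown")

def analyze(events, fail_threshold=2):
    """Findings as dicts: time, severity, event, principal, source_ip, technique, note."""
    findings, failures = [], defaultdict(int)  # failures: principal -> consecutive failed calls
    def add(ev, sev, tech, note=""):
        findings.append({"time": ev["eventTime"], "severity": sev, "event": ev["eventName"],
                         "principal": principal(ev), "source_ip": ev.get("sourceIPAddress", "?"),
                         "technique": tech, "note": note})
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # step 1: who/what/when/where
        name, who = ev["eventName"], principal(ev)
        if ev.get("errorCode"):  # rule: failed calls followed by success (threshold is assumed)
            failures[who] += 1
            continue
        if failures[who] >= fail_threshold:
            add(ev, "high", "unmapped", f"success after {failures[who]} failed calls")
        failures[who] = 0
        if ev.get("userIdentity", {}).get("type") == "Root":  # rule: flag any root usage
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            add(ev, "critical" if name == "ConsoleLogin" and mfa == "No" else "high",
                "T1078.004", f"root usage, MFAUsed={mfa}")
        if name in RULES:  # step 2: high-risk pattern table
            sev, tech = RULES[name]
            if ev.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY:
                sev = "critical"  # AdministratorAccess attached: privilege escalation
            add(ev, sev, tech)
    return findings

def summarize(findings):  # threat summary: number of findings per severity
    return dict(Counter(f["severity"] for f in findings))

def record(time, name, ip, utype, arn, **extra):  # builder for constructed sample records
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": utype, "arn": arn}, **extra}

ROOT, DEV = "arn:aws:iam::123456789012:root", "arn:aws:iam::123456789012:user/dev"
SAMPLE = [  # constructed events, not real CloudTrail data
    record("2025-03-15T10:00:00Z", "ConsoleLogin", "198.51.100.7", "Root", ROOT, additionalEventData={"MFAUsed": "No"}),
    record("2025-03-15T10:03:00Z", "PutBucketPolicy", "198.51.100.7", "IAMUser", DEV, errorCode="AccessDenied"),
    record("2025-03-15T10:03:20Z", "StopLogging", "198.51.100.7", "IAMUser", DEV, errorCode="AccessDenied"),
    record("2025-03-15T10:04:00Z", "AttachUserPolicy", "198.51.100.7", "IAMUser", DEV, requestParameters={"policyArn": ADMIN_POLICY, "userName": "dev"}),
    record("2025-03-15T10:05:00Z", "StopLogging", "198.51.100.7", "IAMUser", DEV),
]
```

Feed `analyze` the list parsed from a `lookup-events` export (each element's `CloudTrailEvent` field, JSON-decoded) to get the findings table; `summarize` gives the severity counts for the threat summary.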
Safe Usage Recommendations
This skill is coherent and low-risk in how it is described, but before installing or using it: (1) only share the minimum logs needed and prefer redacted samples if possible (CloudTrail may include AccessKeyId, ARNs, or resource identifiers); (2) confirm whether IP geolocation lookups are allowed — they may involve external network calls to third-party services; (3) provide data via a secure channel, not public paste sites; (4) if you need the agent to run any local commands (the header lists 'bash'), confirm what will be executed and that no AWS credentials or unredacted secrets will be processed. If you want stronger assurance, request the skill author or publisher metadata (homepage/source) before trusting any uploaded data.
Functional Analysis
Type: OpenClaw Skill
Name: cloudtrail-threat-detector
Version: 1.0.0
The skill is designed for AWS CloudTrail threat detection, explicitly stating it is 'instruction-only' and 'does not execute any AWS CLI commands or access your AWS account directly.' It guides users to provide exported, read-only data and includes clear instructions for the AI agent in SKILL.md to 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included before processing.' All provided CLI commands are read-only, and the overall design focuses on analysis without any execution or data exfiltration capabilities.
Capability Assessment
Purpose & Capability
Name/description (CloudTrail threat detection) align with the SKILL.md: it asks for CloudTrail/CloudWatch/S3 exports and gives analysis steps. It does not request unrelated credentials, binaries, or installs.
Instruction Scope
Instructions keep scope to user-provided CloudTrail data and analysis. Two minor points to be aware of: (1) a rule asks to 'correlate unusual API calls with source IP geolocation' — this implies the agent may perform external IP lookups (not detailed in the doc); (2) the header lists 'bash' as a tool while the skill also states it will not run AWS CLI against the user's account (the bash tool is plausibly for processing uploaded files locally, but this duality is worth noting).
Install Mechanism
No install spec and no code files (instruction-only). Lowest-risk delivery model: nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. It explicitly instructs it will not ask for secrets and asks users to sanitize pasted data. CloudTrail exports can contain AccessKeyId/ARNs and other identifiers (not secret keys) — users should be aware and redact if desired.
Persistence & Privilege
'always' is false and the skill is user-invocable; it does not request persistent privileges or modify other skills or system settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install cloudtrail-threat-detector
  3. After installation, call the skill by name directly or trigger it with /cloudtrail-threat-detector
  4. Provide the required inputs according to the skill's parameter description to receive structured output
Version History
v1.0.0
Initial release of AWS CloudTrail Threat Detector skill.
  • Provides expert guidance to analyze AWS CloudTrail logs for suspicious activities and MITRE ATT&CK indicators.
  • Accepts CloudTrail event exports, S3 log downloads, or CloudWatch Logs exports as input (user-supplied data only).
  • Highlights high-risk event patterns such as unauthorized root usage, credential creation, privilege escalation, and defense evasion.
  • Delivers findings as a threat summary, incident timeline, detailed table, attack narrative, and containment recommendations.
  • Does not execute commands or access AWS accounts directly; strictly instruction and analysis based on provided data.
Metadata
Slug cloudtrail-threat-detector
Version 1.0.0
License
Total installs 2
Current installs 2
Number of versions 1
FAQ

What is Cloudtrail Threat Detector?

Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 406 downloads to date.

How do I install Cloudtrail Threat Detector?

Run the command "/install cloudtrail-threat-detector" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Cloudtrail Threat Detector free?

Yes, Cloudtrail Threat Detector is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Cloudtrail Threat Detector support?

Cloudtrail Threat Detector is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Cloudtrail Threat Detector?

Developed and maintained by Anmol Nagpal (@anmolnagpal); current version v1.0.0.
