anmolnagpal

Guardduty Explainer

Author: Anmol Nagpal · GitHub · v1.0.0
cross-platform ✓ Security check passed
Total downloads: 293
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install guardduty-explainer
Description
Translate GuardDuty findings into plain-English incident summaries with actionable response steps
Usage (SKILL.md)

AWS GuardDuty Finding Explainer & Responder

You are an AWS threat response expert. Turn raw GuardDuty JSON into instant incident action plans.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. GuardDuty finding JSON — paste directly from the console or export via CLI
    aws guardduty get-findings \
      --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
      --finding-ids <finding-id> \
      --output json
    
  2. List of active GuardDuty findings — all findings at severity ≥ 4
    aws guardduty list-findings \
      --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
      --finding-criteria '{"Criterion":{"severity":{"Gte":4}}}' \
      --output json
    
  3. GuardDuty findings export from console — for bulk analysis
    How to export: AWS Console → GuardDuty → Findings → Actions → Export findings → S3 → download JSON
    

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["guardduty:ListFindings", "guardduty:GetFindings", "guardduty:ListDetectors"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to paste the GuardDuty finding text from the console "Details" panel, or describe the alert title and severity.

Steps

  1. Parse GuardDuty finding JSON — extract type, severity, resource, and actor
  2. Explain what happened in plain English
  3. Assess false positive likelihood
  4. Map to MITRE ATT&CK technique
  5. Generate prioritized response playbook

GuardDuty Finding Types Covered

  • UnauthorizedAccess:EC2/SSHBruteForce — SSH brute force on EC2
  • CryptoCurrency:EC2/BitcoinTool.B!DNS — crypto-mining activity
  • Trojan:EC2/BlackholeTraffic — C2 communication
  • Recon:IAMUser/MaliciousIPCaller — API calls from known malicious IP
  • PrivilegeEscalation:IAMUser/AnomalousBehavior — unusual privilege activity
  • Stealth:IAMUser/PasswordPolicyChange — weakening account password policy
  • Exfiltration:S3/ObjectRead.Unusual — unusual S3 data access
  • EKS, RDS, Lambda, and Malware Protection findings

Output Format

  • Slack/PagerDuty Alert: one-liner with severity emoji
  • Plain-English Explanation: what happened, why it's dangerous
  • False Positive Assessment: likelihood (Low/Medium/High) with reasoning
  • MITRE ATT&CK: technique ID + name
  • Response Playbook: ordered steps (Contain → Investigate → Remediate → Harden)
  • AWS CLI Commands: for isolation, credential revocation, instance quarantine

Rules

  • Severity (GuardDuty bands): Critical (9.0-10.0) and High (7.0-8.9) → immediate response; Medium (4.0-6.9) → same day; Low (1.0-3.9) → routine triage
  • Always include an "If false positive" path in the playbook
  • Note finding age — findings > 24 hours old without response need escalation
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
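The steps and rules above describe a procedure (parse the finding, extract type/severity/resource/actor, band the severity, check the finding age, refuse pasted data that carries secrets) without showing what it looks like on a real finding. The following is an added example written for this page; it is not part of the guardduty-explainer skill and not the author's code. It applies those rules to a constructed finding shaped like one element of `Findings[]` from `aws guardduty get-findings`. The ATT&CK mapping table, the `SAMPLE_FINDING` contents, the timestamps and the `triage_sample` helper are assumptions for illustration.

```python
"""Pre-processor for a GuardDuty finding before it is pasted to the agent.
Added example, not the skill's own code. The sample finding, timestamps and
the ATT&CK table below are constructed for illustration."""
import json
import re
from datetime import datetime, timezone

# Constructed sample, shaped like one element of Findings[] from get-findings.
SAMPLE_FINDING = {
    "Id": "00example00000000000000000000000",
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Severity": 5.0,
    "Region": "us-east-1",
    "CreatedAt": "2024-05-01T10:00:00.000Z",
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {"InstanceId": "i-0example1234567890"},
    },
    "Service": {
        "Action": {
            "ActionType": "NETWORK_CONNECTION",
            "NetworkConnectionAction": {
                "ConnectionDirection": "INBOUND",
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"},
            },
        },
        "Count": 412,
    },
}

# Illustrative ATT&CK mapping keyed on a finding-type prefix (assumed; tune to your org).
ATTACK_BY_PREFIX = {
    "UnauthorizedAccess:EC2/SSHBruteForce": ("T1110", "Brute Force"),
    "CryptoCurrency": ("T1496", "Resource Hijacking"),
    "Stealth:IAMUser/PasswordPolicyChange": ("T1562", "Impair Defenses"),
    "Exfiltration:S3": ("T1530", "Data from Cloud Storage"),
}

# Secret material that must never be pasted. An AccessKeyId alone (AKIA.../ASIA...)
# is expected inside IAM findings and is not a secret, so it is only noted.
SECRET_PATTERNS = {
    "secret_access_key": re.compile(r"(?i)secret_?access_?key[\s\"':=]{0,6}[A-Za-z0-9/+=]{40}"),
    "session_token": re.compile(r"(?i)session_?token[\s\"':=]{0,6}[A-Za-z0-9/+=]{20,}"),
}
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def severity_band(score):
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def scan_for_secrets(text):
    """Names of secret patterns found in pasted text; an empty list means safe to process."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def attack_technique(finding_type):
    for prefix, technique in ATTACK_BY_PREFIX.items():
        if finding_type.startswith(prefix):
            return technique
    return None


def triage(finding, now):
    """Extract type/severity/resource/actor and apply the skill's response rules."""
    score = float(finding["Severity"])
    band = severity_band(score)
    resource = finding.get("Resource", {})
    rtype = resource.get("ResourceType")
    if rtype == "Instance":
        target = resource["InstanceDetails"]["InstanceId"]
    elif rtype == "AccessKey":
        keys = resource["AccessKeyDetails"]
        target = keys.get("UserName") or keys.get("PrincipalId")
    else:
        target = rtype or "unknown"
    # The remote actor sits under whichever *Action block the finding carries.
    actor = None
    for block in finding.get("Service", {}).get("Action", {}).values():
        if isinstance(block, dict) and "RemoteIpDetails" in block:
            actor = block["RemoteIpDetails"].get("IpAddressV4")
            break
    created = datetime.fromisoformat(finding["CreatedAt"].replace("Z", "+00:00"))
    age_hours = (now - created).total_seconds() / 3600
    sla = "immediate" if band in ("Critical", "High") else "same day" if band == "Medium" else "routine"
    return {
        "type": finding["Type"],
        "severity": score,
        "band": band,
        "target": target,
        "actor": actor,
        "age_hours": round(age_hours, 1),
        "escalate": age_hours > 24,  # rule: >24h without response needs escalation
        "sla": sla,
        "attack": attack_technique(finding["Type"]),
        "alert": f"[{band} {score}] {finding['Type']} on {target} from {actor} in {finding.get('Region')}",
    }


def triage_sample():
    """Run the sample through the secret check and triage at a fixed 'now' (assumed)."""
    raw = json.dumps(SAMPLE_FINDING)
    leaked = scan_for_secrets(raw)
    if leaked:
        raise ValueError(f"refusing to process: found {leaked}")
    return triage(SAMPLE_FINDING, datetime(2024, 5, 3, 12, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(triage_sample(), indent=2))
```

Run it with no arguments to see the triage of the constructed finding; swap `SAMPLE_FINDING` for a finding exported with the CLI above and `triage_sample`'s fixed clock for `datetime.now(timezone.utc)` to use it on real data. The secret scan runs before any parsing on purpose: it is the mechanical form of the last rule, and it deliberately leaves access key IDs alone because an IAM finding's AccessKeyDetails legitimately contains one.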
Safe-use recommendations
This skill appears coherent and useful, but follow these precautions before using it: (1) Never paste AWS credentials, secret keys, or long logs that might contain secrets — scrub findings first. (2) Treat any generated AWS CLI commands as suggestions: review and run them from a trusted shell with appropriate permissions (prefer least-privilege, staging, or read-only where possible). (3) Validate suggested containment/remediation steps against your organization's runbooks and incident response policies. (4) For bulk or sensitive findings, consider sharing only minimally redacted JSON or using internal tools to extract the relevant fields before pasting.
Functional analysis
Type: OpenClaw Skill Name: guardduty-explainer Version: 1.0.0 The skill is explicitly designed as 'instruction-only' and states it 'does not execute any AWS CLI commands or access your AWS account directly.' It guides the user on how to provide read-only GuardDuty findings and instructs the AI agent to analyze this data, generate incident summaries, and suggest response playbooks, including AWS CLI commands for the *user* to execute. Crucially, it includes rules for the agent to 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included' in user-pasted data, indicating a strong intent to prevent credential exposure. All instructions in SKILL.md align with a helpful, read-only analytical tool.
Capability assessment
Purpose & Capability
The name/description match the behavior: it asks for GuardDuty JSON and produces explanations and playbooks. It does not request credentials, unrelated environment variables, or unexpected binaries. Example AWS CLI commands and minimal read-only IAM actions are appropriate for the stated task.
Instruction Scope
SKILL.md confines runtime actions to analyzing user-provided GuardDuty JSON and producing outputs (alerts, playbooks, suggested AWS CLI commands). It explicitly states it will not call AWS or require credentials and instructs the agent to confirm pasted data contains no credentials before processing.
Install Mechanism
No install spec or code files are present; the skill is instruction-only so there is no disk install risk.
Credentials
No environment variables, config paths, or credentials are requested. The minimal IAM permissions shown are read-only and are appropriate examples for retrieving findings; the skill instructs users not to share keys.
Persistence & Privilege
The always flag is false, no privileged persistent presence is requested, and the skill does not modify other skills or system-wide settings.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. In the chat box, enter the install command: /install guardduty-explainer
  3. After installation, invoke the Skill by name or trigger it with /guardduty-explainer
  4. Provide the required inputs described in the Skill's parameters to get structured output
Version history
v1.0.0
- Initial release of the AWS GuardDuty Explainer skill.
- Translates GuardDuty JSON findings into clear incident summaries with actionable response steps.
- Supports findings for EC2, EKS, RDS, Lambda, Malware Protection, and more.
- Provides plain-English explanations, severity assessments, MITRE ATT&CK mapping, and prioritized response playbooks.
- Requires only exported/console data (never credentials); read-only analysis.
- Output includes alert summaries, false positive assessment, CLI isolation commands, and escalation guidance.
Metadata
Slug: guardduty-explainer
Version: 1.0.0
License: (not specified)
Cumulative installs: 0
Current installs: 0
Version count: 1
FAQ

What is Guardduty Explainer?

Translate GuardDuty findings into plain-English incident summaries with actionable response steps. It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 293 times to date.

How do I install Guardduty Explainer?

Run the command "/install guardduty-explainer" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Guardduty Explainer free?

Yes, Guardduty Explainer is completely free (open source) and can be freely downloaded, installed, and used.

Which platforms does Guardduty Explainer support?

Guardduty Explainer is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Guardduty Explainer?

Developed and maintained by Anmol Nagpal (@anmolnagpal); current version v1.0.0.
