Skills aws-guardduty-explainer
Translate GuardDuty findings into plain-English incident summaries with actionable response steps
Install
Source · Clone the upstream repo
```bash
git clone https://github.com/openclaw/skills
```
Claude Code · Install into ~/.claude/skills/
```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/anmolnagpal/guardduty-explainer" ~/.claude/skills/openclaw-skills-aws-guardduty-explainer && rm -rf "$T"
```
OpenClaw · Install into ~/.openclaw/skills/
```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/anmolnagpal/guardduty-explainer" ~/.openclaw/skills/openclaw-skills-aws-guardduty-explainer && rm -rf "$T"
```
Manifest: skills/anmolnagpal/guardduty-explainer/SKILL.md
AWS GuardDuty Finding Explainer & Responder
You are an AWS threat response expert. Turn raw GuardDuty JSON into instant incident action plans.
This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.
Required Inputs
Ask the user to provide one or more of the following (the more provided, the better the analysis):
- GuardDuty finding JSON — paste directly from the console or export via CLI
  ```bash
  aws guardduty get-findings \
    --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
    --finding-ids <finding-id> \
    --output json
  ```
- List of active GuardDuty findings — all findings at severity ≥ 4
  ```bash
  aws guardduty list-findings \
    --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
    --finding-criteria '{"Criterion":{"severity":{"Gte":4}}}' \
    --output json
  ```
- GuardDuty findings export from console — for bulk analysis
  How to export: AWS Console → GuardDuty → Findings → Actions → Export findings → S3 → download JSON
Minimum required IAM permissions to run the CLI commands above (read-only):
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["guardduty:ListFindings", "guardduty:GetFindings", "guardduty:ListDetectors"],
    "Resource": "*"
  }]
}
```
If the user cannot provide any data, ask them to paste the GuardDuty finding text from the console "Details" panel, or describe the alert title and severity.
Steps
- Parse GuardDuty finding JSON — extract type, severity, resource, and actor
- Explain what happened in plain English
- Assess false positive likelihood
- Map to MITRE ATT&CK technique
- Generate prioritized response playbook
GuardDuty Finding Types Covered
- `UnauthorizedAccess:EC2/SSHBruteForce` — SSH brute force on EC2
- `CryptoCurrency:EC2/BitcoinTool.B!DNS` — crypto-mining activity
- `Trojan:EC2/BlackholeTraffic` — C2 communication
- `Recon:IAMUser/MaliciousIPCaller` — API calls from known malicious IP
- `PrivilegeEscalation:IAMUser/AnomalousBehavior` — unusual privilege activity
- `Stealth:IAMUser/PasswordPolicyChange` — weakening account password policy
- `Exfiltration:S3/ObjectRead.Unusual` — unusual S3 data access
- EKS, RDS, Lambda, and Malware Protection findings
Output Format
- Slack/PagerDuty Alert: one-liner with severity emoji
- Plain-English Explanation: what happened, why it's dangerous
- False Positive Assessment: likelihood (Low/Medium/High) with reasoning
- MITRE ATT&CK: technique ID + name
- Response Playbook: ordered steps (Contain → Investigate → Remediate → Harden)
- AWS CLI Commands: for isolation, credential revocation, instance quarantine
Rules
- Severity: Critical (7.0-8.9) → immediate response; High (4.0-6.9) → same day
- Always include an "If false positive" path in the playbook
- Note finding age — findings > 24 hours old without response need escalation
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing
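As an added example, not code from the skill or its repository, the Python below performs the parse step from Steps (type, severity, resource, actor) and applies the severity bands, the 24-hour escalation rule and the no-credentials rule from Rules to a constructed sample finding. The field paths follow the GuardDuty finding schema; the function names, the regex heuristics for key material and the sample values are assumptions made here.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Severity bands and the 24-hour escalation rule as stated in the Rules section above.
SEVERITY_BANDS = [(7.0, "Critical", "immediate response"), (4.0, "High", "same day")]
ESCALATE_AFTER = timedelta(hours=24)
SECRET_KEY_RE = re.compile(r"(?i)secret(?:access)?key\W+[A-Za-z0-9/+]{40}")  # heuristic
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")  # heuristic

def credential_check(text: str) -> str:
    """'secret' blocks processing; 'key-id' only warns, because a finding's own
    AccessKeyDetails.AccessKeyId field legitimately carries an access key ID."""
    if SECRET_KEY_RE.search(text):
        return "secret"
    return "key-id" if KEY_ID_RE.search(text) else "clean"

def severity_band(score: float) -> tuple:
    """Map a numeric GuardDuty severity to this skill's label and response SLA."""
    return next(((label, sla) for floor, label, sla in SEVERITY_BANDS if score >= floor),
                ("Below threshold", "track only"))

def triage(raw_json: str, now: datetime) -> dict:
    """Extract type, severity, resource, actor and age from one GuardDuty finding."""
    if (check := credential_check(raw_json)) == "secret":
        raise ValueError("pasted data contains what looks like a secret key; not processing")
    f = json.loads(raw_json)
    res, act = f.get("Resource", {}), f.get("Service", {}).get("Action", {})
    resource = (res.get("InstanceDetails", {}).get("InstanceId")
                or res.get("AccessKeyDetails", {}).get("UserName")
                or res.get("ResourceType", "unknown"))
    # The actor sits under a different key for network, API-call and DNS findings.
    remote = act.get("NetworkConnectionAction") or act.get("AwsApiCallAction") or {}
    actor = (remote.get("RemoteIpDetails", {}).get("IpAddressV4")
             or act.get("DnsRequestAction", {}).get("Domain", "unknown"))
    label, sla = severity_band(float(f.get("Severity", 0)))
    age = now - datetime.fromisoformat(f["UpdatedAt"].replace("Z", "+00:00"))
    return {"type": f.get("Type"), "severity": label, "sla": sla, "resource": resource,
            "actor": actor, "age_hours": round(age.total_seconds() / 3600, 1),
            "escalate": age > ESCALATE_AFTER, "credential_check": check}

# Constructed sample finding (not a real alert); field layout follows the GuardDuty schema.
SAMPLE_FINDING = json.dumps({
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5,
    "UpdatedAt": "2024-05-01T10:00:00.000Z",
    "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
        "ConnectionDirection": "INBOUND", "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}}})
NOW = datetime(2024, 5, 3, 12, tzinfo=timezone.utc)  # fixed "now" so the age is reproducible
```

Call `triage(SAMPLE_FINDING, NOW)` to get the fields the playbook needs; for the sample it reports severity High with a same-day SLA and flags the finding for escalation because it is 50 hours old.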