detecting-aws-guardduty-findings-automation

使用 EventBridge 和 Lambda 自动化处理 AWS GuardDuty 威胁检测发现,实现实时事件响应、自动隔离受损资源和安全通知工作流。

9 stars

Best use case

detecting-aws-guardduty-findings-automation is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用 EventBridge 和 Lambda 自动化处理 AWS GuardDuty 威胁检测发现,实现实时事件响应、自动隔离受损资源和安全通知工作流。

Teams using detecting-aws-guardduty-findings-automation should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/detecting-aws-guardduty-findings-automation/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/detecting-aws-guardduty-findings-automation/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/detecting-aws-guardduty-findings-automation/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How detecting-aws-guardduty-findings-automation Compares

Feature / Agentdetecting-aws-guardduty-findings-automationStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用 EventBridge 和 Lambda 自动化处理 AWS GuardDuty 威胁检测发现,实现实时事件响应、自动隔离受损资源和安全通知工作流。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 检测 AWS GuardDuty 发现自动化

## 概述

Amazon GuardDuty 是一种威胁检测服务,持续监控 AWS 账户的恶意活动和未授权行为。通过将 GuardDuty 与 Amazon EventBridge 和 AWS Lambda 集成,安全团队实现自动化、实时的威胁响应,将平均响应时间(MTTR)从数小时缩短到数秒。GuardDuty 分析 VPC 流日志、CloudTrail 管理和数据事件、DNS 日志、EKS 审计日志和 S3 数据事件。

## 前置条件

- 已启用 GuardDuty 的 AWS 账户
- Lambda 执行的 IAM 角色
- 为 GuardDuty 事件配置的 EventBridge
- 用于安全通知的 SNS 主题
- Security Hub 集成(推荐)

## 启用 GuardDuty

```bash
# 启用 GuardDuty
aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES

# 启用附加数据源
aws guardduty update-detector \
  --detector-id DETECTOR_ID \
  --data-sources '{
    "S3Logs": {"Enable": true},
    "Kubernetes": {"AuditLogs": {"Enable": true}},
    "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": true}},
    "RuntimeMonitoring": {"Enable": true}
  }'
```

## EventBridge 规则配置

### 高严重性发现的规则

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{"numeric": [">=", 7.0]}]
  }
}
```

### 通过 CLI 创建 EventBridge 规则

```bash
aws events put-rule \
  --name "guardduty-high-severity" \
  --event-pattern '{
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
      "severity": [{"numeric": [">=", 7.0]}]
    }
  }'

aws events put-targets \
  --rule "guardduty-high-severity" \
  --targets "Id"="lambda-handler","Arn"="arn:aws:lambda:us-east-1:123456789012:function:guardduty-response"
```

## Lambda 自动响应函数

### EC2 实例隔离

```python
import boto3
import json
import os

ec2 = boto3.client('ec2')
sns = boto3.client('sns')

QUARANTINE_SG = os.environ.get('QUARANTINE_SECURITY_GROUP')
SNS_TOPIC = os.environ.get('SNS_TOPIC_ARN')

def lambda_handler(event, context):
    finding = event['detail']
    finding_type = finding['type']
    severity = finding['severity']
    account_id = finding['accountId']
    region = finding['region']

    # 提取资源信息
    resource = finding.get('resource', {})
    resource_type = resource.get('resourceType', '')

    if resource_type == 'Instance':
        instance_id = resource['instanceDetails']['instanceId']
        instance_tags = {t['key']: t['value']
                        for t in resource['instanceDetails'].get('tags', [])}

        # 如果已隔离则跳过
        if instance_tags.get('SecurityStatus') == 'Quarantined':
            return {'statusCode': 200, 'body': 'Already quarantined'}

        # 获取当前安全组用于取证
        instance = ec2.describe_instances(InstanceIds=[instance_id])
        current_sgs = [sg['GroupId'] for sg in
                       instance['Reservations'][0]['Instances'][0]['SecurityGroups']]

        # 使用发现信息和原始安全组标记实例
        ec2.create_tags(
            Resources=[instance_id],
            Tags=[
                {'Key': 'SecurityStatus', 'Value': 'Quarantined'},
                {'Key': 'GuardDutyFinding', 'Value': finding_type},
                {'Key': 'OriginalSecurityGroups', 'Value': ','.join(current_sgs)},
                {'Key': 'QuarantineTime', 'Value': finding['updatedAt']}
            ]
        )

        # 移至隔离安全组(阻断所有流量)
        if QUARANTINE_SG:
            ec2.modify_instance_attribute(
                InstanceId=instance_id,
                Groups=[QUARANTINE_SG]
            )

        # 创建 EBS 快照用于取证
        volumes = ec2.describe_volumes(
            Filters=[{'Name': 'attachment.instance-id', 'Values': [instance_id]}]
        )
        for vol in volumes['Volumes']:
            ec2.create_snapshot(
                VolumeId=vol['VolumeId'],
                Description=f'GuardDuty forensic snapshot - {finding_type}',
                TagSpecifications=[{
                    'ResourceType': 'snapshot',
                    'Tags': [
                        {'Key': 'Purpose', 'Value': 'ForensicCapture'},
                        {'Key': 'SourceInstance', 'Value': instance_id},
                        {'Key': 'FindingType', 'Value': finding_type}
                    ]
                }]
            )

        # 通知安全团队
        sns.publish(
            TopicArn=SNS_TOPIC,
            Subject=f'[GuardDuty] {finding_type} - 实例 {instance_id} 已隔离',
            Message=json.dumps({
                'action': 'instance_quarantined',
                'instance_id': instance_id,
                'finding_type': finding_type,
                'severity': severity,
                'account': account_id,
                'region': region,
                'original_security_groups': current_sgs,
                'description': finding.get('description', '')
            }, indent=2)
        )

        return {
            'statusCode': 200,
            'body': f'实例 {instance_id} 已隔离并创建快照'
        }

    return {'statusCode': 200, 'body': '非 EC2 发现已处理'}
```

### IAM 凭据入侵响应

```python
import boto3
import json
import os

iam = boto3.client('iam')
sns = boto3.client('sns')

SNS_TOPIC = os.environ.get('SNS_TOPIC_ARN')

def lambda_handler(event, context):
    finding = event['detail']
    finding_type = finding['type']

    if 'IAMUser' not in finding_type and 'UnauthorizedAccess' not in finding_type:
        return {'statusCode': 200, 'body': 'Not an IAM finding'}

    resource = finding.get('resource', {})
    access_key_details = resource.get('accessKeyDetails', {})
    user_name = access_key_details.get('userName', '')
    access_key_id = access_key_details.get('accessKeyId', '')

    if not user_name:
        return {'statusCode': 200, 'body': 'No user identified'}

    actions_taken = []

    # 停用受损的访问密钥
    if access_key_id and access_key_id != 'GeneratedFindingAccessKeyId':
        try:
            iam.update_access_key(
                UserName=user_name,
                AccessKeyId=access_key_id,
                Status='Inactive'
            )
            actions_taken.append(f'已停用访问密钥 {access_key_id}')
        except Exception as e:
            actions_taken.append(f'停用密钥失败: {str(e)}')

    # 为用户附加拒绝所有策略
    deny_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*"
        }]
    }

    try:
        iam.put_user_policy(
            UserName=user_name,
            PolicyName='GuardDuty-DenyAll-Quarantine',
            PolicyDocument=json.dumps(deny_policy)
        )
        actions_taken.append(f'已为 {user_name} 应用拒绝所有策略')
    except Exception as e:
        actions_taken.append(f'应用拒绝策略失败: {str(e)}')

    # 通知
    sns.publish(
        TopicArn=SNS_TOPIC,
        Subject=f'[GuardDuty] IAM 入侵 - {user_name}',
        Message=json.dumps({
            'finding_type': finding_type,
            'user': user_name,
            'access_key': access_key_id,
            'actions_taken': actions_taken,
            'severity': finding['severity']
        }, indent=2)
    )

    return {'statusCode': 200, 'body': json.dumps(actions_taken)}
```

## Terraform 部署

```hcl
resource "aws_guardduty_detector" "main" {
  enable = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  datasources {
    s3_logs { enable = true }
    kubernetes { audit_logs { enable = true } }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes { enable = true }
      }
    }
  }
}

resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name        = "guardduty-high-severity"
  description = "GuardDuty 高严重性发现"

  event_pattern = jsonencode({
    source      = ["aws.guardduty"]
    detail-type = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7.0] }]
    }
  })
}

resource "aws_cloudwatch_event_target" "lambda" {
  rule = aws_cloudwatch_event_rule.guardduty_high.name
  arn  = aws_lambda_function.guardduty_response.arn
}
```

## 发现类别

| 类别 | 严重性范围 | 示例 |
|------|-----------|------|
| Backdoor | 5.0 - 8.0 | Backdoor:EC2/C&CActivity |
| CryptoCurrency | 5.0 - 8.0 | CryptoCurrency:EC2/BitcoinTool |
| Trojan | 5.0 - 8.0 | Trojan:EC2/BlackholeTraffic |
| UnauthorizedAccess | 5.0 - 8.0 | UnauthorizedAccess:IAMUser/ConsoleLogin |
| Recon | 2.0 - 5.0 | Recon:EC2/PortProbeUnprotected |
| Persistence | 5.0 - 8.0 | Persistence:IAMUser/AnomalousBehavior |

## 多账户设置

```bash
# 指定 GuardDuty 管理员
aws guardduty enable-organization-admin-account \
  --admin-account-id 111111111111

# 为新账户自动启用
aws guardduty update-organization-configuration \
  --detector-id DETECTOR_ID \
  --auto-enable
```

## 参考资料

- AWS GuardDuty Best Practices: https://aws.github.io/aws-security-services-best-practices/guides/guardduty/
- EventBridge Integration: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_eventbridge.html
- GuardDuty Finding Types Reference

Related Skills

performing-ioc-enrichment-automation

9
from killvxk/cybersecurity-skills-zh

通过编排 VirusTotal、AbuseIPDB、Shodan、MISP 和其他情报源的查询, 自动化入侵指标(IOC)丰富化,提供上下文评分和处置建议。 适用于 SOC 分析师在告警分诊或事件调查期间需要对 IP、域名、URL 和文件哈希 进行快速多源丰富化时。

implementing-soar-automation-with-phantom

9
from killvxk/cybersecurity-skills-zh

使用 Splunk SOAR(原 Phantom)实施安全编排、自动化和响应(SOAR)工作流, 自动化告警分诊、IOC 富化、遏制动作和事件响应剧本。 适用于 SOC 团队需要减少分析师手工工作、标准化响应流程, 或将多种安全工具集成到自动化工作流中时。

detecting-wmi-persistence

9
from killvxk/cybersecurity-skills-zh

通过分析 Sysmon 事件 ID 19、20 和 21 中的恶意 EventFilter、EventConsumer 和 FilterToConsumerBinding 创建,检测 WMI 事件订阅持久化。

detecting-t1548-abuse-elevation-control-mechanism

9
from killvxk/cybersecurity-skills-zh

通过监控注册表修改、进程提升标志和异常的父子进程关系,检测提升控制机制滥用,包括 UAC 绕过、sudo 利用和 setuid/setgid 操纵。

detecting-t1055-process-injection-with-sysmon

9
from killvxk/cybersecurity-skills-zh

通过分析 Sysmon 事件中的跨进程内存操作、远程线程创建和异常 DLL 加载模式,检测进程注入技术(T1055),包括经典 DLL 注入、进程镂空和 APC 注入。

detecting-t1003-credential-dumping-with-edr

9
from killvxk/cybersecurity-skills-zh

利用 EDR 遥测数据、Sysmon 进程访问监控和 Windows 安全事件关联,检测针对 LSASS 内存、SAM 数据库、NTDS.dit 和缓存凭据的 OS 凭据转储技术。

detecting-suspicious-powershell-execution

9
from killvxk/cybersecurity-skills-zh

检测可疑的 PowerShell 执行模式,包括编码命令、下载器(download cradles)、AMSI 绕过尝试以及受限语言模式规避。

detecting-suspicious-oauth-application-consent

9
from killvxk/cybersecurity-skills-zh

使用 Microsoft Graph API、审计日志和权限分析,检测 Azure AD / Microsoft Entra ID 中的高风险 OAuth 应用授权同意,识别非法同意授权攻击。

detecting-supply-chain-attacks-in-ci-cd

9
from killvxk/cybersecurity-skills-zh

扫描 GitHub Actions 工作流和 CI/CD 流水线配置,检测供应链攻击(Supply Chain Attack)向量, 包括未固定的 Action 版本、通过表达式的脚本注入、依赖混淆(Dependency Confusion)和密钥泄露。 使用 PyGithub 和 YAML 解析进行自动化审计。适用于加固 CI/CD 流水线或调查被攻击的构建系统。

detecting-stuxnet-style-attacks

9
from killvxk/cybersecurity-skills-zh

本技能涵盖检测遵循Stuxnet攻击模式的复杂网络物理攻击——在修改PLC逻辑的同时欺骗传感器读数以向操作员隐藏操控行为。内容涉及PLC逻辑完整性监控、基于物理的过程异常检测、工程师工作站入侵指标、USB传播攻击向量,以及从IT到OT横向移动直至过程操控的多阶段攻击链检测。

detecting-sql-injection-via-waf-logs

9
from killvxk/cybersecurity-skills-zh

分析 WAF(Web 应用防火墙,ModSecurity/AWS WAF/Cloudflare)日志,检测 SQL 注入(SQL Injection)攻击活动。 解析 ModSecurity 审计日志和 JSON WAF 事件日志,识别 SQLi 模式(UNION SELECT、OR 1=1、SLEEP()、BENCHMARK()), 追踪攻击源,关联多阶段注入尝试,并生成带 OWASP 分类的事件报告。

detecting-spearphishing-with-email-gateway

9
from killvxk/cybersecurity-skills-zh

鱼叉式网络钓鱼(Spearphishing)使用个性化、经过研究的内容针对特定个人,可绕过通用垃圾邮件过滤器。邮件安全网关(SEG)如 Microsoft Defender for Office 365、Proofpoint、Mimecast 和 Barracuda 提供高级检测能力,包括行为分析、URL 引爆、附件沙箱和冒充检测。本技能涵盖配置这些网关以检测和拦截定向钓鱼攻击。