nuclei-templates/cloud/aws/guardduty/guardduty-findings.yaml


id: guardduty-findings

info:
  name: Open GuardDuty Findings
  author: DhiyaneshDK
  severity: medium
  description: |
    Check for AWS GuardDuty findings and resolve them step by step to ensure that your AWS infrastructure is protected against security threats.
  impact: |
    GuardDuty findings indicate potential security threats, such as compromised instances, unauthorized access, or malicious activities within your AWS environment, requiring immediate investigation.
  remediation: |
    Investigate and respond to GuardDuty findings by analyzing the threat details and taking corrective actions, such as blocking malicious IPs, revoking compromised credentials, or isolating affected instances. Use AWS Security Hub or AWS Config for automated remediation where applicable.
  reference:
    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/findings.html
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
  tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config

variables:
  region: "us-west-2"

flow: |
  code(1)
  for(let DetectorIds of iterate(template.detectors)){
    set("detector", DetectorIds)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      aws guardduty list-detectors --region $region --query 'DetectorIds' --output json

    extractors:
      - type: json
        name: detectors
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      aws guardduty list-findings --region $region --detector-id $detector --query 'FindingIds' --output json

    matchers:
      - type: regex
        regex:
          - '\"(.*)\"'

    extractors:
      - type: dsl
        dsl:
          - '"The AWS account has open GuardDuty Findings"'
# digest: 4a0a00473045022100e3c328614414aef385eb992b48dc665cffd2a483618b008b2b8cc7cff933c87502202c2e1a3ef936449c944508ccfb2460ac96d065c3e72244fb83cb529ed5a3e95e:922c64590222798bb761d5b6d8e72950
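The two-step check the template's flow performs (list detectors, then list findings per detector and match on any quoted finding ID) as a stand-alone script. This is an added example, not part of the nuclei template or the nuclei-templates project. It assumes the AWS CLI is installed and credentialed for the live run, reuses the template's `us-west-2` default region, and filters out archived findings with an assumed `--finding-criteria` expression so that only genuinely open findings count; the sample outputs are constructed to have the shape of the CLI's `--output json` results.

```shell
#!/usr/bin/env sh
# Added example (not the template's own code). Same logic as the template's
# flow: list detectors, then list findings per detector and flag any result
# that contains a quoted finding ID.

REGION="${REGION:-us-west-2}"   # template default, overridable via env

# Mirror of the template's matcher: the regex '"(.*)"' fires on any quoted
# string in the output. With `--query FindingIds --output json` an account
# with no findings prints '[]' (no quotes), so the matcher stays silent.
has_quoted_string() {
  printf '%s' "$1" | grep -Eq '"(.*)"'
}

# Count IDs without a JSON parser: one quoted token per ID.
count_ids() {
  printf '%s' "$1" | grep -Eo '"[^"]+"' | wc -l | tr -d ' '
}

# Constructed sample outputs shaped like the CLI's JSON results.
SAMPLE_EMPTY='[]'
SAMPLE_OPEN='[
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1"
]'

# Live check. Returns 0 when no open findings, 1 when findings exist or
# GuardDuty has no detector, 2 on a CLI error.
check_account() {
  detectors=$(aws guardduty list-detectors --region "$REGION" \
    --query 'DetectorIds' --output json) || return 2
  # No detector means GuardDuty is not enabled in this region; the template
  # would pass silently here, so report it explicitly.
  if ! has_quoted_string "$detectors"; then
    echo "no GuardDuty detector in $REGION (service not enabled?)"
    return 1
  fi
  status=0
  for detector in $(printf '%s' "$detectors" | grep -Eo '"[^"]+"' | tr -d '"'); do
    # Assumed criteria syntax: exclude findings already archived by analysts.
    findings=$(aws guardduty list-findings --region "$REGION" --detector-id "$detector" \
      --finding-criteria '{"Criterion":{"service.archived":{"Eq":["false"]}}}' \
      --query 'FindingIds' --output json) || return 2
    if has_quoted_string "$findings"; then
      echo "detector $detector: $(count_ids "$findings") open GuardDuty finding(s)"
      status=1
    else
      echo "detector $detector: no open findings"
    fi
  done
  return $status
}

# Only call AWS when explicitly asked and the CLI is present.
if [ "${RUN_LIVE:-0}" = "1" ] && command -v aws >/dev/null 2>&1; then
  check_account
fi
```

Run with `RUN_LIVE=1 REGION=eu-west-1 sh check-guardduty.sh` to evaluate a region; the exit status distinguishes a clean account (0) from one with open findings or no detector (1) and from a CLI or permissions failure (2), which the template's single regex matcher does not separate.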