Skip to content

Add skill: performing-cloud-native-threat-hunting-with-aws-detective#27

Open
juliosuas wants to merge 4 commits intomukul975:mainfrom
juliosuas:add-aws-detective-skill
Open

Add skill: performing-cloud-native-threat-hunting-with-aws-detective#27
juliosuas wants to merge 4 commits intomukul975:mainfrom
juliosuas:add-aws-detective-skill

Conversation

@juliosuas
Copy link
Copy Markdown
Contributor

@juliosuas juliosuas commented Mar 24, 2026

Summary

Complete AWS Detective automation skill with boto3 script for threat hunting.

Changes

  • SKILL.md with full workflow documentation
  • scripts/process.py with correct AWS Detective API usage
  • Fixed: search_entities safe no-op, list_finding_groups hasattr check
  • Fixed: NoCredentialsError wrapping for lazy credential validation
  • Fixed: dead paginator code removal, type hints (Optional[str])
  • references/ and assets/ supporting files

mukul975 and others added 4 commits March 28, 2026 02:06
@mukul975 @juliosuas
Trigger contributor recalculation
34ac9d6
@juliosuas
Add skill: performing-cloud-native-threat-hunting-with-aws-detective (f…
9fce1ca 
…ixes mukul975#6)
@claude @juliosuas
fix: add missing process.py implementation for aws-detective skill
610338b 
The process.py script was empty (0 bytes). Added a functional
implementation that lists behavior graphs, retrieves investigations,
queries indicators, and exports results — matching the pattern of
other skills in the repository.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude @juliosuas
Fix review comments: correct AWS Detective API usage and forensic ord…
1ff706e 
…ering

- Fix FilterCriteria to use singular Severity/Status with Value objects
  instead of invalid plural Severities/Statuses arrays (SKILL.md + process.py)
- Fix get_entity_history: rename to get_investigation_indicators, use
  investigation_id instead of entity_arn for InvestigationId parameter
- Replace invalid inv-* placeholders with 21-digit numeric IDs
- Fix Expected Output to match real API response structure (no embedded
  Indicators; document separate list-indicators call and indicator types)
- Fix CLI --filter-criteria example to use correct format
- Update process.py --severity to accept single value with validation
- Add --max-results validation (1-100 range)
- Add pagination via _collect_all_pages helper for all list API calls
- Reorder Response Actions checklist: evidence preservation before containment
- Reorder Phase 5 workflow: preserve evidence first when safe

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@juliosuas
Copy link
Copy Markdown
Contributor Author

juliosuas commented Mar 28, 2026

Rebased onto upstream/main ✅

@juliosuas juliosuas force-pushed the add-aws-detective-skill branch from afb5fb6 to 1ff706e Compare March 28, 2026 08:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@juliosuas @mukul975