What is Amazon Detective?
Amazon Detective is a security service that simplifies the analysis and investigation of security incidents in AWS environments. The service automatically collects log data from various AWS sources, correlates it, and creates interactive visualizations for investigating suspicious activities.
Detective uses machine learning and graph analysis to identify relationships between resources, users, and activities that would be difficult to identify manually. When a GuardDuty alert occurs, you can dive into Detective with one click and see the full context of the threat.
Core Features
- Automatic Data Correlation: Connects data from CloudTrail, VPC Flow Logs, and GuardDuty and retains it for 12 months
- Entity Profiles: Detailed profiles for IAM users, roles, EC2 instances, and IP addresses
- Finding Groups: Groups related security findings into a single incident
- Investigation Workbench: Interactive visualization for analyzing activity patterns
- ML-based Anomaly Detection: Identifies unusual behavior based on historical baselines
Typical Use Cases
Incident Response: When a GuardDuty alert occurs, investigate the full scope of the incident with Detective. Which IP addresses were involved? Which other resources did the attacker contact? What API calls were made?
Threat Hunting: Proactively search for suspicious activities before alerts are triggered. Detective shows unusual patterns like new API calls from known users or connections to unusual regions.
Compliance Investigations: During compliance audits, demonstrate who accessed which resources and when. Detective creates detailed activity logs for every user and resource.
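The three incident-response questions above (which IP addresses, which resources, which API calls) are exactly the pivot points an analyst takes from a GuardDuty finding into Detective. The following is an added example, not code from innFactory or AWS: it extracts those entities from a GuardDuty finding in the documented finding JSON format. The two findings embedded below are constructed samples (field names follow GuardDuty's schema; account IDs, instance IDs, key IDs and addresses are made up), and the function names `remote_ips` and `pivot_entities` are the example's own.

```python
"""Extract the entities worth pivoting on from a GuardDuty finding.

Added example (not innFactory's or AWS's code). Field names follow the
GuardDuty finding JSON format; all sample values are constructed.
"""
from typing import Any

# Constructed sample 1: an EC2 instance connecting outbound to a flagged IP.
INSTANCE_FINDING: dict[str, Any] = {
    "AccountId": "111122223333",
    "Region": "eu-central-1",
    "Type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
    "Severity": 8.0,
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"},
    },
    "Service": {
        "Action": {
            "ActionType": "NETWORK_CONNECTION",
            "NetworkConnectionAction": {
                "ConnectionDirection": "OUTBOUND",
                "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"},
            },
        }
    },
}

# Constructed sample 2: an IAM user's access key used from an unusual address.
ACCESS_KEY_FINDING: dict[str, Any] = {
    "AccountId": "111122223333",
    "Region": "eu-central-1",
    "Type": "Recon:IAMUser/MaliciousIPCaller",
    "Severity": 5.0,
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "PrincipalId": "AIDAEXAMPLEPRINCIPAL",
            "UserName": "deploy-user",
            "UserType": "IAMUser",
        },
    },
    "Service": {
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "Api": "GetCallerIdentity",
                "ServiceName": "sts.amazonaws.com",
                "CallerType": "Remote IP",
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"},
            },
        }
    },
}


def remote_ips(action: dict[str, Any]) -> list[str]:
    """Collect every remote IPv4 address the finding's action references."""
    ips: set[str] = set()
    for key in ("NetworkConnectionAction", "AwsApiCallAction"):
        ip = action.get(key, {}).get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            ips.add(ip)
    # Port probes carry one RemoteIpDetails per probing host.
    for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
        ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            ips.add(ip)
    return sorted(ips)


def pivot_entities(finding: dict[str, Any]) -> dict[str, Any]:
    """Answer: which IPs were involved, which resource/principal, which API call."""
    resource = finding.get("Resource", {})
    action = finding.get("Service", {}).get("Action", {})
    principal = resource.get("AccessKeyDetails", {})
    api_call = action.get("AwsApiCallAction", {})
    return {
        "account_id": finding.get("AccountId"),
        "region": finding.get("Region"),
        "finding_type": finding.get("Type"),
        "instance_id": resource.get("InstanceDetails", {}).get("InstanceId"),
        "principal": principal.get("UserName"),
        "access_key_id": principal.get("AccessKeyId"),
        "remote_ips": remote_ips(action),
        "api_call": api_call.get("Api"),
        "api_service": api_call.get("ServiceName"),
    }


if __name__ == "__main__":
    for finding in (INSTANCE_FINDING, ACCESS_KEY_FINDING):
        print(pivot_entities(finding))
```

Each returned entity (instance ID, IAM user, access key ID, remote IP) corresponds to an entity profile type Detective maintains, so the dictionary is the checklist of profiles to open when the one-click pivot from GuardDuty lands you in the investigation workbench.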
Benefits
- No manual log aggregation setup required
- Automatic correlation of data across all AWS accounts
- One-click integration with GuardDuty for seamless investigations
- 12 months of data history for retrospective analysis
Integration with innFactory
As an AWS Reseller, innFactory supports you with Amazon Detective: setup and configuration, integration with existing SIEM systems, training for incident response teams, and security architecture optimization.
Frequently Asked Questions
What is Amazon Detective?
Amazon Detective automatically collects and analyzes log data from AWS CloudTrail, VPC Flow Logs, and GuardDuty. The service creates visualizations and uses ML to identify relationships between resources, users, and activities.
How does Detective differ from GuardDuty?
GuardDuty detects threats and generates alerts. Detective helps with subsequent investigation: Where did the threat come from? Which resources were affected? What is the full scope of the incident?
Which data sources does Detective use?
Detective automatically processes CloudTrail logs (API calls), VPC Flow Logs (network traffic), GuardDuty Findings, and optionally EKS Audit Logs. Data is stored and correlated for 12 months.
How quickly is Detective operational after activation?
Detective begins data ingestion immediately but needs 24 to 48 hours to establish baselines. After about two weeks, ML models are optimally trained to detect anomalies.