AWS Detective

AWS Detective service helps to analyze security issues.

It automatically collects and analyzes security logs like VPC flow log, Cloudtrail and guard duty results and utilizes machine learning, graph theory and visualization to help in RCA.

You can answer questions like
1) How did this security incident happen?
2) Where was the first intrusion
3) How to prevent such incidents.

Amazon Detective requires that you have Amazon GuardDuty enabled on your accounts for at least 48 hours before you enable Detective on those accounts. Findings are sent from GuardDuty to Detective every 6 hrs by default, this can be changed to be as fast as every 15 minutes. It takes 2 weeks of data to build a historical baseline.

Finding Groups
It groups findings from various services together based on incidents, so you can see the related findings in one place. It shows severity, entity affected, MITRE tactic used etc. The group is constructed as a graph that allows you to see the relation between various incidents that occurred. By default, the graph visualization is force-directed. You can manipulate the graph to get more details or different visualizations.

For principals, EC2 instances, and EKS clusters you can see the most number of API calls and success, and failure counts.
Powerful search functionality allows you to search the incidents in the environment through various options. This lets you see if the failures are consistent or if is there a suspicious pattern.

Inside the investigation, you can see a visualization of how different incidents and entities are related to each other. You can manipulate this graph, and research the information that Detective gathers to gain insight into the security incident.

Investigations
For findings in GuardDuty, you have the option to pivot to Detective and investigate the finding concerning the different entities involved (EC2 instance, IAM Role, Account, etc. )

This runs an investigation of the findings in the data so far gathered and creates a report of all the related and relevant data. This can be used, then by the security analyst to find out details on how the attack occurred (eg: A day with many failed API calls with a bruteforce SSH), and what are remediation actions to be taken (isolate EC2, revoke sessions, rotate keys etc..)

Analysts can find the details of the mappings to tactics, techniques, and procedures (TTP). All TTPs are classified according to their severity. The console shows the techniques and actions used. By selecting a specific TTP, they can see the details in the right pane.

Once the analyst has enough information about the incident they can take remediation steps (isolate EC2, revoke sessions, rotate keys etc..)

More information can be gained from this walkthrough of Detective (From AWS): https://www.youtube.com/watch?v=Rz8MvzPfTZA