What is Amazon Detective?
Amazon Detective simplifies the analysis and investigative process across your AWS Accounts enabling your team to quickly and easily determine the root cause of a potential security issue.
In AWS security is extremely important, you will be able to find multiple AWS services that can send you an alert when an issue arises, but Amazon Detective helps you to dig deeper and get the granular level detail.
How does Amazon Detective work?
When you enable Detective in your AWS account, the service automatically collects and analyzes millions of data from multiple data sources and provides us with easy-to-understand visual insight to interact with the analysis. So instead of manually inspecting the raw logs, you can visualize the details relating to an issue in one place and answer your security question.
It will collect logs from CloudTrail management events, VPC network traffic, GuardDuty findings and then use Machine Learning, statistical analysis, and graph theory to generate a visualization.
Use cases of Amazon Detective are:
1.Finding/Alert Triage: Suppose you have received a GuardDuty finding, and you are uncertain about whether you should be concerned. Detective can provide answers to your questions, which means it can assist you in accelerating triage and avoiding unnecessary escalation.
2.Incident Investigation: If the finding is of concern, then the finding triage process becomes an incident investigation and allows you to see analysis going back ck up to 1 year and help you answer questions like how long the security issue has been going on for and how many resources have been affected by it.
3.Threat Hunting: Suppose you want to know what kind of interactions an IP address had in your environment.
Amazon Detective is Multi Account service
Customers with multiple accounts who want to centralize the security investigation can use Amazon Detective. You must enable Detective in one of our account let's call it master account. Detective will make Security Behavior Graph from the logs collected from CloudTrail, VPC Network Traffic, GaurdDuty Finding.
Master account can send invitations to other accounts, and their CloudTrail Logs, VPC Network Traffic, and GaurdDuty findings will be shared with master account. Therefore, it's essential to follow best practices for managing data access and security to ensure that only authorized users have access to sensitive information.
Enabling AWS Security Findings in the Amazon Detective Console
When you enable Detective for the first time, it identifies findings from both GuardDuty and Security Hub and begins ingesting them alongside other data sources.
Detective begins analysing all relevant data in order to identify links between disparate events and activities. You can get a visualisation of these connections, including resource behaviour and activities, to start your investigation process. After two weeks, historical baselines are established, which can be used to provide comparisons to recent activity.
Demo
The Amazon Detective search interface serves as a common place for new users. Within this interface, you have the ability to search using various criteria, including GuardDuty Finding, AWS account, AWS Role, EC2 Instance, IP address, Role Session, User, and User agent.
To search specifically for an AWS Role, select it from the dropdown list and enter the desired role in the search bar.
Upon performing the search, you will be redirected to the profile page for the respective AWS Role. It is worth noting that Detective provides a similar profile page for every resource. To begin, adjust the Scope Time to the desired time frame.
The profile page is divided into multiple tabs: Overview, New Behavior, and Resource Interaction.
The Overview tab provides high-level information, including:
- Information related to the Role.
- Findings associated with the resource.
- The "Overall API call volume" panel displays all successful and failed API calls made using this Role.
On the Resource Interaction tab, you can observe:
- Who has assumed this Role
- The Role assumed by our Role.
The New Behavior tab highlights any behavior exhibited by the Role that had not been observed before the selected scope time.
Pricing Model
Amazon Detective has a tiered pricing model that is based upon the volume of data that the service ingests, and the analytics and summaries of ingested data are kept for 1 year.
Useful Links
Top comments (0)