New Amazon Detective Service

Alex T.

2019-12-06 / Modified on 2019-12-06

Another interesting AWS service that was launched at the Amazon conference in Las Vegas 2019 — Amazon Detective, the name of which reveals the function that it performs.

Amazon Detective makes it easy to analyze and speedy perceive the root cause of potential protection issues or suspicious activities. Amazon Detective robotically collects log records from your AWS resources and makes use machine learning of, statistical analysis, and graph concept to build a related set of facts that permits you to without difficulty behavior faster and extra security investigations.

AWS protection services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub in addition to accomplice safety products can be used to perceive capability protection issues, or findings. These services are in reality beneficial in alerting you when something is inaccurate and stating how you can fix it. Determining the root cause of protection findings can be an all-inclusive technique that often entails amassing and mixing logs from many separate facts resources, the use of extract, transform, and load (ETL) instrument or custom scripting to organize the information, after which safety analysts having to research the facts and conduct prolonged investigations.
AWS Detective simplifies this system by using enabling your safety groups to effortlessly look at and speedy get to the basis purpose of a finding. Amazon Detective can analyze trillions of activities from a couple of information resources together with Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your assets, users, and the interactions among them through the years. With this unified view, you may visualize all of the details and context in a single place to perceive the underlying motives for the findings, drill down into applicable historic activities, and speedy determine the root cause.

How does it work?

01
The first step is to select a finding to triage

When looking at a finding in GuardDuty or AWS Security Hub, analysts can choose to investigate the finding in Detective.
02
From within Detective, analysts can use the Detective search function to find and select a finding to triage

Selecting the finding takes the analyst to the finding profile in Detective.
03
The finding profile contains a set of visualizations

The visualizations are generated from the behavior graph. The behavior graph in turn is created from the log files and other data that are fed into Detective.
Most of the visualizations show activity that is related to the entity or entities involved in the finding. Analysts use these visualizations to answer questions that are critical to completing the triage of the finding.
To help guide the triage, analysts can use the Detective guidance provided for each visualization. The guidance outlines the displayed information, suggests questions for analysts to ask, and proposes next steps based on the answers..
From the finding profile, analysts can pivot to entity profiles to dive deeper into a specific asset that is involved with the finding.
04
Once they determine whether a finding is a true or false positive, analysts update the finding status in the original service

For GuardDuty findings, Detective provides an option to archive the finding.