AWS security services such as Amazon GuardDuty, Amazon Macie, and AWS Security Hub, along with partner security products, can be used to identify potential security issues, or findings. These services are very useful for alerting you when something is wrong and suggesting how to fix it. Determining the root cause of a security finding, however, can be a labor-intensive process: it often involves collecting and combining logs from many separate data sources, using extract, transform, and load (ETL) tools or custom scripting to organize the data, and then having security analysts examine the data and conduct lengthy investigations.
Amazon Detective simplifies this process by enabling your security teams to easily investigate and quickly get to the root cause of a finding. Amazon Detective can analyze trillions of events from multiple data sources, including Amazon Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can see all of the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
- 01
The first step is to select a finding to triage
When looking at a finding in GuardDuty or AWS Security Hub, analysts can choose to investigate the finding in Detective.
- 02
From within Detective, analysts can use the Detective search function to find and select a finding to triage
Selecting the finding takes the analyst to the finding profile in Detective.
- 03
The finding profile contains a set of visualizations
The visualizations are generated from the behavior graph. The behavior graph in turn is created from the log files and other data that are fed into Detective.
Most of the visualizations show activity related to the entity or entities involved in the finding (for example, the EC2 instance, the IAM principal, or the remote IP address). Analysts use these visualizations to answer the questions that are critical to completing the triage of the finding.
To help guide the triage, analysts can use the Detective guidance provided for each visualization. The guidance explains the displayed information, suggests questions for analysts to ask, and proposes next steps based on the answers.
From the finding profile, analysts can pivot to entity profiles to dive deeper into a specific asset involved in the finding.
- 04
Once they determine whether a finding is a true or false positive, analysts update the finding status in the original service
For GuardDuty findings, Detective provides an option to archive the finding.
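The four steps above are a console workflow, but the same triage logic can be scripted. The following is an added example, not code from Amazon or from this page: it takes a GuardDuty finding, lists the entities an analyst would pivot to in Detective (step 3), computes the time window to drill into, and records the verdict in the originating service by archiving the finding in GuardDuty when it is judged a false positive (step 4). The finding is constructed for this example and follows the camelCase layout of the GuardDuty finding JSON; the detector ID is hypothetical, and the GuardDuty client is injected so the code runs offline with the recording stub, while `archive_findings(DetectorId=..., FindingIds=[...])` matches the boto3 GuardDuty client method so a real `boto3.client("guardduty")` can be passed in instead.

```python
"""Offline helper for the GuardDuty -> Detective triage workflow.

Added example, not Amazon's code. SAMPLE_FINDING is constructed and
uses the camelCase keys of the GuardDuty finding JSON export; the
detector ID used below is hypothetical.
"""
from datetime import datetime, timedelta

# Constructed sample finding: an inbound SSH brute-force attempt against
# an EC2 instance, in the shape of the GuardDuty finding format.
SAMPLE_FINDING = {
    "id": "example-finding-id",
    "accountId": "111122223333",
    "region": "us-east-1",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "severity": 5.0,
    "resource": {
        "resourceType": "Instance",
        "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
    },
    "service": {
        "archived": False,
        "count": 42,
        "eventFirstSeen": "2024-03-01T10:00:00Z",
        "eventLastSeen": "2024-03-01T11:30:00Z",
        "action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
            },
        },
    },
}


def extract_entities(finding):
    """Return (entity_type, identifier) pairs that correspond to the
    Detective entity profiles an analyst pivots to: the account, the
    affected resource or credential, and any remote IP or domain."""
    entities = [("AWS account", finding["accountId"])]
    res = finding.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "Instance":
        entities.append(("EC2 instance", res["instanceDetails"]["instanceId"]))
    elif rtype == "AccessKey":
        ak = res["accessKeyDetails"]
        kind = "AWS role" if ak.get("userType") == "AssumedRole" else "AWS user"
        entities.append((kind, ak.get("userName")))
        entities.append(("Access key", ak.get("accessKeyId")))
    elif rtype == "S3Bucket":
        for bucket in res.get("s3BucketDetails", []):
            entities.append(("S3 bucket", bucket["name"]))
    action = finding.get("service", {}).get("action", {})
    atype = action.get("actionType")
    if atype == "NETWORK_CONNECTION":
        ip = action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
        entities.append(("IP address", ip))
    elif atype == "AWS_API_CALL":
        ip = action["awsApiCallAction"].get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            entities.append(("IP address", ip))
    elif atype == "DNS_REQUEST":
        entities.append(("Domain", action["dnsRequestAction"]["domain"]))
    return entities


def scope_window(finding, padding=timedelta(hours=1)):
    """Time window to drill into: the finding's first/last-seen span,
    padded on both sides so activity just before and after is visible."""
    svc = finding["service"]
    first = datetime.fromisoformat(svc["eventFirstSeen"].replace("Z", "+00:00"))
    last = datetime.fromisoformat(svc["eventLastSeen"].replace("Z", "+00:00"))
    return first - padding, last + padding


def triage(finding, verdict, guardduty_client, detector_id):
    """Record the analyst's verdict in the originating service.

    'false_positive' archives the finding in GuardDuty (the option the
    Detective finding profile also offers); 'true_positive' leaves it
    open for response. Returns the action taken."""
    if verdict not in ("true_positive", "false_positive"):
        raise ValueError(f"unknown verdict: {verdict}")
    if finding["service"].get("archived"):
        return "already_archived"
    if verdict == "false_positive":
        guardduty_client.archive_findings(
            DetectorId=detector_id, FindingIds=[finding["id"]]
        )
        return "archived"
    return "escalated"


class RecordingGuardDutyClient:
    """Stand-in for boto3's GuardDuty client that records archive calls."""

    def __init__(self):
        self.archived = []

    def archive_findings(self, DetectorId, FindingIds):
        self.archived.extend(FindingIds)
        return {}


if __name__ == "__main__":
    for etype, ident in extract_entities(SAMPLE_FINDING):
        print(f"pivot to {etype}: {ident}")
    start, end = scope_window(SAMPLE_FINDING)
    print("drill into", start.isoformat(), "->", end.isoformat())
    client = RecordingGuardDutyClient()
    print(triage(SAMPLE_FINDING, "false_positive", client, "example-detector-id"))
```

The client is passed in rather than created inside `triage` so the verdict logic can be exercised without credentials, and so the archive call is the only side effect and happens only on an explicit false-positive verdict; a finding that GuardDuty already marks as archived is left alone.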
More complete information about the product and its documentation is available on the official Amazon website.