Amazon Detective features

Why Amazon Detective?

Amazon Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

Amazon Detective can analyze trillions of events from multiple data sources such as Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and security findings from multiple services like Amazon GuardDuty, AWS Security Hub, and more. Detective automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Overview

Automatic data collection across all your AWS accounts

Amazon Detective automatically ingests and processes relevant data from all enabled accounts. You don't have to configure or enable any data sources. Amazon Detective collects and analyzes events from data sources such as AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, Amazon GuardDuty findings, AWS Security Hub findings, and other integrated AWS security services, and maintains up to a year of aggregated data for analysis.

Consolidates disparate events into a graph model

Amazon Detective can analyze trillions of events from various data types, including IP traffic, AWS management operations, and potentially malicious or unauthorized activities. Detective constructs a graph model using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations. The pre-built graph model contains security-related relationships and offers contextual and behavioral insights that enable you to quickly validate, compare, and correlate the data to reach conclusions. Amazon Detective’s visualizations are powered by the graph model, enabling you to rapidly answer your investigative questions without the complexity of querying raw logs. For example, the graph provides context and relationships, such as when an IP address connects to an EC2 instance and which API calls a role made during a specific time period.

Interactive visualizations for efficient investigation

Amazon Detective provides interactive visualizations and insights using generative AI, making it easier to investigate issues faster and more thoroughly with less effort. With a unified view that enables you to visualize all the context and natural language summaries in one place, it becomes easier to identify patterns that can validate or refute a security issue and to understand all of the impacted resources within a security finding. Using these visualizations and insights, you can more easily filter large sets of event data into specific timelines, with all the details, context, and guidance to help you quickly investigate. Amazon Detective enables you to view login attempts by geolocation, drill down into relevant historical activities, and quickly determine a root cause and, if necessary, take action to resolve the issue.

Newly observed geolocations

Overall API call volume

The graph visualization shows you related AWS security findings and affected resources from a single security event, such as EC2 instances, IAM roles and users, S3 buckets, and IP addresses. The insights describe the events that took place during the security event in natural language to help you understand the chain of events. This helps you investigate unusual or suspicious activity more quickly and with less effort. The Overall API call volume view shows you successful and failed calls in a specific time period and compares them to the established baseline. This helps you identify patterns of abnormal activity and validate a security finding.
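As an added illustration of the two ideas described above (the entity graph linking IPs, principals, API calls and resources, and the success/failure call volume compared against a baseline), the following Python builds both from a handful of constructed, simplified CloudTrail-like records. This is not Amazon Detective's code or API; the record fields, the sample events, and the per-hour baseline are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed, simplified CloudTrail-like records (not real log data). Only the
# fields this example needs are present; real CloudTrail records carry far more.
EVENTS = [
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "DescribeInstances",
     "principal": "role/AppRole", "sourceIPAddress": "203.0.113.10",
     "resource": "i-0aaa111", "errorCode": None},
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "GetObject",
     "principal": "role/AppRole", "sourceIPAddress": "203.0.113.10",
     "resource": "s3://app-bucket", "errorCode": None},
    {"eventTime": "2024-05-01T11:10:00Z", "eventName": "DescribeInstances",
     "principal": "role/AppRole", "sourceIPAddress": "203.0.113.10",
     "resource": "i-0aaa111", "errorCode": None},
    # Hour 12: a previously unseen IP uses the same role and produces a burst
    # of AccessDenied errors against resources the role never touched before.
    {"eventTime": "2024-05-01T12:01:00Z", "eventName": "ListBuckets",
     "principal": "role/AppRole", "sourceIPAddress": "198.51.100.7",
     "resource": "*", "errorCode": None},
    {"eventTime": "2024-05-01T12:02:00Z", "eventName": "GetObject",
     "principal": "role/AppRole", "sourceIPAddress": "198.51.100.7",
     "resource": "s3://finance-bucket", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T12:03:00Z", "eventName": "GetObject",
     "principal": "role/AppRole", "sourceIPAddress": "198.51.100.7",
     "resource": "s3://finance-bucket", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T12:04:00Z", "eventName": "GetObject",
     "principal": "role/AppRole", "sourceIPAddress": "198.51.100.7",
     "resource": "s3://hr-bucket", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T12:06:00Z", "eventName": "PutUserPolicy",
     "principal": "role/AppRole", "sourceIPAddress": "198.51.100.7",
     "resource": "user/backup", "errorCode": "AccessDenied"},
]

# Constructed baseline: what a "normal" hour looks like for this account.
BASELINE = {"success": 2, "failed": 0}


def hour_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp to the start of its hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0)


def build_graph(events):
    """Entity graph as (source, relation, target) edges: an IP 'used' a
    principal, and a principal performed an API action on a resource."""
    edges = set()
    for e in events:
        edges.add((e["sourceIPAddress"], "used", e["principal"]))
        edges.add((e["principal"], e["eventName"], e["resource"]))
    return edges


def entities_reached_from(edges, start):
    """Every entity reachable from one starting node (e.g. a suspicious IP),
    following edges in their direction; a simple depth-first walk."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for src, _, dst in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def api_call_volume(events):
    """Per-hour count of successful and failed API calls."""
    volume = defaultdict(Counter)
    for e in events:
        status = "failed" if e["errorCode"] else "success"
        volume[hour_bucket(e["eventTime"])][status] += 1
    return volume


def abnormal_hours(volume, baseline, factor=2.0):
    """Hours whose failed-call count exceeds `factor` times the baseline
    (any failure at all when the baseline for failures is zero)."""
    threshold = baseline["failed"] * factor
    return [hour for hour, counts in sorted(volume.items())
            if counts["failed"] > threshold]


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    print("reached from 198.51.100.7:", sorted(entities_reached_from(graph, "198.51.100.7")))
    volume = api_call_volume(EVENTS)
    for hour, counts in sorted(volume.items()):
        print(hour.isoformat(), dict(counts))
    print("abnormal hours:", [h.isoformat() for h in abnormal_hours(volume, BASELINE)])
```

Two design points worth noting. The reachability walk collapses time: starting from the new IP it reaches every resource the role ever touched, including the instance queried from the original IP an hour earlier, which is exactly why a time-scoped view (as the page describes Detective's) matters when deciding which resources were actually affected. And the baseline comparison is only as good as the baseline; a constant per-hour value is used here for clarity, whereas a real baseline would be derived from the account's own history.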


More features

Seamless integration for investigating a security finding

Amazon Detective is integrated with AWS security services such as Amazon GuardDuty, AWS Security Hub, Amazon Inspector, and Amazon Security Lake, as well as AWS Partner security products, to help you quickly investigate security findings identified in these services. In a single step from these integrated services, you can go to Amazon Detective and immediately see events related to findings, drill down into relevant historical activities, and investigate the issue. For example, from an Amazon GuardDuty finding, you can launch Amazon Detective by choosing “Investigate in Detective”, which provides instant insight into the relevant activity for the involved resource. From Detective you can query and retrieve log sources stored in Amazon Security Lake without having to craft queries or leave the Detective console.

Security investigation support for Amazon GuardDuty Runtime Monitoring

Amazon Detective supports security investigations for GuardDuty ECS and EKS Runtime Monitoring, providing enhanced visualizations and additional context for new threat detections. You can use the runtime threat detections from GuardDuty and the investigative capabilities from Detective to improve your detection and response for potential threats to your container workloads. Detective supports the investigation of these new detections by including them in finding groups, visualizations, and other summaries for faster security investigations.

Simple deployment with no upfront data source integration or complex configurations to maintain

With a few steps in the AWS Management Console, you can enable Amazon Detective. There is no software to deploy, no agents to install, and no complex configurations to maintain. There are also no data sources to enable, which means you do not have to incur the costs of data source enablement, data transfer, and data storage.