Introduction
Amazon Detective is an AWS service that makes it simple to investigate, analyze, and quickly identify the root cause of potential security issues or suspicious activity. It automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked data set, so security investigations are faster and more effective.
Detective retains up to a year of historical data and presents it as a set of visualizations that show changes in the type and volume of activity over a chosen time range, which lets you compare what happened around a finding with what is normal for that account, principal, or resource. This article covers Amazon Detective in detail.
How Does Detective Work?
Detective automatically pulls time-based events such as login attempts, API calls, and network activity from AWS CloudTrail and Amazon VPC Flow Logs, and ingests Amazon GuardDuty findings. It can also ingest Amazon EKS audit logs and findings forwarded to AWS Security Hub.
From these events, Detective uses machine learning and visualization to build an interactive, unified view of your resources' behavior and the interconnections between them over time. You can explore this behavior graph for unusual activity, such as suspicious API calls or failed login attempts, and see how that activity affects resources such as Amazon EC2 instances and AWS accounts.
Who Uses Detective?
When an account enables Detective, it becomes the administrator account for a behavior graph. A behavior graph is the linked set of data extracted and analyzed from one or more AWS accounts. The administrator account invites member accounts to contribute their data to its behavior graph; an invited account must accept the invitation before its data is included.
For AWS Organizations, the organization management account designates a Detective administrator account for the organization. That delegated administrator account can then enable any organization account as a member of the organization behavior graph, without sending invitations.
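The administrator-side flow described above, as an added example in Python with boto3 (not code from the page or from AWS): create or reuse the behavior graph, invite member accounts in batches, and, for an organization, delegate a Detective administrator and turn on auto-enable. It assumes credentials for the administrator account, the us-east-1 Region, that GuardDuty has been enabled in that account for at least 48 hours (a Detective prerequisite), and constructed account IDs and e-mail addresses; the boto3 import is deferred so the validation and batching helpers run without the SDK installed.

```python
"""Enable Amazon Detective and manage behavior-graph members with boto3.

Added example, not AWS or page code. Assumes credentials for the account
that will administer the behavior graph and that GuardDuty has been
enabled there for at least 48 hours (a Detective prerequisite). boto3 is
imported only where AWS is actually called.
"""
from __future__ import annotations

import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
CREATE_MEMBERS_BATCH = 50  # CreateMembers accepts up to 50 accounts per call


def is_valid_account_id(account_id: str) -> bool:
    return bool(ACCOUNT_ID_RE.match(account_id))


def validate_accounts(accounts):
    """accounts: iterable of (account_id, email) pairs.
    Rejects malformed IDs and emails and drops duplicates, so a typo
    cannot silently invite the wrong account into the graph."""
    seen, clean = set(), []
    for account_id, email in accounts:
        if not is_valid_account_id(account_id):
            raise ValueError(f"bad AWS account id: {account_id!r}")
        if "@" not in email:
            raise ValueError(f"bad email for {account_id}: {email!r}")
        if account_id not in seen:
            seen.add(account_id)
            clean.append({"AccountId": account_id, "EmailAddress": email})
    return clean


def batches(items, size=CREATE_MEMBERS_BATCH):
    return [items[i:i + size] for i in range(0, len(items), size)]


def get_or_create_graph(detective) -> str:
    """Return the administrator's behavior-graph ARN, creating the graph
    (which is what enabling Detective means) if this account has none."""
    graphs = detective.list_graphs().get("GraphList", [])
    if graphs:
        return graphs[0]["Arn"]
    return detective.create_graph()["GraphArn"]


def invite_members(detective, graph_arn, accounts, message):
    """Invite accounts to the graph in batches.
    Returns (invited account ids, unprocessed entries with their Reason)."""
    invited, unprocessed = [], []
    for batch in batches(validate_accounts(accounts)):
        resp = detective.create_members(GraphArn=graph_arn, Message=message,
                                        Accounts=batch)
        invited.extend(m["AccountId"] for m in resp.get("Members", []))
        unprocessed.extend(resp.get("UnprocessedAccounts", []))
    return invited, unprocessed


def delegate_org_admin(detective_mgmt, admin_account_id: str) -> None:
    """Run with the Organizations management account's credentials:
    designate the Detective administrator for the organization."""
    if not is_valid_account_id(admin_account_id):
        raise ValueError(f"bad AWS account id: {admin_account_id!r}")
    detective_mgmt.enable_organization_admin_account(AccountId=admin_account_id)


def auto_enable_org_members(detective_admin, graph_arn: str) -> None:
    """Run with the delegated administrator's credentials: new organization
    accounts are added to the graph automatically, with no invitation."""
    detective_admin.update_organization_configuration(GraphArn=graph_arn,
                                                      AutoEnable=True)


if __name__ == "__main__":
    import boto3  # deferred so the helpers above run without the SDK

    detective = boto3.client("detective", region_name="us-east-1")
    graph_arn = get_or_create_graph(detective)
    # Constructed member account id and address.
    invited, unprocessed = invite_members(
        detective, graph_arn,
        [("222233334444", "secops@example.com")],
        "Please join the security team's Amazon Detective behavior graph.")
    print(graph_arn, invited, unprocessed)
```

The invited account accepts from its own credentials with `accept_invitation(GraphArn=...)`; until then it stays in the INVITED state and contributes no data. Check `unprocessed` after every run: an entry there, with its `Reason`, is the only signal that an account was not invited.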
Features of Amazon Detective
- It provides interactive visualizations for efficient investigation
Besides a unified view that shows all context and details in one place, Amazon Detective offers interactive visualizations that let users investigate issues faster and more thoroughly with less effort.
These make it easier to identify patterns that validate or rule out a security issue and to understand every resource affected by a finding. The visualizations let users filter large volumes of event data down to specific timelines, with the information, context, and guidance needed to conduct an investigation.
For example, users can view login attempts on a geographic map, drill into relevant historical activity, identify the root cause quickly and, if necessary, take action to remediate the issue.
- It consolidates disparate events into a graph model
Amazon Detective can analyze trillions of events from multiple data sources covering IP traffic, AWS management operations, and malicious or unauthorized activity, and distill them, using machine learning, statistical analysis, and graph theory, into a linked data set for security investigations. Because the graph model carries prebuilt security-relevant relationships along with contextual and behavioral insights, users can quickly validate, analyze, and correlate the data to reach a conclusion.
- It automates data collection across all AWS accounts
Users do not need to configure or enable data sources: Amazon Detective automatically ingests and processes the relevant data from every enabled account. It collects and analyzes AWS CloudTrail logs, VPC Flow Logs, and Amazon GuardDuty findings, among other sources, and retains up to a year of aggregated data for later investigation. The one prerequisite is that GuardDuty must have been enabled in the account for at least 48 hours before Detective can be enabled there.
- It provides seamless integration for investigating a security finding
Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub, and with AWS partner security products, so issues discovered in those services can be analyzed quickly. From a finding in one of those services, users can pivot into Detective with a single click, drill into the relevant historical activity, and start the investigation immediately. For example, choosing "Investigate with Detective" on an Amazon GuardDuty finding opens Detective on the activity of the resource in question, with the details and context needed to decide whether the finding reflects genuinely suspicious activity.
- It provides simple deployment with no upfront data source integration or complex configurations to maintain
There is no software to deploy, no agents to install, and no complex configuration to maintain. Because there are no data sources to activate, users also avoid the cost of activating sources and of transporting and storing the data themselves; the remaining cost is Detective's own per-GB ingestion charge, described under Pricing.
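The ingestion and graph model described under How Does Detective Work and in the graph-model feature above, reduced to a runnable toy in Python. This is an added example, not Detective's implementation or AWS code: Detective's real graph is built inside the service from far richer data. It uses constructed CloudTrail-style records, two constructed VPC Flow Log lines, a hard-coded ENI-to-instance mapping, and the assumption that the private address in a flow is the instance's own; the investigation then answers, for one IP, the questions an analyst asks in the Detective console, including whether the IP is new relative to activity before the scope window.

```python
"""Toy behavior graph in the spirit of Amazon Detective's graph model.

Added example, not AWS code. Entities (IAM principal, IP address, EC2
instance) become nodes, every CloudTrail event or VPC flow becomes a
timestamped edge, and an investigation walks the edges around a suspicious
IP and compares the scope window with earlier activity (the baseline).
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real logs). Only the fields the
# example reads are kept and the caller identity is flattened to "principal".
CLOUDTRAIL = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ListBuckets",
     "principal": "arn:aws:iam::111122223333:user/alice",
     "sourceIPAddress": "203.0.113.7", "errorCode": ""},
    {"eventTime": "2024-05-01T09:12:00Z", "eventName": "ConsoleLogin",
     "principal": "arn:aws:iam::111122223333:user/alice",
     "sourceIPAddress": "198.51.100.23", "errorCode": ""},
    {"eventTime": "2024-05-01T09:13:10Z", "eventName": "GetObject",
     "principal": "arn:aws:iam::111122223333:user/alice",
     "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T09:14:40Z", "eventName": "RunInstances",
     "principal": "arn:aws:iam::111122223333:user/alice",
     "sourceIPAddress": "198.51.100.23", "errorCode": ""},
]

# Constructed VPC Flow Log lines in the default version-2 field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 198.51.100.23 49152 4444 6 20 1500 1714554900 1714554960 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.1.20 443 49200 6 10 800 1714554900 1714554960 ACCEPT OK
"""

# Constructed ENI-to-instance mapping (Detective gets this from EC2 context).
ENI_TO_INSTANCE = {"eni-0a1b2c3d4e5f6a7b8": "i-0123456789abcdef0"}


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class BehaviorGraph:
    """Nodes are (kind, id) tuples; edges are (src, dst, relation, time, detail)."""

    def __init__(self) -> None:
        self.adj = defaultdict(list)  # node -> edges touching it, in arrival order

    def add_edge(self, src, dst, relation, when, detail=""):
        edge = (src, dst, relation, when, detail)
        self.adj[src].append(edge)
        self.adj[dst].append(edge)

    def neighbors(self, node):
        """Yield (other_node, time, detail) for every edge touching node."""
        for src, dst, _rel, when, detail in self.adj[node]:
            yield (dst if src == node else src), when, detail


def build_graph(cloudtrail, flow_logs, eni_to_instance) -> BehaviorGraph:
    g = BehaviorGraph()
    for ev in cloudtrail:  # principal --api_call--> source IP
        outcome = f'failed:{ev["errorCode"]}' if ev["errorCode"] else "ok"
        g.add_edge(("principal", ev["principal"]), ("ip", ev["sourceIPAddress"]),
                   "api_call", ts(ev["eventTime"]), f'{ev["eventName"]} {outcome}')
    for line in flow_logs.strip().splitlines():  # instance --flow--> peer IP
        f = line.split()
        eni, src, dst, action = f[2], f[3], f[4], f[12]
        # Assumption: the ENI's own address is the private side of the flow.
        peer = dst if ipaddress.ip_address(src).is_private else src
        when = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)
        g.add_edge(("instance", eni_to_instance.get(eni, eni)), ("ip", peer),
                   "flow", when, f"{action} dstport={f[6]}")
    return g


def investigate_ip(g: BehaviorGraph, ip: str, scope_start, scope_end) -> dict:
    """What an analyst asks about an IP: which principals used it, which API
    calls (and failures) came from it, which instances talked to it, and
    whether it is new, i.e. absent from all activity before the scope window."""
    report = {"principals": set(), "calls": [], "failed_calls": [],
              "instances": set(), "new_in_scope": True}
    for (kind, ident), when, detail in g.neighbors(("ip", ip)):
        if when < scope_start:
            report["new_in_scope"] = False  # seen during the baseline period
            continue
        if when > scope_end:
            continue
        if kind == "principal":
            report["principals"].add(ident)
            report["calls"].append(detail)
            if " failed:" in detail:
                report["failed_calls"].append(detail)
        elif kind == "instance":
            report["instances"].add(ident)
    return report


if __name__ == "__main__":
    graph = build_graph(CLOUDTRAIL, FLOW_LOGS, ENI_TO_INSTANCE)
    scope = (ts("2024-05-01T09:00:00Z"), ts("2024-05-01T10:00:00Z"))
    for ip in ("198.51.100.23", "203.0.113.7"):
        print(ip, investigate_ip(graph, ip, *scope))
```

Run it and compare the two reports: 198.51.100.23 appears only inside the scope window, with a denied GetObject followed by a successful RunInstances, and an instance then opened a connection to it on port 4444, whereas 203.0.113.7 has baseline history and nothing in scope. Detective makes the same new-versus-baseline comparison, with up to a year of history, when it flags activity as new for a principal or resource.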
Benefits of Amazon Detective
Amazon Detective creates visualizations containing the data users need to investigate and respond to security findings. It retains up to a year of aggregated data, highlights changes in the type and volume of activity over a chosen time window, and connects those changes to security findings in easy-to-use visualizations. It automatically processes terabytes of event records about AWS management activity, IP traffic, and malicious or unauthorized behavior.
It arranges the data into a graph model that captures the security-relevant relationships in the user's AWS environment, then runs queries against that model to generate the visualizations used in investigations. The graph model is updated continuously as new data arrives from AWS resources, so users do not have to keep up with constantly changing data themselves.
To help users quickly analyze a security finding and determine its cause, Amazon Detective offers a unified view of user and resource interactions over time, with all context and data in one place.
Pricing
Amazon Detective pricing is based on the volume of data it ingests from sources such as AWS CloudTrail logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, findings forwarded to AWS Security Hub from integrated AWS services, and Amazon GuardDuty findings. You are charged per gigabyte (GB) ingested, per account, per Region, per month. There is no additional charge for enabling these log sources for analysis or for the data retained in Amazon Detective, which keeps up to a year of aggregated data; any trails or flow logs you enable for your own use are still billed by those services as usual. Amazon Detective is available in AWS Regions worldwide, and new accounts get a 30-day free trial.
Conclusion
Amazon Detective automatically extracts time-based events such as login attempts, API calls, and network activity from AWS CloudTrail and Amazon VPC Flow Logs, ingests Amazon GuardDuty findings, and links them into a behavior graph that analysts can open directly from a GuardDuty or Security Hub finding. With up to a year of history and no agents or data pipelines to maintain, it gives a security team a fast way to establish what a principal, IP address, or instance did around a finding, and whether that activity is new for the environment.