Investigating Security Incidents with Amazon Detective - Root Cause Identification Through Graph Analysis
Learn about investigating GuardDuty findings with Detective, entity profiles, and leveraging behavior graphs.
Detective Overview
Detective is a service that automatically analyzes security findings and investigates root causes. After GuardDuty notifies you of "suspicious API calls detected," Detective supports the investigation phase of digging into "who did what, when, and from where." It automatically aggregates CloudTrail, VPC Flow Logs, GuardDuty findings, EKS audit logs, and S3 data events, visualizing anomalous patterns through behavior graphs. Detective uses internal ML models to automatically score deviation from baselines, eliminating the need for security analysts to manually correlate massive logs.
Behavior Graphs and Entity Profiles
Behavior graphs automatically aggregate CloudTrail, VPC Flow Logs, and GuardDuty findings, building relationships between entities (IAM users, roles, EC2 instances, IP addresses) in a graph database. Entity profiles maintain baseline behavioral patterns for specific IAM users or EC2 instances over the past 12 months (API call frequency, communication destination IPs, data transfer volumes), highlighting anomalous activity. When you pivot from a GuardDuty finding to Detective, behavioral timelines for related entities are displayed, enabling you to trace unauthorized access paths. The graph structure is built per region, and Organizations integration allows aggregating data from up to 1200 accounts into a single behavior graph.
Investigation Workflow
Detective's investigation workflow starts from GuardDuty findings. Clicking a finding displays entity profiles for related IAM roles, EC2 instances, and IP addresses. Profiles visualize 12 months of API call patterns, network connections, and geographic connection sources in a timeline. You can visually identify anomalous patterns such as "this role suddenly accessed a service it normally doesn't" or "connections from unusual IP addresses increased." The Investigation feature automatically expands the investigation scope, tracing related entities in a chain. The Finding Group feature groups related GuardDuty findings into a single attack scenario and provides a score indicating investigation priority. For detailed information about security investigation, you can also check related books on Amazon.
Detective Pricing
Detective pricing is based on the volume of data ingested. CloudTrail management events cost approximately $2 per GB, and VPC Flow Logs cost approximately $0.75 per GB. The first 30 days are a free trial, allowing you to estimate actual costs in advance. When aggregating data from all accounts through Organizations integration, data volumes can be large, so verify costs beforehand. Use GuardDuty data as the primary source, and enable VPC Flow Logs ingestion based on security requirements. During the free trial, the console displays estimated monthly costs, allowing you to confirm before production enablement.
Integration with GuardDuty and Security Hub
Detective integrates closely with GuardDuty and Security Hub, but each service has a distinctly different role. GuardDuty handles threat detection (notifying "what happened"), Security Hub handles aggregation and prioritization of findings (deciding "which is important"), and Detective handles the subsequent investigation (analyzing "why it happened and how far the impact extends"). You can pivot directly from the Security Hub console to Detective, and start an investigation with a single "Investigate in Detective" button on GuardDuty findings. However, Detective cannot perform detection on its own. If GuardDuty hasn't been enabled beforehand, Detective lacks sufficient source data to analyze. In practice, the standard flow is to enable GuardDuty across all regions and accounts, aggregate findings into Security Hub, then use Detective for deep-dive investigation on critical alerts.
Investigation Best Practices and Pitfalls
There are key considerations when using Detective in practice. First, immediately after enablement, the behavior graph isn't fully populated, so baseline accuracy is low. Normal behavior profiles begin accumulating about 2 weeks after enablement, reducing false positives. Second, when suspicious entities detected by the Investigation feature require immediate incident response (such as disabling access keys or revoking IAM role permissions), Detective cannot perform these actions directly. An architecture integrating with Systems Manager Automation runbooks or Step Functions is recommended. A common pitfall is that Detective builds behavior graphs per region, so if you operate across multiple regions, attacker activity spanning regions won't be consolidated into a single graph. Multi-region environments require checking Detective in each region separately.
Summary
Detective is a service that investigates the root cause of security incidents using behavior graphs and entity profiles. Starting investigations from GuardDuty findings, it automatically aggregates CloudTrail and VPC Flow Logs data to visualize anomalies in API call patterns and network connections over the past 12 months in a timeline. GuardDuty handles "detection," Security Hub handles "prioritization," and Detective handles "investigation" - combining all three streamlines the incident response cycle.