Security

Investigating Security Incidents with Amazon Detective - Root Cause Identification Through Graph Analysis

Learn about investigating GuardDuty findings with Detective, entity profiles, and leveraging behavior graphs.

約 3 分で読めます

Detective Overview

Detective is a service that automatically analyzes security findings and investigates root causes. After GuardDuty notifies you of "suspicious API calls detected," Detective supports the investigation phase of digging into "who did what, when, and from where." It automatically aggregates CloudTrail, VPC Flow Logs, and GuardDuty findings, visualizing anomalous patterns through behavior graphs.

Behavior Graphs and Entity Profiles

Behavior graphs automatically aggregate CloudTrail, VPC Flow Logs, and GuardDuty findings, building relationships between entities (IAM users, roles, EC2 instances, IP addresses) in a graph database. Entity profiles maintain baseline behavioral patterns for specific IAM users or EC2 instances over the past 12 months (API call frequency, communication destination IPs, data transfer volumes), highlighting anomalous activity. When you pivot from a GuardDuty finding to Detective, behavioral timelines for related entities are displayed, enabling you to trace unauthorized access paths.

Investigation Workflow

Detective's investigation workflow starts from GuardDuty findings. Clicking a finding displays entity profiles for related IAM roles, EC2 instances, and IP addresses. Profiles visualize 12 months of API call patterns, network connections, and geographic connection sources in a timeline. You can visually identify anomalous patterns such as "this role suddenly accessed a service it normally doesn't" or "connections from unusual IP addresses increased." The Investigation feature automatically expands the investigation scope, tracing related entities in a chain. For detailed information about security investigation, you can also check related books on Amazon.

Detective Pricing

Detective pricing is based on the volume of data ingested. CloudTrail management events cost approximately $2 per GB, and VPC Flow Logs cost approximately $0.75 per GB. The first 30 days are a free trial, allowing you to estimate actual costs in advance. When aggregating data from all accounts through Organizations integration, data volumes can be large, so verify costs beforehand. Use GuardDuty data as the primary source, and enable VPC Flow Logs ingestion based on security requirements.

Summary

Detective is a service that investigates the root cause of security incidents using behavior graphs and entity profiles. Starting investigations from GuardDuty findings, it automatically aggregates CloudTrail and VPC Flow Logs data to visualize anomalies in API call patterns and network connections over the past 12 months in a timeline.

Related Services

Amazon DetectiveA service that automatically analyzes security findings and investigates root causesAmazon GuardDutyA machine learning-powered threat detection serviceAWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practices

Related Articles

Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident ResponseLearn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated ResponseAggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.Building a Security Data Lake with Amazon Security Lake - Unified Analysis in OCSF FormatLearn about Security Lake's automatic aggregation of CloudTrail, VPC Flow Logs, and Route 53 logs, OCSF normalization, and integration with subscribers.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Security Investigation and Threat Analysis - Streamlining Incident Response with Amazon DetectiveLearn how to use Amazon Detective for security incident investigation and threat analysis. This guide covers the detection-to-investigation workflow with GuardDuty integration and root cause identification through graph-based analysis.AWS Incident Response Toolchain - An Integrated Investigation Platform from CloudTrail to Security HubExplore the AWS incident response toolchain combining CloudTrail, Config, Detective, and Security Hub, and compare the investigation approach with Azure Sentinel.AWS Security Service Integration - Native Threat Detection from GuardDuty to Detective Without a SIEMWe explain the native threat detection mechanism through the integration of GuardDuty, Security Hub, Detective, and Macie, and compare the design philosophy differences with Azure Sentinel.Amazon GuardDutyA managed threat detection service that uses machine learning and threat intelligence to continuously monitor and detect threats across AWS accounts and workloads