Security Investigation and Threat Analysis - Streamlining Incident Response with Amazon Detective

Learn how to use Amazon Detective for security incident investigation and threat analysis. This guide covers the detection-to-investigation workflow with GuardDuty integration and root cause identification through graph-based analysis.

Challenges of Security Investigation and Detective Overview

Rapidly identifying the root cause of a security incident is critical. However, cross-analyzing multiple data sources such as VPC Flow Logs, CloudTrail logs, and GuardDuty findings is time-consuming and requires deep expertise. Amazon Detective is a service that automatically collects and analyzes security data using machine learning, statistical analysis, and graph theory to quickly identify incident root causes. Starting from findings in GuardDuty, Security Hub, and other AWS security services, it automatically correlates related resources, IP addresses, and user activities. While on-premises SIEM tools require significant effort for log collection, normalization, and correlation rule configuration, Detective automates these tasks, letting security analysts focus on investigation. Detective's graph-based visualization lets you intuitively trace relationships between entities without writing queries.

Graph-Based Analysis and Behavioral Profiling

Detective's core technology is a graph database that represents relationships between AWS resources, IP addresses, IAM users, and API calls as a graph structure. This behavior graph is automatically built from up to 12 months of log data and learns normal behavior patterns as a baseline. When anomalous behavior is detected, you can visually trace related entities (resources, users, IP addresses) on the graph to quickly understand the attack path and blast radius. For example, when a suspicious API call is detected, it visualizes the IAM role that made the call, the EC2 instance that assumed the role, and the IP address that connected to the instance as a chain of relationships. Time-series analysis lets you review changes in API call volume, network traffic, and login patterns over specific periods to accurately pinpoint the incident's timing and duration. Here is an example of listing Detective behavior graphs using the AWS CLI.

```bash
aws detective list-graphs \
  --region ap-northeast-1
```

To check the status of the member accounts in a specific behavior graph, use the following command.

```bash
aws detective list-members \
  --graph-arn arn:aws:detective:ap-northeast-1:123456789012:graph:example \
  --region ap-northeast-1
```

GuardDuty Integration and Incident Response Workflow

The integration between Detective and GuardDuty enables a seamless workflow from threat detection to investigation. When GuardDuty detects suspicious activity, Detective automatically aggregates all entities and activities related to that finding. You can navigate directly from the GuardDuty console to Detective's investigation view and immediately begin detailed analysis. Detective's investigation summary feature automatically compiles key information related to a finding (affected resources, associated IP addresses, API call timeline), providing a starting point for investigation. Integration with Security Hub enables centralized management of findings from multiple security services with seamless transition to detailed investigation in Detective. AWS Organizations integration aggregates security data across the entire multi-account environment into a single behavior graph, enabling detection and investigation of cross-account attack patterns. Unlike Microsoft Sentinel, where incident investigation requires manually extracting data from Log Analytics workspaces using KQL, Detective displays the full picture of related entities from a GuardDuty finding with a single click, significantly reducing time to start investigation.

Automated Investigation and Threat Intelligence

Detective's automated investigation feature performs comprehensive security assessments on IAM users and IAM roles. It analyzes past activity for a specified entity, automatically detecting deviations from normal patterns, suspicious API calls, and anomalous network connections, then generates a report. Integration with threat intelligence feeds automatically flags communications with known malicious IP addresses and domains. Investigation results are categorized by severity, clearly identifying items that security analysts should prioritize. Integration with CloudWatch metrics enables monitoring of Detective usage and data ingestion volume for cost management. Combining Lambda functions with EventBridge enables automated responses to specific detection patterns. Here is an example EventBridge rule configuration that routes GuardDuty High-severity findings to Lambda.

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{ "numeric": [">=", 7] }]
  }
}
```

This configuration enables automated responses such as modifying security groups, restricting IAM policies, and sending SNS notifications, automating the initial response to incidents.
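As an added example (not code from the original page or from AWS), the decision logic of a Lambda function that consumes the finding events matched by the rule above: it reads the GuardDuty finding's severity, affected resource and remote IP, builds a response plan (isolate the instance or restrict the IAM principal, then notify via SNS) and returns the entities an analyst would pivot on in Detective. The sample event and the injectable `publish` callback are assumptions so the logic runs offline without AWS credentials.

```python
SEVERITY_THRESHOLD = 7.0  # same cut-off as the EventBridge pattern (High+)

# Constructed sample event in the shape EventBridge delivers for a GuardDuty
# finding; field names follow the GuardDuty finding format, values are made up.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id", "accountId": "123456789012",
        "region": "ap-northeast-1", "severity": 8,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {"networkConnectionAction": {
            "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}

def triage(event):
    """Pure decision logic: map one finding to a response plan and the
    entities (instance, principal, remote IP) to pivot on in Detective."""
    d = event["detail"]
    sev = float(d.get("severity", 0))
    plan = {"finding_id": d["id"], "type": d["type"], "severity": sev,
            "account": d["accountId"], "region": d["region"],
            "actions": [], "pivot": {}}
    if sev < SEVERITY_THRESHOLD:
        return plan  # below the rule's threshold: record only, no response
    res = d.get("resource", {})
    if res.get("resourceType") == "Instance":
        iid = res["instanceDetails"]["instanceId"]
        plan["pivot"]["instance_id"] = iid
        plan["actions"].append(f"isolate-instance:{iid}")  # e.g. quarantine SG
    elif res.get("resourceType") == "AccessKey":
        user = res["accessKeyDetails"].get("userName")
        plan["pivot"]["iam_principal"] = user
        plan["actions"].append(f"restrict-principal:{user}")  # e.g. deny policy
    ip = (d.get("service", {}).get("action", {}).get("networkConnectionAction", {})
          .get("remoteIpDetails", {}).get("ipAddressV4"))
    if ip:
        plan["pivot"]["remote_ip"] = ip
    plan["actions"].append("notify-sns")
    return plan

def lambda_handler(event, context, publish=None):
    """Lambda entry point; `publish` is a hypothetical SNS-publish callback."""
    plan = triage(event)
    if plan["actions"] and publish:
        publish(plan)
    return plan
```

In a deployed function, `publish` would wrap `sns.publish` and the planned actions would be carried out with the EC2 and IAM APIs; keeping the decision step pure makes it testable and auditable.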

Detective Pricing

Detective pricing is based on the volume of data ingested. The first 1,000 GB/month costs approximately 2.00 USD per GB, and the next 9,000 GB costs approximately 1.00 USD per GB. Data sources include CloudTrail logs, VPC Flow Logs, and GuardDuty findings, with costs varying based on log volume. A 30-day free trial lets you assess actual costs before production deployment. Weigh this cost against the analyst time saved when investigating GuardDuty findings and the resulting reduction in incident response time.

Summary - Building a Security Investigation Foundation

Amazon Detective is a service that uses graph-based analysis and machine learning to rapidly identify the root cause of security incidents. The seamless workflow from detection to investigation through GuardDuty integration, visualization of entity relationships through behavior graphs, and comprehensive security assessment through automated investigation significantly improve incident response efficiency. AWS Organizations integration for unified investigation across multi-account environments and threat intelligence feed integration for automatic detection of known threats contribute to strengthening the overall security posture. Compared to Microsoft Sentinel's KQL-based investigation, Detective provides an intuitive investigation experience through graph visualization and rapid investigation initiation with one-click navigation from GuardDuty.