
Amazon Detective (Specialized, 2019 onward)

A service that automatically links security findings with log data so analysts can investigate root causes

What It Does

Amazon Detective is a service for investigating and analyzing the root causes of security incidents in your AWS environment. It automatically collects VPC Flow Logs, CloudTrail logs, and GuardDuty findings and integrates them into a behavior graph, a graph model of the relationships between resources (IAM principals, EC2 instances, IP addresses) and the activity between them. Security analysts can quickly understand the relationships and impact of suspicious activities through visual dashboards.

Use Cases

It is used for detailed investigation of suspicious API calls detected by GuardDuty, analysis of abnormal behavior patterns of IAM users and roles, and tracking suspicious communications from EC2 instances. It is especially effective when you need to quickly determine 'who did what, and when' during a security incident to prioritize your response.

Everyday Analogy

Think of it like an investigation board in a detective show. When a case (security incident) occurs, Detective automatically gathers related evidence (log data) and creates a relationship map (resource connections). The investigator (security analyst) can trace the suspect's (attacker's) actions chronologically by looking at the board.

What Is Detective?

Amazon Detective is a service that assists with security incident investigations. AWS environments generate massive volumes of logs every day, and manually investigating these logs when a security issue occurs is extremely time-consuming. Detective automatically collects and analyzes log data, presenting it in a visually intuitive format to dramatically reduce investigation time.

Data Sources and Analysis

Detective automatically ingests CloudTrail management events, VPC Flow Logs, and GuardDuty findings as its core data sources; EKS audit logs are an optional data source package you can turn on per behavior graph. It integrates this data into a graph database and builds relationships between resources. For example, you can visualize which EC2 instances an IAM user accessed and which IP addresses those instances communicated with, all as a connected flow.
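The "connected flow" described above, rebuilt in miniature as an added example (this is not Detective's own code or data): a few constructed CloudTrail events and VPC Flow Log lines (default v2 format) are linked through an ENI-to-instance mapping into a small entity graph, then queried the way an analyst pivots in Detective, from a principal to the instances it acted on, to the remote peers those instances contacted after the principal touched them. All principals, instance IDs, ENIs, IP addresses and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (not real AWS records). CloudTrail management events
# are flattened to the fields the pivot needs; flow logs use the default v2 field
# order (version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status).
CLOUDTRAIL = [
    # (eventTime, principal, eventName, sourceIPAddress, instanceId touched or None)
    ("2024-05-01T10:00:00Z", "alice", "ConsoleLogin", "203.0.113.10", None),
    ("2024-05-01T10:05:00Z", "alice", "StartInstances", "203.0.113.10", "i-0a1b2c"),
    ("2024-05-01T10:07:00Z", "alice", "StartInstances", "203.0.113.10", "i-0d4e5f"),
    ("2024-05-01T11:00:00Z", "bob", "DescribeInstances", "198.51.100.7", None),
]
FLOW_LOGS = """\
2 123456789012 eni-aaa 10.0.1.5 198.51.100.200 49152 443 6 10 8400 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-aaa 10.0.1.5 192.0.2.44 49200 4444 6 200 160000 1714558200 1714558260 ACCEPT OK
2 123456789012 eni-bbb 10.0.1.6 192.0.2.44 49300 4444 6 50 40000 1714558320 1714558380 ACCEPT OK
2 123456789012 eni-ccc 10.0.2.9 198.51.100.200 49400 443 6 5 4200 1714558400 1714558460 ACCEPT OK
"""
# Detective resolves network interfaces to instances from EC2 metadata; here it is a fixed map.
ENI_TO_INSTANCE = {"eni-aaa": "i-0a1b2c", "eni-bbb": "i-0d4e5f", "eni-ccc": "i-0f9e8d"}


def _epoch(iso_time):
    """CloudTrail eventTime (ISO 8601, UTC) to the epoch seconds used by flow logs."""
    dt = datetime.strptime(iso_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_graph(cloudtrail, flow_log_text, eni_to_instance):
    """Build the entity graph: principal -> {instance: first-touch epoch},
    principal -> {source IPs}, instance -> [(remote ip, remote port, bytes, start)]."""
    graph = {
        "principal_to_instance": defaultdict(dict),
        "principal_source_ips": defaultdict(set),
        "instance_to_remote": defaultdict(list),
    }
    for when, principal, _event, src_ip, instance in cloudtrail:
        graph["principal_source_ips"][principal].add(src_ip)
        if instance:
            graph["principal_to_instance"][principal].setdefault(instance, _epoch(when))
    for line in flow_log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":  # ignore malformed or rejected flows
            continue
        eni, dst, dst_port, nbytes, start = f[2], f[4], int(f[6]), int(f[9]), int(f[10])
        instance = eni_to_instance.get(eni)
        if instance:
            graph["instance_to_remote"][instance].append((dst, dst_port, nbytes, start))
    return graph


def investigate(graph, principal):
    """Pivot from a principal: for each instance it acted on, the remote (ip, port)
    peers that instance talked to at or after the principal's first action on it,
    with bytes summed. Flows from before the action are left out of the window."""
    findings = {}
    for instance, touched_at in graph["principal_to_instance"][principal].items():
        peers = defaultdict(int)
        for dst, port, nbytes, start in graph["instance_to_remote"][instance]:
            if start >= touched_at:
                peers[(dst, port)] += nbytes
        findings[instance] = dict(peers)
    return findings


def shared_peers(findings):
    """Remote (ip, port) pairs contacted by more than one of the touched instances,
    a common pattern when several hosts beacon to the same external endpoint."""
    seen = defaultdict(set)
    for instance, peers in findings.items():
        for peer in peers:
            seen[peer].add(instance)
    return {peer: sorted(insts) for peer, insts in seen.items() if len(insts) > 1}


if __name__ == "__main__":
    g = build_graph(CLOUDTRAIL, FLOW_LOGS, ENI_TO_INSTANCE)
    hits = investigate(g, "alice")
    print("alice signed in from", g["principal_source_ips"]["alice"])
    for instance, peers in hits.items():
        print(instance, "->", peers)
    print("peers shared across instances:", shared_peers(hits))
```

Running this shows that both instances alice started went on to talk to the same external host on port 4444, while the earlier 443 flow from the first instance falls outside the window because it predates her action. That is the kind of cross-source linkage (an API call in CloudTrail tied to later network activity in flow logs) that is tedious to do by hand across raw logs.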

Integration with GuardDuty

Detective works closely with GuardDuty. When GuardDuty detects a threat, you can pivot from the finding into Detective with a single click from the GuardDuty console. If GuardDuty reports a suspicious API call, Detective lets you examine the activity before and after that call, the related resources, and how the behavior differs from the principal's normal patterns.

Getting Started

To get started with Detective, enable it in the Detective console (or with the CreateGraph API). GuardDuty must already be enabled, and it must have been enabled for at least 48 hours before Detective can be turned on. Detective ingests data from the point of enablement onward; it does not backfill older logs, so it takes time for the behavior graph to fill in and for baselines of normal activity to form. Once data has accumulated, you can select findings or resources to begin your investigation.
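An added example (not the page's or AWS's own code) of the same enablement steps done through the API with boto3, which the console performs for you: confirm a GuardDuty detector exists and is at least 48 hours old, create the behavior graph with CreateGraph (or reuse an existing one from ListGraphs), and turn on the optional EKS audit log source with UpdateDatasourcePackages. The operation names are the real Detective and GuardDuty ones; boto3 being installed, configured credentials, and the region are assumptions, and the timestamps in the age check are invented.

```python
from datetime import datetime, timedelta, timezone

# Detective prerequisite: GuardDuty must have been enabled in the account for
# at least 48 hours before the behavior graph can be created.
MIN_GUARDDUTY_AGE = timedelta(hours=48)


def _parse_aws_time(value):
    """Parse the ISO 8601 timestamps GuardDuty returns (e.g. '2024-04-28T09:00:00.000Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def guardduty_age_ok(created_at, now=None):
    """True if a GuardDuty detector created at `created_at` is old enough for
    Detective to be enabled. `now` is an ISO 8601 string (useful for testing)
    or None to use the wall clock."""
    current = _parse_aws_time(now) if now else datetime.now(timezone.utc)
    return current - _parse_aws_time(created_at) >= MIN_GUARDDUTY_AGE


def enable_detective(session, region, enable_eks_audit=True):
    """Check the GuardDuty prerequisite, then create (or reuse) the Detective
    behavior graph and optionally enable the EKS audit log data source package.
    `session` is a boto3.Session (assumption: boto3 installed, credentials set)."""
    gd = session.client("guardduty", region_name=region)
    det = session.client("detective", region_name=region)

    detector_ids = gd.list_detectors().get("DetectorIds", [])
    if not detector_ids:
        raise RuntimeError(f"GuardDuty is not enabled in {region}; enable it first")
    created_at = gd.get_detector(DetectorId=detector_ids[0])["CreatedAt"]
    if not guardduty_age_ok(created_at):
        raise RuntimeError(
            f"GuardDuty detector created at {created_at}; Detective needs it to be 48h old"
        )

    # One behavior graph per account and region: reuse it if it already exists.
    graphs = det.list_graphs().get("GraphList", [])
    graph_arn = graphs[0]["Arn"] if graphs else det.create_graph()["GraphArn"]

    if enable_eks_audit:
        # CloudTrail, VPC Flow Logs and GuardDuty findings are the core package
        # and are on by default; EKS audit logs are an optional package.
        det.update_datasource_packages(GraphArn=graph_arn, DatasourcePackages=["EKS_AUDIT"])
    return graph_arn


if __name__ == "__main__":
    import boto3  # assumption: boto3 is installed and AWS credentials are configured

    print(enable_detective(boto3.Session(), region="us-east-1"))
```

The age check is separated from the API calls so the prerequisite can be unit-tested without credentials; in practice the remaining failure you will see most often is a CreateGraph call made too soon after GuardDuty was enabled, which this script refuses up front with a clear message instead of an API error.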

Things to Watch Out For

  • GuardDuty must be enabled (and have been enabled for at least 48 hours) before activating Detective, as GuardDuty findings are a primary data source for Detective
  • Pricing is based on the volume of log data ingested, so estimate costs in advance for large-scale environments
  • Detective is an investigation and analysis tool. Threat detection is handled by GuardDuty, and finding aggregation and response automation by Security Hub. Using all three services together is most effective