Posted On: Jan 21, 2021

Amazon Detective now provides enhanced IP address analytics, enabling faster security investigations. With this new capability you can answer questions about a specific IP address such as “how long has this IP address been interacting with the resources in my accounts?”, “which of my EC2 instances did this IP address communicate with?”, “what were the data volumes exchanged with this IP address, and on which ports did the communication occur?”, or “which users and roles invoked API operations from this IP address?”. By answering questions such as these, Detective lets security analysts quickly characterize an IP address’s behavior and diagnose security incidents.

Once enabled, Detective automatically and cost-effectively processes all VPC flow records and CloudTrail management events across enabled accounts, collating this data by observed resources such as an IP address. Security analysts can quickly visualize and examine aggregations of an IP address’s network and API activity, as well as its resource interactions, in Detective. These IP address details can be reached either by searching for the IP address under investigation or by navigating to them from a security investigation already under way in Detective for resources that may have interacted with the IP address. When viewing an IP address’s details, Detective now lets security analysts examine the actual users and roles that invoked API operations from that IP address. Security analysts can also use Detective to examine a visual summary of inbound and outbound network traffic patterns involving the IP address and drill down into the traffic details for interactions between the IP address and EC2 instances across covered accounts. Detective retains collected summaries and analytics from ingested logs for 12 months, making historical activity easy to examine.
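To make concrete what "collating by IP address" across the two log sources means, here is an added example (not Detective's own code or data) that builds an IP profile answering the four questions above from constructed VPC flow log records and CloudTrail management events. Flow records identify a network interface rather than an instance, so the ENI-to-instance map is an assumption standing in for the inventory Detective maintains; bytes on REJECTed flows are counted separately, since they were attempted rather than exchanged.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed VPC flow log records in the default (v2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44312 22 6 12 1840 1611180000 1611180060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.5 203.0.113.9 22 44312 6 10 2300 1611180000 1611180060 ACCEPT OK
2 111122223333 eni-0e5f6a7b 203.0.113.9 10.0.2.7 51000 443 6 3 280 1611266400 1611266460 REJECT OK
"""
# Assumed ENI-to-instance mapping (flow records carry the interface id, not the instance id).
ENI_TO_INSTANCE = {"eni-0a1b2c3d": "i-0aaa111", "eni-0e5f6a7b": "i-0bbb222"}

# Constructed CloudTrail management events, trimmed to the fields used here.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2021-01-20T22:05:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2021-01-21T22:10:00Z", "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/s1"}},
    {"eventTime": "2021-01-21T22:11:00Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]

def _epoch(ts):
    """CloudTrail eventTime (ISO 8601, UTC) -> epoch seconds, comparable with flow log start/end."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())

def ip_profile(ip, flow_text=FLOW_LOGS, events=CLOUDTRAIL_EVENTS):
    """Collate both log sources for one IP: time span, instances, bytes per port, principals."""
    seen = []                      # epoch seconds from every record that involves the IP
    instances = set()
    bytes_by_port = defaultdict(lambda: {"inbound": 0, "outbound": 0, "rejected": 0})
    for line in flow_text.splitlines():
        f = line.split()
        src, dst, sport, dport, nbytes, action = f[3], f[4], int(f[5]), int(f[6]), int(f[9]), f[12]
        if ip not in (src, dst):
            continue
        seen += [int(f[10]), int(f[11])]
        instances.add(ENI_TO_INSTANCE.get(f[2], f[2]))
        # Direction is relative to the EC2 instance; the port recorded is the instance-side port.
        direction, port = ("inbound", dport) if src == ip else ("outbound", sport)
        bytes_by_port[port]["rejected" if action == "REJECT" else direction] += nbytes
    principals = set()
    for ev in events:
        if ev["sourceIPAddress"] == ip:
            seen.append(_epoch(ev["eventTime"]))
            principals.add(ev["userIdentity"]["arn"])
    return {"first_seen": min(seen, default=None), "last_seen": max(seen, default=None),
            "instances": sorted(instances), "principals": sorted(principals),
            "bytes_by_port": {p: dict(v) for p, v in sorted(bytes_by_port.items())}}
```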

These new capabilities simplify security analysis for your security and operations teams by enabling a quick assessment of an IP address’s activity across enabled AWS accounts and resources. Instead of exporting, storing, and analyzing VPC flow and CloudTrail data in a custom or third-party tool, you can let Amazon Detective do the heavy lifting while you focus on quickly answering your investigative questions. Enhanced IP analytics is available now in all of Detective’s supported regions and is included at no extra cost as part of your service subscription.

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues. To get started, enable a 30-day free trial of Amazon Detective with just a few clicks in the AWS Management Console. See the AWS Regions page for all the regions where Detective is available. To learn more, visit the Amazon Detective product page.