Posted On: Jan 22, 2021

Amazon GuardDuty has added Amazon Detective hyperlink pivots to make it even easier to jump from a GuardDuty security finding into a pre-populated Amazon Detective investigation experience.

Amazon GuardDuty continuously monitors for malicious or unauthorized behavior and generates security findings when such behavior is detected, which include details about the resources, users, IPs, domains, and actors involved. Amazon Detective complements Amazon GuardDuty by organizing and retaining log and event data from sources such as AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs into an analytics-driven graph model that summarizes resources, user behaviors, and associated interactions observed across a customer’s enabled accounts for up to the last 12 months. Detective uses this data to produce tailored visualizations that summarize workload and user behavior to help customers answer questions like, “what network activity has this EC2 instance been involved with?” or “which federated user invoked APIs that are associated with this security finding?” without having to organize any data or develop, configure, or tune their own queries and algorithms. These visualizations provide the details, context, and guidance that help security analysts quickly determine the nature and extent of issues identified by Amazon GuardDuty or similar security solutions.

Customers can pivot from the GuardDuty console to the Detective console using a finding, or a resource associated with the finding such as an EC2 instance, AWS account, IAM user, or IP address, as a starting point. Detective then provides visual summaries and details of the API and network activity that led to GuardDuty’s detection of the threat. Upon successful resolution, the finding can be archived in Detective, which results in the finding also being archived in GuardDuty. To learn more, see the Amazon GuardDuty integration with Amazon Detective User Guide.
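The starting points listed above (account, EC2 instance, IAM user, IP address) are all carried inside the GuardDuty finding itself, so an analyst or an automation can extract them before pivoting into Detective. The following is an added example, not code from AWS or from the GuardDuty/Detective integration: it parses constructed GuardDuty findings (field names follow the GuardDuty finding format; the account ID, instance ID, key IDs and IP addresses are made up) and returns the entities an analyst would pivot on, plus the `Service.Archived` flag that tells you whether the finding has already been closed. The entity labels (`AwsAccount`, `Ec2Instance`, `IamUser`, `Principal`, `IpAddress`) are this example's own names, not Detective API identifiers.

```python
import json
from typing import Dict, List, Optional

# Constructed sample 1: an EC2-focused finding. Values are made up.
SAMPLE_EC2_FINDING = json.loads("""
{
  "AccountId": "111122223333",
  "Region": "us-east-1",
  "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
  "Severity": 5,
  "Resource": {
    "ResourceType": "Instance",
    "InstanceDetails": {"InstanceId": "i-0abc123def4567890"}
  },
  "Service": {
    "Archived": false,
    "Action": {
      "ActionType": "NETWORK_CONNECTION",
      "NetworkConnectionAction": {
        "ConnectionDirection": "INBOUND",
        "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}
      }
    }
  }
}
""")

# Constructed sample 2: an IAM access-key finding driven by an API call.
SAMPLE_IAM_FINDING = json.loads("""
{
  "AccountId": "111122223333",
  "Region": "us-east-1",
  "Type": "Recon:IAMUser/MaliciousIPCaller",
  "Severity": 5,
  "Resource": {
    "ResourceType": "AccessKey",
    "AccessKeyDetails": {
      "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "PrincipalId": "AIDACKCEVSQ6C2EXAMPLE",
      "UserName": "alice",
      "UserType": "IAMUser"
    }
  },
  "Service": {
    "Archived": true,
    "Action": {
      "ActionType": "AWS_API_CALL",
      "AwsApiCallAction": {
        "Api": "DescribeInstances",
        "ServiceName": "ec2.amazonaws.com",
        "RemoteIpDetails": {"IpAddressV4": "203.0.113.7"}
      }
    }
  }
}
""")


def _remote_ip(action: dict) -> Optional[str]:
    """The remote IP sits under a different key per ActionType."""
    for key in ("NetworkConnectionAction", "AwsApiCallAction"):
        ip = action.get(key, {}).get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            return ip
    # Port probes carry a list of probe details, each with its own remote IP.
    for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
        ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            return ip
    return None


def pivot_entities(finding: dict) -> List[Dict[str, str]]:
    """Return the Detective starting points present in a finding, in the
    order an analyst usually pivots: account, affected resource, remote actor."""
    entities: List[Dict[str, str]] = []
    if finding.get("AccountId"):
        entities.append({"type": "AwsAccount", "id": finding["AccountId"]})

    resource = finding.get("Resource", {})
    if resource.get("ResourceType") == "Instance":
        instance_id = resource.get("InstanceDetails", {}).get("InstanceId")
        if instance_id:
            entities.append({"type": "Ec2Instance", "id": instance_id})
    elif resource.get("ResourceType") == "AccessKey":
        key = resource.get("AccessKeyDetails", {})
        # UserType "IAMUser" maps to an IAM user; assumed roles and federated
        # sessions only give a principal ID to pivot on.
        if key.get("UserType") == "IAMUser" and key.get("UserName"):
            entities.append({"type": "IamUser", "id": key["UserName"]})
        elif key.get("PrincipalId"):
            entities.append({"type": "Principal", "id": key["PrincipalId"]})

    ip = _remote_ip(finding.get("Service", {}).get("Action", {}))
    if ip:
        entities.append({"type": "IpAddress", "id": ip})
    return entities


def is_archived(finding: dict) -> bool:
    """Service.Archived is the flag that the Detective archive action flips."""
    return bool(finding.get("Service", {}).get("Archived", False))


if __name__ == "__main__":
    for f in (SAMPLE_EC2_FINDING, SAMPLE_IAM_FINDING):
        print(f["Type"], "archived" if is_archived(f) else "open", pivot_entities(f))
```

Run it as a script to see the pivot list for both constructed findings; in practice the input would be a finding from `GetFindings` or an EventBridge GuardDuty event, and `is_archived` lets an automation skip findings that were already closed from the Detective side.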

Amazon GuardDuty offers a 30-day free trial to make it easy to get up and running and try the service at no cost or commitment. During this period, the estimated cost of the service after the free trial is calculated and displayed in the GuardDuty console to make it easy to evaluate service spend across all enabled accounts before transitioning to paid usage. Similarly, Amazon Detective offers a 30-day free trial with estimated cost displayed in the Detective console. Both can be evaluated independently or together using these free trial offerings. To get started, you can enable one or both with a few clicks in the AWS Management Console. See the AWS Regions page for all the regions where GuardDuty and Detective are available.