Posted On: Sep 20, 2021

Amazon Detective now supports investigation of Amazon Simple Storage Service (S3) and DNS-related findings from Amazon GuardDuty, which gives Detective coverage of every GuardDuty finding type. Alongside this, a revamped user experience makes it easier for a security analyst to investigate the entities and behaviors behind a finding.

Security analysts can now investigate unusual activity on their S3 buckets and answer questions such as "Who created the S3 bucket?", "When was the S3 bucket created?", "Who made the S3 bucket public?", and "Did that user also call sensitive APIs, such as disabling logging, on other S3 buckets?". They can also dig into findings related to low-reputation domain names (such as those associated with cryptocurrency-related activity) and algorithmically generated domains. With this, security analysts can analyze, investigate, and identify the root cause of every GuardDuty finding type in Detective.

Amazon Detective has also improved the existing resource profile pages so that customers can focus more quickly on the activity associated with the entities involved in a finding. The new finding overview provides a more complete set of details for each finding and links to the profile of each involved entity, so analysts can see how entities such as EC2 instances, IAM principals, and IP addresses are associated with the finding. For example, the S3 bucket profile aggregates bucket-level activity and relevant investigation context from existing data sources, and lets analysts pivot to related resources, such as the IAM user or role sessions that accessed the bucket, or the remote IP addresses that invoked S3 bucket-level APIs within the scope time.
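As an added example (this is not Amazon Detective's code, and it does not reproduce how Detective builds its behavior graph), the script below answers the four bucket questions above from the kind of CloudTrail management events Detective ingests, and builds the scope-time activity list that the S3 bucket profile pivots from. The records are constructed and reduced to the CloudTrail fields the checks need; the bucket names, principal ARNs, and IP addresses are invented. The `requestParameters` shapes (`AccessControlPolicy` for PutBucketAcl, `bucketPolicy` for PutBucketPolicy, `BucketLoggingStatus` for PutBucketLogging, empty when logging is turned off) follow what CloudTrail records for these calls; treat them as an assumption and check against your own trail before relying on the matching.

```python
"""Answer S3 investigation questions from CloudTrail management events.

Added example, not Amazon Detective code. Records are constructed, with only
the CloudTrail fields the checks need: eventTime, eventName, userIdentity.arn,
sourceIPAddress and requestParameters.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

ALICE = "arn:aws:iam::111122223333:user/alice"              # invented
BOB = "arn:aws:sts::111122223333:assumed-role/DevOps/bob"   # invented

# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2021-09-18T10:02:11Z", "eventName": "CreateBucket",
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "finance-exports"}},
    {"eventTime": "2021-09-18T10:05:40Z", "eventName": "PutBucketLogging",
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "finance-exports",
                           "BucketLoggingStatus": {"LoggingEnabled": {"TargetBucket": "audit-logs"}}}},
    {"eventTime": "2021-09-19T22:14:03Z", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": BOB}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "finance-exports",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                "Permission": "READ"}]}}}},
    # Turning logging off is a PutBucketLogging with an empty BucketLoggingStatus.
    {"eventTime": "2021-09-19T22:15:30Z", "eventName": "PutBucketLogging",
     "userIdentity": {"arn": BOB}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "hr-archive", "BucketLoggingStatus": {}}},
    {"eventTime": "2021-09-19T22:16:02Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": BOB}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "finance-exports",
                           "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::finance-exports/*"}]}}},
]

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _params(ev: Dict) -> Dict:
    return ev.get("requestParameters") or {}


def _bucket(ev: Dict) -> Optional[str]:
    return _params(ev).get("bucketName")


def _who(ev: Dict) -> str:
    return ev["userIdentity"]["arn"]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_creation(events: List[Dict], bucket: str) -> Optional[Dict]:
    """Who created the bucket, when, and from which IP (None if not in the data)."""
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] == "CreateBucket" and _bucket(ev) == bucket:
            return {"who": _who(ev), "when": ev["eventTime"], "ip": ev["sourceIPAddress"]}
    return None


def _acl_grants_public(params: Dict) -> bool:
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is serialized as an object, not a list
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def _policy_grants_public(params: Dict) -> bool:
    for stmt in params.get("bucketPolicy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and (
                principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")):
            return True
    return False


def public_exposures(events: List[Dict], bucket: str) -> List[Dict]:
    """Every call that opened the bucket to AllUsers/AuthenticatedUsers or Principal '*'."""
    out = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if _bucket(ev) != bucket:
            continue
        p = _params(ev)
        if (ev["eventName"] == "PutBucketAcl" and _acl_grants_public(p)) or \
           (ev["eventName"] == "PutBucketPolicy" and _policy_grants_public(p)):
            out.append({"who": _who(ev), "when": ev["eventTime"], "via": ev["eventName"]})
    return out


def logging_disabled_by(events: List[Dict], principal: str, exclude_bucket: Optional[str] = None) -> List[str]:
    """Other buckets on which this principal turned server access logging off."""
    buckets = []
    for ev in events:
        if ev["eventName"] != "PutBucketLogging" or _who(ev) != principal or _bucket(ev) == exclude_bucket:
            continue
        if not _params(ev).get("BucketLoggingStatus", {}).get("LoggingEnabled"):
            buckets.append(_bucket(ev))
    return buckets


def activity_in_scope(events: List[Dict], bucket: str, start: str, end: str) -> List[tuple]:
    """Bucket-level calls inside the scope time, oldest first: the set to pivot from."""
    rows = [(ev["eventTime"], _who(ev), ev["eventName"], ev["sourceIPAddress"])
            for ev in events
            if _bucket(ev) == bucket and _ts(start) <= _ts(ev["eventTime"]) <= _ts(end)]
    return sorted(rows)


def investigate(events: List[Dict], bucket: str, start: str, end: str) -> Dict:
    """One summary answering the four questions plus the scope-time timeline."""
    exposures = public_exposures(events, bucket)
    actors = sorted({e["who"] for e in exposures})
    return {
        "created": bucket_creation(events, bucket),
        "made_public": exposures,
        "logging_disabled_elsewhere": {a: logging_disabled_by(events, a, bucket) for a in actors},
        "timeline": activity_in_scope(events, bucket, start, end),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(SAMPLE_EVENTS, "finance-exports",
                                 "2021-09-19T00:00:00Z", "2021-09-20T00:00:00Z"), indent=2))
```

On the sample, the bucket was created by `alice`, made public twice by the `DevOps/bob` role session (first by ACL, then by policy), and that same session turned logging off on `hr-archive`, which is exactly the pivot the S3 bucket profile is meant to surface. The deliberately narrow matching (public ACL grantee URIs, `Principal: "*"`) is a starting point; a real trail also carries `PutPublicAccessBlock` and condition-scoped policies that need their own handling.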

Security analysts who already use Detective for their investigations get the new capabilities without performing any additional steps. They can also use the "Investigate in Detective" option in GuardDuty and Security Hub to pivot to Detective for further investigation of the newly supported findings. To read more about how to pivot from GuardDuty and Security Hub to Detective, see the Detective User Guide.

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues. To get started, enable a 30-day free trial of Amazon Detective with a few clicks in the AWS Management Console. See the AWS Regions page for the regions where Detective is available. To learn more, visit the Amazon Detective product page.