Posted On: Sep 7, 2021
Amazon Detective, in coordination with the Splunk Trumpet project, has released the ability to pivot from an Amazon GuardDuty finding in Splunk directly to an Amazon Detective entity profile so that customers can quickly identify the root cause of potential security issues or suspicious activities.
This new capability will help simplify security analysis for your security and operations teams by enabling a quick pivot from Splunk into Amazon Detective. You no longer need to copy and paste URLs or search in Detective for the resource you want. Instead, Amazon Detective can do the heavy lifting while you focus on quickly answering investigative questions. For example, Amazon Detective can help you answer questions such as: “How long has this IP address that I am investigating in Splunk been interacting with the resources in my AWS accounts?”, “Which of my EC2 instances did this IP address communicate with?”, “What data volumes were exchanged with this IP address?”, “Which ports did the communication occur on?”, or “Which users and roles invoked API operations from this IP address?”
The new Amazon Detective integration is available now as part of the Splunk Trumpet Project in all of the Regions where Amazon Detective is supported. This integration is an addition to the Lambda pre-processor that sends GuardDuty findings to Splunk. The updated code receives the input records for Amazon GuardDuty findings and parses the content to generate the appropriate Amazon Detective URLs as additional fields in Splunk. The URLs that Splunk generates use the format for profile URLs that is described in Navigating directly to a profile using a URL the Amazon Detective User Guide. Here is an example URL for an EC2 instance: (https://console.aws.amazon.com/detective/home?region=us-east-1#entities/Ec2Instance/i-0149bf6226265a199?scopeStart=1624674429&scopeEnd=1626473483).
Use the following instructions to complete the initial Splunk integration with AWS: Automating AWS Data Ingestion into Splunk. On the Splunk Trumpet project installation page, select Detective GuardDuty URLs from the AWS CloudWatch Events dropdown.
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues. To get started, enable a 30-day free trial of Amazon Detective with just a few clicks in the AWS Management console. See the AWS Regions page for all the Regions where Detective is available. To learn more, visit the Amazon Detective product page.