Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
Automatic data collection across all your AWS accounts
Amazon Detective automatically ingests and processes relevant data from all enabled accounts. You don't have to configure or enable any data sources. Amazon Detective collects and analyzes events from data sources, such as AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings, and maintains up to a year of aggregated data for analysis.
Consolidates disparate events into a graph model
Amazon Detective can analyze trillions of events from many separate data sources about IP traffic, AWS management operations, and malicious or unauthorized activity to construct a graph model. The graph model distills log data using machine learning, statistical analysis, and graph theory into a linked set of data for security investigations. It is prebuilt with security-related relationships and summarizes contextual and behavioral insights that enable you to quickly validate, compare, and correlate the data to reach conclusions. Amazon Detective’s visualizations are powered by the graph model, enabling you to rapidly answer your investigative questions without the complexity of querying raw logs. For example, the graph provides context and relationships around when an IP address connected to an EC2 instance, and which API calls a role issued in a specific time period.
Interactive visualizations for efficient investigation
Amazon Detective provides interactive visualizations that make it easy to investigate issues faster and more thoroughly with less effort. With a unified view that lets you see all the context and details in one place, it is easier to identify patterns that may validate or refute a security issue, and to understand all of the resources impacted by a security finding. Using these visualizations, you can filter large sets of event data into specific timelines, with all the details, context, and guidance needed to investigate quickly. Amazon Detective enables you to view login attempts on a geolocation map, drill down into relevant historical activities, and quickly determine a root cause and, if necessary, take action to resolve the issue.
The Amazon Detective geolocation map shows you activity coming from newly observed locations, that is, locations from which no activity had previously been seen. This helps you identify unusual activity and investigate whether it is legitimate or suspicious.
The overall API call volume view shows you successful and failed calls in a specific time period and compares them to the established baseline. This helps you identify patterns of abnormal activity and validate a security finding.
Seamless integration for investigating a security finding
Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub, as well as AWS partner security products, to help you quickly investigate security findings identified in these services. With a single click from these integrated services you can go to Amazon Detective and immediately see events related to the finding, drill down into relevant historical activities, and investigate the issue. For example, from an Amazon GuardDuty finding, you can launch Amazon Detective by clicking “Investigate”, which provides instant insight into the relevant activity for the involved resource, giving you the details and context to quickly decide whether the detected finding reflects actual suspicious activity.
Simple deployment with no upfront data source integration or complex configurations to maintain
With a few clicks in the AWS Management Console, you can enable Amazon Detective. There is no software to deploy, no agents to install, and no complex configurations to maintain. There are also no data sources to enable, which means you do not incur the costs of data source enablement, data transfer, and data storage.
Learn more about Amazon Detective capabilities and implementation by reading the documentation.