Amazon Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables faster and more efficient security investigations.
Amazon Detective can analyze trillions of events from multiple data sources such as Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and security findings from services such as Amazon GuardDuty and AWS Security Hub. Detective automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can see all the details and context in one place, identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
Overview
Automatic data collection across all your AWS accounts
Amazon Detective automatically ingests and processes relevant data from all enabled accounts. You don't have to configure or enable any data sources. Amazon Detective collects and analyzes events from data sources such as AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, Amazon GuardDuty findings, AWS Security Hub findings, and other integrated AWS security services, and maintains up to a year of aggregated data for analysis.
Consolidates disparate events into a graph model
Amazon Detective can analyze trillions of events from various data types, including IP traffic, AWS management operations, and potentially malicious or unauthorized activities. Detective constructs a graph model using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations. The pre-built graph model contains security-related relationships and offers contextual and behavioral insights that enable you to quickly validate, compare, and correlate the data to reach conclusions. Amazon Detective’s visualizations are powered by the graph model, enabling you to rapidly answer your investigative questions without the complexity of querying raw logs. For example, the graph provides context and relationships, such as when an IP address connected to an EC2 instance and which API calls a role made during a specific time period.
Interactive visualizations for efficient investigation
Amazon Detective provides interactive visualizations and insights using generative AI, making it easier to investigate issues faster and more thoroughly with less effort. With a unified view that lets you see all the context and natural language summaries in one place, it becomes easier to identify patterns that can validate or refute a security issue and to understand all of the impacted resources within a security finding. Using these visualizations and insights, you can more easily filter large sets of event data into specific timelines, with all the details, context, and guidance to help you investigate quickly. Amazon Detective enables you to view login attempts by geolocation, drill down into relevant historical activities, and quickly determine a root cause and, if necessary, take action to resolve the issue.
Overall API call volume
The graph visualization shows you related AWS security findings and affected resources from a single security event, such as EC2 instances, IAM roles and users, S3 buckets, and IP addresses. The insights describe the events that took place during the security event in natural language to help you understand the chain of events. This helps you investigate unusual or suspicious activity more quickly and with less effort. The Overall API call volume view shows you successful and failed calls in a specific time period and compares them to the established baseline. This helps you to identify patterns of abnormal activity and validate a security finding.
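The baseline comparison described above, as an added, simplified illustration: this is not Detective's own statistical method (which the page does not describe) and not code from AWS. It buckets constructed CloudTrail-style records into hourly windows, learns a per-outcome mean and deviation from seven days of traffic, and flags a later window whose failed-call count exceeds that baseline, which is the kind of AccessDenied burst an investigator would want to validate against a finding. The role ARN, event names, and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/AppRole/session"  # hypothetical
BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)


def make_events():
    """Constructed CloudTrail-style records (not real log data).

    A failed API call carries an errorCode; a successful one does not.
    Seven days of steady traffic, then on day 8 at 03:00 a burst of
    AccessDenied errors from the same role.
    """
    events = []
    for day in range(8):
        for hour in range(24):
            ts = BASE + timedelta(days=day, hours=hour)
            for _ in range(10 + hour % 3):
                events.append({"eventTime": ts, "eventName": "DescribeInstances",
                               "userIdentity": {"arn": ROLE_ARN}})
            for _ in range(hour % 2):
                events.append({"eventTime": ts, "eventName": "GetObject",
                               "errorCode": "AccessDenied",
                               "userIdentity": {"arn": ROLE_ARN}})
    burst = BASE + timedelta(days=7, hours=3)
    for _ in range(60):
        events.append({"eventTime": burst, "eventName": "ListBucket",
                       "errorCode": "AccessDenied",
                       "userIdentity": {"arn": ROLE_ARN}})
    return events


def hourly_counts(events):
    """Bucket events into hourly windows of successful and failed calls."""
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for ev in events:
        hour = ev["eventTime"].replace(minute=0, second=0, microsecond=0)
        counts[hour]["fail" if "errorCode" in ev else "ok"] += 1
    return dict(counts)


def build_baseline(counts, before):
    """Mean and standard deviation per outcome over all hours before `before`."""
    baseline = {}
    for kind in ("ok", "fail"):
        vals = [c[kind] for h, c in counts.items() if h < before]
        # Floor the deviation at one call so a nearly constant baseline does
        # not turn a single extra call into an alert.
        baseline[kind] = (mean(vals), max(pstdev(vals), 1.0))
    return baseline


def flag_anomalies(counts, baseline, start, z=3.0):
    """Return windows at or after `start` whose volume exceeds mean + z*std."""
    flagged = []
    for hour in sorted(h for h in counts if h >= start):
        for kind in ("ok", "fail"):
            mu, sigma = baseline[kind]
            value = counts[hour][kind]
            if value > mu + z * sigma:
                flagged.append((hour, kind, value, round(mu, 2)))
    return flagged


def investigate(events, baseline_days=7):
    """Learn the baseline from the first `baseline_days` days, then flag later hours."""
    counts = hourly_counts(events)
    cutoff = BASE + timedelta(days=baseline_days)
    baseline = build_baseline(counts, cutoff)
    return flag_anomalies(counts, baseline, cutoff)


if __name__ == "__main__":
    for hour, kind, value, mu in investigate(make_events()):
        print(f"{hour:%Y-%m-%d %H:00} {kind:4} calls={value} baseline_mean={mu}")
```

The successful-call count in the burst hour stays within its baseline, so only the failed-call window is flagged; that is the distinction the Overall API call volume view draws between successful and failed calls. A real investigation would then pivot from the flagged hour to the role, the source IP, and the resources named in the denied calls.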
More features
Seamless integration for investigating a security finding
Amazon Detective is integrated with AWS security services such as Amazon GuardDuty, AWS Security Hub, Amazon Inspector, and Amazon Security Lake, as well as AWS Partner security products, to help you quickly investigate security findings identified in these services. In a single step from these integrated services you can go to Amazon Detective and immediately see events related to findings, drill down into relevant historical activities, and investigate the issue. For example, from an Amazon GuardDuty finding you can launch Amazon Detective by choosing “Investigate in Detective”, which provides instant insight into the relevant activity for the involved resource. From Detective you can query and retrieve log sources stored in Amazon Security Lake without having to craft queries or leave the Detective console.
Security investigation support for Amazon GuardDuty Runtime Monitoring
Amazon Detective supports security investigations for GuardDuty ECS and EKS Runtime Monitoring, providing enhanced visualizations and additional context for new threat detections. You can use the runtime threat detections from GuardDuty and the investigative capabilities from Detective to improve your detection and response for potential threats to your container workloads. Detective supports the investigation of these new detections by including them into finding groups, visualizations, and other summaries for faster security investigations.
Simple deployment with no upfront data source integration or complex configurations to maintain
With a few steps in the AWS Management Console, you can enable Amazon Detective. There is no software to deploy, agents to install, or complex configurations to maintain. There are also no data sources to enable, which means you do not have to incur the costs of data source enablement, data transfer, and data storage.