Amazon Detective
💡 Definition
Amazon Detective is an investigation service. It automatically ingests log data from supported AWS sources (AWS CloudTrail, VPC Flow Logs, Amazon GuardDuty findings and, more recently, Amazon EKS audit logs and AWS Security Hub findings) and uses machine learning, statistical analysis, and graph theory to build a linked data set, the behavior graph, so that analysts can conduct faster and more efficient security investigations. It complements GuardDuty, which does the detecting.
🔑 Key Concepts
- Automated Data Collection: Continuously ingests AWS CloudTrail management events, VPC Flow Logs, and Amazon GuardDuty findings (Amazon EKS audit logs and AWS Security Hub findings were added later as sources). Detective reads these sources directly, so you do not have to enable or store VPC Flow Logs or CloudTrail trails yourself for Detective to see them.
- Behavior Graph: Creates a unified, interactive view of resource behaviors and interactions over time, backed by a graph database and retaining up to one year of aggregated historical data.
- Machine Learning & Statistics: Uses ML and statistical analysis to build per-entity baselines (for example, the usual API-call volume, source IP addresses and geolocations for an IAM user, role or EC2 instance) and to highlight deviations from those baselines, such as a "first observed" IP or API call.
- Faster Investigations: Helps security analysts quickly visualize and analyze potential security issues, reducing the time to root cause.
- Visualization: Provides intuitive visualizations to explore relationships and timelines of events.
⚙️ How it Works
Detective is a Regional service, and it requires Amazon GuardDuty to have been enabled in the account for at least 48 hours before Detective can be turned on. When enabled, Detective creates a behavior graph for the account and starts ingesting and processing security-related data from the supported sources; in a multi-account setup, an administrator account (optionally a delegated administrator chosen through AWS Organizations) invites member accounts, and their data flows into the same graph. The graph records activities and interactions between accounts, users, roles, IP addresses and resources over time. Security analysts then open a GuardDuty or Security Hub finding in Detective and use its interactive visualizations to pivot from the finding to the involved principal, from the principal to its API calls and source IPs, and from those IPs to the network flows and resources they touched, drilling down to the related activity around the time of the finding.
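The pivot described above, reduced to a runnable toy: the block below is an added example, not Amazon Detective's own code or data model. It builds a tiny behavior graph from constructed CloudTrail events and VPC Flow Log records, then walks it from a GuardDuty-style finding to the access key, to the key's API calls and source IPs within a one-hour window, to the IPs the key had never used before the window, and finally to the network interfaces whose flow logs corroborate traffic to those IPs. All identifiers (the access key IDs, instance and ENI IDs, account number and IP addresses) are hypothetical sample data.

```python
"""Toy behavior-graph investigation in pure Python (added example, not Detective code).

Links a GuardDuty-style finding to CloudTrail calls and VPC Flow Log records so the
analyst's pivot (finding -> access key -> API calls -> source IPs -> network flows)
can be seen end to end. Every record below is a constructed sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pprint import pprint

# Constructed GuardDuty-style finding, trimmed to the fields the pivot needs.
FINDING = {
    "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "time": "2024-05-01T10:05:00Z",
    "accessKeyId": "ASIAEXAMPLEKEY000001",  # hypothetical key id
    "remoteIp": "203.0.113.50",             # RFC 5737 documentation address
}

# Constructed CloudTrail management events: (eventTime, accessKeyId, eventName, sourceIPAddress).
CLOUDTRAIL = [
    ("2024-04-30T09:00:00Z", "ASIAEXAMPLEKEY000001", "DescribeInstances", "10.0.1.25"),
    ("2024-04-30T15:30:00Z", "ASIAEXAMPLEKEY000001", "GetObject", "10.0.1.25"),
    ("2024-05-01T09:58:00Z", "ASIAEXAMPLEKEY000001", "ListBuckets", "203.0.113.50"),
    ("2024-05-01T10:01:00Z", "ASIAEXAMPLEKEY000001", "GetSecretValue", "203.0.113.50"),
    ("2024-05-01T10:03:00Z", "AKIAOTHERUSER0000001", "PutObject", "10.0.1.40"),
]

# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status   (start/end are epoch seconds; 1714557600 = 2024-05-01T10:00:00Z)
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.50 49152 443 6 12 5400 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49153 443 6 9 2100 1714485600 1714485660 ACCEPT OK
"""


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class BehaviorGraph:
    """Adjacency list of (relation, neighbour, timestamp); each edge is stored in both directions."""

    def __init__(self):
        self.edges = defaultdict(list)

    def add(self, src, relation, dst, when):
        self.edges[src].append((relation, dst, when))
        self.edges[dst].append(("rev:" + relation, src, when))

    def related(self, node, relation, lo=None, hi=None):
        """Neighbours of `node` over `relation`, optionally restricted to the time range [lo, hi]."""
        return [(dst, when) for rel, dst, when in self.edges[node]
                if rel == relation and (lo is None or when >= lo) and (hi is None or when <= hi)]


def build_graph(cloudtrail, flow_logs):
    g = BehaviorGraph()
    for event_time, key, api, ip in cloudtrail:
        when = parse_time(event_time)
        g.add(("key", key), "called", ("api", api), when)
        g.add(("key", key), "from_ip", ("ip", ip), when)
    for line in flow_logs.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue  # skip header or malformed lines
        start = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)
        g.add(("eni", f[2]), "talked_to", ("ip", f[4]), start)
    return g


def investigate(g, finding, window=timedelta(hours=1)):
    """Pivot from the finding's access key: what it called, from where, and whether flow logs corroborate it."""
    t = parse_time(finding["time"])
    lo, hi = t - window, t + window
    key = ("key", finding["accessKeyId"])
    calls = sorted((when, api) for (_, api), when in g.related(key, "called", lo, hi))
    ips_now = {ip for (_, ip), _ in g.related(key, "from_ip", lo, hi)}
    ips_before = {ip for (_, ip), _ in g.related(key, "from_ip", hi=lo)}  # baseline: IPs seen before the window
    new_ips = ips_now - ips_before                                          # "first observed" for this key
    corroboration = {}
    for ip in sorted(new_ips):
        enis = sorted({eni for (_, eni), _ in g.related(("ip", ip), "rev:talked_to", lo, hi)})
        if enis:
            corroboration[ip] = enis
    return {
        "finding_type": finding["type"],
        "api_calls_in_window": [(when.isoformat(), api) for when, api in calls],
        "new_source_ips": new_ips,
        "flow_corroboration": corroboration,
    }


if __name__ == "__main__":
    pprint(investigate(build_graph(CLOUDTRAIL, FLOW_LOGS), FINDING))
```

In the sample, the key's only calls inside the window come from 203.0.113.50, an address it never used before, and a flow-log record shows the instance's interface talking to that same address at 10:00, which is exactly the kind of cross-source corroboration Detective presents on its finding and entity profile pages. The real service does this over a year of data for every entity; the toy only shows the shape of the pivot.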
🎯 Use Cases
- Security Incident Response: Accelerating the investigation of potential security breaches or suspicious activities.
- Threat Hunting: Proactively searching for threats within your AWS environment.
- Root Cause Analysis: Understanding the full context and sequence of events leading to a security finding.
- Forensics: Providing an already-correlated dataset for forensic analysis. Caveat: Detective is an analysis view over aggregated data kept for up to one year, not an evidence store; retain your own raw CloudTrail logs and other sources (for example in S3 with Object Lock) for long-term retention and legal hold.
💰 Pricing Model
- Data Volume: Charged per GB of data ingested from the supported sources (AWS CloudTrail logs, VPC Flow Logs, Amazon GuardDuty findings, and any optional sources such as EKS audit logs that you enable), on a tiered per-GB rate. There is a 30-day free trial when you first enable Detective, and the behavior graph storage and analyst queries are not billed separately.
📝 Exam Tips (CLF-C02)
- Keywords: "Security investigations", "Root cause analysis", "Behavior graph", "Machine learning for security".
- GuardDuty detects, Detective investigates: Detective does not replace GuardDuty (it requires GuardDuty to be enabled first) but complements it by helping you investigate the findings GuardDuty produces.
- Helps security analysts understand why a security alert fired and which accounts, users, roles, IP addresses and resources were involved, with up to a year of history behind the alert.
See Also:
- Amazon GuardDuty
- AWS Security Hub
- AWS CloudTrail
- VPC Flow Logs