Amazon Detective Security Investigation
Workflow capability for SOC analysts and security engineers to conduct end-to-end security investigations using Amazon Detective. Combines behavior graph management, member account administration, investigation lifecycle management, and indicator analysis into a unified workflow for threat hunting and security forensics.
What You Can Do
MCP Tools
list-graphs: List all Amazon Detective behavior graphs
create-graph: Create a new Amazon Detective behavior graph to begin security monitoring
list-members: List member accounts contributing data to a behavior graph
get-members: Get detailed membership information for specific accounts
create-members: Invite AWS accounts to contribute data to a behavior graph
delete-members: Remove member accounts from a behavior graph
start-investigation: Initiate a Detective investigation on a suspicious IAM user or role
get-investigation: Get the results, severity, and status of a security investigation
list-investigations: List all security investigations with filtering by severity, status, and state
update-investigation-state: Archive a completed investigation or reactivate an archived one
list-indicators: Get indicators of compromise (TTPs, flagged IPs, impossible travel) from an investigation
list-datasource-packages: List data source packages and their ingest status in a behavior graph
update-datasource-packages: Enable additional data source packages like EKS audit logs or AD audit logs
describe-organization-configuration: Get the organization behavior graph configuration including auto-enable settings
list-organization-admin-accounts: List Detective administrator accounts in the organization