
Amazon Detective

Amazon Detective is a security investigation service that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. It automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that help you conduct faster and more efficient security investigations.

1 API · 1 Capability · 8 Features
Tags: AWS, Forensics, Investigation, Security

APIs

Amazon Detective API

The Amazon Detective API provides programmatic access to manage security investigation workflows. It enables developers to create and manage behavior graphs, invite and manage m...

Capabilities

Amazon Detective Security Investigation

Workflow capability for SOC analysts and security engineers to conduct end-to-end security investigations using Amazon Detective. Combines behavior graph management, member acco...


Features

Behavior Graph Analysis

Automatically builds a behavior graph from log data using machine learning and graph theory to visualize security issues.

Security Investigations

Start and manage structured investigations on IAM users and roles with scoped time ranges and severity scoring.

Indicators of Compromise

Automatically identifies indicators including impossible travel, flagged IP addresses, new geolocations, new user agents, and TTP observations.

Multi-Account Support

Aggregate security data from multiple AWS accounts using an administrator account and member account model.

AWS Organizations Integration

Automatically enable new organization accounts as member accounts in the organization behavior graph.

Data Source Packages

Ingest security telemetry from the core data source package (CloudTrail management events, VPC Flow Logs, and GuardDuty findings) plus optional packages for Amazon EKS audit logs and AWS Security Hub findings.

Interactive Visualizations

Provides interactive graph visualizations in the AWS console to explore entity relationships and security events.

Investigation Severity Scoring

Assigns severity levels (Informational, Low, Medium, High, Critical) based on likelihood and impact of compromise indicators.
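Detective hands back investigations as severity-scored records and their indicators as a separate list, so the first thing a SOC usually needs is a rule for which ones get a human immediately. The following is an added example, not code from this catalog page or from AWS: it triages dictionaries shaped like the `ListInvestigations` (`InvestigationDetails`) and `ListIndicators` (`Indicators`) responses. The field and enum names (`Severity`, `Status`, `State`, `IndicatorType`, the `*Detail` keys) follow the Detective API reference as I know it and should be checked against the current docs before this is pointed at real boto3 output; the escalation thresholds are this example's own policy, and all sample data is constructed.

```python
"""Triage Amazon Detective investigation output before an analyst opens the console.

Added example, not code from the catalog page or from AWS. Input dictionaries are
shaped like detective:ListInvestigations and detective:ListIndicators responses;
field names are assumptions taken from the API reference. Sample data is constructed.
"""
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}
# Indicator types meaning a credential was used from a place or in a way it should
# not have been. The thresholds in decide() are this example's policy, not Detective's.
HARD_INDICATORS = {"IMPOSSIBLE_TRAVEL", "FLAGGED_IP_ADDRESS", "TTP_OBSERVED"}
DECISION_ORDER = {"escalate": 0, "pending": 1, "queue": 2}


def indicator_evidence(indicator):
    """One human-readable line per indicator, tolerant of missing detail fields."""
    kind = indicator["IndicatorType"]
    detail = indicator.get("IndicatorDetail", {})
    if kind == "IMPOSSIBLE_TRAVEL":
        d = detail.get("ImpossibleTravelDetail", {})
        return f"{kind}: {d.get('StartingLocation')} -> {d.get('EndingLocation')}"
    if kind == "FLAGGED_IP_ADDRESS":
        d = detail.get("FlaggedIpAddressDetail", {})
        return f"{kind}: {d.get('IpAddress')} ({d.get('Reason')})"
    if kind == "TTP_OBSERVED":
        d = detail.get("TTPsObservedDetail", {})
        return f"{kind}: {d.get('Tactic')}/{d.get('Technique')} via {d.get('APIName')}"
    return kind


def decide(severity, counts):
    """Map Detective's severity plus the indicator mix to a queue decision."""
    hard = sum(counts[t] for t in HARD_INDICATORS)
    if severity == "CRITICAL":
        return "escalate", "critical severity"
    if severity == "HIGH" and hard:
        return "escalate", f"high severity with {hard} hard indicator(s)"
    if counts["IMPOSSIBLE_TRAVEL"]:
        return "escalate", "impossible travel on the principal"
    return "queue", "no hard indicators"


def triage(investigation_details, indicators_by_id):
    """Return non-archived investigations, most urgent first, with a decision each."""
    results = []
    for inv in investigation_details:
        if inv.get("State") == "ARCHIVED":
            continue  # already handled; do not re-raise it
        inv_id = inv["InvestigationId"]
        severity = inv.get("Severity", "INFORMATIONAL")
        row = {"InvestigationId": inv_id, "EntityArn": inv.get("EntityArn"),
               "Severity": severity, "evidence": []}
        if inv.get("Status") != "SUCCESSFUL":
            # RUNNING or FAILED: the indicator list is incomplete, so do not score it yet
            row.update(decision="pending", reason=f"status {inv.get('Status')}")
        else:
            indicators = indicators_by_id.get(inv_id, [])
            counts = Counter(i["IndicatorType"] for i in indicators)
            decision, reason = decide(severity, counts)
            row.update(decision=decision, reason=reason,
                       evidence=[indicator_evidence(i) for i in indicators
                                 if i["IndicatorType"] in HARD_INDICATORS])
        results.append(row)
    results.sort(key=lambda r: (DECISION_ORDER[r["decision"]],
                                -SEVERITY_RANK.get(r["Severity"], 0)))
    return results


# Constructed sample data in the shape of the two API responses.
SAMPLE_INVESTIGATIONS = [
    {"InvestigationId": "inv-1", "Severity": "HIGH", "Status": "SUCCESSFUL", "State": "ACTIVE",
     "EntityType": "IAM_ROLE", "EntityArn": "arn:aws:iam::111111111111:role/deploy"},
    {"InvestigationId": "inv-2", "Severity": "MEDIUM", "Status": "SUCCESSFUL", "State": "ACTIVE",
     "EntityType": "IAM_USER", "EntityArn": "arn:aws:iam::111111111111:user/alice"},
    {"InvestigationId": "inv-3", "Severity": "CRITICAL", "Status": "RUNNING", "State": "ACTIVE",
     "EntityType": "IAM_USER", "EntityArn": "arn:aws:iam::111111111111:user/ci-bot"},
    {"InvestigationId": "inv-4", "Severity": "LOW", "Status": "SUCCESSFUL", "State": "ARCHIVED",
     "EntityType": "IAM_USER", "EntityArn": "arn:aws:iam::111111111111:user/bob"},
]
SAMPLE_INDICATORS = {
    "inv-1": [
        {"IndicatorType": "IMPOSSIBLE_TRAVEL", "IndicatorDetail": {"ImpossibleTravelDetail": {
            "StartingIpAddress": "198.51.100.7", "EndingIpAddress": "203.0.113.9",
            "StartingLocation": "Frankfurt, DE", "EndingLocation": "Sao Paulo, BR",
            "HourlyTimeDelta": 1}}},
        {"IndicatorType": "NEW_USER_AGENT", "IndicatorDetail": {"NewUserAgentDetail": {
            "UserAgent": "aws-cli/2.15.0"}}},
    ],
    "inv-2": [
        {"IndicatorType": "NEW_GEOLOCATION", "IndicatorDetail": {"NewGeolocationDetail": {
            "Location": "Dublin, IE", "IpAddress": "192.0.2.44"}}},
    ],
}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVESTIGATIONS, SAMPLE_INDICATORS):
        print(row["decision"].upper(), row["InvestigationId"], row["Severity"],
              row["reason"], *row["evidence"], sep=" | ")
```

On the constructed sample the HIGH investigation with impossible travel is escalated ahead of the still-running CRITICAL one (which is held as pending until its indicators are complete), the MEDIUM one with only a new geolocation is queued, and the archived one is dropped. With boto3 the inputs come from `detective.list_investigations(GraphArn=...)` and one `detective.list_indicators(GraphArn=..., InvestigationId=...)` call per investigation; both are paginated, so accumulate the pages before calling `triage`.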

Use Cases

Security Incident Investigation

Rapidly investigate security incidents by analyzing entity behavior, network activity, and API call patterns across your AWS environment.

Threat Hunting

Proactively search for suspicious activity and potential threats using behavior analysis and machine learning across your AWS accounts.

Root Cause Analysis

Identify the root cause of security issues by exploring the relationships between resources, users, and events in a behavior graph.

Compliance Forensics

Collect and preserve forensic evidence for compliance investigations using structured investigations with defined scope and time ranges.

Multi-Account Security Operations

Centrally manage security investigations across an AWS Organization from a single administrator account.
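Auto-enable only covers accounts that join the organization after it is switched on, so an administrator still has to reconcile the accounts that already existed and watch for members whose enrolment stalled. The following is an added example, not code from this catalog page or from AWS: it compares a list shaped like the `organizations:ListAccounts` response (`Accounts`) with one shaped like `detective:ListMembers` (`MemberDetails`) and produces the `Accounts` payload for `detective:CreateMembers`, split into batches of 50, which is the per-call limit as I recall it from the API reference (verify before relying on it). Field and member-status names are assumptions taken from the two API references; the sample data is constructed.

```python
"""Find AWS Organizations accounts that are not yet members of a Detective behavior graph.

Added example, not code from the catalog page or from AWS. Inputs are shaped like
organizations:ListAccounts ('Accounts') and detective:ListMembers ('MemberDetails');
field and status names are assumptions from the API references. The 50-per-call
CreateMembers batch size is likewise an assumption to verify. Sample data is constructed.
"""
MEMBER_BATCH = 50


def reconcile(org_accounts, member_details, admin_account_id):
    """Split org accounts into enabled members, accounts to add, and ones needing a look."""
    status_by_id = {m["AccountId"]: m.get("Status") for m in member_details}
    enabled, to_add, attention = [], [], {}
    for acct in org_accounts:
        acct_id = acct["Id"]
        if acct_id == admin_account_id:
            continue  # the administrator account is part of its own graph
        if acct.get("Status") != "ACTIVE":
            continue  # SUSPENDED / PENDING_CLOSURE accounts cannot contribute data
        status = status_by_id.get(acct_id)
        if status == "ENABLED":
            enabled.append(acct_id)
        elif status is None:
            # CreateMembers needs the account ID and the root email on record
            to_add.append({"AccountId": acct_id, "EmailAddress": acct["Email"]})
        else:
            # INVITED, VERIFICATION_IN_PROGRESS, VERIFICATION_FAILED or
            # ACCEPTED_BUT_DISABLED: present in the graph but sending no telemetry,
            # so the coverage gap is real and a human has to clear it
            attention[acct_id] = status
    # Members that have left the organization keep a seat in the graph; flag them too
    org_ids = {a["Id"] for a in org_accounts}
    for acct_id, status in status_by_id.items():
        if acct_id not in org_ids:
            attention[acct_id] = f"{status} (not in organization)"
    return {"enabled": enabled, "to_add": to_add, "attention": attention}


def create_members_batches(to_add, size=MEMBER_BATCH):
    """Chunk the CreateMembers 'Accounts' list so each request stays within the limit."""
    return [to_add[i:i + size] for i in range(0, len(to_add), size)]


# Constructed sample data in the shape of the two API responses.
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "111111111111", "Email": "sec-admin@example.com", "Status": "ACTIVE"},
    {"Id": "222222222222", "Email": "prod@example.com", "Status": "ACTIVE"},
    {"Id": "333333333333", "Email": "dev@example.com", "Status": "ACTIVE"},
    {"Id": "444444444444", "Email": "old-lab@example.com", "Status": "SUSPENDED"},
    {"Id": "555555555555", "Email": "data@example.com", "Status": "ACTIVE"},
    {"Id": "666666666666", "Email": "sandbox@example.com", "Status": "ACTIVE"},
]
SAMPLE_MEMBERS = [
    {"AccountId": "333333333333", "Status": "ENABLED"},
    {"AccountId": "555555555555", "Status": "VERIFICATION_FAILED"},
    {"AccountId": "777777777777", "Status": "ENABLED"},
]

if __name__ == "__main__":
    report = reconcile(SAMPLE_ORG_ACCOUNTS, SAMPLE_MEMBERS, "111111111111")
    print("enabled:", report["enabled"])
    print("attention:", report["attention"])
    for n, batch in enumerate(create_members_batches(report["to_add"]), 1):
        print(f"CreateMembers batch {n}:", [a["AccountId"] for a in batch])
```

In the administrator account the real inputs come from `organizations.list_accounts()` (management or delegated-admin credentials) and `detective.list_members(GraphArn=...)`, both paginated; each batch is then passed as the `Accounts` argument of `detective.create_members(GraphArn=..., Accounts=batch, DisableEmailNotification=True)`. Run the reconciliation on a schedule rather than once: the `attention` map is where verification failures and members that left the organization show up, and those are coverage gaps an investigation in the graph would otherwise silently miss.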

Integrations

Amazon GuardDuty

Automatically ingests GuardDuty findings into the behavior graph for deeper investigation context.

AWS CloudTrail

Ingests CloudTrail API call logs to track user and service activity across your AWS environment.

Amazon VPC Flow Logs

Analyzes VPC flow logs to identify network communication patterns and anomalies.

Amazon EKS

Optionally ingests EKS audit logs to monitor Kubernetes API server activity.

AWS Organizations

Integrates with AWS Organizations to manage multi-account behavior graphs and auto-enable new accounts.

AWS Security Hub

Ingests AWS Security Hub findings into the behavior graph as an optional data source package, and lets analysts pivot from a Security Hub finding into Detective to investigate the entities involved.

Semantic Vocabularies

Amazon Detective Context

53 classes · 55 properties

JSON-LD

API Governance Rules

Amazon Detective API Rules

39 rules · 18 errors · 12 warnings · 9 info

SPECTRAL

Resources

Portal
Website
Documentation
TermsOfService
PrivacyPolicy
Support
GitHubOrganization
Console
SignUp
Login
StatusPage
Contact
Blog
ReleaseNotes
SpectralRules
Vocabulary
NaftikoCapability