Amazon Detective website screenshot

Amazon Detective

Amazon Detective is a security investigation service that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. It automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that help you conduct faster and more efficient security investigations.

1 APIs 8 Features
ForensicsInvestigationSecurity

APIs

Amazon Detective API

The Amazon Detective API provides programmatic access to manage security investigation workflows. It enables developers to create and manage behavior graphs, invite and manage m...

Collections

Arazzo Workflows

Amazon Detective Archive a Resolved Investigation

Find a behavior graph's investigations, inspect one, and archive it when it has succeeded.

ARAZZO

Amazon Detective Enable a Data Source Package

Start a data source package on a behavior graph and verify its ingest state.

ARAZZO

Amazon Detective Onboard a Behavior Graph with Member Accounts

Create a new behavior graph and invite member accounts, then confirm their membership status.

ARAZZO

Amazon Detective Member Accepts a Behavior Graph Invitation

List open invitations for a member account, accept one, and confirm enrollment.

ARAZZO

Amazon Detective Run an Investigation and Collect Indicators

Start an investigation on an entity, poll until it completes, then list its indicators.

ARAZZO

Amazon Detective Start Monitoring a Member Account

Invite a member account, enable data ingest for it, and confirm it is being monitored.

ARAZZO

Amazon Detective Tag a Behavior Graph

Discover behavior graphs, apply tag values to one, and read the tags back.

ARAZZO

Pricing Plans

Rate Limits

Amazon Detective Rate Limits

5 limits

RATE LIMITS

FinOps

Features

Behavior Graph Analysis

Automatically builds a behavior graph from log data using machine learning and graph theory to visualize security issues.

Security Investigations

Start and manage structured investigations on IAM users and roles with scoped time ranges and severity scoring.

Indicators of Compromise

Automatically identifies indicators including impossible travel, flagged IP addresses, new geolocations, new user agents, and TTP observations.

Multi-Account Support

Aggregate security data from multiple AWS accounts using an administrator account and member account model.

AWS Organizations Integration

Automatically enable new organization accounts as member accounts in the organization behavior graph.

Data Source Packages

Ingest security telemetry from CloudTrail, VPC Flow Logs, GuardDuty findings, EKS audit logs, and Active Directory audit logs.

Interactive Visualizations

Provides interactive graph visualizations in the AWS console to explore entity relationships and security events.

Investigation Severity Scoring

Assigns severity levels (Informational, Low, Medium, High, Critical) based on likelihood and impact of compromise indicators.

Use Cases

Security Incident Investigation

Rapidly investigate security incidents by analyzing entity behavior, network activity, and API call patterns across your AWS environment.

Threat Hunting

Proactively search for suspicious activity and potential threats using behavior analysis and machine learning across your AWS accounts.

Root Cause Analysis

Identify the root cause of security issues by exploring the relationships between resources, users, and events in a behavior graph.

Compliance Forensics

Collect and preserve forensic evidence for compliance investigations using structured investigations with defined scope and time ranges.

Multi-Account Security Operations

Centrally manage security investigations across an AWS Organization from a single administrator account.

Semantic Vocabularies

Amazon Detective Context

53 classes · 55 properties

JSON-LD

API Governance Rules

Amazon Detective API Rules

39 rules · 18 errors 12 warnings 9 info

SPECTRAL

JSON Structure

Amazon Detective Account Structure

2 properties

JSON STRUCTURE

Amazon Detective Administrator Structure

3 properties

JSON STRUCTURE

Amazon Detective Graph Structure

2 properties

JSON STRUCTURE

Amazon Detective Indicator Structure

2 properties

JSON STRUCTURE

Amazon Detective Member Detail Structure

12 properties

JSON STRUCTURE

Amazon Detective Unprocessed Graph Structure

2 properties

JSON STRUCTURE

Example Payloads

Resources

🔗
PostmanWorkspace
PostmanWorkspace
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🌐
Portal
Portal
🔗
Website
Website
🔗
Documentation
Documentation
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
💬
Support
Support
👥
GitHubOrganization
GitHubOrganization
🌐
Console
Console
📝
Signup
Signup
🔗
Login
Login
🟢
StatusPage
StatusPage
🔗
Contact
Contact
📰
Blog
Blog
📄
ReleaseNotes
ReleaseNotes
🔗
SpectralRules
SpectralRules
🔗
Vocabulary
Vocabulary

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Amazon Detective
  version: '2018-10-26'
request:
  auth:
    type: apikey
    key: Authorization
    value: '{{Authorization}}'
    placement: header
items:
- info:
    name: Graph
    type: folder
  items:
  - info:
      name: Amazon Detective Create Graph
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph
      body:
        type: json
        data: '{}'
    docs: Creates a new behavior graph for the calling account and sets it as the administrator account.
  - info:
      name: Amazon Detective Delete Graph
      type: http
    http:
      method: DELETE
      url: https://api.detective.{region}.amazonaws.com/graph
      body:
        type: json
        data: '{}'
    docs: Disables Amazon Detective and queues the behavior graph for deletion. This operation requires the behavior graph
      ARN in the request.
  - info:
      name: Amazon Detective List Graphs
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graphs/list
      body:
        type: json
        data: '{}'
    docs: Returns the list of behavior graphs that the calling account is an administrator account of. This operation can
      only be called by a Detective administrator account.
- info:
    name: Members
    type: folder
  items:
  - info:
      name: Amazon Detective Create Members
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/members
      body:
        type: json
        data: '{}'
    docs: Sends a request to invite the specified AWS accounts to be member accounts in the behavior graph. This operation
      can only be called by the administrator account.
  - info:
      name: Amazon Detective Delete Members
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/members/removal
      body:
        type: json
        data: '{}'
    docs: Removes the specified member accounts from the behavior graph. The removed accounts no longer contribute data to
      the behavior graph.
  - info:
      name: Amazon Detective Get Members
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/members/get
      body:
        type: json
        data: '{}'
    docs: Returns the membership details for specified member accounts for a behavior graph.
  - info:
      name: Amazon Detective List Members
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/members/list
      body:
        type: json
        data: '{}'
    docs: Retrieves the list of member accounts for a behavior graph. Does not return member accounts that were removed.
  - info:
      name: Amazon Detective Start Monitoring Member
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/members/monitoringEnable
      body:
        type: json
        data: '{}'
    docs: Sends a request to enable data ingest for a member account that has a status of ACCEPTED_BUT_DISABLED.
- info:
    name: Invitations
    type: folder
  items:
  - info:
      name: Amazon Detective Accept Invitation
      type: http
    http:
      method: PUT
      url: https://api.detective.{region}.amazonaws.com/invitation
      body:
        type: json
        data: '{}'
    docs: Accepts an invitation for the member account to contribute data to a behavior graph.
  - info:
      name: Amazon Detective Reject Invitation
      type: http
    http:
      method: PUT
      url: https://api.detective.{region}.amazonaws.com/invitation/removal
      body:
        type: json
        data: '{}'
    docs: Rejects an invitation to contribute the account data to a behavior graph.
  - info:
      name: Amazon Detective List Invitations
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/invitations/list
      body:
        type: json
        data: '{}'
    docs: Retrieves the list of open and accepted behavior graph invitations for the member account.
  - info:
      name: Amazon Detective Disassociate Membership
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/membership/removal
      body:
        type: json
        data: '{}'
    docs: Removes the member account from the specified behavior graph. This operation can only be called by a Detective member
      account.
- info:
    name: Datasources
    type: folder
  items:
  - info:
      name: Amazon Detective List Datasource Packages
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/datasources/list
      body:
        type: json
        data: '{}'
    docs: Lists data source packages in the behavior graph.
  - info:
      name: Amazon Detective Batch Get Graph Member Datasources
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/datasources/get
      body:
        type: json
        data: '{}'
    docs: Gets data source package information for the behavior graph.
  - info:
      name: Amazon Detective Batch Get Membership Datasources
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/membership/datasources/get
      body:
        type: json
        data: '{}'
    docs: Gets information on the data source package history for an account.
  - info:
      name: Amazon Detective Update Datasource Packages
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/graph/datasources/update
      body:
        type: json
        data: '{}'
    docs: Starts a data source packages for the specified behavior graph.
- info:
    name: Investigations
    type: folder
  items:
  - info:
      name: Amazon Detective Start Investigation
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/investigations/startInvestigation
      body:
        type: json
        data: '{}'
    docs: Initiates a Detective investigation on an entity in a behavior graph.
  - info:
      name: Amazon Detective Get Investigation
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/investigations/getInvestigation
      body:
        type: json
        data: '{}'
    docs: Returns the investigation results of an investigation for a behavior graph.
  - info:
      name: Amazon Detective List Investigations
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/investigations/listInvestigations
      body:
        type: json
        data: '{}'
    docs: Lists investigations for a behavior graph using filters such as time range, entity ARN, and investigation state.
  - info:
      name: Amazon Detective Update Investigation State
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/investigations/updateInvestigationState
      body:
        type: json
        data: '{}'
    docs: Updates the state of an investigation. Valid states are ACTIVE and ARCHIVED.
  - info:
      name: Amazon Detective List Indicators
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/investigations/listIndicators
      body:
        type: json
        data: '{}'
    docs: Gets the indicators from an investigation. You can use the filters to narrow the results based on the type of indicator.
- info:
    name: Organizations
    type: folder
  items:
  - info:
      name: Amazon Detective Enable Organization Admin Account
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/orgs/enableAdminAccount
      body:
        type: json
        data: '{}'
    docs: Designates the Detective administrator account for the organization in the current Region.
  - info:
      name: Amazon Detective Disable Organization Admin Account
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/orgs/disableAdminAccount
    docs: Removes the Detective administrator account in the current Region. Must be called from the organization management
      account.
  - info:
      name: Amazon Detective Describe Organization Configuration
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/orgs/describeOrganizationConfiguration
      body:
        type: json
        data: '{}'
    docs: Returns information about the configuration for the organization behavior graph.
  - info:
      name: Amazon Detective Update Organization Configuration
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/orgs/updateOrganizationConfiguration
      body:
        type: json
        data: '{}'
    docs: Updates the configuration for the organization behavior graph.
  - info:
      name: Amazon Detective List Organization Admin Accounts
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/orgs/listAdminAccounts
      body:
        type: json
        data: '{}'
    docs: Lists the Detective administrator accounts in the organization.
- info:
    name: Tags
    type: folder
  items:
  - info:
      name: Amazon Detective List Tags for Resource
      type: http
    http:
      method: GET
      url: https://api.detective.{region}.amazonaws.com/tags/:resourceArn
      params:
      - name: resourceArn
        value: arn:aws:detective:us-east-1:123456789012:graph:abc123def456
        type: path
        description: The ARN of the behavior graph for which you want to list tag values.
    docs: Returns the tag values that are assigned to a behavior graph.
  - info:
      name: Amazon Detective Tag Resource
      type: http
    http:
      method: POST
      url: https://api.detective.{region}.amazonaws.com/tags/:resourceArn
      params:
      - name: resourceArn
        value: arn:aws:detective:us-east-1:123456789012:graph:abc123def456
        type: path
        description: The ARN of the behavior graph to assign the tags to.
      body:
        type: json
        data: '{}'
    docs: Applies tag values to a behavior graph.
  - info:
      name: Amazon Detective Untag Resource
      type: http
    http:
      method: DELETE
      url: https://api.detective.{region}.amazonaws.com/tags/:resourceArn
      params:
      - name: resourceArn
        value: arn:aws:detective:us-east-1:123456789012:graph:abc123def456
        type: path
        description: The ARN of the behavior graph to remove the tags from.
      - name: tagKeys
        value: Environment,Team
        type: query
        description: The tag keys of the tags to remove from the behavior graph.
    docs: Removes tags from a behavior graph.
bundled: true