Amazon Detective
Amazon Detective is a security investigation service that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. It automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that help you conduct faster and more efficient security investigations.
APIs
Amazon Detective API
The Amazon Detective API provides programmatic access to manage security investigation workflows. It enables developers to create and manage behavior graphs, invite and manage m...
Capabilities
Amazon Detective Security Investigation
Workflow capability for SOC analysts and security engineers to conduct end-to-end security investigations using Amazon Detective. Combines behavior graph management, member acco...
Features
Automatically builds a behavior graph from log data using machine learning and graph theory to visualize security issues.
Starts and manages structured investigations on IAM users and roles with scoped time ranges and severity scoring.
Automatically identifies indicators including impossible travel, flagged IP addresses, new geolocations, new user agents, and TTP observations.
Aggregates security data from multiple AWS accounts using an administrator account and member account model.
Automatically enables new organization accounts as member accounts in the organization behavior graph.
Ingests security telemetry from CloudTrail, VPC Flow Logs, GuardDuty findings, EKS audit logs, and Active Directory audit logs.
Provides interactive graph visualizations in the AWS console to explore entity relationships and security events.
Assigns severity levels (Informational, Low, Medium, High, Critical) based on the likelihood and impact of compromise indicators.
Use Cases
Rapidly investigate security incidents by analyzing entity behavior, network activity, and API call patterns across your AWS environment.
Proactively search for suspicious activity and potential threats using behavior analysis and machine learning across your AWS accounts.
Identify the root cause of security issues by exploring the relationships between resources, users, and events in a behavior graph.
Collect and preserve forensic evidence for compliance investigations using structured investigations with defined scope and time ranges.
Centrally manage security investigations across an AWS Organization from a single administrator account.
Integrations
Automatically ingests GuardDuty findings into the behavior graph for deeper investigation context.
Ingests CloudTrail API call logs to track user and service activity across your AWS environment.
Analyzes VPC flow logs to identify network communication patterns and anomalies.
Optionally ingests EKS audit logs to monitor Kubernetes API server activity.
Integrates with AWS Organizations to manage multi-account behavior graphs and auto-enable new accounts.
Surfaces Detective investigation context within Security Hub for consolidated security findings.