AWS Detective






AWS Detective was integrated by Mindflow to enable users to automate their incident management and better protect their information system.

AWS Detective Overview

AWS Detective is an investigation service part of the AWS stack. The solution goes further than other investigation services available on AWS, such as GuardDuty, Macie, and Security Hub.

Detective helps when discovered security findings needs you to dig deeper and analyze more information to isolate the root cause and take action. Determining the root cause can be complex because it often involves collecting and combining logs from many separate data sources, using extract, transform, and load (ETL) tools or custom scripting to organize the data.

Using the solution analysts can investigate, and quickly identify the root cause of potential security issues or suspicious activities. To that end, Detective automatically collects log data from your AWS resources (Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, CloudTrail logs, EKS audit logs, and GuardDuty findings) and uses machine learning, statistical analysis, and graph theory to build a coherent set of data to enable you to perform fast efficient investigations.

Then it automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. Through this unified view, analysts can visualize all the details and context in one place to identify the underlying reasons for the findings, dive into relevant historical activities, and determine the root cause.

For example, a GuardDuty finding such as an unusual Console Login API call, can be investigated in Amazon Detective with details about the API call trends over time, and user login attempts on a geolocation map. Using these details you can identify the API call is legitimate or an indication of a compromised AWS resource.

AWS Detective can be managed via its console or API calls. As Mindflow integrates Detective, users can manage actions from Mindflow’s platform and automate further steps.

aws detective 1


Faster and more effective investigations

Unified view of user and resource interactions over time, with all the context and details in one place to help analysts analyze and determine the root cause of a security finding.

Save time with continuous data updates

Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity. The data is then organized into a graph model summarizing the security-related relationships in your AWS environment. AWS Detective then queries this model to create visualizations used in investigations. The graph model is continuously updated as new data becomes available from AWS resources.

Automation Through Mindflow

Automation Use Case

Related Integrations