AWS Detective was integrated by Mindflow to enable users to automate their incident management and better protect their information system.
AWS Detective Overview
AWS Detective is an investigation service that is part of the AWS security stack. It goes further than the other AWS services that surface findings, such as GuardDuty, Macie, and Security Hub.
Detective helps when a security finding requires you to dig deeper and analyze more information to isolate the root cause and take action. Determining the root cause can be complex because it often involves collecting and combining logs from many separate data sources, using extract, transform, and load (ETL) tools or custom scripting to organize the data.
Using the solution, analysts can investigate and quickly identify the root cause of potential security issues or suspicious activities. To that end, Detective automatically collects log data from your AWS resources (Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, CloudTrail logs, EKS audit logs, and GuardDuty findings) and uses machine learning, statistical analysis, and graph theory to build a coherent data set that lets you perform fast, efficient investigations.
Then it automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. Through this unified view, analysts can visualize all the details and context in one place to identify the underlying reasons for the findings, dive into relevant historical activities, and determine the root cause.
For example, a GuardDuty finding such as an unusual ConsoleLogin API call can be investigated in Amazon Detective with details about the API call trends over time and user login attempts on a geolocation map. Using these details you can determine whether the API call is legitimate or an indication of a compromised AWS resource.
AWS Detective can be managed via its console or API calls. Because Mindflow integrates Detective, users can trigger these actions from Mindflow's platform and automate the follow-up steps.
Faster and more effective investigations
Unified view of user and resource interactions over time, with all the context and details in one place to help analysts analyze and determine the root cause of a security finding.
Save time with continuous data updates
Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity. The data is then organized into a graph model summarizing the security-related relationships in your AWS environment. AWS Detective then queries this model to create visualizations used in investigations. The graph model is continuously updated as new data becomes available from AWS resources.
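To make the graph-model idea above concrete, here is a small added example (not Detective's own code or Mindflow's integration) that builds a toy entity graph from constructed CloudTrail-style and VPC-flow-style records, then answers the questions an analyst asks about an unusual ConsoleLogin finding: which IPs the principal logged in from, how many API calls it made per day, and which resources are reachable within two hops of it. The event records, field names and entity identifiers are all constructed for the example; the real Detective model ingests far more fields and applies its own analytics on top.

```python
"""Toy entity graph in the spirit of the model Detective builds from CloudTrail
and VPC Flow Log records. Added example; it is not Detective's implementation."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not captured from a real account), trimmed to the
# fields the toy graph needs: a daytime login from one IP, then an off-hours
# login from a new IP followed by key creation and instance launch.
CLOUDTRAIL_EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "principal": "alice", "event": "ConsoleLogin",
     "source_ip": "203.0.113.10"},
    {"time": "2024-05-01T09:05:00Z", "principal": "alice", "event": "DescribeInstances",
     "source_ip": "203.0.113.10"},
    {"time": "2024-05-02T03:12:00Z", "principal": "alice", "event": "ConsoleLogin",
     "source_ip": "198.51.100.7"},
    {"time": "2024-05-02T03:15:00Z", "principal": "alice", "event": "CreateAccessKey",
     "source_ip": "198.51.100.7"},
    {"time": "2024-05-02T03:16:00Z", "principal": "alice", "event": "RunInstances",
     "source_ip": "198.51.100.7", "resource": "i-0abc"},
]
FLOW_LOGS = [
    {"time": "2024-05-02T03:20:00Z", "src": "i-0abc", "dst": "192.0.2.99", "bytes": 5_000_000},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


class EntityGraph:
    """Nodes are principals, IP addresses and resources; every edge carries the
    time it was observed and the relation (API name or flow summary)."""

    def __init__(self):
        self.edges = defaultdict(list)  # node -> [(time, relation, other_node)]

    def add_edge(self, ts, src, relation, dst):
        t = _parse(ts)
        self.edges[src].append((t, relation, dst))
        self.edges[dst].append((t, relation, src))  # stored both ways for lookups

    def neighbors(self, node):
        return sorted({other for _, _, other in self.edges[node]})

    def reachable(self, node, hops=2):
        """Breadth-first expansion to the entities within `hops` of `node`."""
        seen, frontier = {node}, {node}
        for _ in range(hops):
            frontier = {n for f in frontier for n in self.neighbors(f)} - seen
            seen |= frontier
        return sorted(seen - {node})


def build_graph(cloudtrail, flow_logs):
    g = EntityGraph()
    for ev in cloudtrail:
        g.add_edge(ev["time"], ev["principal"], ev["event"], ev["source_ip"])
        if "resource" in ev:  # the call touched a resource: link principal to it
            g.add_edge(ev["time"], ev["principal"], ev["event"], ev["resource"])
    for fl in flow_logs:
        g.add_edge(fl["time"], fl["src"], f"flow:{fl['bytes']}B", fl["dst"])
    return g


def investigate_login(graph, principal):
    """Summarise what an analyst looks at for a suspicious ConsoleLogin finding."""
    first_login = {}
    for t, rel, other in sorted(graph.edges[principal]):
        if rel == "ConsoleLogin" and other not in first_login:
            first_login[other] = t  # insertion order is chronological
    # A call that touched a resource produced two edges; dedupe on (time, API).
    calls = {(t, rel) for t, rel, _ in graph.edges[principal]}
    calls_per_day = Counter(t.date().isoformat() for t, _ in calls)
    return {
        "login_ips": list(first_login),
        "calls_per_day": dict(calls_per_day),
        "reachable": graph.reachable(principal, hops=2),
    }


if __name__ == "__main__":
    graph = build_graph(CLOUDTRAIL_EVENTS, FLOW_LOGS)
    for key, value in investigate_login(graph, "alice").items():
        print(f"{key}: {value}")
```

The second login IP appears only on the day of the key creation and instance launch, and the two-hop expansion links that instance to an external address seen in the flow log; that is the kind of context Detective's unified view puts next to the original finding so the analyst does not have to join the logs by hand.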