Why HAQM Detective?

HAQM Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. HAQM Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

HAQM Detective can analyze trillions of events from multiple data sources such as HAQM Virtual Private Cloud (HAQM VPC) Flow Logs, AWS CloudTrail logs, HAQM Elastic Kubernetes Service (HAQM EKS) audit logs, and security findings from multiple services like HAQM GuardDuty, AWS Security Hub, and more. Detective automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Overview

Automatic data collection across all your AWS accounts

HAQM Detective automatically ingests and processes relevant data from all enabled accounts. You don't have to configure or enable any data sources. HAQM Detective collects and analyzes events from data sources such as AWS CloudTrail logs, HAQM VPC Flow Logs, HAQM EKS audit logs, HAQM GuardDuty findings, AWS Security Hub findings, and other integrated AWS security services, and it maintains up to a year of aggregated data for analysis.

Consolidates disparate events into a graph model

HAQM Detective can analyze trillions of events from various data types, including IP traffic, AWS management operations, and potentially malicious or unauthorized activities. Detective constructs a graph model using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations. The pre-built graph model contains security-related relationships and offers contextual and behavioral insights that enable you to quickly validate, compare, and correlate the data to reach conclusions. HAQM Detective’s visualizations are powered by the graph model, enabling you to rapidly answer your investigative questions without the complexity of querying raw logs. For example, the graph provides context and relationships such as when an IP address connects to an EC2 instance, and the API calls made by a role during a specific time period.

Interactive visualizations for efficient investigation

HAQM Detective provides interactive visualizations and insights using generative AI, making it easier to investigate issues faster and more thoroughly with less effort. With a unified view that lets you see all the context and natural language summaries in one place, it becomes easier to identify patterns that can validate or refute a security issue and to understand all of the impacted resources within a security finding. Using these visualizations and insights, you can more easily filter large sets of event data into specific timelines, with all the details, context, and guidance to help you investigate quickly. HAQM Detective enables you to view login attempts by geolocation, drill down into relevant historical activities, and quickly determine a root cause and, if necessary, take action to resolve the issue.

Newly observed geolocations

Overall API call volume

The graph visualization shows you related AWS security findings and affected resources from a single security event, such as EC2 instances, IAM roles and users, S3 buckets, and IP addresses. The insights describe the events that took place during the security event in natural language to help you understand the chain of events. This helps you investigate unusual or suspicious activity more quickly and with less effort. The Overall API call volume view shows you successful and failed calls in a specific time period and compares them to the established baseline. This helps you identify patterns of abnormal activity and validate a security finding.
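The two ideas above, a graph that links IP addresses, principals, API names and EC2 instances, and a comparison of a role's API call volume against a baseline, can be illustrated offline. The following is an added example, not HAQM Detective's own code, data model, or baseline algorithm: it builds a small relationship graph from constructed CloudTrail-style events and VPC Flow Log-style records, counts successful and failed calls per day, and flags a day whose total exceeds a simple prior-days baseline. The role ARN, instance id, IP addresses, the IP-to-instance map and the 3x threshold are all constructed assumptions.

```python
"""Added example (not HAQM Detective code): relationship graph plus API call
volume baseline over constructed CloudTrail-style and VPC Flow Log-style data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

ROLE = "arn:aws:iam::111122223333:role/app-role"  # constructed principal

# Constructed CloudTrail-style events:
# (eventTime, principal ARN, eventName, sourceIPAddress, errorCode or None)
CLOUDTRAIL = [
    ("2024-05-01T10:00:00Z", ROLE, "DescribeInstances", "10.0.1.5", None),
    ("2024-05-01T11:00:00Z", ROLE, "GetObject", "10.0.1.5", None),
    ("2024-05-02T10:30:00Z", ROLE, "DescribeInstances", "10.0.1.5", None),
    ("2024-05-02T12:00:00Z", ROLE, "GetObject", "10.0.1.5", None),
    ("2024-05-03T09:00:00Z", ROLE, "ListBuckets", "10.0.1.5", None),
    ("2024-05-03T09:10:00Z", ROLE, "GetObject", "10.0.1.5", None),
] + [
    # Day 4 (constructed): a burst of calls, mostly denied, from an address
    # this role has not used before.
    ("2024-05-04T02:%02d:00Z" % m, ROLE, name, "198.51.100.7", err)
    for m, (name, err) in enumerate(
        [("ListBuckets", None), ("GetObject", None)]
        + [("PutBucketPolicy", "AccessDenied")] * 6
    )
]

# Constructed VPC Flow Log-style records: (srcaddr, dstaddr, dstport, action)
FLOW_LOGS = [
    ("203.0.113.9", "10.0.1.5", 443, "ACCEPT"),
    ("198.51.100.7", "10.0.1.5", 22, "ACCEPT"),
]

# Constructed private-address -> EC2 instance map (hand-built here; a real
# investigation tool derives this relationship from ingested resource data).
IP_TO_INSTANCE = {"10.0.1.5": "i-0123456789example"}


def build_graph(events, flows, ip_to_instance):
    """Link principals, IPs, API names and instances into node -> {(relation, neighbour)}."""
    graph = defaultdict(set)
    for _t, principal, api, ip, _err in events:
        graph[principal].add(("CALLED", api))
        graph[principal].add(("CALLED_FROM", ip))
        graph[ip].add(("USED_PRINCIPAL", principal))
    for src, dst, _port, action in flows:
        instance = ip_to_instance.get(dst)
        if instance and action == "ACCEPT":
            graph[src].add(("CONNECTED_TO", instance))
            graph[instance].add(("ACCEPTED_FROM", src))
    return graph


def neighbours(graph, node, relation=None):
    """Sorted neighbours of `node`, optionally restricted to one relation."""
    return sorted(n for r, n in graph.get(node, ()) if relation in (None, r))


def daily_volume(events, principal):
    """Per-day (successful, failed) API call counts for one principal."""
    counts = defaultdict(lambda: [0, 0])
    for t, p, _api, _ip, err in events:
        if p != principal:
            continue
        day = datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        counts[day][1 if err else 0] += 1
    return {d: tuple(v) for d, v in sorted(counts.items())}


def abnormal_days(volume, factor=3.0):
    """Flag days whose total exceeds `factor` times the mean of all earlier
    days (the baseline). The first day has no baseline and is never flagged."""
    flagged, totals = [], []
    for day, (ok, failed) in volume.items():
        total = ok + failed
        if totals and total > factor * mean(totals):
            flagged.append((day, total, mean(totals)))
        totals.append(total)
    return flagged


def new_source_ips(events, principal, since):
    """Source IPs a principal used at or after `since` that never appeared earlier."""
    seen, new = set(), set()
    for t, p, _api, ip, _err in sorted(events, key=lambda e: e[0]):
        if p != principal:
            continue
        if t < since:
            seen.add(ip)
        elif ip not in seen:
            new.add(ip)
    return sorted(new)


if __name__ == "__main__":
    g = build_graph(CLOUDTRAIL, FLOW_LOGS, IP_TO_INSTANCE)
    vol = daily_volume(CLOUDTRAIL, ROLE)
    print("APIs called by role:", neighbours(g, ROLE, "CALLED"))
    print("Daily (ok, failed):", vol)
    print("Abnormal days:", abnormal_days(vol))
    print("New source IPs from day 4:", new_source_ips(CLOUDTRAIL, ROLE, "2024-05-04"))
    print("Instances reached from 198.51.100.7:", neighbours(g, "198.51.100.7", "CONNECTED_TO"))
```

Walking the graph from the unfamiliar address to the instance it reached, and from the role to the APIs it called, is the same pivot an analyst makes in an investigation view; the baseline check is deliberately naive (mean of prior days) and exists only to show why a volume-versus-baseline comparison, rather than raw counts, is what separates a routine day from one worth validating against a finding.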


More features

Seamless integration for investigating a security finding

HAQM Detective is integrated with AWS security services such as HAQM GuardDuty, AWS Security Hub, HAQM Inspector, and HAQM Security Lake, as well as AWS Partner security products, to help you quickly investigate security findings identified in these services. In a single step from these integrated services, you can go to HAQM Detective and immediately see events related to the findings, drill down into relevant historical activities, and investigate the issue. For example, from an HAQM GuardDuty finding, you can launch HAQM Detective by choosing “Investigate in Detective”, which provides instant insight into the relevant activity for the involved resource. From Detective you can query and retrieve log sources stored in HAQM Security Lake without having to craft queries or leave the Detective console.

Security investigation support for HAQM GuardDuty Runtime Monitoring

HAQM Detective supports security investigations for GuardDuty ECS and EKS Runtime Monitoring, providing enhanced visualizations and additional context for new threat detections. You can use the runtime threat detections from GuardDuty and the investigative capabilities from Detective to improve your detection and response for potential threats to your container workloads. Detective supports the investigation of these new detections by including them in finding groups, visualizations, and other summaries for faster security investigations.

Simple deployment with no upfront data source integration or complex configurations to maintain

With a few steps in the AWS Management Console, you can enable HAQM Detective. There is no software to deploy, no agents to install, and no complex configurations to maintain. There are also no data sources to enable, which means you do not incur the costs of data source enablement, data transfer, and data storage.