Analyzing entity details - Amazon Detective

Analyzing entity details

An entity is a single object extracted from the source data. Examples include a specific IP address, Amazon EC2 instance, or AWS account. For a list of entity types, see Types of entities in the behavior graph data structure.

An Amazon Detective entity profile is a single page that provides detailed information about the entity and its activity. You might use an entity profile to get supporting details for an investigation into a finding or as part of a general hunt for suspicious activity.

How to display an entity profile

An entity profile appears when you perform one of the following actions:

Scope time for an entity profile

When you navigate directly to an entity profile without providing the scope time, the scope time is set to the previous 24 hours.

When you navigate to an entity profile from another entity profile, the currently selected scope time remains in place.

When you navigate to an entity profile from a finding overview, the scope time is set to the finding time window.

For information on setting the scope time, see Managing the scope time.

Entity identifier and type

At the top of the profile are the entity identifier and the entity type. Each entity type has a corresponding icon, to provide a visual indicator of the type of profile.

Involved findings

Each profile contains a list of findings that the entity was involved in during the scope time.

You can see the details for each finding, change the scope time to reflect the finding time window, and go to the finding overview to look for other involved resources.

See Viewing details for associated findings.

Finding groups involving this entity

Each profile contains a list of finding groups that an entity is included in.

A finding group is made up of findings, entities, and evidence that Detective collects into a group to provide more context on possible security issues.

For more information on finding groups, see Analyzing finding groups.

Profile panels containing entity details and analytics results

Each entity profile contains a set of one or more tabs. Each tab contains one or more profile panels. Each profile panel contains text and visualizations that are generated from the behavior graph data. The specific tabs and profile panels are tailored to the entity type.

For most entities, the panel at the top of the first tab provides high-level summary information about the entity.

Other profile panels highlight different types of activity. For an entity that is involved with a finding, the information on the entity profile panels can provide additional supporting evidence to help complete an investigation. Each profile panel provides access to guidance on how to use the information. For more information, see Using profile panel guidance during an investigation.

For more details about profile panels, the types of data they contain, and available options for interacting with them, see Viewing and interacting with profile panels.