Analyzing finding groups - Amazon Detective

Analyzing finding groups

Amazon Detective finding groups enable you to examine multiple activities as they relate to a single security compromise event. If a threat actor is attempting to compromise your AWS environment, they typically perform a sequence of actions that lead to multiple security findings and unusual behaviors. These actions are often spread across time and resources. When security findings are investigated in isolation, it can lead to a misinterpretation of their significance and difficulty in finding the root cause. Amazon Detective addresses this problem by applying a graph analysis technique that infers relationships between findings and groups them together. We recommend treating finding groups as the starting point for investigating the involved entities and findings.

Detective analyzes data from findings and groups them with other findings that are likely to be related based on the resources they share. For example, findings triggered by actions taken by the same IAM role sessions or originating from the same IP address are very likely to be part of the same underlying activity. It is valuable to investigate findings and evidence as a group even if not every association that Detective makes turns out to be related.

In addition to findings, each group includes the resources involved in the findings. The resources can include Detective entities and resources outside of AWS, such as IP addresses or user agents.

Understanding the finding groups page

The finding groups page lists all the finding groups collected by Amazon Detective from your behavior graph. Take note of the following attributes of finding groups:

Severity of a group

Each finding group is assigned a severity based on the AWS Security Finding Format (ASFF) severity of the associated findings. ASFF finding severity values are Critical, High, Medium, Low, or Informational from most to least severe. The severity of a grouping is equal to the highest severity finding among the findings in that grouping.

Groups that consist of Critical or High severity findings that impact a large number of resources should be prioritized for investigations, as they are more likely to represent high-impact security issues.

Group title

In the Title column, each group has a unique ID and a non-unique title. These are based on the ASFF type namespace for the group and the number of findings within that namespace in the cluster. For example, if a grouping has the title: Group with: TTP (2), Effect (1), and Unusual behavior (2) it includes five total findings consisting of two findings in the TTP namespace, one finding in the Effect namespace, and two findings in the Unusual Behavior namespace. For a complete list of namespaces, see Types taxonomy for ASFF.

Tactics in a group

The Tactics column in a group details which tactics category the activity falls into. Tactics are based on the MITRE ATT&CK matrix for AWS.

You can select a tactic on the chain to see a description of the tactic and which findings within the group are within that category. Underneath the chain is a list of the tactics detected within the group. These categories and the activities they typically represent are as follows:

  • Initial Access – An adversary is trying to get into someone else’s network.

  • Execution – An adversary is trying to run malicious code.

  • Persistence – An adversary is trying to maintain their foothold.

  • Privilege Escalation – An adversary is trying to gain higher-level permissions.

  • Defense Evasion – An adversary is trying to avoid being detected.

  • Credential Access – An adversary is trying to steal account names and passwords.

  • Discovery – An adversary is trying to understand and learn about an environment.

  • Lateral Movement – An adversary is trying to move through an environment.

  • Collection – An adversary is trying to gather data of interest to their goal.

  • Command and Control – An adversary is trying to communicate with compromised systems to control them.

  • Exfiltration – An adversary is trying to steal data.

  • Impact – An adversary is trying to manipulate, interrupt, or destroy your systems and data.

  • Other – Indicates activity from a finding that does not align with tactics listed in the matrix.
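The grouping, severity, title and tactic rules described above, worked through in code. This is an added illustration, not Detective's implementation: it assumes a reduced ASFF-like finding shape (Types in the "namespace/category/classifier" form, Resources as a list of entity IDs) and constructed sample findings; the real service infers relationships from its behavior graph rather than from exact resource-ID overlap.

```python
from collections import Counter
from itertools import combinations

# ASFF severity labels, most to least severe (as listed on the page).
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]

# Constructed sample findings (not real data). Resources lists the entity IDs
# each finding involves: an IAM role session, an IP address, an S3 bucket.
FINDINGS = [
    {"Id": "f1", "Severity": "MEDIUM", "Types": ["TTPs/Initial Access/UnauthorizedAccess:IAMUser"],
     "Resources": ["role-session:DevRole/alice", "ip:198.51.100.7"]},
    {"Id": "f2", "Severity": "HIGH", "Types": ["TTPs/Discovery/Recon:IAMUser"],
     "Resources": ["role-session:DevRole/alice"]},
    {"Id": "f3", "Severity": "LOW", "Types": ["Unusual Behaviors/API/NewApiCall"],
     "Resources": ["ip:198.51.100.7"]},
    {"Id": "f4", "Severity": "HIGH", "Types": ["Effects/Data Exposure/PublicBucket"],
     "Resources": ["s3:bucket-a"]},
]

def group_findings(findings):
    """Union findings that share at least one resource (connected components)."""
    parent = {f["Id"]: f["Id"] for f in findings}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b in combinations(findings, 2):
        if set(a["Resources"]) & set(b["Resources"]):
            parent[find(a["Id"])] = find(b["Id"])
    groups = {}
    for f in findings:
        groups.setdefault(find(f["Id"]), []).append(f)
    return list(groups.values())

def group_severity(group):
    """Group severity is the highest ASFF severity among its findings."""
    return min(group, key=lambda f: SEVERITY_ORDER.index(f["Severity"]))["Severity"]

def group_title(group):
    """Title lists each ASFF type namespace with the count of findings in it."""
    counts = Counter(f["Types"][0].split("/")[0] for f in group)
    return "Group with: " + ", ".join(f"{ns} ({n})" for ns, n in counts.items())

def group_tactics(group):
    """For findings in the TTPs namespace, the ASFF category is the ATT&CK tactic."""
    return sorted({f["Types"][0].split("/")[1] for f in group if f["Types"][0].startswith("TTPs/")})
```

Running it on the sample yields two groups: f1, f2 and f3 are joined through the shared role session and IP address, while f4 stands alone.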

Entities within a group

The Resources column contains details on the specific entities detected within this grouping. Select this value for a breakdown of entities based on the categories: Identity, Network, Storage, and Compute. Examples of resources in each category are:

  • Identity – IAM principals and AWS accounts, such as user and role

  • Network – IP address or other networking and VPC entities

  • Storage – Amazon S3 buckets or DynamoDB tables

  • Compute – Amazon EC2 instances or Kubernetes containers

Accounts within a group

The Accounts column tells you what accounts own entities involved with the findings in the group. Accounts are listed by name and AWS ID so you can prioritize investigations of activity involving critical accounts.

Findings within a group

The Findings column has a bar graph showing the number of findings by severity. The findings include Amazon GuardDuty findings as well as evidence from Detective. You can select the graph to see an exact count of findings by severity.

Informational findings in finding groups

Amazon Detective identifies additional information related to a finding group based on data in your behavior graph collected within the last 45 days. Detective presents this information as a finding with the Informational severity. Evidence provides supporting information that highlights an unusual activity or unknown behavior that is potentially suspicious when viewed within a finding group. This might include newly observed geolocations or API calls observed within the scope time of a finding. Evidence findings are only viewable in Detective and are not sent to AWS Security Hub.

You can observe evidence for different principal types (such as IAM user or IAM role). For some evidence types, you can observe evidence for all accounts. This means they affect your entire behavior graph. If an evidence finding is observed for all accounts, you will also see at least one additional informational evidence finding of the same type for an individual IAM role. For example, if you see a New geolocation observed for all accounts finding, you will see another for New geolocation observed for a principal.

Types of evidence in finding groups

  • New geolocation observed

  • New ASO observed

  • New user agent observed

  • New API call issued

  • New geolocation observed for all accounts

  • New IAM principal observed for all accounts

Finding group profiles

When you select a group title, a finding group profile opens with additional details about that group.

The group profile page displays the set Scope time of the group. This is the date and time from the earliest finding or evidence included in the group to the most recently updated finding or evidence in a group. You can also see the Finding group severity, which is equal to the highest severity category among findings in the group. Other details within this profile panel include:

  • The Involved tactics chain shows you which tactics are attributed to the findings in the group. Tactics are based on the MITRE ATT&CK Matrix for Enterprise. The tactics are shown as a chain of colored dots that represents the typical progression of an attack from the earliest to latest stages. This means the leftmost circles on the chain typically represent less severe activities where an adversary is trying to gain or maintain access to your environment. Conversely, activities toward the right are the most severe and can include data tampering or destruction.

  • The relationships that this group has with other groups. Occasionally, one or more previously unconnected groups of findings can be merged into a new group based on a newly discovered link, for example, a finding that involves resources from the existing groups. In this case, Amazon Detective deactivates the parent groups and creates a child group. You can trace the lineage of any group back to its parent groups. Groups can have the following relationships:

    • Child finding group – A finding group created when a new finding involves resources from two other finding groups, linking them together. The parent groups are listed for any child group.

    • Parent finding group – A finding group is a parent when a child group has been created from it. If a finding group is a parent, the related children are listed with it. A parent group's status becomes Inactive when it's merged into an Active child group.

There are two information tabs that open profile panels. Using the Involved resources and Involved findings tabs, you can view further details about the group.

Profile panels within groups

Involved resources

Focuses on the resources in the finding group, including what findings within the group each resource is linked to. The tags attached to each resource are also displayed so you can quickly identify important resources based on tagging. Select a resource to view its entity profile.

Involved findings

Has details about each finding, including finding severity, each resource involved, and when that finding was first and last seen. Select a finding type in the list to open a finding details panel with additional information about that finding. As part of the Involved findings panel, you may see Informational findings based on Detective evidence from your behavior graph.

Finding group visualization

Amazon Detective provides an interactive visualization of finding groups. This visualization is designed to help you investigate issues faster and more thoroughly with less effort. The finding group Visualization panel displays the findings and entities involved in a finding group. This interactive visualization can help you analyze, understand, and triage the impact of the finding group. This panel visualizes the information presented in the Involved resources and Involved findings tables. From the visual presentation, you can select findings or entities for further analysis.

From this interactive panel, you can:

  • Rearrange the entities and findings to better understand their interconnectedness.

  • Select items to view more details.

  • View what resource types are prevalent in a finding group.

  • Quickly assess the makeup of the finding group.

The finding group Visualization panel supports the display of finding groups with up to 100 entities and findings.

You can choose Select layout to view the findings and entities in a Circle, Force-directed, or Grid layout. The Force-directed layout positions the entities and findings so that links are a consistent length between items and the links are distributed evenly. This helps to reduce overlapping. The layout that you select defines the placement of findings in the Visualization panel.

[Figure: A visualization panel showing the interconnections between the entities and findings included in a finding group, using the Force-directed layout, which positions the entities and findings so that links are a consistent length between items and the links are distributed evenly.]

The Legend helps you identify what each visual element represents.

From this panel, you can:

  • Isolate entities and findings from a group by moving the selected item in the finding group.

  • View more details about multiple entities and findings. To select multiple items, press command/control and either choose the items or drag and drop them using your pointer.

  • View the text labels for entities by zooming to 120% or higher.

  • Reset the layout to fit all entities and findings into the finding group window.