Detective Investigation
You can use Amazon Detective Investigation to investigate IAM users and IAM roles using indicators of compromise, which can help you determine whether a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. With Detective Investigations you can maximize efficiency, focus on the security threats, and strengthen incident response capabilities.
Detective Investigation uses machine learning models and threat intelligence to automatically analyze resources in your AWS environment to identify potential security incidents. It lets you proactively, effectively, and efficiently use automation built on top of Detective’s behavioral graph to improve security operations. Using Detective Investigations you can investigate attack tactics, impossible travel, flagged IP addresses, and finding groups. It performs initial security investigation steps and generates a report highlighting the risks identified by Detective, to help you understand security events and respond to potential incidents.
Running a Detective Investigation
Use Run investigation to analyze resources such as IAM users and IAM roles and to generate an investigation report. The generated report details anomalous behavior that indicates potential compromise.
You can also run an investigation from the following pages in Detective:
- An IAM user or IAM role profile page in Detective.
- The Graph visualization pane of a finding group (Actions column of an involved resource).
- An IAM user or IAM role on a finding page.
After Detective runs the investigation for a resource, an investigation report is generated. To access the report, go to Investigations from the navigation pane.
Reviewing investigations reports
The Investigations page lets you review the reports generated for investigations that you have run previously in Detective.
To review investigations reports
- Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.
- In the navigation pane, choose Investigations.
Take note of the following attributes from an investigations report.
- ID – The generated identifier of the investigations report. You can choose this ID to read a summary of the investigation report, which has the details of the investigation.
- Status – Each investigation is associated with a Status based on the completion status of the investigation. Status values can be In progress, Succeeded, or Failed.
- Severity – Each investigation is assigned a Severity. Detective automatically assigns a severity to the finding.

  A severity represents the disposition as analyzed by the investigation of a single resource at a given scope time. A severity reported by an investigation doesn't imply or otherwise indicate the criticality or importance that an affected resource might have for your organization.

  Investigation severity values can be Critical, High, Medium, Low, or Informational, from most to least severe.

  Investigations that are assigned a Critical or High severity value should be prioritized for further inspection, as they are more likely to represent high-impact security issues identified by Detective.
- Entity – The Entity column contains details on the specific entities detected in the investigation. Entities include AWS accounts and identities such as users and roles.
- Creation date – The Creation date column contains the date and time the investigation report was first created.
Understanding a Detective Investigations report
A Detective Investigations report lists a summary of the uncommon behavior or malicious activity that indicates compromise. It also lists the recommendations that Detective suggests to mitigate the security risk.
![A Detective Investigations report, showing the summary and indicators of compromise for a selected investigation.](/images/detective/latest/userguide/images/detective-investigations-report.png)
To view an investigations report for a specific investigation ID
- Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.
- In the navigation pane, choose Investigations.
- In the Reports table, select an investigation ID.
Detective generates the report for the selected Scope time and User. The report contains an Indicators of Compromise section that includes details regarding one or more of the indicators of compromise listed below. As you review each indicator of compromise, optionally choose an item to drill down and review its details.
- Tactics, Techniques, and Procedures – Identifies tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the MITRE ATT&CK matrix for Enterprise.
- Threat Intelligence Flagged IP Addresses – Suspicious IP addresses are flagged and identified as critical or severe threats based on Detective threat intelligence.
- Impossible Travel – Detects and identifies unusual and impossible user activity for an account. For example, this indicator lists a drastic change from the source to the destination location of a user within a short time span.
- Related Finding Group – Shows multiple activities as they relate to a potential security event. Detective uses graph analysis techniques that infer relationships between findings and entities, and groups them together as a finding group.
- Related Findings – Related activities associated with a potential security event. Lists all distinct categories of evidence that are connected to the resource or the finding group.
- New Geolocations – Identifies new geolocations used either at the resource or account level. For example, this indicator lists an observed geolocation that is infrequently used or previously unused, based on prior user activity.
- New User Agents – Identifies new user agents used either at the resource or account level.
- New ASOs – Identifies new Autonomous System Organizations (ASOs) used either at the resource or account level. For example, this indicator lists a new organization assigned as an ASO.
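As an added example (not AWS code), the following Python triage pass works over downloaded investigation reports the way the attribute and indicator descriptions above suggest: it keeps only Succeeded investigations, orders them on the Critical-to-Informational scale, flags Critical and High for prioritized inspection, and separates the indicator categories listed above from any unrecognized names. The report field names and the sample records are constructed assumptions, since the JSON layout of a real export is not described on this page.

```python
import json

# Severity order as Detective reports it, most to least severe.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}
# Indicator-of-compromise categories a report's IOC section can contain.
IOC_CATEGORIES = {
    "Tactics, Techniques, and Procedures", "Threat Intelligence Flagged IP Addresses",
    "Impossible Travel", "Related Finding Group", "Related Findings",
    "New Geolocations", "New User Agents", "New ASOs"}

# Constructed sample: several downloaded reports collected into one JSON array. The
# field names mirror the console columns; the layout of a real export is an assumption.
SAMPLE_REPORTS = json.dumps([
    {"id": "inv-001", "status": "Succeeded", "severity": "High",
     "entity": "arn:aws:iam::111122223333:user/alice",
     "indicators": ["Impossible Travel", "New Geolocations", "New ASOs"]},
    {"id": "inv-002", "status": "Succeeded", "severity": "Critical",
     "entity": "arn:aws:iam::111122223333:role/deploy",
     "indicators": ["Threat Intelligence Flagged IP Addresses",
                    "Tactics, Techniques, and Procedures"]},
    {"id": "inv-003", "status": "In progress", "severity": "Critical",
     "entity": "arn:aws:iam::111122223333:user/bob", "indicators": []},
    {"id": "inv-004", "status": "Succeeded", "severity": "Low",
     "entity": "arn:aws:iam::111122223333:user/carol",
     "indicators": ["New User-Agents"]},  # near-miss name exercises the drift check
    {"id": "inv-005", "status": "Succeeded", "severity": "High",
     "entity": "arn:aws:iam::111122223333:role/billing", "indicators": ["New User Agents"]},
])

def triage(reports_json, asset_criticality=None):
    """Return Succeeded reports as a review queue, most urgent first. Detective's severity
    describes the behaviour seen, not the resource's value to you, so an optional per-entity
    criticality (0 = most critical) breaks ties; unknown indicator names are surfaced."""
    asset_criticality = asset_criticality or {}
    queue = []
    for r in json.loads(reports_json):
        if r["status"] != "Succeeded":  # In progress / Failed: nothing to review yet
            continue
        found = set(r["indicators"])
        queue.append({"id": r["id"], "entity": r["entity"], "severity": r["severity"],
                      "prioritize": r["severity"] in ("Critical", "High"),
                      "indicators": sorted(found & IOC_CATEGORIES),
                      "unknown_indicators": sorted(found - IOC_CATEGORIES)})
    queue.sort(key=lambda q: (SEVERITY_RANK.get(q["severity"], len(SEVERITY_RANK)),
                              asset_criticality.get(q["entity"], 99), q["id"]))
    return queue

if __name__ == "__main__":
    for item in triage(SAMPLE_REPORTS, {"arn:aws:iam::111122223333:role/billing": 0}):
        print("PRIORITIZE" if item["prioritize"] else "review    ", item["id"],
              item["severity"], item["indicators"], item["unknown_indicators"])
```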
Investigations report summary
Investigations summary highlights anomalous indicators that require attention, for the selected scope time. Using the summary, you can more quickly identify the root cause of potential security issues, identify patterns, and understand the resources impacted by security events.
In the detailed investigations report summary, you can view the following details.
Investigations overview
In the Overview panel, you can see a visualization of IPs with high severity activity, which can give more context on the pathway of an attacker.
Detective highlights Unusual activity in the investigation, for example impossible travel from a source to a faraway destination by the IAM user.
Detective maps the investigations to tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the MITRE ATT&CK matrix for Enterprise.
Investigations indicators
You can use the information in the Indicators pane to determine whether an AWS resource is involved in unusual activity that could indicate malicious behavior, and what its impact is. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident.
Downloading an investigation report
You can download the Detective Investigations report in JSON format to analyze it further or store it in your preferred storage solution, such as an Amazon S3 bucket.
To download an investigations report from the Reports table
- Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.
- In the navigation pane, choose Investigations.
- Select an investigation from the Reports table, and choose Download.
To download an investigations report from the summary page
- Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.
- In the navigation pane, choose Investigations.
- Select an investigation from the Reports table.
- On the investigations summary page, choose Download.
Archiving an investigation report
When you complete your investigation in Amazon Detective, you can Archive the investigation report. An archived investigation indicates you have completed reviewing the investigation.
You can archive or unarchive an investigation only if you are a Detective Administrator. Detective will store your archived investigations for 90 days.
To archive an investigations report from the Reports table
- Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.
- In the navigation pane, choose Investigations.
- Select an investigation from the Reports table, and choose Archive.
To archive an investigations report from the summary page
- Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.
- In the navigation pane, choose Investigations.
- Select an investigation from the Reports table.
- On the investigations summary page, choose Archive.