Detective Investigation - Amazon Detective

Detective Investigation

You can use Amazon Detective Investigation to investigate IAM users and IAM roles using indicators of compromise, which can help you determine if a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. With Detective Investigations you can maximize efficiency, focus on the security threats, and strengthen incident response capabilities.

Detective Investigation uses machine learning models and threat intelligence to automatically analyze resources in your AWS environment to identify potential security incidents. It lets you proactively, effectively, and efficiently use automation built on top of Detective’s behavioral graph to improve security operations. Using Detective Investigations you can investigate attack tactics, impossible travel, flagged IP addresses, and finding groups. It performs initial security investigation steps and generates a report highlighting the risks identified by Detective, to help you understand security events and respond to potential incidents.

Running a Detective Investigation

Use Run investigation to analyze resources such as IAM users and IAM roles and to generate an investigation report. The generated report details anomalous behavior that indicates potential compromise.

Console

Follow these steps to run a Detective Investigation from the Investigations page using the Amazon Detective console.

  1. Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.

  2. In the navigation pane, choose Investigations.

  3. In the Investigations page, choose Run investigation in the top right corner.

  4. In the Select resource section, you have three ways to run an investigation. You can choose to run the investigation for a resource recommended by Detective. You can run the investigation for a specific resource. You can also investigate a resource from the Detective Search page.

    1. Choose a recommended resource – Detective recommends resources based on their activity in findings and finding groups. To run the investigation for a resource recommended by Detective, in the Recommended resources table, select a resource to investigate.

      The Recommended resources table provides the following details:

      • Resource ARN – The Amazon Resource Name (ARN) of the AWS resource.

      • Reason to investigate – Displays the key reason(s) to investigate the resource. Detective recommends investigating a resource for the following reasons:

        • If a resource was involved in a High Severity finding in the last 24 hours.

        • If a resource was involved in a finding group observed in the last 7 days. Detective finding groups let you examine multiple activities as they relate to a potential security event. For more details, see Analyzing finding groups.

        • If a resource was involved in a finding in the last 7 days.

      • Latest finding – Latest findings are prioritized on top of the list.

      • Resource type – Identifies the type of resource. For example, an AWS user or AWS role.

    2. Specify an AWS role or user with an ARN – You can select an AWS role or AWS user and run an investigation for the specific resource.

      Follow these steps to investigate a specific resource type.

      1. From the Select resource type drop-down list, choose AWS role or AWS user.

      2. Enter the Resource ARN of the IAM resource. For more details about Resource ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide.

    3. Find a resource to investigate from the Search page – You can search all of your IAM resources from the Detective Search page.

      Follow these steps to investigate a resource from the Search page.

      1. In the navigation pane, choose Search.

      2. In the Search page, search for an IAM resource.

      3. Navigate to the profile page of the resource and run investigation from there.

  5. In the Investigation scope time section, choose the Scope time for the investigation to assess the selected resource's activity. You can select a Start date and Start time, and an End date and End time, in UTC. The selected scope time window must be at least 3 hours and at most 30 days.

  6. Choose Run investigation.

API

To run an investigation programmatically, use the StartInvestigation operation of the Detective API. If you're using the AWS Command Line Interface (AWS CLI), run the start-investigation command.

In your request, use these parameters to run an investigation in Detective:

  • GraphArn – Specify the Amazon Resource Name (ARN) of the behavior graph.

  • EntityArn – Specify the unique Amazon Resource Name (ARN) of the IAM user or IAM role.

  • ScopeStartTime – Optionally, specify the date and time from which the investigation should begin. The value is a UTC ISO 8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

  • ScopeEndTime – Optionally, specify the date and time when the investigation should end. The value is a UTC ISO 8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

  aws detective start-investigation \
      --graph-arn arn:aws:detective:us-east-1:123456789123:graph:fdac8011456e4e6182facb26dfceade0 \
      --entity-arn arn:aws:iam::123456789123:role/rolename \
      --scope-start-time 2023-09-27T20:00:00.00Z \
      --scope-end-time 2023-09-28T22:00:00.00Z
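The same request built and pre-validated in Python, as an added example that is not code from the AWS documentation. It enforces the constraints stated above (an IAM user or role EntityArn, UTC ISO 8601 scope times, a 3-hour to 30-day window) before anything is sent; the ARNs are the page's sample values, and the boto3 call at the end is an assumption about the SDK that only runs with credentials and a behavior graph available.

```python
"""Build and pre-validate a Detective StartInvestigation request.

Added example, not code from the AWS documentation. It checks the constraints
the page states before anything is sent: EntityArn is an IAM user or role ARN,
scope times are UTC ISO 8601 strings, and the window is 3 hours to 30 days.
"""
import re
from datetime import datetime, timedelta, timezone

MIN_SCOPE, MAX_SCOPE = timedelta(hours=3), timedelta(days=30)
# IAM ARNs have no region, hence the empty field between the double colons.
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")
GRAPH_ARN = re.compile(r"^arn:aws:detective:[a-z0-9-]+:\d{12}:graph:[0-9a-f]+$")
ISO_UTC = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?Z$")


def parse_utc(value: str) -> datetime:
    """Parse e.g. 2023-09-27T20:00:00.00Z; a 1- to 6-digit fraction is accepted."""
    m = ISO_UTC.match(value)
    if not m:
        raise ValueError(f"scope time must be a UTC ISO 8601 string ending in Z: {value}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "").ljust(6, "0"))  # pad fraction to microseconds
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def build_start_investigation(graph_arn, entity_arn, scope_start=None, scope_end=None):
    """Return the StartInvestigation parameters, or raise ValueError on bad input."""
    if not GRAPH_ARN.match(graph_arn):
        raise ValueError(f"not a Detective behavior graph ARN: {graph_arn}")
    if not IAM_ARN.match(entity_arn):
        raise ValueError(f"EntityArn must be an IAM user or role ARN: {entity_arn}")
    params = {"GraphArn": graph_arn, "EntityArn": entity_arn}
    parsed = {}
    for key, value in (("ScopeStartTime", scope_start), ("ScopeEndTime", scope_end)):
        if value is not None:  # both scope times are optional
            parsed[key] = parse_utc(value)
            params[key] = value
    if len(parsed) == 2:
        window = parsed["ScopeEndTime"] - parsed["ScopeStartTime"]
        if not MIN_SCOPE <= window <= MAX_SCOPE:
            raise ValueError(f"scope window {window} is outside 3 hours to 30 days")
    return params


if __name__ == "__main__":  # assumed boto3 call; needs credentials and a graph
    import boto3
    request = build_start_investigation(
        "arn:aws:detective:us-east-1:123456789123:graph:fdac8011456e4e6182facb26dfceade0",
        "arn:aws:iam::123456789123:role/rolename",
        "2023-09-27T20:00:00.00Z", "2023-09-28T22:00:00.00Z")
    client = boto3.client("detective", region_name="us-east-1")
    print(client.start_investigation(**request)["InvestigationId"])
```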

You can also run an investigation from the following pages in Detective:

  • An IAM user or IAM role profile page in Detective.

  • Graph visualization pane of a finding group.

  • Actions column of an involved resource.

  • IAM user or IAM role on a finding page.

After Detective runs the investigation for a resource, an investigation report is generated. To access the report, go to Investigations from the navigation pane.

Reviewing investigations reports

The Investigations reports table lets you review the reports generated for investigations that you have run previously in Detective.

To review investigations reports

  1. Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.

  2. In the navigation pane, choose Investigations.

Take note of the following attributes from an investigations report.

  • ID – The generated identifier of the investigations report. You can choose this ID to read a summary of the investigation report, which has the details of the investigation.

  • Status – Each investigation is associated with a Status based on the completion status of the investigation. Status values can be In progress, Succeeded, or Failed.

  • Severity – Each investigation is assigned a Severity. Detective automatically assigns a severity to the finding.

    A severity represents the disposition as analyzed by the investigation of a single resource at a given scope time. A severity reported by an investigation doesn't imply or otherwise indicate the criticality or importance that an affected resource might have for your organization.

    Investigation severity values can be Critical, High, Medium, Low, or Informational from most to least severe.

    Investigations that are assigned a Critical or High severity value should be prioritized for further inspection, as they are more likely to represent high-impact security issues identified by Detective.

  • Entity – The Entity column contains details on the specific entities detected in the investigation. Some entities are AWS accounts, such as user and role.

  • Creation date – The Creation date column contains details on the date and time the investigation report was first created.

Understanding a Detective Investigations report

A Detective Investigations report lists a summary of the uncommon behavior or malicious activity that indicates compromise. It also lists the recommendations that Detective suggests to mitigate the security risk.

To view an investigations report for a specific investigation ID.

  1. Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.

  2. In the navigation pane, choose Investigations.

  3. In the Reports table, select an investigation ID.

Detective generates the report for the selected Scope time and User. The report contains an Indicators of Compromise section that includes details regarding one or more of the indicators of compromise listed below. As you review each indicator of compromise, optionally choose an item to drill down and review its details.

  • Tactics, Techniques, and Procedures – Identifies tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the MITRE ATT&CK matrix for Enterprise.

  • Threat Intelligence Flagged IP Addresses – Suspicious IP addresses are flagged and identified as critical or severe threats based on Detective threat intelligence.

  • Impossible Travel – Detects and identifies unusual and impossible user activity for an account. For example, this indicator lists a drastic change between the source and destination locations of a user within a short time span.

  • Related Finding Group – Shows multiple activities as they relate to a potential security event. Detective uses graph analysis techniques that infer relationships between findings and entities, and groups them together as a finding group.

  • Related Findings – Related activities associated with a potential security event. Lists all distinct categories of evidence that are connected to the resource or the finding group.

  • New Geolocations – Identifies new geolocations used either at the resource or account level. For example, this indicator lists an observed geolocation that is an infrequent or unused location based on previous user activity.

  • New User Agents – Identifies new user agents used either at the resource or account level.

  • New ASOs – Identifies new Autonomous System Organizations (ASOs) used either at the resource or account level. For example, this indicator lists a new organization assigned as an ASO.

Investigations report summary

The investigations summary highlights anomalous indicators that require attention for the selected scope time. Using the summary, you can more quickly identify the root cause of potential security issues, identify patterns, and understand the resources impacted by security events.

In the detailed investigations report summary, you can view the following details.

Investigations overview

In the Overview panel, you can see a visualization of IPs with high severity activity, which can give more context on the pathway of an attacker.

Detective highlights unusual activity in the investigation, for example, impossible travel by the IAM user from a source to a faraway destination.

Detective maps the investigations to tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the MITRE ATT&CK matrix for Enterprise.

Investigations indicators

You can use the information in the Indicators pane to determine if an AWS resource is involved in unusual activity that could indicate malicious behavior, and to assess its impact. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident.

Downloading an investigation report

You can download the Detective Investigations report in JSON format to analyze it further or store it in your preferred storage solution, such as an Amazon S3 bucket.

To download an investigations report from the Reports table.

  1. Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.

  2. In the navigation pane, choose Investigations.

  3. Select an investigation from the Reports table, and choose Download.

To download an investigations report from the summary page.

  1. Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.

  2. In the navigation pane, choose Investigations.

  3. Select an investigation from the Reports table.

  4. In the investigations summary page, choose Download.

Archiving an investigation report

When you complete your investigation in Amazon Detective, you can Archive the investigation report. An archived investigation indicates you have completed reviewing the investigation.

You can archive or unarchive an investigation only if you are a Detective Administrator. Detective will store your archived investigations for 90 days.

To archive an investigations report from the Reports table.

  1. Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.

  2. In the navigation pane, choose Investigations.

  3. Select an investigation from the Reports table, and choose Archive.

To archive an investigations report from the summary page.

  1. Sign in to the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.

  2. In the navigation pane, choose Investigations.

  3. Select an investigation from the Reports table.

  4. In the investigations summary page, choose Archive.