Amazon Detective - User Guide


Amazon Detective: User Guide

Copyright 2021 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

How Detective is used for investigation ... 1
Investigation phases and starting points ... 1
Investigation phases ... 1
Starting points for a Detective investigation ... 2
Detective investigation flows ... 2
Overview of a typical Detective finding investigation flow ... 2
Overview of a typical Detective entity investigation flow ... 4
Data in a behavior graph ... 5
How Amazon Detective uses source data to populate a behavior graph ... 5
How Detective processes source data ... 5
Detective extraction ... 6
Detective analytics ... 6
Training period for new behavior graphs ... 6
Overview of the behavior graph data structure ... 7
Types of elements in the behavior graph data structure ... 7
Types of entities in the behavior graph data structure ... 7
Supported finding types ... 10
AWS CloudTrail-based findings ... 10
VPC flow-based findings ... 11
Navigating directly to a profile ... 14
Pivoting from another console ... 14
How to pivot to the Amazon Detective console ... 14
Troubleshooting the pivot ... 15
Navigating using a URL ... 15
Format of a profile URL ... 15
Troubleshooting a URL ... 17
Searching for a finding or entity ... 18
Completing the search ... 18
Using the search results ... 19
Troubleshooting the search ... 19
Using the Summary page ... 20
Newly observed geolocations in the past 24 hours ... 20
Roles and users with the most API call volume in the past 24 hours ... 20
EC2 instances with the most traffic volume in the past 24 hours ... 21
Approximate value notification ... 21
Managing the scope time for profiles ... 22
Setting specific start and end dates and times ... 22
Selecting a length of time from the current time ... 22
Setting the scope time to the finding time window ... 23
Analyzing finding details ... 24
How to display a finding profile ... 24
Scope time used for the finding profile ... 24
Finding title and type ... 24
Profile panels containing finding details and analytics results ... 25
Analyzing entity details ... 26
How to display an entity profile ... 26
Scope time for an entity profile ... 26
Entity identifier and type ... 26
Profile panels containing entity details and analytics results ... 26
Navigating in a profile ... 28
Viewing and interacting with profile panels ... 29
Profile panel content ... 29
Types of information on a profile panel ... 29
Types of profile panel visualizations ... 33
Other notes on profile panel content ... 36
Setting the number of table rows per page ... 36
Pivoting to another console ... 37
Pivoting to another entity or finding profile ... 37
Exploring activity details ... 37
Overall API call volume ... 38
Geolocations ... 42
Overall VPC flow volume ... 44
VPC flow volume to and from the finding's IP address ... 46
Viewing findings for an entity ... 48
Using profile panel guidance ... 49
High-volume entities ... 50
What is a high-volume entity? ... 50
Viewing the high-volume entity notification on a profile ... 50
Viewing the list of high-volume entities for the current scope time ... 51
Archiving a GuardDuty finding ... 52
Document history ... 53

How Amazon Detective is used for investigation

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. If you are new to Detective, see What is Detective? and Detective terms and concepts in the Detective Administration Guide.

Topics
- Investigation phases and starting points (p. 1)
- Investigation flows in Amazon Detective (p. 2)

Investigation phases and starting points

Amazon Detective provides tools to support the overall investigation process. An investigation in Detective can start from a finding or an entity.

Investigation phases

Any investigation process involves the following phases:

Triage
The investigation process starts when you are notified about a suspected instance of malicious or high-risk activity. For example, you are assigned to look into findings or alerts uncovered by services such as Amazon GuardDuty.
In the triage phase, you determine whether you believe the activity is a true positive (genuine malicious activity) or a false positive (not malicious or high-risk activity). Detective profiles support the triage process by providing insight into the activity for the involved entity.
For true positive instances, you continue to the next phase.

Scoping
During the scoping phase, analysts determine the extent of the malicious or high-risk activity and the underlying cause.
Scoping answers the following types of questions:
- What systems and users were compromised?
- Where did the attack originate?
- How long has the attack been going on?
- Is there other related activity to uncover? For example, if an attacker is extracting data from your system, how did they obtain it?
Detective visualizations can help you to identify other entities that were involved or affected.

Response
The final step is to respond to the attack in order to stop the attack, minimize the damage, and prevent a similar attack from happening again.

Starting points for a Detective investigation

Every investigation in Detective has an essential starting point. For example, you might be assigned an Amazon GuardDuty finding to investigate. Or you might have a concern about unusual activity tied to a specific IP address.

Typical starting points for an investigation include findings detected by GuardDuty and entities extracted from Detective source data.

Findings detected by GuardDuty
This is the most common starting point for an investigation process in Detective. GuardDuty uses your log data to uncover suspected instances of malicious or high-risk activity. Detective provides resources that help you dig further into these findings.
Starting with a finding, you can do the following:
- See what entities, such as IP addresses and AWS accounts, are connected to that finding.
- See what other findings might be related to that finding.
- See what activity occurred close in time or location to that finding.
For more information, see Analyzing finding details (p. 24).

Entities extracted from Detective source data
From the ingested Detective source data, Detective extracts entities such as IP addresses and AWS users. You can use one of these as an investigation starting point. For more information, see Analyzing entity details (p. 26).
Detective provides general details about the entity, such as the IP address or user name. It also provides details on activity history. For example, Detective can report what other IP addresses an entity has connected to, been connected to, or used.

Investigation flows in Amazon Detective

You can use Amazon Detective to investigate a security finding or an entity such as an EC2 instance or an AWS user.

Overview of a typical Detective finding investigation flow

At a high level, the following image shows the process for investigating a finding in Detective.

Step 1: Select a finding to investigate
When you look at a finding in Amazon GuardDuty or AWS Security Hub, you can choose to investigate the finding in Detective. See the section called “Pivoting from another console” (p. 14).
From within Detective, you can use the Detective search function to find and select a finding to triage. See Searching for a finding or entity (p. 18).
Selecting the finding takes you to the finding profile in Detective.

Step 2: Analyze visualizations on profiles
The finding profile contains a set of visualizations that are generated from the behavior graph. The behavior graph is created from the log files and other data that are fed into Detective.
Most of the visualizations show activity that is related to the entity or entities involved in the finding. You use these visualizations to answer questions that are critical to completing the triage of the finding. See Analyzing finding details (p. 24).
To help guide the triage, you can use the Detective guidance provided for each visualization. The guidance outlines the displayed information, suggests questions for you to ask, and proposes next steps based on the answers. See the section called “Using profile panel guidance” (p. 49).
From the finding profile, you can pivot to entity profiles to delve deeper into a specific asset that is involved with the finding. See Analyzing entity details (p. 26).

Step 3: Update the finding status
Once you determine whether a finding is a true or false positive, you update the finding status in the original service. For GuardDuty findings, Detective provides an option to archive the finding. See Archiving a GuardDuty finding (p. 52).

Overview of a typical Detective entity investigation flow

At a high level, the following image shows the process for investigating an entity in Detective.

Step 1: Select the entity to investigate
When looking at a finding in GuardDuty, analysts can choose to investigate an associated entity in Detective. See the section called “Pivoting from another console” (p. 14).
You can use the Detective search function to find and select an entity to investigate. See Searching for a finding or entity (p. 18).
You can also use the Detective Summary page to identify an entity to investigate. See Using the Summary page (p. 20).
Selecting the entity takes you to the entity profile in Detective.

Step 2: Analyze visualizations on profiles
Each entity profile contains a set of visualizations that are generated from the behavior graph. The behavior graph is created from the log files and other data that are fed into Detective.
The visualizations show activity that is related to an entity. You use these visualizations to answer questions to determine whether the entity activity is unusual. See Analyzing entity details (p. 26).
To help guide the investigation, you can use the Detective guidance provided for each visualization. The guidance outlines the displayed information, suggests questions for you to ask, and proposes next steps based on the answers. See the section called “Using profile panel guidance” (p. 49).
From an entity profile, you can pivot to other entity and finding profiles, to delve deeper into activity for related assets.

Data in a behavior graph

In Detective, you conduct investigations using data from a Detective behavior graph.

A behavior graph is a linked set of data generated from the Detective source data that is ingested from one or more Amazon Web Services (AWS) accounts.

The behavior graph uses the source data to do the following:
- Generate an overall picture of your systems, users, and the interactions among them over time
- Perform more detailed analysis of specific activity to help you answer specific questions that arise as you conduct investigations

Note that all extraction, modeling, and analytics of behavior graph data occurs within the context of each individual behavior graph.

For information about how an administrator account manages the member accounts in a behavior graph, see For administrator accounts: Managing the accounts in your behavior graph in the Detective Administration Guide.

Contents
- How Amazon Detective uses source data to populate a behavior graph (p. 5)
- Training period for new behavior graphs (p. 6)
- Overview of the behavior graph data structure (p. 7)
- Supported finding types (p. 10)

How Amazon Detective uses source data to populate a behavior graph

To provide the raw material for investigations, Detective brings together data from across your AWS environment and beyond, including the following:
- Log data, including Amazon Virtual Private Cloud (Amazon VPC) and AWS CloudTrail logs
- Findings uncovered by Amazon GuardDuty

To learn more about the source data used in a behavior graph, see Source data used in a behavior graph in the Detective Administration Guide.

How Detective processes source data

As new data comes in, Detective uses a combination of extraction and analytics to populate the behavior graph.

Detective extraction

Extraction is based on configured mapping rules. A mapping rule basically says "Whenever you see this piece of data, use it in this specific way to update behavior graph data."

For example, an incoming Detective source data record might include an IP address. If it does, Detective uses the information in that record to create a new IP address entity or update an existing IP address entity.

Detective analytics

Analytics are more complex algorithms that dig deeper into the data to provide insight into activity that is associated with entities.

For example, one type of Detective analytic analyzes how often activity occurs. For entities that make API calls, the analytic looks for API calls that the entity doesn't normally use. The analytic also looks for a large spike in the number of API calls.

Analytic insights support investigations by providing answers to key analyst questions and are frequently used to populate finding and entity profile panels.

Training period for new behavior graphs

One avenue of investigation for a finding is to compare the activity during the finding scope time to activity that occurred before the finding wa
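The following is an added toy model of the two processing steps just described (extraction by mapping rule, then an analytic that compares one day with a training period); it is illustration code, not Amazon's or Detective's implementation. The record fields, the single mapping rule, the spike threshold and the graph layout are all assumptions, and the records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample records (CloudTrail-like fields; all values invented here).
# Days 1-14: a steady baseline for user "alice" from one IP. Day 15: a burst of
# calls, a never-before-seen API, and a new source IP.
RECORDS = (
    [{"user": "alice", "api": "ListBuckets", "ip": "198.51.100.7", "day": d}
     for d in range(1, 15)]
    + [{"user": "alice", "api": "GetObject", "ip": "198.51.100.7", "day": d}
       for d in range(1, 15) for _ in range(3)]
    + [{"user": "alice", "api": "GetObject", "ip": "203.0.113.9", "day": 15}
       for _ in range(40)]
    + [{"user": "alice", "api": "CreateUser", "ip": "203.0.113.9", "day": 15}]
)


def extract(records):
    """Extraction step: one assumed mapping rule applied to every record. Each
    record creates or updates an IP entity and a user entity and records the
    user-to-IP edge, mirroring the IP-address example in the text."""
    graph = {"ip": {}, "user": {}, "edges": set()}
    for r in records:
        ip = graph["ip"].setdefault(r["ip"], {"first_seen": r["day"], "calls": 0})
        ip["calls"] += 1
        # per-user, per-day histogram of API calls feeds the analytic below
        user = graph["user"].setdefault(r["user"], defaultdict(Counter))
        user[r["day"]][r["api"]] += 1
        graph["edges"].add((r["user"], r["ip"]))
    return graph


def analyze(graph, user, day, train_days, spike=3.0):
    """Analytics step: compare one day with a training period. Flags API calls
    the user never made during training, a daily call volume above `spike`
    times the training-period daily mean, and source IPs first seen that day."""
    daily = graph["user"][user]
    baseline = Counter()
    for d in train_days:
        baseline.update(daily.get(d, {}))
    mean_per_day = sum(baseline.values()) / len(train_days)
    today = daily.get(day, Counter())
    return {
        "new_apis": sorted(a for a in today if a not in baseline),
        "volume_spike": sum(today.values()) > spike * mean_per_day,
        "new_ips": sorted(ip for (u, ip) in graph["edges"]
                          if u == user and graph["ip"][ip]["first_seen"] == day),
    }


if __name__ == "__main__":
    print(analyze(extract(RECORDS), "alice", 15, range(1, 15)))
```

Run against the constructed records, day 15 reports CreateUser as a never-seen API, a volume spike (41 calls against a 4-per-day baseline) and 203.0.113.9 as a newly observed source IP.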
