Amazon Detective is a service that supports triage, incident investigation and threat hunting.
Starting from a finding in Amazon GuardDuty, AWS Security Hub or a SIEM, Amazon Detective examines the incident in detail, correlating it with the VPC Flow Logs and the AWS CloudTrail logs. This gives the analyst context, including geolocation, so that the normal behavior pattern can be seen and compared with the incident.
It allows the behavior of resources to be analyzed, and it shows whether connections come from normal locations (previously seen, known locations).
In this way it makes the investigation easier, helping to discard false positives and reach the root cause of an incident.
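As an added illustration (not Amazon's code and not Detective's actual logic), the following Python sketches the kind of correlation described above: it takes a constructed GuardDuty-style finding, builds the principal's baseline of previously seen locations from constructed CloudTrail-like events over the prior two weeks, and gathers the API calls and VPC Flow Log-style records tied to the finding's source IP. The GeoIP table, the principal name and every record are constructed sample data.

```python
from datetime import datetime, timedelta

# Stand-in for a GeoIP lookup: constructed IP -> country table, not real data.
GEOIP = {"203.0.113.10": "ES", "203.0.113.11": "ES", "198.51.100.7": "BR"}

# Constructed CloudTrail-like events for one IAM principal over the prior two weeks.
CLOUDTRAIL = [
    {"principal": "alice", "sourceIPAddress": "203.0.113.10", "eventName": "DescribeInstances", "eventTime": "2024-03-01T09:00:00Z"},
    {"principal": "alice", "sourceIPAddress": "203.0.113.11", "eventName": "GetObject", "eventTime": "2024-03-05T10:30:00Z"},
    {"principal": "alice", "sourceIPAddress": "203.0.113.10", "eventName": "ListBuckets", "eventTime": "2024-03-10T08:15:00Z"},
    {"principal": "alice", "sourceIPAddress": "198.51.100.7", "eventName": "CreateAccessKey", "eventTime": "2024-03-14T03:12:00Z"},
]

# Constructed VPC Flow Log-style records (srcaddr, dstaddr, dstport, action).
VPC_FLOWS = [
    {"srcaddr": "203.0.113.10", "dstaddr": "10.0.1.25", "dstport": 443, "action": "ACCEPT"},
    {"srcaddr": "198.51.100.7", "dstaddr": "10.0.1.25", "dstport": 22, "action": "ACCEPT"},
    {"srcaddr": "198.51.100.7", "dstaddr": "10.0.1.30", "dstport": 22, "action": "REJECT"},
]

# Constructed GuardDuty-style finding that starts the investigation.
FINDING = {"principal": "alice", "sourceIPAddress": "198.51.100.7", "eventTime": "2024-03-14T03:12:00Z"}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def baseline_locations(events, principal, start, end):
    """Countries the principal was seen from in [start, end), i.e. strictly before the finding."""
    return {GEOIP.get(e["sourceIPAddress"], "??") for e in events
            if e["principal"] == principal and start <= parse(e["eventTime"]) < end}

def triage(finding, events, flows, lookback_days=14):
    """Compare the finding's location with the principal's baseline and gather the
    CloudTrail calls and accepted VPC flows tied to the finding's source IP."""
    t = parse(finding["eventTime"])
    ip = finding["sourceIPAddress"]
    known = baseline_locations(events, finding["principal"], t - timedelta(days=lookback_days), t)
    location = GEOIP.get(ip, "??")
    return {
        "location": location,
        "known_locations": sorted(known),
        "previously_seen": location in known,  # False means the location is new for this principal
        "api_calls_from_ip": sorted(e["eventName"] for e in events if e["sourceIPAddress"] == ip),
        "accepted_flows_from_ip": [(f["dstaddr"], f["dstport"]) for f in flows
                                   if f["srcaddr"] == ip and f["action"] == "ACCEPT"],
    }

if __name__ == "__main__":
    print(triage(FINDING, CLOUDTRAIL, VPC_FLOWS))
```

A finding from a location already in the baseline is reported as previously seen; a new location is what an analyst would then inspect alongside the correlated calls and flows.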
The service has a 30-day free trial, and from the moment it is activated it already includes the previous two weeks of data available for analysis.
The service also provides a page for checking current usage and estimating future cost.