Amazon Detective: Root cause analysis

Analyzing the root cause of the incident

Amazon Detective is a service that facilitates triage, incident investigation and attacker’s hunt (Cyber Threat Hunting).

Amazon Detective

Starting with a finding from Amazon Guardduty or AWS Security Hub, or in the SIEM, Amazon Detective will inspect the incident in detail correlating the information with the VPC Flow Logs and the AWS CloudTrail Logs , to give the analyst the context, with geolocation, for him to see what is the normal behavior pattern and compare it with the incident.

Amazon Detective Amazon Detective

Permits analyzing the behavior of resources:

Amazon Detective

And it will allow you to know if the connections come from normal locations (previously seen - known locations)

Amazon Detective

In this way, it facilitates the investigation, discarding false positives, and reaching to the root cause of an incident.

Amazon Detetive Mindmap

The service has a 30 day free trial, and from the first moment the service is activated, it already includes two previous weeks of available data to analyze.
The service has a page to verify the current usage and estimate future cost.