New features in Amazon Detective enable customers to quickly and efficiently investigate AWS security issues.
Detective collects and analyzes events from AWS CloudTrail logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, Amazon GuardDuty findings, and Amazon Elastic Kubernetes Service (EKS) audit logs that describe IP traffic, AWS management operations, and malicious or unauthorized activity.
Also, Detective offers investigation support for findings in AWS Security Hub in addition to those detected by GuardDuty.
Customers who have activated Security Hub and its integrated AWS security services can use Security Hub to obtain an overview of their security environment and assess it against security industry standards and best practices. The findings from those integrated AWS security services are sent to Security Hub.
When Detective for AWS Security Findings is enabled, it starts analyzing all the relevant data to identify connections between disparate events and activities.
Once customers have been using the service for two weeks, Amazon Detective provides a visualization of the connections between resources and activities, along with historical baselines that can be compared against recent activity to support the investigation.
Currently, findings coming from Security Hub are not included in the Finding groups section of the Detective console; AWS stated in a blog post that it plans to expand Finding groups to cover the newly integrated AWS security services.