Anuvindh for AWS Community Builders

Originally published at ictpro.co.nz

The THREAT HUNTER of your Cloud - Amazon Detective

DAY 25 - THE THREAT HUNTER OF CLOUD - Day Twenty Five



  • Collect logs from AWS resources
  • Use machine learning, statistical analysis and graph theory
  • Detect and investigate threats

Amazon Detective is a fast and effective way to identify the root cause of security issues. It can process terabytes of data and provides data visualizations of the vast amount of information it collects.

AMAZON Detective

How to?

  • Enable Amazon Detective from the console
  • The data will be automatically organized into a graph model. Investigate using GuardDuty, AWS Security Hub and Amazon Macie.
  • Find the cause using interactive visualizations.

Let's talk a bit about Amazon GuardDuty

It's a threat detection service from AWS that continuously monitors for malicious activity. This is done with the help of machine learning and anomaly detection.
Data from CloudTrail, VPC flow logs and DNS logs is used for analysis to provide a graph view.

GuardDuty has to be enabled, and you have to wait 48 hours before you can enable Detective.
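The prerequisite above can be checked in code before Detective is switched on. The following is an added example, not part of the original post: it uses the boto3 GuardDuty and Detective clients, and the function names and the choice of the detector's creation time as the moment GuardDuty was enabled are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_GUARDDUTY_AGE = timedelta(hours=48)  # waiting period stated in the post


def guardduty_ready(gd, now=None):
    """Return (ready, reason); ready is True when an ENABLED detector is >= 48 h old."""
    now = now or datetime.now(timezone.utc)
    detector_ids = gd.list_detectors().get("DetectorIds", [])
    if not detector_ids:
        return False, "GuardDuty has no detector in this region"
    for detector_id in detector_ids:
        det = gd.get_detector(DetectorId=detector_id)
        if det.get("Status") != "ENABLED":
            continue
        # GuardDuty returns CreatedAt as an ISO-8601 string ending in "Z".
        created = datetime.fromisoformat(det["CreatedAt"].replace("Z", "+00:00"))
        if created.tzinfo is None:
            created = created.replace(tzinfo=timezone.utc)
        age = now - created
        if age >= MIN_GUARDDUTY_AGE:
            return True, f"detector {detector_id} enabled for {age}"
        return False, f"detector {detector_id} is {age} old, wait {MIN_GUARDDUTY_AGE - age}"
    return False, "GuardDuty detector exists but is not ENABLED"


def enable_detective(gd, detective, now=None):
    """Create the behavior graph only after the GuardDuty prerequisite is met.

    Returns the graph ARN, or None when the prerequisite fails.
    """
    ready, reason = guardduty_ready(gd, now)
    if not ready:
        print(f"Not enabling Detective: {reason}")
        return None
    graphs = detective.list_graphs().get("GraphList", [])
    if graphs:  # Detective is already enabled in this region
        return graphs[0]["Arn"]
    return detective.create_graph()["GraphArn"]


if __name__ == "__main__":
    import boto3  # needs AWS credentials and a default region configured

    print(enable_detective(boto3.client("guardduty"), boto3.client("detective")))
```

Passing the clients in as arguments keeps the check testable with stub objects and lets the same function run per region.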

Why should we use it?

  • Investigate: determine the cause related to incidents.
  • Triage: determine who should look into it.
  • Threat identification: get the detailed understanding needed to identify a threat.

Cost?

  • Free for 30 days
  • Check out this link to understand more about the Detective Pricing on each region.

Works with Services
CloudTrail (AWS API calls), VPC flow logs (traffic on the VPC)

Terminologies

  • Behavior graph - Generated from the account's incoming data.
  • Detective source data - Information from AWS flow logs, CloudTrail and GuardDuty findings.
  • Entity - Extracted from source data.
  • Finding - Issues found by GuardDuty.
  • Investigation - Finding out the root cause of an issue.
  • Profile - Visualizations and supporting information.
  • Profile panel - A visualization on a profile.
  • Relationship - What is happening between two individual resources, or how they are related.

You can use a primary account to collect all the data from secondary accounts and create the graph. A secondary account will only have the data that it contributed to the primary account.
