- Helps analyze/investigate root cause of security findings
- Helps dig deeper into suspicious activity
- Analyzes data up to a year old
- Collects log data from multiple AWS sources
- Uses ML, statistics, and graph theory to assess activity
What does it interact with?
- Security Hub
What does it look at?
- Login attempts
- API calls
- VPC flow logs
- EKS audit logs
- Network traffic
- Findings detected by GuardDuty
Do I need to enable GuardDuty first?
- Yes, GuardDuty must be enabled for two days before you can use Detective
How does Detective work at scale?
- You can have up to 1200 accounts
- AWS Organizations can integrate with Detective
- The admin account can centrally manage the Detective behavior graph database