Detective Flashcards
Detective
What is Detective?
Find root cause of security findings or suspicious activity
Detective
What types of events is it most concerned with?
Time-based events
Detective
Sources of data?
CloudTrail, VPC Flow Logs, GuardDuty
Detective
How does it work?
ML to find outliers
Detective
How do you use Detective?
Interactively! You’re a detective following a trail of evidence.
Detective
Example path of a human using Detective?
Start with a Finding, trace through failed logins, other accesses by the target
Detective
What about cross-account?
Whichever account enabled Detective is the admin account. Collect data across accounts.
Detective
Example question it tries to answer?
Is this spike in traffic from this instance expected?
Detective
How do you do cross-account?
Organizations! Or, invite other accounts, then aggregate data across them.
Detective
What are the account types in cross-accounts?
Administrator and Member (admin invites member accounts to join)
Detective
How does Detective work with AWS Organizations?
Org delegates to a Detective admin account, can auto-add other Org accounts
Detective
General workflow?
Let it log and analyze everything, it finds Findings (one-pagers).
Detective
Integration with GuardDuty?
Detective collects data and associates it to each GuardDuty Finding.