Document history for Detective User Guide
The following table describes the important changes to the documentation since the last release of Detective. For notification about updates to this documentation, you can subscribe to an RSS feed.
Latest documentation update: November 06, 2024
Change | Description | Date |
---|---|---|
Added support for Amazon GuardDuty findings | Detective added support for the following three GuardDuty finding types that notify you when suspicious commands are executed on an Amazon EC2 instance or container workload within your AWS environment: | November 6, 2024 |
Added support for Amazon GuardDuty findings | Detective now provides support for the following GuardDuty Runtime Monitoring finding types. | August 27, 2024 |
Added support for Amazon GuardDuty findings | Detective now provides support for GuardDuty Malware Protection for S3. This helps you scan newly uploaded objects in Amazon S3 buckets for potential malware and suspicious uploads, and take action to isolate them before they are ingested into downstream processes. | July 9, 2024 |
Updated functionality | Detective added a new Radial layout to the finding group Visualization panel, to provide improved visualization for easier data interpretation. | June 26, 2024 |
New Security Lake source versions | In addition to source version 1 (OCSF 1.0.0-rc.2), Detective now ingests data from source version 2 (OCSF 1.1.0) for the Security Lake sources that are supported by Detective. | May 15, 2024 |
New Security Lake log source | You can use the Detective integration with Security Lake to collect logs and events from Amazon EKS Audit Logs. | May 15, 2024 |
Documentation update | The content from the Amazon Detective Administration Guide is now consolidated into the Amazon Detective User Guide. Amazon Detective Administration Guide will reach its end of standard support on May 08, 2024. | April 15, 2024 |
Added support for Amazon GuardDuty findings | Detective now provides support for the following GuardDuty Runtime Monitoring finding types. | April 5, 2024 |
| | You are no longer required to be a GuardDuty customer to enable Amazon Detective. The requirement to have GuardDuty enabled in your account for 48 hours before enabling Detective has been removed. | February 2, 2024 |
Added support for Amazon GuardDuty findings | Detective extends support for GuardDuty EC2 Runtime Monitoring finding types to ECS and EC2 resources. | January 30, 2024 |
Updated functionality | You can now run a Detective investigation from the Investigations page for a specific resource that you want to investigate. Detective recommends resources based on its activity in findings and finding groups. Detective Investigations lets you investigate IAM users and IAM roles with indicators of compromise, which can help you determine if a resource is involved in a security incident. | January 16, 2024 |
Updated functionality | You can now run a Detective investigation from the Investigations page on a recommended resource. Detective recommends resources based on its activity in findings and finding groups. Detective Investigations lets you investigate IAM users and IAM roles with indicators of compromise, which can help you determine if a resource is involved in a security incident. | December 26, 2023 |
Changes in how Detective reads the flow traffic for shared VPCs | If you are using a shared Amazon VPC, you may see changes in the traffic monitored by Detective. We recommend that you review the changes in Activity details for overall VPC flow volume to understand the potential effects on your coverage, and review how Detective calculates projected cost to understand how that can impact your service costs. | December 20, 2023 |
Regional availability | Added Europe (Stockholm), Europe (Paris), and Canada (Central) Regions to the list of AWS Regions where Detective integration with Security Lake is available. | December 8, 2023 |
New feature | Detective investigations lets you investigate IAM users and IAM roles with indicators of compromise, which can help you determine if a resource is involved in a security incident. | November 26, 2023 |
New feature | By default, Detective automatically generates finding group summaries for finding groups, powered by generative artificial intelligence (generative AI). Finding group summaries rapidly analyze the relationships between findings and affected resources, and then summarize potential threats in natural language. | November 26, 2023 |
New feature | Detective integration with Security Lake lets you query and retrieve the raw log data stored by Security Lake. Using this integration, you can collect logs and events from CloudTrail management events and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs. | November 26, 2023 |
Added Detective investigations and finding groups summary actions to the | | November 26, 2023 |
| | If a finding is correlated to a larger activity, Detective now notifies you to navigate to that finding group. | September 18, 2023 |
| | Detective is now available in the Israel (Tel Aviv) Region. | August 25, 2023 |
| | Detective finding groups visualization now includes finding groups with aggregated findings, making it more efficient to analyze related evidence, entities, and findings. | August 8, 2023 |
| | Finding groups now include vulnerability findings from Amazon Inspector. | June 13, 2023 |
| | Detective now provides support for GuardDuty Lambda Protection. | May 26, 2023 |
Added AWS security findings as a new optional data source package. | Detective now provides AWS security findings as an optional data source package. This optional data source package allows Detective to ingest data from Security Hub and adds that data to your behavior graph. | May 16, 2023 |
Added support for Amazon GuardDuty EKS Runtime Monitoring finding types | Detective now provides support for GuardDuty EKS Runtime Monitoring finding types. | May 3, 2023 |
Added support for Amazon GuardDuty RDS Protection finding types | Detective now provides support for GuardDuty RDS Protection finding types. | April 20, 2023 |
Added support for additional Amazon GuardDuty finding types | Detective now provides profiles for the following additional GuardDuty finding types: | April 12, 2023 |
| | Detective offers managed policies to securely choose the permissions that you need. | April 3, 2023 |
| | Added new section for Amazon Virtual Private Cloud (Amazon VPC) flow traffic with Amazon Elastic Kubernetes Service (Amazon EKS) clusters. | March 2, 2023 |
Finding group now includes a dynamic visual representation of Detective's behavior graph | Detective finding group now includes a dynamic visual representation of Detective's behavior graph to emphasize the relationship between entities and findings within the finding group. | February 28, 2023 |
| | Detective now provides the option to export data to your browser from the Detective console. | February 7, 2023 |
| | Detective now adds visual summaries and analytics about your Amazon Virtual Private Cloud (Amazon VPC) flow logs from your Amazon Elastic Kubernetes Service (Amazon EKS) workloads. | January 19, 2023 |
| | Detective now supports GuardDuty GetFindings actions through the AmazonDetectiveFullAccess policy. The security chapter now provides details about the following new managed policies for Detective: AmazonDetectiveMemberAccess and AmazonDetectiveInvestigatorAccess. | January 17, 2023 |
| | With Detective, you can access up to a year of historical event data. | December 20, 2022 |
| | Detective now provides the option to adjust the scope time to view the activity for any 24-hour time frame in the previous 365 days. | October 5, 2022 |
| | Detective now provides case-insensitive search. | October 3, 2022 |
| | Detective now provides a way to configure the scope timestamp format preference. This preference is applied to all timestamps in Detective. | October 3, 2022 |
| | Detective now supports finding groups, which connect related findings together in a single display to help you investigate potential malicious activity in your environment. From a finding group profile, you can pivot to entity profiles and finding overviews related to that group. | August 3, 2022 |
| | Detective now provides profiles to allow you to investigate activity associated with the following container-related entities: Amazon EKS clusters, container images, Kubernetes pods, and Kubernetes subjects. | July 26, 2022 |
| | Detective now supports EKS audit logs as an optional data source package. An administrator account can enable this new data source for their existing behavior graph. Graphs created after this date have this data source enabled by default. Administrators can disable this data source manually at any time. | July 26, 2022 |
| | Detective now has a service-linked role, | December 16, 2021 |
| | Detective is now integrated with Organizations. The organization management account designates a Detective administrator account for the organization. The Detective administrator account can view all of the accounts in the organization, and enable those accounts as member accounts in the organization behavior graph. | December 16, 2021 |
| | Finding profiles contained visualizations that analyzed activity for the involved resource. The new finding overview contains finding details ingested from GuardDuty, and a list of involved entities. From the finding overview, you can pivot to the profiles for related entities. | September 20, 2021 |
Removed the limit on supported GuardDuty finding types | Detective is no longer limited to a selected set of GuardDuty finding types. Detective automatically collects finding details for all finding types, and provides access to the entity profiles for the related entities. | September 20, 2021 |
Link to finding details from the associated findings profile panel | On an entity profile, when you choose a finding in the associated findings list, the finding details are displayed in the panel to the right. The scope time is set to the finding time window. | September 20, 2021 |
Added S3 buckets to the available entity types in Detective | Detective now provides profiles for S3 buckets. The S3 bucket profiles provide details about the principals that interacted with the S3 bucket and the API operations that they performed on the S3 bucket. | September 20, 2021 |
| | The Splunk Trumpet project allows you to send AWS content to Splunk. The project now allows you to add Detective URLs to navigate to profiles for GuardDuty findings. | September 8, 2021 |
Replaced AKIDs in the activity details for accounts and roles | On account profiles, the activity details for Overall API call volume now show users or roles instead of access key identifiers (AKIDs). On role profiles, the activity details for Overall API call volume now show role sessions instead of AKIDs. For activity that occurred before this change, the caller is listed as Unknown resource. | July 14, 2021 |
Added the calling service to information about API calls | On the Detective console, information about API calls now includes the service that issued the call. Added a Service column to the lists on the Overall API call volume, Newly observed API calls, and API calls with increased volume. On the activity details for Overall API call volume and Newly observed geolocations, API methods are grouped under the services that issued them. For activity that occurred before this change, the API methods are grouped under Unknown service. | July 14, 2021 |
New Resource interaction tab for users, roles, and role sessions | The Resource interaction tab for users, roles, and role sessions contains information about role assumption activity that involved those entities. For role sessions, this is a new tab. For users and roles, this is an existing tab with new content. | June 29, 2021 |
| | Increased the data volume quotas for behavior graphs. At 3.24 TB per day, Detective issues a warning. At 3.6 TB per day, no new accounts can be added. At 4.5 TB per day, Detective stops ingesting data into the behavior graph. | June 10, 2021 |
| | When you use the Detective Python script | May 19, 2021 |
Added automatic enabling of member accounts that pass the data volume check | When member accounts accept an invitation, their status is Accepted (Not enabled) until Detective verifies that their data will not cause the behavior graph data volume to exceed the quota. If the data volume is not a problem, Detective automatically changes the status to Accepted (Enabled). Note that existing member accounts that are currently Accepted (Not enabled) cannot be enabled automatically. | May 12, 2021 |
| | A new section in the security chapter provides details about managed policies for Detective. Detective currently provides a single managed policy, | May 10, 2021 |
Changed the data volume values in the member accounts list | On the account management page, the member accounts list now displays the daily data volume for each member account. Previously the list displayed the volume as a percentage of the total allowed volume. | April 29, 2021 |
Revised options for managing member accounts | Replaced the Manage accounts menu with an Actions menu. Combined the options for adding individual accounts and adding accounts from a .csv file. Moved Enable accounts from Manage accounts to a separate option next to Actions. | April 5, 2021 |
Added behavior graph tags and authorization based on tags | When you enable Detective, you can add tags to the behavior graph. You can manage tags for a behavior graph from the General page. Detective also supports authorization based on tag values. | March 31, 2021 |
Added support for additional Amazon GuardDuty finding types | Detective now provides profiles for the following additional GuardDuty finding types: | March 29, 2021 |
Added differences for AWS GovCloud (US) Regions | Detective is now available in the AWS GovCloud (US) Regions. In AWS GovCloud (US-East) and AWS GovCloud (US-West), Detective does not send invitation emails to member accounts. Detective also does not automatically remove member accounts that are shut down in AWS. | March 24, 2021 |
Added tabs to filter the member account list based on the member account status | The list of member accounts now displays tabs that you can use to filter the list based on the member account status. You can view all member accounts, those that have a status of Accepted (Enabled), or those that have a status other than Accepted (Enabled). | March 16, 2021 |
Added support for additional Amazon GuardDuty finding types | Detective now provides profiles for the following additional GuardDuty finding types: | March 4, 2021 |
| | The Detective | February 26, 2021 |
Changed "master account" to "administrator account" | The term "master account" is changed to "administrator account." The term is also changed in the Detective console and API. | February 25, 2021 |
Added activity details for the profile panel VPC flow volume to and from the finding's IP address | The profile panel VPC flow volume to and from the finding's IP address now allows you to display activity details. The activity details are available only if the finding is associated with a single IP address. The activity details show the volume for each combination of ports, protocol, and direction. | February 25, 2021 |
Added API option to not send invitation emails to member accounts | When using the Detective API to add member accounts, administrator accounts can choose to not send invitation emails to member accounts. | February 25, 2021 |
New activity details for the Overall API call volume profile panel on IP address profiles | You can now display activity details for IP addresses from the Overall API call volume profile panel. The activity details show the number of successful and failed calls for each resource that issued the call from the IP address. | February 23, 2021 |
New Overall VPC flow volume profile panel on IP address profiles | The IP address profile now contains the Overall VPC flow volume profile panel. The profile panel shows the volume of VPC flow traffic to and from the IP address. You can display activity details to show the volume for each EC2 instance that the IP address communicated with. | January 21, 2021 |
| | The Detective Summary page contains visualizations to guide analysts to entities of interest based on geolocation, numbers of API calls, and Amazon EC2 traffic volume. | January 21, 2021 |
Updated the option to pivot from Amazon GuardDuty to Detective | In GuardDuty, the Investigate in Detective option is moved from the Actions menu to the finding details panel. It displays a list of related entities. If the finding type is supported, the list also includes the finding. You can then choose to navigate to either an entity profile or a finding profile. | January 15, 2021 |
Added option to set the activity details window to the default scope time | On the activity details for Overall API call volume and Overall VPC flow volume, you can set the time window for the activity details to the default scope time for the profile. | January 15, 2021 |
| | Added a new notice to indicate when an entity has one or more high-volume time intervals. A new High-volume entities page displays all of the high-volume intervals for the current scope time. | December 18, 2020 |
Member account quota increased to 1,200 | Master accounts can now invite up to 1,200 member accounts to their behavior graph. Previously the quota was 1,000. | December 11, 2020 |
| | Updated the information about behavior graph data volume quotas to add the specific quota values. | December 11, 2020 |
Added time range selection for activity details on the Overall API call volume profile panel | On the Overall API call volume panel, you can now display activity details for any selected time range. The panel initially displays an option to display the activity details for the scope time. | September 29, 2020 |
Added time interval selection for activity details on the Overall VPC flow volume profile panel | On the Overall VPC flow volume panel, you can display activity details for a single time interval from the chart. To display the details for a time interval, choose that interval on the chart. | September 25, 2020 |
| | Detective now allows you to explore and investigate federated authentication. You can see which resources have assumed each role, and when those authentications occurred. | September 17, 2020 |
| | Removed the option to lock or unlock the scope time. It is always locked. On a finding profile, a warning is displayed if the scope time is different from the finding time window. | September 4, 2020 |
Profile header remains visible as you scroll through a profile | On profiles, the type, identifier, and scope time remain visible as you scroll through the profile panels on a tab. When the tabs are not visible, you can use the tab drop down list in the breadcrumbs to navigate to a different tab. | September 4, 2020 |
| | When you conduct a search, the results are now displayed on the Search page. From the results, you can pivot to a finding or entity profile. | August 27, 2020 |
| | The allowed criteria for searches have expanded. You can search for AWS users and AWS roles by name. You can use the ARN to search for findings, AWS roles, AWS users, and EC2 instances. | August 27, 2020 |
| | On the EC2 instance details profile panel, the EC2 instance identifier is linked to the Amazon EC2 console. On the User details and Role details profile panels, the user name and role name are linked to the IAM console. | August 14, 2020 |
| | The Overall VPC flow volume profile panel now provides access to activity details. The activity details show the traffic flow between IP addresses and an EC2 instance during a selected time period. | July 23, 2020 |
Member accounts can now see their usage and projected cost | Member accounts can now view their own usage information. For member accounts, the Usage page shows the amount of data ingested into each behavior graph that they contribute to. Member accounts can also see their projected 30-day cost. | May 26, 2020 |
Free trial is now per account instead of per behavior graph | Each account now receives a separate Amazon Detective free trial in each Region. The free trial starts either when the account enables Detective, or the first time the account is enabled as a member account. | May 26, 2020 |
New open source Python scripts on GitHub | The new amazon-detective-multiaccount-scripts | January 21, 2020 |
Introducing Amazon Detective | Detective uses machine learning and purpose-built visualizations to help you analyze and investigate security issues across your Amazon Web Services (AWS) workloads. | December 2, 2019 |