UPDATE 31 Mar 2020: Amazon Detective has been made officially GA by AWS as of today! See the notes at the end of this post for links to the official documentation with more details on usage and implementation.
Amazon Detective is an Amazon Web Services (AWS) threat hunting platform that offers a deep, cloud-native view of AWS resource data and history, optionally in the context of an AWS-generated alert (such as one from Amazon GuardDuty). Amazon Detective augments threat detection systems like RSA NetWitness Platform by providing details about the size and scope of AWS-specific security threats and by helping reconstruct "security events" affecting cloud assets and infrastructure.
We are pleased to announce the release of a new RSA NetWitness Platform integration with Amazon Detective. This integration allows an analyst to pivot from an RSA NetWitness investigation directly into Amazon Detective to view the related AWS resource as needed. In addition, RSA NetWitness Logs customers who consume AWS GuardDuty alerts can also pivot directly to the related finding in Amazon Detective.
[Figure: Typical use case scenario for this integration]
This integration provides several benefits:
Customers can enable this integration via the built-in custom context menu actions feature within RSA NetWitness. These actions will show up when you right-click on an appropriate meta key's value (e.g. IP address, domain name, GuardDuty finding ID) within the Investigate view and Event Reconstruction view.
[Figure: Configuring a custom right-click action using the UI wizard]
Clicking one of these will open a new browser window directly into Amazon Detective and query the meta key value in the appropriate context. From there the analyst can move around and investigate related data.
[Figure: User pivoting on meta within the Events view]
[Figure: Landing page the user is directed to by the browser]
There are a number of pivot options. Most searchable data points within Amazon Detective that have an equivalent meta key within RSA NetWitness Platform can be integrated. Below are the types of entities we have identified as candidates to start with:
| AWS Concept | RSA NetWitness Meta Key |
|---|---|
| Finding (id) | operation.id |
| Entity (IpAddress) | ip.src, ip.dst, alias.ip |
| Entity (AwsAccount) Accountid | reference.id1 |
| Entity (AwsRole) Principalid | user.id |
| Entity (AwsUser) Principalid | user.id |
| Entity (UserAgent) | user.agent |
| Entity (Instanceid) | agent.id |
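The table above is the whole contract of the integration: a NetWitness meta key selects an Amazon Detective entity type, and the meta value is placed into a console URL that the right-click action opens. The following Python example is added here for illustration and is not code from the post or from the RSA/AWS integration package. It encodes the table as a mapping, validates the meta value before building a link (IP addresses and 12-digit account IDs are checked, control characters are rejected), and percent-encodes the value so that a hostile value harvested from a log, such as a crafted User-Agent string, cannot change the structure of the URL. The URL template, the region and all sample values are assumptions and constructed placeholders; the post does not document the Detective console URL scheme, so replace `URL_TEMPLATE` with whatever your console actually uses.

```python
"""Build Amazon Detective pivot URLs from RSA NetWitness meta values.

Added example, not part of the post or of the RSA NetWitness / Amazon
Detective integration. URL_TEMPLATE is an ASSUMED placeholder, not a
documented Detective console URL.
"""
import ipaddress
import re
from urllib.parse import quote

REGION = "us-east-1"  # constructed sample region (assumption)

# Mapping taken from the post's table: NetWitness meta key -> Detective
# entity type(s). user.id appears twice in the table, so it yields two pivots.
META_TO_ENTITY = {
    "operation.id": ("Finding",),
    "ip.src": ("IpAddress",),
    "ip.dst": ("IpAddress",),
    "alias.ip": ("IpAddress",),
    "reference.id1": ("AwsAccount",),
    "user.id": ("AwsRole", "AwsUser"),
    "user.agent": ("UserAgent",),
    "agent.id": ("Instanceid",),
}

# ASSUMED placeholder template; adjust to the console URL scheme you observe.
URL_TEMPLATE = (
    "https://console.aws.amazon.com/detective/home"
    "?region={region}#{entity}/{value}"
)

_ACCOUNT_RE = re.compile(r"^\d{12}$")          # AWS account IDs are 12 digits
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")   # no control characters anywhere


def validate(entity, value):
    """Return True when value is plausible for the given Detective entity.

    Meta values are extracted from logs and packets, so they are untrusted:
    the context menu should not emit a link built from a value that cannot
    resolve to a real entity.
    """
    if not value or _CONTROL_RE.search(value):
        return False
    if entity == "IpAddress":
        try:
            ipaddress.ip_address(value)   # accepts IPv4 and IPv6 literals
        except ValueError:
            return False
        return True
    if entity == "AwsAccount":
        return bool(_ACCOUNT_RE.match(value))
    # Findings, principal IDs, instance IDs and user agents: no stricter
    # format is asserted here; percent-encoding protects the URL structure.
    return True


def build_pivot_urls(meta_key, value, region=REGION):
    """Return the Detective pivot URLs for one NetWitness meta key/value.

    An empty list means either the meta key has no Detective equivalent or
    the value failed validation, so the caller can hide the menu action.
    """
    urls = []
    for entity in META_TO_ENTITY.get(meta_key, ()):
        if not validate(entity, value):
            continue
        # safe="" encodes '/', '#', '?', '&' and spaces, so the value can
        # only ever land in the {value} slot of the template.
        encoded = quote(value, safe="")
        urls.append(URL_TEMPLATE.format(region=region, entity=entity, value=encoded))
    return urls


if __name__ == "__main__":
    # Constructed sample meta values; none are real findings or addresses.
    samples = [
        ("ip.src", "203.0.113.10"),
        ("user.id", "AIDAEXAMPLEPRINCIPAL"),
        ("user.agent", "Mozilla/5.0 (X11; Linux) #bad?x=1"),
        ("ip.dst", "not-an-ip"),
        ("reference.id1", "123456789012"),
        ("reference.id1", "12345"),
    ]
    for key, val in samples:
        print(f"{key}={val!r} -> {build_pivot_urls(key, val) or 'no pivot'}")
```

In a real deployment the same validation belongs in whatever produces the link, whether that is the NetWitness custom action definition or a small helper in front of it; the point is that the meta value is treated as data to be encoded, never as URL text to be concatenated.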
Through tight UI integration, Amazon Detective gives RSA NetWitness analysts a powerful addition to their threat hunting arsenal. The integration is straightforward to implement and customize and will save your analysts valuable investigation time.
Documentation
Good hunting!