

# How Detective is used for investigation
<a name="detective-investigation-about"></a>

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activity. Detective provides tools to support the overall investigation process. An investigation in Detective can start from a finding, a finding group, or an entity. 

## Investigation phases in Detective
<a name="how-detective-enables-investigation.title"></a>

Any Detective investigation process involves the following phases:

**Triage**  
The investigation process starts when you are notified about a suspected instance of malicious or high-risk activity. For example, you are assigned to look into findings or alerts uncovered by services such as Amazon GuardDuty and Amazon Inspector.  
In the triage phase, you determine whether you believe the activity is a true positive (genuine malicious activity) or a false positive (not malicious or high-risk activity). Detective profiles support the triage process by providing insight into the activity for the involved entity.  
For true positive instances, you continue to the next phase.

**Scoping**  
During the scoping phase, analysts determine the extent of the malicious or high-risk activity and the underlying cause.  
Scoping answers the following types of questions:  
+ What systems and users were compromised?
+ Where did the attack originate?
+ How long has the attack been going on?
+ Is there other related activity to uncover? For example, if an attacker is extracting data from your system, how did they obtain it?
Detective visualizations can help you to identify other entities that were involved or affected.

**Response**  
The final step is to respond to the attack: stop it, minimize the damage, and prevent a similar attack from happening again.

## Starting points for a Detective Investigation
<a name="investigation-starting-points"></a>

Every investigation in Detective has an essential starting point. For example, you might be assigned an Amazon GuardDuty or AWS Security Hub CSPM finding to investigate. Or you might have a concern about unusual activity for a specific IP address.

Typical starting points for an investigation include findings detected by GuardDuty and entities extracted from Detective source data.

### Findings detected by GuardDuty
<a name="investigation-findings-detected-gdu"></a>

GuardDuty uses your log data to uncover suspected instances of malicious or high-risk activity. Detective provides resources that help you investigate these findings.

For each finding, Detective provides the associated finding details. Detective also shows the entities, such as IP addresses and AWS accounts, that are connected to the finding.

You can then explore the activity for the involved entities to determine whether the detected activity from the finding is a genuine cause for concern.

For more information, see [Analyzing a finding overview in Detective](finding-overview.md).

### AWS security findings aggregated by Security Hub CSPM
<a name="investigation-findings-detected-sechub"></a>

AWS Security Hub CSPM aggregates security findings from various findings providers in a single place, and provides you with a comprehensive view of your security state in AWS. Security Hub CSPM eliminates the complexity of addressing large volumes of findings from multiple providers. It reduces the effort required to manage and improve the security of all of your AWS accounts, resources, and workloads. Detective provides resources that help you investigate these findings.

For each finding, Detective provides the associated finding details. Detective also shows the entities, such as IP addresses and AWS accounts, that are connected to the finding.

For more information, see [Analyzing a finding overview in Detective](finding-overview.md).

### Entities extracted from Detective source data
<a name="investigation-entity-extracted"></a>

From the ingested Detective source data, Detective extracts entities such as IP addresses and AWS users. You can use one of these as an investigation starting point. 

Detective provides general details about the entity, such as the IP address or user name. It also provides details on activity history. For example, Detective can report what other IP addresses an entity has connected to, been connected to, or used.

For more information, see [Analyzing entities in Amazon Detective](entity-profiles.md).

## Detective Investigation flow
<a name="detective-investigation-flow"></a>

You can use Amazon Detective to investigate an entity such as an EC2 instance or an AWS user. You can also investigate security findings.

At a high level, the following image shows the process for a Detective Investigation.

![\[Diagram that shows the Detective Investigation process.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/diagram_investigation_flow_entity.png)


**Step 1: Select the entity to investigate**  
When looking at a finding in GuardDuty, analysts can choose to investigate an associated entity in Detective. See [Pivoting to an entity profile or finding overview from Amazon GuardDuty or AWS Security Hub CSPM](navigate-to-profile.md#profile-pivot-from-service).  
Selecting the entity takes you to the entity profile in Detective.

**Step 2: Analyze visualizations on profiles**  
Each entity profile contains a set of visualizations that are generated from the behavior graph. The behavior graph is created from the log files and other data that are fed into Detective.  
The visualizations show activity that is related to an entity. You use these visualizations to answer questions to determine whether the entity activity is unusual. See [Analyzing entities in Amazon Detective](entity-profiles.md).  
To help guide the investigation, you can use the Detective guidance provided for each visualization. The guidance outlines the displayed information, suggests questions for you to ask, and proposes next steps based on the answers. See [Using profile panel guidance during an investigation](profile-panel-drilldown-kubernetes-api-volume.md#profile-panel-guidance).  
Each profile contains a list of associated findings. You can view the details for a finding, and view the finding overview. See [Viewing details for associated findings in Detective](entity-finding-list.md).  
From an entity profile, you can pivot to other entity and finding profiles, to investigate further into activity for related assets.

**Step 3: Take action**  
Based on the results of your investigation, take the appropriate action.  
For a finding that is a false positive, you can archive the finding. From Detective, you can archive GuardDuty findings. For more details, see [Archiving an Amazon GuardDuty finding](https://docs.aws.amazon.com//detective/latest/userguide/finding-update-status.html).  
Otherwise, you take the appropriate action to address the vulnerability and mitigate damage. For example, you might need to update the configuration of a resource.

# Detective Investigation
<a name="investigations-about"></a>

You can use Amazon Detective Investigation to investigate IAM users and IAM roles using indicators of compromise, which can help you determine whether a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. With Detective Investigations you can maximize efficiency, focus on the security threats, and strengthen incident response capabilities.

Detective Investigation uses machine learning models and threat intelligence to automatically analyze resources in your AWS environment to identify potential security incidents. It lets you proactively, effectively, and efficiently use automation built on top of Detective’s behavior graph to improve security operations. Using Detective Investigation you can investigate attack tactics, impossible travel, flagged IP addresses, and finding groups. It performs initial security investigation steps and generates a report highlighting the risks identified by Detective, to help you understand security events and respond to potential incidents.

**Topics**
+ [Running a Detective Investigation](run-investigations.md)
+ [Reviewing Detective Investigations reports](investigations-report.md)
+ [Understanding a Detective Investigations report](investigations-report-understand.md)
+ [Detective Investigations report summary](investigations-summary.md)
+ [Downloading a Detective Investigations report](download-investigation.md)
+ [Archiving a Detective Investigations report](archive-investigation.md)

# Running a Detective Investigation
<a name="run-investigations"></a>

Use **Run investigation** to analyze resources such as IAM users and IAM roles and to generate an investigation report. The generated report details anomalous behavior that indicates potential compromise.

------
#### [ Console ]

Follow these steps to run a Detective Investigation from the **Investigations page** using the Amazon Detective console.

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. In the **Investigations** page, choose **Run investigation** in the top right corner. 

1. In the **Select resource** section, you have three ways to run an investigation. You can choose to run the investigation for a resource recommended by Detective. You can run the investigation for a specific resource. You can also investigate a resource from the Detective Search page.

   1. `Choose a recommended resource` – Detective recommends resources based on their activity in findings and finding groups. To run the investigation for a resource recommended by Detective, in the **Recommended resources** table, select a resource to investigate.

      The Recommended resources table provides the following details: 
      + **Resource ARN** – The Amazon Resource Name (ARN) of the AWS resource.
      + **Reason to investigate** – Displays the key reason(s) to investigate the resource. Detective recommends investigating a resource for the following reasons:
        + If a resource was involved in a High Severity finding in the last 24 hours. 
        + If a resource was involved in a finding group observed in the last 7 days. Detective finding groups let you examine multiple activities as they relate to a potential security event. For more details, see [Analyzing finding groups](groups-about.md).
        + If a resource was involved in a finding in the last 7 days.
      + **Latest finding** – The most recent finding that involves the resource. Resources with the latest findings are listed first.
      + **Resource type** – Identifies the type of resource. For example, an AWS user or AWS role.

   1. `Specify an AWS role or user with an ARN` – You can select an AWS role or AWS user and run an investigation for the specific resource. 

      Follow these steps to investigate a specific resource type. 

      1. From the **Select resource type** drop-down list, choose AWS role or AWS user.

      1. Enter the **Resource ARN** of the IAM resource. For more details about Resource ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference-arns.html) in the IAM User Guide.

   1. `Find a resource to investigate from the Search page` – You can search all of your IAM resources from the Detective **Search** page. 

      Follow these steps to investigate a resource from the Search page.

      1. In the navigation pane, choose **Search**.

      1. In the Search page, search for an IAM resource. 

      1. Navigate to the profile page of the resource and run investigation from there.

1. In the **Investigation scope time** section, choose the **Scope time** for the investigation to assess the selected resource's activity. You can select a **Start date** and **Start time**, and an **End date** and **End time**, in UTC. The selected scope time window must be at least 3 hours and at most 30 days.

1. Choose **Run investigation**. 

------
#### [ API ]

To run an investigation programmatically, use the [StartInvestigation](https://docs.aws.amazon.com//detective/latest/APIReference/API_StartInvestigation.html) operation of the Detective API. To run an investigation using the AWS Command Line Interface (AWS CLI) run the [start-investigation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/detective/start-investigation.html) command.

In your request, use these parameters to run an investigation in Detective: 
+ `GraphArn` – Specify the Amazon Resource Name (ARN) of the behavior graph.
+ `EntityArn` – Specify the unique Amazon Resource Name (ARN) of the IAM user or IAM role.
+ `ScopeStartTime` – Optionally, specify the date and time from which the investigation should begin. The value is a UTC ISO 8601 formatted string. For example, `2021-08-18T16:35:56.284Z`.
+ `ScopeEndTime` – Optionally, specify the date and time at which the investigation should end. The value is a UTC ISO 8601 formatted string. For example, `2021-08-18T16:35:56.284Z`.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
aws detective start-investigation \
    --graph-arn arn:aws:detective:us-east-1:123456789123:graph:fdac8011456e4e6182facb26dfceade0 \
    --entity-arn arn:aws:iam::123456789123:role/rolename \
    --scope-start-time 2023-09-27T20:00:00.00Z \
    --scope-end-time 2023-09-28T22:00:00.00Z
```
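The following Python is an added example, not code from the Detective guide or the AWS SDK: it validates a `StartInvestigation` request before sending it, applying the constraints stated above (the entity must be an IAM user or role, and the scope window must span between 3 hours and 30 days in UTC ISO 8601), and renders the equivalent CLI command. The ARN regular expressions and the boto3 call are assumptions, not something the page specifies.

```python
"""Validate and build a Detective StartInvestigation request (added example, not
code from the Detective guide). Enforces what the guide states: the entity must
be an IAM user or role ARN and the scope window must span 3 hours to 30 days,
given as UTC ISO 8601 timestamps such as 2021-08-18T16:35:56.284Z. The ARN
patterns are assumptions; boto3 is only touched in run_investigation()."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

MIN_SCOPE = timedelta(hours=3)
MAX_SCOPE = timedelta(days=30)
# IAM principal ARNs carry an empty region field: arn:aws:iam::<account>:role/<name>
IAM_PRINCIPAL_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:(?:user|role)/[\w+=,.@/-]+$")
GRAPH_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:detective:[a-z0-9-]+:\d{12}:graph:[0-9a-f]{32}$")

def parse_scope_time(value: Union[str, datetime]) -> datetime:
    """Accept the API's UTC form (Z suffix, optional fraction) or an aware datetime."""
    if isinstance(value, str):
        base, _, frac = value.rstrip("Z").partition(".")  # ".00Z" and ".284Z" are both valid
        value = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
            microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)
    if value.tzinfo is None:
        raise ValueError("scope times must be timezone-aware")
    return value.astimezone(timezone.utc)

def to_iso8601_utc(ts: Union[str, datetime]) -> str:
    """Render the millisecond-precision UTC form the API documents."""
    ts = parse_scope_time(ts)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"

def validate_scope_window(start, end) -> Optional[str]:
    """Return None if the window is acceptable, otherwise the reason it is not."""
    window = parse_scope_time(end) - parse_scope_time(start)
    if window <= timedelta(0):
        return "ScopeEndTime must be after ScopeStartTime"
    if window < MIN_SCOPE:
        return f"scope window {window} is shorter than the 3 hour minimum"
    if window > MAX_SCOPE:
        return f"scope window {window} exceeds the 30 day maximum"
    return None

def build_start_investigation(graph_arn: str, entity_arn: str, start, end) -> dict:
    """Return StartInvestigation parameters, or raise ValueError for input the
    service would reject (wrong resource type, malformed graph ARN, bad window)."""
    if not GRAPH_ARN.match(graph_arn):
        raise ValueError(f"not a Detective behavior graph ARN: {graph_arn}")
    if not IAM_PRINCIPAL_ARN.match(entity_arn):
        raise ValueError(f"entity must be an IAM user or role ARN: {entity_arn}")
    problem = validate_scope_window(start, end)
    if problem:
        raise ValueError(problem)
    return {"GraphArn": graph_arn, "EntityArn": entity_arn,
            "ScopeStartTime": to_iso8601_utc(start), "ScopeEndTime": to_iso8601_utc(end)}

def to_cli_command(params: dict) -> str:
    """Render the equivalent `aws detective start-investigation` invocation."""
    return (f"aws detective start-investigation --graph-arn {params['GraphArn']}"
            f" --entity-arn {params['EntityArn']} --scope-start-time {params['ScopeStartTime']}"
            f" --scope-end-time {params['ScopeEndTime']}")

def run_investigation(params: dict, region: str = "us-east-1") -> str:
    """Submit the request and return the InvestigationId (needs boto3 and credentials)."""
    import boto3  # imported lazily so the validation code has no AWS dependency
    client = boto3.client("detective", region_name=region)
    return client.start_investigation(**params)["InvestigationId"]
```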

------

You can also run an investigation from the following pages in Detective:
+ An IAM user or IAM role profile page in Detective.
+ Graph visualization pane of a finding group.
+ Actions column of an involved resource.
+ IAM user or IAM role on a finding page.

After Detective runs the investigation for a resource, an investigation report is generated. To access the report, go to **Investigations** from the navigation pane. 

# Reviewing Detective Investigations reports
<a name="investigations-report"></a>

Investigations reports let you review the generated **Reports** for investigations that you have run previously in Detective.

To review investigations reports

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

Take note of the following attributes from an investigations report. 
+ **ID** – The generated identifier of the investigations report. You can choose this **ID** to read a summary of the investigation report, which has the details of the investigation.
+ **Status** – Each investigation is associated with a **Status** based on the completion status of the investigation. Status values can be **In progress**, **Succeeded**, or **Failed**.
+ **Severity** – Each investigation is assigned a **Severity**. Detective assigns this severity automatically.

  A severity represents the disposition as analyzed by the investigation of a single resource at a given scope time. A severity reported by an investigation doesn't imply or otherwise indicate the criticality or importance that an affected resource might have for your organization.

  Investigation severity values can be **Critical**, **High**, **Medium**, **Low**, or **Informational** from most to least severe.

  Investigations that are assigned a Critical or High severity value should be prioritized for further inspection, as they are more likely to represent high-impact security issues identified by Detective. 
+ **Entity** – The **Entity** column contains details on the specific entities detected in the investigation. Entities include IAM principals such as users and roles.
+ **Creation date** – The **Creation date** column contains the date and time at which the investigation report was first created.

# Understanding a Detective Investigations report
<a name="investigations-report-understand"></a>

A Detective Investigations report lists a summary of the uncommon behavior or malicious activity that indicates compromise. It also lists the recommendations that Detective suggests to mitigate the security risk.

To view an investigations report for a specific investigation ID

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. In the **Reports** table, select an investigation **ID**.

![\[Investigations reports lets you review the generated Reports for investigations that you have run previously in Detective.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/detective-investigations-report.png)


Detective generates the report for the selected **Scope** time and **User**. The report contains an **Indicators of Compromise** section that includes details regarding one or more of the indicators of compromise listed below. As you review each indicator of compromise, optionally choose an item to drill down and review its details.
+ **Tactics, Techniques, and Procedures** – Identifies tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the [MITRE ATT&CK matrix for Enterprise](https://attack.mitre.org/matrices/enterprise/).
+ **Threat Intelligence Flagged IP Addresses** – Suspicious IP addresses are flagged and identified as critical or severe threats based on Detective threat intelligence. 
+ **Impossible Travel** – Detects and identifies unusual and impossible user activity for an account. For example, this indicator lists a drastic change between the source and destination locations of a user within a short time span.
+ **Related Finding Group** – Shows multiple activities as they relate to a potential security event. Detective uses graph analysis techniques that infer relationships between findings and entities, and groups them together as a finding group.
+ **Related Findings** – Related activities associated with a potential security event. Lists all distinct categories of evidence that are connected to the resource or the finding group.
+ **New Geolocations** – Identifies new geolocations used either at the resource or account level. For example, this indicator lists an observed geolocation that is an infrequent or unused location based on previous user activity. 
+ **New User Agents** – Identifies new user agents used either at the resource or account level. 
+ **New ASOs** – Identifies new Autonomous System Organizations (ASOs) used either at the resource or account level. For example, this indicator lists a new organization assigned as an ASO. 

# Detective Investigations report summary
<a name="investigations-summary"></a>

The investigations summary highlights anomalous indicators that require attention for the selected scope time. Using the summary, you can more quickly identify the root cause of potential security issues, identify patterns, and understand the resources impacted by security events.

In the detailed investigations report summary, you can view the following details.

**Investigations overview**

In the **Overview** panel, you can see a visualization of IPs with high severity activity, which can give more context on the pathway of an attacker. 

Detective highlights **Unusual activity** in the investigation, for example impossible travel from a source to a faraway destination by the IAM user. 

Detective maps the investigations to tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the [MITRE ATT&CK matrix for Enterprise](https://attack.mitre.org/matrices/enterprise/).

**Investigations indicators**

You can use the information in the **Indicators** pane to determine whether an AWS resource is involved in unusual activity that could indicate malicious behavior, and what its impact is. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident.

# Downloading a Detective Investigations report
<a name="download-investigation"></a>

You can download the Detective Investigations report in JSON format, to analyze it further or store it to your preferred storage solution such as an Amazon S3 bucket. 

**To download an investigations report from the Reports table.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table, and choose **Download**.

**To download an investigations report from the summary page.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table.

1. In the investigations summary page, choose **Download**.

# Archiving a Detective Investigations report
<a name="archive-investigation"></a>

When you complete your investigation in Amazon Detective, you can **Archive** the investigation report. An archived investigation indicates you have completed reviewing the investigation.

You can archive or unarchive an investigation only if you are a Detective administrator. Detective stores your archived investigations for 90 days.

**To archive an investigations report from the Reports table.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table, and choose **Archive**.

**To archive an investigations report from the summary page.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table.

1. In the investigations summary page, choose **Archive**.