# Analyzing entities in Amazon Detective
<a name="entity-profiles"></a>

An entity is a single object extracted from the source data. Examples include a specific IP address, Amazon EC2 instance, or AWS account. For a list of entity types, see [Types of entities in the behavior graph data structure](graph-data-structure-overview.md#entity-types).

An Amazon Detective entity profile is a single page that provides detailed information about the entity and its activity. You might use an entity profile to get supporting details for an investigation into a finding or as part of a general hunt for suspicious activity.

**Topics**
+ [Using entity profiles](using-entity-profiles.md)
+ [Viewing and interacting with Detective profile panels](profile-panels.md)
+ [Navigating directly to an entity profile or finding overview](navigate-to-profile.md)
+ [Pivoting from a profile panel to another console](profile-panel-console-links.md)
+ [Exploring activity details on a profile panel](profile-panel-drilldown.md)
+ [Managing the scope time](scope-time-managing.md)
+ [Viewing details for associated findings in Detective](entity-finding-list.md)
+ [Viewing details for high-volume entities in Detective](high-volume-entities.md)

# Using entity profiles
<a name="using-entity-profiles"></a>

An entity profile appears when you perform one of the following actions:
+ From the Amazon GuardDuty console, choose the option to investigate an entity that is related to a selected finding.

  See [Pivoting to an entity profile or finding overview from Amazon GuardDuty or AWS Security Hub CSPM](navigate-to-profile.md#profile-pivot-from-service).
+ Go to the Detective URL for the entity profile.

  See [Navigating to an entity profile or finding overview using a URL](navigate-to-profile.md#profile-navigate-url).
+ Use the Detective search in the Detective console to look up an entity.
+ Choose a link to the entity profile from another entity profile or from a finding overview.

## Scope time for an entity profile
<a name="entity-profile-scope-time"></a>

When you navigate directly to an entity profile without providing the scope time, the scope time is set to the previous 24 hours.

When you navigate to an entity profile from another entity profile, the currently selected scope time remains in place.

When you navigate to an entity profile from a finding overview, the scope time is set to the finding time window.

For information on customizing the scope time to limit the data displayed on entity profiles, see [Managing the scope time](https://docs.aws.amazon.com//detective/latest/userguide/scope-time-managing.html).

## Entity identifier and type
<a name="entity-identifier-type"></a>

At the top of the profile are the entity identifier and the entity type. Each entity type has a corresponding icon, to provide a visual indicator of the type of profile.

## Involved findings
<a name="entity-profile-associated-findings"></a>

Each profile contains a list of findings that the entity was involved in during the scope time.

You can see the details for each finding, change the scope time to reflect the finding time window, and go to the finding overview to look for other involved resources.

See [Viewing details for associated findings in Detective](entity-finding-list.md).

## Finding groups involving this entity
<a name="entity-profile-associated-finding-group"></a>

Each profile contains a list of finding groups that an entity is included in.

A finding group is made up of findings, entities, and evidence that Detective collects into a group to provide more context on possible security issues.

For more information on finding groups, see [Analyzing finding groups](groups-about.md).

## Profile panels containing entity details and analytics results
<a name="entity-profile-panels"></a>

Each entity profile contains a set of one or more tabs. Each tab contains one or more profile panels. Each profile panel contains text and visualizations that are generated from the behavior graph data. The specific tabs and profile panels are tailored to the entity type.

For most entities, the panel at the top of the first tab provides high-level summary information about the entity.

Other profile panels highlight different types of activity. For an entity that is involved with a finding, the information on the entity profile panels can provide additional supporting evidence to help complete an investigation. Each profile panel provides access to guidance on how to use the information. For more information, see [Using profile panel guidance during an investigation](profile-panel-drilldown-kubernetes-api-volume.md#profile-panel-guidance). 

For more details about profile panels, the types of data they contain, and available options for interacting with them, see [Viewing and interacting with Detective profile panels](profile-panels.md).

## Navigating in an entity profile
<a name="profile-navigating"></a>

An entity profile contains a set of one or more tabs. Each tab contains one or more profile panels. Each profile panel contains text and visualizations that are generated from the behavior graph data.

As you scroll down through a profile tab, the following information remains visible at the top of the profile:
+ Entity type
+ Entity identifier
+ Scope time

![\[Profile header with the menu of available tabs.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_header_tab_menu.png)


# Viewing and interacting with Detective profile panels
<a name="profile-panels"></a>

Each entity profile on the Amazon Detective console consists of a set of profile panels. A profile panel is a visualization that provides general details or highlights specific activity associated with an entity. Profile panels use different types of visualizations to present different types of information. They can also provide links to additional details or to other profiles.

Each profile panel is intended to help analysts find answers to specific questions about entities and their associated activity. The answers to those questions help lead to a conclusion about whether the activity represents a genuine threat.

Profile panels use different types of visualizations to present different types of information.

## Types of information on a profile panel
<a name="profile-panel-data-types"></a>

Profile panels typically provide the following types of data.


|  Panel data type  |  Description  | 
| --- | --- | 
|  High-level information about a finding or entity  |  The simplest type of panel provides some basic information about an entity. Examples of information included on an information panel include the identifier, name, type, and creation date. ![\[Example of a profile panel containing high-level information about an entity.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_item_details.png) Most entity profiles contain an information panel for that entity.  | 
|  General summary of activity over time  |  Displays a summary of activity for an entity over time. This type of panel provides an overall view of how an entity is behaving during the scope time. ![\[Example of a profile panel containing an overview of activity over time for an entity.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_activity_summary.png) Here are some examples of summary data provided on Detective profile panels: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/detective/latest/userguide/profile-panels.html)  | 
|  Summary of activity grouped by values  |  Displays a summary of activity for an entity, grouped by specific values. You can see this type of profile panel on the profile for an EC2 instance. The profile panel shows the average volume of VPC flow log data to and from an EC2 instance for common ports that are associated with specific types of services. ![\[Example of a profile panel showing a summary of activity grouped by specific values.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_grouped_summary.png)  | 
|  Activity that only started during the scope time  |  During an investigation, it is valuable to see what activity only began to occur during a specific time frame. For example, are there API calls, geographic locations, or user agents that were not seen before? ![\[Example of a profile panel that highlights activity not observed before the scope time.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_newly_observed.png) If the behavior graph is still in training mode, the profile panel displays a notification message. The message is removed when the behavior graph has accumulated at least two weeks of data. For more information about training mode, see [Training period for new Detective behavior graphs](detective-data-training-period.md).  | 
|  Activity that changed significantly during the scope time  |  Similar to the new activity panels, profile panels can also display activity that changed significantly during the scope time. For example, a user might regularly issue a certain API call a few times a week. If the same user suddenly issues the same call multiple times in a single day, that might be evidence of malicious activity. ![\[Example of a profile panel showing activity that changed significantly during the scope time.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_changed_activity.png) If the behavior graph is still in training mode, the profile panel displays a notification message. The message is removed when the behavior graph has accumulated at least two weeks of data. For more information about training mode, see [Training period for new Detective behavior graphs](detective-data-training-period.md).  | 

# Types of profile panel visualizations
<a name="profile-panel-display-types"></a>

Profile panel content can take one of the following forms.


|  Visualization type  |  Description  | 
| --- | --- | 
|  Key-value pairs  |  The simplest type of visualization is a set of key-value pairs. A finding or entity information panel is the most common example of a key-value pair panel. ![\[Example of a profile panel containing key-value pairs.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_key_value.png) Key-value pairs can also be used to add additional information to other types of panels. From a key-value pair panel, if a value is an identifier of an entity, then you can pivot to its profile.  | 
|  Table  |  A table is a simple multiple-column list of items. ![\[Example of a profile panel containing a simple table.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_table.png) You can sort, filter, and page through the table. You can change the number of entries to display on each page. See [Setting the preferences for a profile panel](profile-panel-preferences.md). If a value in the table is an identifier of an entity, then you can pivot to its profile.  | 
|  Timeline  |  A timeline visualization shows an aggregated value for defined intervals over time. ![\[Example of a profile panel containing timelines.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_timeline.png) The timeline highlights the current scope time, and includes additional peripheral time before and after the scope time. The peripheral time provides context for the activity in the scope time. Hover over a time interval to display a summary of the data for that time interval.  | 
|  Expandable table  |  An expandable table combines tables and timelines. ![\[Example of a profile panel containing an expandable table.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_expandable_table.png) The visualization starts as a table. You can sort, filter, and page through the table. You can change the number of entries to display on each page. See [Setting the preferences for a profile panel](profile-panel-preferences.md). You can then expand each row to show a timeline visualization specific to that row.  | 
|  Bar chart  |  A bar chart shows values based on groupings. Depending on the chart, you might be able to choose a bar to display a timeline of related activity. ![\[Example of a profile panel containing a bar chart.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_bar_chart.png)  | 
|  Geolocation chart  |  A geolocation chart displays a map that is marked to highlight data based on geographic location. It may be followed by a table containing details about individual geolocations. ![\[Example of a profile panel containing a geolocation chart.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_geolocation.png) Note that when processing incoming geographic data, Detective rounds the latitude and longitude values to a single decimal point.  | 

## Notes on profile panel content
<a name="profile-panel-other-notes"></a>

When viewing the content of a profile panel, be aware of the following items:

****Approximate count data warning****  
This warning indicates that items with extremely low counts do not appear due to the volume of applicable data.  
To ensure a completely accurate count, reduce the amount of data. The simplest way to do that is to reduce the length of the scope time. See [Managing the scope time](scope-time-managing.md).

****Rounding for geographic locations****  
Detective rounds all latitude and longitude values to a single decimal point.

**Changes to how Detective represents API calls**  
Beginning on July 14, 2021, Detective tracks the service that made each API call. Whenever Detective displays an API method, it also displays the associated service. On profile panels that display information about API calls, the calls are always grouped by the service. For data that Detective ingested before that date, the service name is listed as **Unknown service**.  
Also beginning on July 14, 2021, for accounts and roles, the activity details for the **Overall API call volume** profile panel no longer show the AKID of the resource that issued the call. For accounts, Detective displays the identifier of the principal (user or role) that issued the call. For roles, Detective displays the identifier of the role session. For data that Detective ingested before July 14, 2021, the identifier is listed as **Unknown resource**.  
For profile panels that display a list of API calls, the associated timeline highlights the period of time during which this transition occurred. The highlight starts on July 14, 2021, and ends when the update was fully propagated in Detective.

# Setting the preferences for a profile panel
<a name="profile-panel-preferences"></a>

For profile panels, you can customize the number of rows that appear on each page on profile panels by and configure the timestamp format preference.

## Setting the table length
<a name="profile-panel-preferences-table"></a>

For profile panels that contain tables or expandable tables, you can configure the number of rows to display on each page. 

Set your preference for the number of entries on each page.

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/). 

1. In the Detective navigation pane, under **Settings**, choose **Preferences**.

1. On the **Preferences** page, under **Table length**, click **Edit**. 

1. Choose the number of table rows you want to display on each page.

1. Choose **Save**.

## Setting the timestamp format
<a name="profile-panel-preferences-timestamp"></a>

For profile panels, you can configure the timestamp format preference that will be applied to all timestamps for each IAM user or IAM role in Detective. 
**Note**  
The timestamp format preference is not applied across the entire AWS account. 

Set the preference for timestamp.

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/). 

1. In the Detective navigation pane, under **Settings**, choose **Preferences**.

1. On the **Preferences** page, under **Timestamp preferences**, view and change the preferred display for all timestamps. 

1. By default, the timestamp format is set to UTC. Click **Edit** to choose your local timezone.

   Example:  
**Example**  

   UTC - 09/20/22 16:39 UTC

   Local - 09/20/2022 9:39 (UTC-07:00)

1. Choose **Save**.

# Navigating directly to an entity profile or finding overview
<a name="navigate-to-profile"></a>

To navigate directly to an entity profile or finding overview in Amazon Detective, you can use one of these options.
+ From Amazon GuardDuty or AWS Security Hub CSPM, you can pivot from a GuardDuty finding to the corresponding Detective finding profile.
+ You can assemble a Detective URL that identifies a finding or entity and sets the scope time to use.

## Pivoting to an entity profile or finding overview from Amazon GuardDuty or AWS Security Hub CSPM
<a name="profile-pivot-from-service"></a>

From the Amazon GuardDuty console, you can navigate to the entity profile for an entity that is related to a finding.

From the GuardDuty and AWS Security Hub CSPM consoles, you can also navigate to a finding overview. This also provides links to the entity profiles for the involved entities.

These links can help to streamline the investigation process. You can quickly use Detective to see the associated entity activity and determine next steps. You can then archive a finding if it is a false positive or explore further to determine the scope of the problem.

### How to pivot to the Amazon Detective console
<a name="profile-pivot-how-to"></a>

The investigation links are available for all GuardDuty findings. GuardDuty also allows you to choose whether to navigate to an entity profile or to the finding overview.

**To pivot to Detective from the GuardDuty console**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. If necessary, choose **Findings** in the left navigation pane.

1. On the GuardDuty **Findings** page, choose the finding.

   The finding details pane displays to the right of the finding list.

1. On the finding details pane, choose **Investigate in Detective**.

   GuardDuty displays a list of available items to investigate in Detective.

   The list contains both the related entities, such as IP addresses or EC2 instances, and the finding.

1. Choose an entity or the finding.

   The Detective console opens in a new tab. The console opens to the entity or finding profile.

   If you have not enabled Detective, then the console opens to a landing page that provides an overview of Detective. From there, you can choose to enable Detective.

**To pivot to Detective from the Security Hub CSPM console**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. If necessary, choose **Findings** in the left navigation pane.

1. On the Security Hub CSPM **Findings** page, choose a GuardDuty finding.

1. In the details pane, choose **Investigate in Detective** and then choose **Investigate finding**.

   When you choose **Investigate finding**, the Detective console opens in a new tab. The console opens to the finding overview.

   The Detective console always opens to the Region where the finding originated, even if you pivot from your aggregation Region. For more information about finding aggregation, see [Aggregating findings across Regions](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) in the *AWS Security Hub User Guide*.

   If you have not enabled Detective, the console opens to the Detective landing page. From there, you can enable Detective.

### Troubleshooting the pivot
<a name="profile-pivot-troubleshooting"></a>

To use the pivot, one of the following must be true:
+ Your account must be an administrator account for both Detective and the service you are pivoting from.
+ You have assumed a cross-account role that grants you administrator account access to the behavior graph.

For more information about the recommendation to align administrator accounts, see [Recommended alignment with Amazon GuardDuty and AWS Security Hub CSPM](https://docs.aws.amazon.com/detective/latest/userguide/detective-setup.html#detective-recommendations).

If the pivot does not work, check the following.
+ **Does the finding belong to an enabled member account in your behavior graph?** If the associated account was not invited to the behavior graph as a member account, then the behavior graph does not contain data for that account.

  If an invited member account did not accept the invitation, then the behavior graph does not contain data for that account.
+ **Is the finding archived?** Detective does not receive archived findings from GuardDuty.
+ **Did the finding occur before Detective began to ingest data into your behavior graph?** If the finding is not present in the data that Detective ingests, then the behavior graph does not contain data for it.
+ **Is the finding from the correct Region?** Each behavior graph is specific to a Region. A behavior graph does not contain data from other Regions.

## Navigating to an entity profile or finding overview using a URL
<a name="profile-navigate-url"></a>

To navigate to an entity profile or finding overview in Amazon Detective, you can use a URL that provides a direct link to it. The URL identifies the finding or entity. It can also specify the scope time to use on the profile. Detective maintains up to a year of historical event data.

### Format of a profile URL
<a name="profile-url-format"></a>

**Note**  
If you are using the old URL format, Detective will automatically redirect to the new URL. The old format of the URL was:  
https://console.aws.amazon.com/detective/home?region=*Region*\$1*type*/*namespace*/*instanceID*?*parameters*

The new format of the profile URL is as follows: 
+ For entities - https://console.aws.amazon.com/detective/home?region=*Region*\$1*entities*/*namespace*/*instanceID*?*parameters*
+ For findings - https://console.aws.amazon.com/detective/home?region=*Region*\$1*findings*/*instanceID*?*parameters*

The URL requires the following values.

***Region***  
The Region that you want to use.

***type***  
The type of item for the profile that you are navigating to.  
+ `entities` - Indicates that you are navigating to an entity profile
+ `findings` - Indicates that you are navigating to a finding overview

***namespace***  
For entities, the namespace is the name of the entity type.  
+ `AwsAccount`
+ `AwsRole`
+ `AwsRoleSession`
+ `AwsUser`
+ `Ec2Instance`
+ `FederatedUser`
+ `IpAddress`
+ `S3Bucket`
+ `UserAgent`
+ `FindingGroup`
+ `KubernetesSubject`
+ `ContainerPod`
+ `ContainerCluster`
+ `ContainerImage`

***instanceID***  
The instance identifier of the finding or entity.  
+ For a GuardDuty finding, the GuardDuty finding identifier.
+ For an AWS account, the account ID.
+ For AWS roles and users, the principal ID of the role or of the user.
+ For federated users, the principal ID of the federated user. The principal ID is either `<identityProvider>:<username>` or `<identityProvider>:<audience>:<username>`.
+ For IP addresses, the IP address.
+ For user agents, the user agent name.
+ For EC2 instances, the instance ID.
+ For role sessions, the session identifier. The session identifier uses the format` <rolePrincipalID>:<sessionName>`.
+ For S3 buckets, the bucket name.
+ For FindingGroups, a UUID. for example, `ca6104bc-a315-4b15-bf88-1c1e60998f83`
+ For EKS resources, use the following formats:
  + EKS cluster: *<clusterName>\$1<accountId>\$1EKS*
  + Kubernetes Pod: *<podUid>\$1<clusterName>\$1<accountId>\$1EKS*
  + Kubernetes Subject: *<subjectName>\$1<clusterName>\$1<accountId>*
  + Container image: *<registry>/<repository>:<tag>@<digest>*
The finding or entity must be associated with an enabled account in your behavior graph.

The URL can also include the following optional parameters, which are used to set the scope time. For more information about scope time and how it is used on profiles, see [Managing the scope time](scope-time-managing.md).

**`scopeStart`**  
Start time for the scope time to use on the profile. Start time must be within the last 365 days.  
The value is the epoch timestamp.  
If you provide a start time but no end time, then the scope time ends at the current time.

**`scopeEnd`**  
End time for the scope time to use on the profile.  
The value is the epoch timestamp.  
If you provide an end time, but no start time, then the scope time includes all time before the end time.

If you don't specify the scope time, then the default scope time is used.
+ For findings, the default scope time uses the first and last times that the finding activity was observed.
+ For entities, the default scope time is the previous 24 hours.

Here is an example of a Detective URL:

`https://console.aws.amazon.com/detective/home?region=us-east-1#entities/IpAddress/192.168.1.1?scopeStart=1552867200&scopeEnd=1552910400`

This example URL provides the following instructions.
+ Display the entity profile for the IP address 192.168.1.
+ Use a scope time that starts Monday, March 18, 2019 12:00:00 AM GMT and that ends Monday, March 18, 2019 12:00:00 PM GMT.

### Troubleshooting a URL
<a name="profile-url-troubleshooting"></a>

If the URL does not display the expected profile, first check that the URL uses the correct format and that you have provided the correct values.
+ Did you start with the correct URL (`findings` or `entities`)? 
+ Did you specify the correct namespace?
+ Did you provide the correct identifier?

If the values are correct, then you can also check the following.
+ **Does the finding or entity belong to an enabled member account in your behavior graph?** If the associated account was not invited to the behavior graph as a member account, then the behavior graph does not contain data for that account.

  If an invited member account did not accept the invitation, then the behavior graph does not contain data for that account.
+ **For a finding, is the finding archived?** Detective does not receive archived findings from Amazon GuardDuty.
+ **Did the finding or entity occur before Detective began to ingest data into your behavior graph?** If the finding or entity is not present in the data that Detective ingests, then the behavior graph does not contain data for it.
+ **Is the finding or entity from the correct Region?** Each behavior graph is specific to a Region. A behavior graph does not contain data from other Regions.

## Adding Detective URLs for findings to Splunk
<a name="profile-splunk-integration-url"></a>

The Splunk Trumpet project allows you send data from AWS services to Splunk.

You can configure the Trumpet project to generate Detective URLs for Amazon GuardDuty findings. You can then use these URLs to pivot directly from Splunk to the corresponding Detective finding profiles.

The Trumpet project is available from GitHub at [https://github.com/splunk/splunk-aws-project-trumpet](https://github.com/splunk/splunk-aws-project-trumpet).

On the configuration page for the Trumpet project, from **AWS CloudWatch Events**, choose **Detective GuardDuty URLs**.

# Pivoting from a profile panel to another console
<a name="profile-panel-console-links"></a>

For EC2 instances, IAM users, and IAM roles, you can navigate directly from the details profile panel to the corresponding console. The information available from the console can provide additional input for your security investigation.

On the **EC2 instance details** profile panel, the EC2 instance identifier is linked to the Amazon EC2 console.

On the **User details** profile panel, the user name is linked to the IAM console.

On the **Role details** profile panel, the role name is linked to the IAM console.

## Pivoting from a profile panel to another entity profile
<a name="profile-panel-pivot"></a>

When a profile panel contains an identifier of a different entity, it is usually a link to that entity profile. The exceptions are the links to the Amazon EC2 and IAM consoles on the EC2 instance, IAM users, and IAM roles profiles. See [Pivoting from a profile panel to another console](#profile-panel-console-links).

For example, from a list of IP addresses, you might be able to display the profile for a specific IP address. That way you can see if there is any other information available to help you to complete your investigation.

# Exploring activity details on a profile panel
<a name="profile-panel-drilldown"></a>

During an investigation, you might want to investigate further into the pattern of activity for an entity.

On the following profile panels, you can display a summary of the activity details:
+ **Overall API call volume**, except for the profile panel on the user agent profile
+ **Newly observed geolocations**
+ **Overall VPC flow volume**
+ **VPC flow volume to and from the finding IP address**, for findings that are associated with a single IP address
+ **Container details**
+ **VPC flow volume** for clusters
+ **Overall Kubernetes API activity**

The activity details can answer these types of questions:
+ Which IP addresses were used?
+ Where were those IP addresses located?
+ Which API calls did each IP address make, and from which services did they make those calls?
+ Which principals or access key identifiers (AKIDs) were used to make the calls?
+ What resources were used to make those calls?
+ How many calls were made? How many succeeded and failed?
+ What volume of VPC flow log data was sent to or from each IP address?
+ What containers were active for a given cluster, image, or pod?

**Topics**
+ [Activity details for Overall API call volume](profile-panel-drilldown-overall-api-volume.md)
+ [Activity details for a geolocation](profile-panel-drilldown-new-geolocations.md)
+ [Activity details for overall VPC flow volume](profile-panel-drilldown-overall-vpc-volume.md)
+ [Overall Kubernetes API activity involving EKS cluster](profile-panel-drilldown-kubernetes-api-volume.md)

# Activity details for Overall API call volume
<a name="profile-panel-drilldown-overall-api-volume"></a>

The activity details for **Overall API call volume** show the API calls that were issued during a selected time range.

To display the activity details for a single time interval, choose the time interval on the chart.

To display the activity details for the current scope time, choose **Display details for scope time**.

Note that Detective began to store and display the service name for API calls as of July 14, 2021. That date is highlighted on the profile panel timeline. For activity that occurs before that date, the service name is **Unknown service**.

## Content of the activity details (users, roles, accounts, role sessions, EC2 instances, S3 buckets)
<a name="drilldown-api-volume-content"></a>

For IAM users, IAM roles, accounts, role sessions, EC2 instances, and S3 buckets, the activity details contain the following information:
+ Each tab provides information about the set of API calls that were issued during the selected time range.

  For S3 buckets, the information reflects API calls that were made to the S3 bucket.

  The API calls are grouped by the services that called them. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.
+ For each entry, the activity details show the number of successful and failed calls. The **Observed IP addresses** tab also shows the location of each IP address.
+ Each entry shows information about who made the calls. For accounts, the activity details identify the users or roles. For roles, the activity details identify the role sessions. For users and role sessions, the activity details identify the access key identifiers (AKIDs).

  Note that as of July 14, 2021, for account profiles, the activity details show users or roles instead of AKIDs. For role profiles, the activity details show role sessions instead of AKIDs. For activity that occurs before July 14, 2021, the caller is listed as **Unknown resource**.

The activity details contain the following tabs:

**Observed IP addresses**  
Initially displays the list of IP addresses used to issue API calls.  
You can expand each IP address to display the list of API calls that were issued from that IP address. The API calls are grouped by the services that called them. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can then expand each API call to display the list of callers from that IP address. Depending on the profile, the caller might be a user, role, role session, or AKID.  

![\[View of the Observed IP addresses tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of IP address, API calls, and AKIDs. API calls are grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_ipaddress.png)


**API method by service**  
Initially displays the list of API calls that were issued. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can expand each API method to display the list of IP addresses from which the calls were issued.  
You can then expand each IP address to display the list of AKIDs that issued that API call from that IP address.  

![\[View of the API method by service tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of API calls, IP addresses, and AKIDs. API calls are grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_apimethods.png)


**Resource or Access Key ID**  
Initially displays the list of users, roles, role sessions, or AKIDs that were used to issue API calls.  
You can expand each caller to display the list of IP addresses from which the caller issued API calls.  
You can then expand each IP address to display the list of API calls that were issued from that IP address by that caller. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under** Unknown service**.  

![\[View of the Resource tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of AKIDs, IP addresses, and API calls grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_resource.png)


## Content of the activity details (IP addresses)
<a name="drilldown-api-volume-content-ip"></a>

For IP addresses, the activity details contain the following information:
+ Each tab provides information about the set of API calls that were issued during the selected time range. The API calls are grouped by the services that issued the calls. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.
+ For each entry, the activity details show the number of successful and failed calls.

The activity details contain the following tabs:

**Resource**  
Initially displays the list of resources that issued API calls from the IP address.  
For each resource, the list includes the resource name, the type, and the AWS account.  
You can expand each resource to display the list of API calls that the resource issued from the IP address. The API calls are grouped by the services that issued the calls. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  

![\[View of the Resource tab of the activity details on the Overall API call volume profile panel for an IP address.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_ip_resource.png)


**API method by service**  
Initially displays the list of API calls that were issued. The API calls are grouped by the services that issued the calls. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can expand each API call to display the list of resources that issued the API call from the IP address during the selected time period.  

![\[View of the API method by service tab of the activity details of the Overall API call volume profile panel for an IP address.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_ip_apimethods.png)


## Sorting the activity details
<a name="drilldown-api-volume-sort"></a>

You can sort the activity details by any of the list columns.

When you sort using the first column, only the top-level list is sorted. The lower-level lists are always sorted by the count of successful API calls.

## Filtering the activity details
<a name="drilldown-api-volume-filter"></a>

You can use the filtering options to focus on specific subsets or aspects of the activity represented in the activity details.

On all of the tabs, you can filter the list by any of the values in the first column.

**To add a filter**

1. Choose the filter box.

1. From **Properties**, choose the property to use for the filtering.

1. Provide the value to use for the filtering. The filter supports partial values. For example, when you filter by API method, if you filter by **Instance**, the results include any API operation that has `Instance` in its name. So both `ListInstanceAssociations` and `UpdateInstanceInformation` would match.

   For service names, API methods, and IP addresses, you can either specify a value or choose a built-in filter.

   For **Common API substrings**, choose the substring that represents the type of operation, such as `List`, `Create`, or `Delete`. Each API method name starts with the operation type.

   For **CIDR patterns**, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.

1. Choose a Boolean option *Resource* or *Service*** : Contains** or **\$1: Does not contain**; or *API method* or *IP address*** = Equals** or **\$1: Does not equal** to set filters.  
![\[List of available filters for the activity details filter.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/api-volume-search.png)

To remove a filter, choose the **x** icon in the top-right corner.

To clear all of the filters, choose **Clear filter**.

## Selecting the time range for the activity details
<a name="drilldown-api-volume-time-range"></a>

 When you first display the activity details, the time range is either the scope time or a selected time interval. You can change the time range for the activity details.

**To change the time range for the activity details**

1. Choose **Edit**.

1. On **Edit time window**, choose the start and end time to use.

   To set the time window to the default scope time for the profile, choose **Set to default scope time**.

1. Choose **Update time window**.

The time range for the activity details is highlighted on the profile panel charts.

![\[Highlighted time window for the Overall API call volume profile panel\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_timehighlight.png)


## Querying raw logs
<a name="query-raw-logs"></a>

Amazon Detective integrates with Amazon Security Lake, which means that you can query and retrieve the raw log data stored by Security Lake. For more details about this integration, see [Amazon Detective Integration with Amazon Security Lake](securitylake-integration.md).

Using this integration, you can collect and query logs and events from the following sources which Security Lake natively supports.
+ AWS CloudTrail management events version 1.0 and after
+ Amazon Virtual Private Cloud (Amazon VPC) Flow Logs version 1.0 and after
+ Amazon Elastic Kubernetes Service (Amazon EKS) Audit Log version 2.0

**Note**  
There are no additional charges to query raw data logs in Detective. Usage charges for other AWS Services, including Amazon Athena, still apply at published rates.

**To query raw logs**

1. Choose **display details for scope time**. 

1. From here, you can start to **Query raw logs**. 

1. In the **Raw log preview** table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena. 

   From the Query raw logs table, you can **Cancel query request**, **See results in Amazon Athena**, and **Download results** as a comma-separated values (.csv) file. 

If you see logs in Detective, but the query returned no results, it could happen because of the following reasons.
+ Raw logs may become available in Detective before showing up in Security Lake log tables. Try again later.
+ Logs may be missing from Security Lake. If you waited for an extended period of time, it indicates that logs are missing from Security Lake. Contact your Security Lake administrator to resolve the issue.

# Activity details for a geolocation
<a name="profile-panel-drilldown-new-geolocations"></a>

The activity details for **Newly observed geolocations** show the API calls that were issued from a geolocation during the scope time. The API calls include all calls issued from the geolocation. They are not limited to calls that used the finding or profile entity. For S3 buckets, the activity calls are API calls made to the S3 bucket.

Detective determines the location of requests using MaxMind GeoIP databases. MaxMind reports very high accuracy of their data at the country level, although accuracy varies according to factors such as country and type of IP. For more information about MaxMind, see [MaxMind IP Geolocation](https://support.maxmind.com/hc/en-us/sections/4407519834267-IP-Geolocation). If you think any of the GeoIP data is incorrect, you can submit a correction request to Maxmind at [MaxMind Correct GeoIP2 Data](https://support.maxmind.com/hc/en-us/articles/4408252036123-GeoIP-Correction).

The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.

To display the activity details, do one of the following:
+ On the map, choose a geolocation.
+ In the list, choose **Details** for a geolocation.

The activity details replace the geolocation list. To return to the geolocation list, choose **Return to all results**.

Note that Detective began to store and display the service name for API calls as of July 14, 2021. For activity that occurs before that date, the service name is **Unknown service**.

## Content of the activity details
<a name="profile-panel-drilldown-geolocation-content"></a>

Each tab provides information about all of the API calls that were issued from the geolocation during the scope time.

For each IP address, resource, and API method, the list shows the number of successful and failed API calls.

The activity details contain the following tabs:

**Observed IP addresses**  
Initially displays the list of IP addresses that were used to issue API calls from the selected geolocation.  
You can expand each IP address to display the resources that issued API calls from that IP address. The list displays the resource name. To see the principal ID, hover over the name.  
You can then expand each resource to display the specific API calls that were issued from that IP address by that resource. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  

![\[View of the Observed IP addresses tab of the Newly observed geolocations panel with an entry expanded to show the hierarchy of IP address, resources, and API methods.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_geo_ips.png)


**Resource**  
Initially displays the list of resources that issued API calls from the selected geolocation. The list displays the resource name. To see the principal ID, pause on the name. For each resource, the **Resource** tab also displays the associated AWS account.  
You can expand each user or role to display the list of API calls that were issued by that resource. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can then expand each API call to display the list of IP addresses from which the resource issued the API call.  

![\[View of the Resource tab of the Newly observed geolocations panel, with an entry expanded to show the hierarchy of user or role, API methods, and IP addresses.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_geo_resources.png)


## Sorting the activity details
<a name="drilldown-geolocation-sort"></a>

You can sort the activity details by any of the list columns.

When you sort using the first column, only the top-level list is sorted. The lower-level lists are always sorted by the count of successful API calls.

## Filtering the activity details
<a name="drilldown-geolocation-filter"></a>

You can use the filtering options to focus on specific subsets or aspects of the activity represented in the activity details.

On all of the tabs, you can filter the list by any of the values in the first column.

**To add a filter**

1. Choose the filter box.

1. From **Properties**, choose the property to use for the filtering.

1. Provide the value to use for the filtering. The filter supports partial values. For example, when you filter by API method, if you filter by **Instance**, the results include any API operation that has `Instance` in its name. So both `ListInstanceAssociations` and `UpdateInstanceInformation` would match.

   For service names, API methods, and IP addresses, you can either specify a value or choose a built-in filter.

   For **Common API substrings**, choose the substring that represents the type of operation, such as `List`, `Create`, or `Delete`. Each API method name starts with the operation type.

   For **CIDR patterns**, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.

1. If you have multiple filters, choose a Boolean option to set how those filters are connected.  
![\[List of available connectors between individual filters for the activity details filter.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_geo_filterconnectors.png)

1. To remove a filter, choose the **x** icon in the top-right corner.

1. To clear all of the filters, choose **Clear filter**.

# Activity details for overall VPC flow volume
<a name="profile-panel-drilldown-overall-vpc-volume"></a>

For an EC2 instance, the activity details for **Overall VPC flow volume** show the interactions between the EC2 instance and IP addresses during a selected time range.

For a Kubernetes pod, **Overall VPC flow volume** displays the overall volume of bytes into and out of the Kubernetes pod's assigned IP address for all destination IP addresses. The Kubernetes pod's IP address is not unique when `hostNetwork:true`. In this case, the panel shows traffic to other pods with the same configuration and the node hosting them.

For an IP address, the activity details for **Overall VPC flow volume** show the interactions between the IP address and EC2 instances during a selected time range.

To display the activity details for a single time interval, choose the time interval on the chart.

To display the activity details for the current scope time, choose **display details for scope time**.

## Content of the activity details
<a name="drilldown-vpc-volume-content"></a>

The content reflects the activity during the selected time range.

For an EC2 instance, the activity details contain an entry for each unique combination of IP address, local port, remote port, protocol, and direction.

For an IP address, the activity details contain an entry for each unique combination of EC2 instance, local port, remote port, protocol, and direction.

Each entry displays the volume of inbound traffic, the volume of outbound traffic, and whether the access request was accepted or rejected. On finding profiles, the **Annotations** column indicates when an IP address is related to the current finding.

![\[Activity details for the Overall VPC flow volume profile panel.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_initial.png)


## Sorting the activity details
<a name="drilldown-vpc-volume-sort"></a>

You can sort the activity details by any of the columns in the table.

By default, the activity details are sorted first by the annotations, then by the inbound traffic.

## Filtering the activity details
<a name="drilldown-vpc-volume-filter"></a>

To focus on specific activity, you can filter the activity details by the following values:
+ IP address or EC2 instance
+ Local or remote port
+ Direction
+ Protocol
+ Whether the request was accepted or rejected

**To add and remove filters**

1. Choose the filter box.

1. From **Properties**, choose the property to use for the filtering.

1. Provide the value to use for the filtering. The filter supports partial values.

   To filter by IP address, you can either specify a value or choose a built-in filter.

   For **CIDR patterns**, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.

1. If you have multiple filters, choose a Boolean option to set how those filters are connected.  
![\[List of available connectors between individual filters for the activity details filter.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_filterconnectors.png)

1. To remove a filter, choose the **x** icon in the top-right corner.

1. To clear all of the filters, choose **Clear filter**.

## Selecting the time range for the activity details
<a name="drilldown-vpc-volume-time-range"></a>

 When you first display the activity details, the time range is either the scope time or a selected time interval. You can change the time range for the activity details.

**To change the time range for the activity details**

1. Choose **Edit**.

1. On **Edit time window**, choose the start and end time to use.

   To set the time window to the default scope time for the profile, choose **Set to default scope time**.

1. Choose **Update time window**.

The time range for the activity details is highlighted on the profile panel charts.

![\[Highlighted time window for the activity details on the Overall VPC flow volume profile panel.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_timehighlight.png)


## Displaying the volume of traffic for selected rows
<a name="drilldown-vpc-volume-chart-details"></a>

When you identify rows that are of interest, you can display on the main charts the volume of traffic over time for those rows.

For each row to add to the charts, select the check box. For each selected row, the volume is displayed as a line on the inbound or outbound charts.

![\[Traffic for selected activity details rows displayed on the main charts for the Overall VPC flow volume profile panel.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_select_rows.png)


To focus on the traffic volume for the selected entries, you can hide the overall volume. To show or hide the overall traffic volume, toggle **Overall traffic**.

![\[Traffic for selected activity details rows displayed on the main charts on the Overall VPC flow volume profile panel. Overall traffic is hidden.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_overall_off.png)


## Displaying the VPC flow traffic for EKS clusters
<a name="display-traffic-for-eks-clusters"></a>

Detective has visibility into your Amazon Virtual Private Cloud (Amazon VPC) flow logs, which represent the traffic that traverses your Amazon Elastic Kubernetes Service (Amazon EKS) clusters. For Kubernetes resources, the content of the VPC flow logs depends on the Container Network Interface (CNI) deployed in the EKS cluster.

An EKS cluster with a default configuration uses the Amazon VPC CNI plugin. For more details, see [Managing VPC CNI](https://docs.aws.amazon.com//eks/latest/userguide/managing-vpc-cni.html) in the **Amazon EKS User Guide**. The Amazon VPC CNI plugin sends internal traffic with the IP address of the pod and translates the source IP address to the IP address of the node for external communication. Detective can capture and correlate internal traffic to the correct pod but it can’t do the same for external traffic.

If you want Detective to have visibility into the external traffic of your pods, enable External Source Network Address Translation (SNAT). Enabling SNAT comes with limitations and drawbacks. For more details, see [ SNAT for pods](https://docs.aws.amazon.com//eks/latest/userguide/external-snat.html) in the **Amazon EKS User Guide**.

If you use a different CNI plugin, Detective has limited visibility to pods with `hostNetwork:true`. For these pods, the **VPC Flow** panel displays all traffic to the IP address of the pod. This includes the traffic to the host node and any pod on the node with the `hostNetwork:true` configuration.

Detective displays traffic in the **VPC flow** panel of an EKS pod for the following EKS cluster configurations:
+ In a cluster with the Amazon VPC CNI plugin, any pod with the configuration `hostNetwork:false` sending traffic inside the VPC of the cluster.
+ In a cluster with the Amazon VPC CNI plugin and the configuration `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`, any pod with `hostNetwork:false` sending traffic outside the VPC of the cluster.
+ Any pod with the configuration `hostNetwork:true`. Traffic from the node is mixed with traffic from other pods that have the configuration `hostNetwork:true`.

Detective does not display traffic in the **VPC flow** panel for:
+ In a cluster with the Amazon VPC CNI plugin and the configuration `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, any pod with the configuration `hostNetwork:false` sending traffic outside the VPC of the cluster.
+ In a cluster without the Amazon VPC CNI plugin for Kubernetes, any pod with the configuration `hostNetwork:false`.
+ Any pod sending traffic to another pod that is hosted in the same node.

## Displaying the VPC flow traffic for shared Amazon VPCs
<a name="vpc-flow-traffic-shared-vpc"></a>

Detective has visibility into your Amazon Virtual Private Cloud (Amazon VPC) flow logs for shared VPCs:
+ If a Detective member account has a shared Amazon VPC and there are other non-Detective accounts using the shared VPC, Detective monitors all traffic from that VPC, and provides visualization on all the traffic flow within the VPC. 
+ If you have an Amazon EC2 instance inside a shared Amazon VPC and the shared VPC owner is not a Detective member, Detective will not monitor any traffic from the VPC. If you want to view the traffic flow within the VPC, you must add the Amazon VPC owner as a member of your Detective graph.

# Overall Kubernetes API activity involving EKS cluster
<a name="profile-panel-drilldown-kubernetes-api-volume"></a>

The activity details for **Overall Kubernetes API activity involving EKS cluster** show the number of successful and failed Kubernetes API calls that were issued during a selected time range.

To display the activity details for a single time interval, choose the time interval on the chart.

To display the activity details for the current scope time, choose **Display details for scope time**.

## Content of the activity details (Cluster, pod, user, role, role session)
<a name="drilldown-kubernetes-api-volume-content"></a>

For a cluster, pod, user, role, or role session, the activity details contain the following information:
+ Each tab provides information about the set of API calls that were issued during the selected time range.

  For clusters, the API calls occurred inside the cluster.

  For pods, the API calls targeted the pod.

  For users, roles, and role sessions, the API calls were issued by Kubernetes users that authenticated as that user, role, or role session.
+ For each entry, the activity details show the number of successful, failed, unauthorized, and forbidden calls.
+ The information includes the IP address, the type of Kubernetes call, the entity that was affected by the call, and the subject (service account or user) that made the call. From the activity details, you can pivot to the profiles for the IP address, subject, and the affected entity.

The activity details contain the following tabs:

**Subject**  
Initially displays the list of service accounts and users that were used to make API calls.  
You can expand each service account and user to display the list of IP addresses from which the account or user made API calls.  
You can then expand each IP address to show the Kubernetes API calls that were made by that account or user from that IP address.   
Expand the Kubernetes API call to see the `requestURI `to identify the action that was done.  

![\[View of the Subjects tab of the Overall Kubernetes API call volume panel, with an entry expanded to show the hierarchy of IP address, and API calls.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/kube-subject-drilldown.png)


**IP Address**  
Initially displays the list of IP addresses from which the API calls were made.  
You can expand each call to display the list of Kubernetes subjects (service accounts and users) that made the call.  
You can then expand each subject to a list of API call types made by the subject during the scope time.  
Expand the API call type to see the requestURI to identify the action that was done.  

![\[View of the IP address tab of the Overall Kubernetes API call volume panel, with an entry expanded to show the hierarchy of API calls, IP addresses, and AKIDs. API calls are grouped by service\]](http://docs.aws.amazon.com/detective/latest/userguide/images/kube-ip-drilldown.png)


**Kubernetes API call**  
Initially displays the list of Kubernetes API call verbs.  
You can expand each API verb to display the requestURIs associated with that action.  
You can then expand each requestURI to see Kubernetes subject (service accounts and users) that made the API call.  
Expand the subject to see which IPs that subject used to make the API call.  

![\[View of the Resource tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of AKIDs, IP addresses, and API calls grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_resource.png)


## Sorting the activity details
<a name="drilldown-kubernetes-api-volume-sort"></a>

You can sort the activity details by any of the list columns.

When you sort using the first column, only the top-level list is sorted. The lower-level lists are always sorted by the count of successful API calls.

## Filtering the activity details
<a name="drilldown-kubernetes-api-volume-filter"></a>

You can use the filtering options to focus on specific subsets or aspects of the activity represented in the activity details.

On all of the tabs, you can filter the list by any of the values in the first column.

## Selecting the time range for the activity details
<a name="drilldown-kubernetes-api-volume-time-range"></a>

 When you first display the activity details, the time range is either the scope time or a selected time interval. You can change the time range for the activity details.

**To change the time range for the activity details**

1. Choose **Edit**.

1. On **Edit time window**, choose the start and end time to use.

   To set the time window to the default scope time for the profile, choose **Set to default scope time**.

1. Choose **Update time window**.

The time range for the activity details is highlighted on the profile panel charts.

![\[Highlighted time window for the Overall API call volume profile panel\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_timehighlight.png)


## Using profile panel guidance during an investigation
<a name="profile-panel-guidance"></a>

Each profile panel is designed to provide answers to specific questions that arise as you conduct an investigation and analyze the activity for the related entities.

The guidance provided for each profile panel helps you find these answers.

Profile panel guidance starts with a single sentence on the panel itself. This guidance provides a brief explanation of the data presented on the panel.

To display more detailed guidance for a panel, choose **More info** from the panel heading. This extended guidance appears in the help pane.

The guidance can provide these types of information:
+ An overview of the panel content
+ How to use the panel to answer the relevant questions
+ Suggested next steps based on the answers

# Managing the scope time
<a name="scope-time-managing"></a>

Customize the scope time used to limit the data displayed on entity profiles.

The charts, timelines, and other data displayed on entity profiles are all based on the current scope time. Scope time is the summary of activity for an entity over time. This appears at the top right of each profile in the Amazon Detective console. The data displayed on those charts, timelines, and other visualizations is based on the scope time. For some profile panels, additional time is added before and after the scope time to provide context. In Detective, all timestamps are displayed in UTC by default. You can select your local time zone by changing the **Timestamp preferences**. To update the **Timestamp preference**, see [Setting the timestamp format](profile-panel-preferences.md#profile-panel-preferences-timestamp).

Detective analytics uses the scope time when checking for unusual activity. The analytics process gets the activity during the scope time, then compares it to the activity during the 45 days before the scope time. It also uses that 45-day timeframe to generate baselines of activity. 

On a finding overview, the scope time reflects the first and last time the finding was observed. For more information about finding overview, see [Analyzing a finding overview in Detective](finding-overview.md).

As you work through an investigation, you can adjust the scope time. For example, if the original analysis was based on activity from a single day, you might want to expand that to a week or a month. The expanded period could help you get a better sense of whether the activity fits a normal pattern or is unusual.

You can also set the scope time to match an associated finding for the current entity.

When you change the scope time, Detective repeats its analysis and updates the displayed data based on the new scope time.

The scope time cannot be shorter than one hour and not longer than one year. The start and end time must be on an hour.

## Setting specific start and end dates and times
<a name="scope-time-select-date"></a>

You can set the scope time start and end dates from the Detective console.

**To set specific start and end times for the new scope time**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. On an entity profile, choose the scope time.

1. On the **Edit scope time** panel, under **Start**, choose the new start date and time for the scope time. For the new start time, you choose the hour only.

1. Under **End**, choose the new end date and time for the scope time. For the new end time, you choose the hour only. The end time must be at least an hour later than the start time.

1. When you're finished editing, to save the changes and update the displayed data, choose **Update scope time**.

## Edit the length of time for the scope time
<a name="scope-time-select-length"></a>

When you set a scope time length, Detective sets the scope time to that amount of time from the current time.

**To edit the length of time for the scope time**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. On an entity profile, choose the scope time.

1. On the **Edit scope time** panel, next to **Historical**, choose the length of time for the scope time.

   Specifying a time range updates the **Start** and **End** settings.

1. When you're finished editing, to save the changes and update the displayed data, choose **Update scope time**.

## Setting the scope time to a finding time window
<a name="scope-time-align-to-finding"></a>

Each finding has an associated time window, which reflects the first and last times the finding was observed. When you view a finding overview, the scope time changes to the finding time window.

From an entity profile, you can align the scope time to the time window for an associated finding. This allows you to investigate the activity that occurred during that time.

To align the scope time to a finding time window, on the **Associated findings** panel, choose the finding that you want to use.

Detective populates the finding details and sets the scope time to the finding time window.

## Setting the scope time on the summary page
<a name="scope-time-summary-page"></a>

As you review the **Summary** page, you can adjust the Scope time to view the activity for any 24-hour time frame in the previous 365 days.

To set the scope time on the Summary page

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Summary**. 

1. On the **Scope time** panel, next to **Summary**, you can change the **Start date and time**. Start time must be within the last 365 days.

   When you change the **Start date and time**, the **End date and time** is automatically updated to 24 hours after your chosen start time.
**Note**  
With Detective, you can access up to a year of historical event data. For more information on source data in Detective, see [Source data used in a behavior graph](https://docs.aws.amazon.com/detective/latest/userguide/detective-source-data-about.html).

1. When you're finished editing, to save the changes and update the displayed data, choose **Update scope time**.

# Viewing details for associated findings in Detective
<a name="entity-finding-list"></a>

Each entity profile contains an associated findings panel that lists the findings that involved the entity during the current scope time. One indication that an entity has been compromised is its involvement in multiple findings. The types of findings can also provide insight into the type of activity to be concerned about.

The associated findings panel is displayed immediately below the entity details profile panel.

For each finding, the table includes the following information:
+ The finding title, which is also a link to the finding overview.
+ The AWS account associated with the finding, which is also a link to the account profile
+ The finding type
+ The earliest time that the finding was observed
+ The most recent time that the finding was observed
+ The finding severity

To display the finding details for a finding, choose the radio button for the finding. Detective populates the finding details panel at the right of the page. Detective also changes the scope time to be the finding time window. This allows you to focus on activity that occurred during that time.

If you navigated to the entity profile from a finding overview, then that finding is selected automatically and the details for the finding are displayed.

From the finding details, to navigate back to the finding overview, choose **See all related entities**.

You can also archive the finding. For more details, see [Archiving an Amazon GuardDuty finding](https://docs.aws.amazon.com//detective/latest/userguide/finding-update-status.html).

# Viewing details for high-volume entities in Detective
<a name="high-volume-entities"></a>

In the [behavior graph](behavior-graph-data-about.md), Amazon Detective tracks relationships between entities. For example, each behavior graph tracks when an AWS user creates an AWS role and when an EC2 instance connects to an IP address.

When an entity has too many relationships during a time period, Detective cannot store all of the relationships. When this occurs during the current scope time, Detective notifies you. Detective also provides a list of occurrences of high-volume entities.

## What is a high-volume entity?
<a name="high-volume-entity-about"></a>

During a given time interval, an entity might be the origin or destination of an extremely large number of connections. For example, an EC2 instance may have connections from millions of IP addresses.

Detective maintains a limit on the number of connections that it can accommodate during each time interval. If an entity exceeds that limit, then Detective discards the connections for that time interval.

For example, assume that the limit is 100,000,000 connections per time interval. If an EC2 instance is connected to by more than 100,000,000 IP addresses during a time interval, then Detective discards the connections from that time interval.

However, you might be able to analyze that activity based on the entity at the other end of the relationship. To continue the example, while an EC2 instance might be connected to from millions of IP addresses, a single IP address connects to far fewer EC2 instances. Each IP address profile provides details about the EC2 instances that the IP address connected to.

## Viewing the high-volume entity notification on a profile
<a name="high-volume-entity-profile-notification"></a>

Detective displays a notice at the top of a finding or entity profile if the scope time includes a time interval where the entity is high-volume. For finding profiles, the notice is for the involved entity.

The notice includes the list of relationships that have high-volume time intervals. Each list entry contains a description of the relationship and the start of the high-volume time interval.

A high-volume time interval might be an indicator of suspicious activity. To understand what other activity occurred at the same time, you can focus your investigation on a high-volume time interval. The high-volume entity notice includes an option to set the scope time to that time interval.

**To set the scope time to a high-volume time interval**

1. In the high-volume entity notice, choose the time interval.

1. On the pop-up menu, choose **Apply scope time**.

## Viewing the list of high-volume entities for the current scope time
<a name="high-volume-entity-list"></a>

The **High-volume entities** page contains a list of high-volume time intervals and entities during the current scope time.

**To display the High-volume entities page**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **High-volume entities**.

Each entry in the list contains the following information:
+ The start of the high-volume time interval
+ The identifier and type of the entity
+ The description of the relationship, such as "EC2 instance connected from IP address"

You can filter and sort the list by any of the columns. You can also navigate to the entity profile for an involved entity.

**To navigate to the profile for an entity**

1. In the **High-volume entities** list, choose the row to navigate from.

1. Choose **View profile with high-volume scope time**.

When you use this option to navigate to an entity profile, the scope time is set as follows:
+ The scope time starts 30 days before the high-volume time interval.
+ The scope time ends at the end of the high-volume time interval.