# Exploring activity details on a profile panel
<a name="profile-panel-drilldown"></a>

During an investigation, you might want to investigate further into the pattern of activity for an entity.

On the following profile panels, you can display a summary of the activity details:
+ **Overall API call volume**, except for the profile panel on the user agent profile
+ **Newly observed geolocations**
+ **Overall VPC flow volume**
+ **VPC flow volume to and from the finding IP address**, for findings that are associated with a single IP address
+ **Container details**
+ **VPC flow volume** for clusters
+ **Overall Kubernetes API activity**

The activity details can answer these types of questions:
+ Which IP addresses were used?
+ Where were those IP addresses located?
+ Which API calls did each IP address make, and from which services did they make those calls?
+ Which principals or access key identifiers (AKIDs) were used to make the calls?
+ What resources were used to make those calls?
+ How many calls were made? How many succeeded and failed?
+ What volume of VPC flow log data was sent to or from each IP address?
+ What containers were active for a given cluster, image, or pod?

**Topics**
+ [Activity details for Overall API call volume](profile-panel-drilldown-overall-api-volume.md)
+ [Activity details for a geolocation](profile-panel-drilldown-new-geolocations.md)
+ [Activity details for overall VPC flow volume](profile-panel-drilldown-overall-vpc-volume.md)
+ [Overall Kubernetes API activity involving EKS cluster](profile-panel-drilldown-kubernetes-api-volume.md)

# Activity details for Overall API call volume
<a name="profile-panel-drilldown-overall-api-volume"></a>

The activity details for **Overall API call volume** show the API calls that were issued during a selected time range.

To display the activity details for a single time interval, choose the time interval on the chart.

To display the activity details for the current scope time, choose **Display details for scope time**.

Note that Detective began to store and display the service name for API calls as of July 14, 2021. That date is highlighted on the profile panel timeline. For activity that occurs before that date, the service name is **Unknown service**.

## Content of the activity details (users, roles, accounts, role sessions, EC2 instances, S3 buckets)
<a name="drilldown-api-volume-content"></a>

For IAM users, IAM roles, accounts, role sessions, EC2 instances, and S3 buckets, the activity details contain the following information:
+ Each tab provides information about the set of API calls that were issued during the selected time range.

  For S3 buckets, the information reflects API calls that were made to the S3 bucket.

  The API calls are grouped by the services that called them. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.
+ For each entry, the activity details show the number of successful and failed calls. The **Observed IP addresses** tab also shows the location of each IP address.
+ Each entry shows information about who made the calls. For accounts, the activity details identify the users or roles. For roles, the activity details identify the role sessions. For users and role sessions, the activity details identify the access key identifiers (AKIDs).

  Note that as of July 14, 2021, for account profiles, the activity details show users or roles instead of AKIDs. For role profiles, the activity details show role sessions instead of AKIDs. For activity that occurs before July 14, 2021, the caller is listed as **Unknown resource**.

The activity details contain the following tabs:

**Observed IP addresses**  
Initially displays the list of IP addresses used to issue API calls.  
You can expand each IP address to display the list of API calls that were issued from that IP address. The API calls are grouped by the services that called them. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can then expand each API call to display the list of callers from that IP address. Depending on the profile, the caller might be a user, role, role session, or AKID.  

![\[View of the Observed IP addresses tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of IP address, API calls, and AKIDs. API calls are grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_ipaddress.png)


**API method by service**  
Initially displays the list of API calls that were issued. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can expand each API method to display the list of IP addresses from which the calls were issued.  
You can then expand each IP address to display the list of AKIDs that issued that API call from that IP address.  

![\[View of the API method by service tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of API calls, IP addresses, and AKIDs. API calls are grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_apimethods.png)


**Resource or Access Key ID**  
Initially displays the list of users, roles, role sessions, or AKIDs that were used to issue API calls.  
You can expand each caller to display the list of IP addresses from which the caller issued API calls.  
You can then expand each IP address to display the list of API calls that were issued from that IP address by that caller. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under** Unknown service**.  

![\[View of the Resource tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of AKIDs, IP addresses, and API calls grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_resource.png)


## Content of the activity details (IP addresses)
<a name="drilldown-api-volume-content-ip"></a>

For IP addresses, the activity details contain the following information:
+ Each tab provides information about the set of API calls that were issued during the selected time range. The API calls are grouped by the services that issued the calls. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.
+ For each entry, the activity details show the number of successful and failed calls.

The activity details contain the following tabs:

**Resource**  
Initially displays the list of resources that issued API calls from the IP address.  
For each resource, the list includes the resource name, the type, and the AWS account.  
You can expand each resource to display the list of API calls that the resource issued from the IP address. The API calls are grouped by the services that issued the calls. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  

![\[View of the Resource tab of the activity details on the Overall API call volume profile panel for an IP address.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_ip_resource.png)


**API method by service**  
Initially displays the list of API calls that were issued. The API calls are grouped by the services that issued the calls. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can expand each API call to display the list of resources that issued the API call from the IP address during the selected time period.  

![\[View of the API method by service tab of the activity details of the Overall API call volume profile panel for an IP address.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_ip_apimethods.png)


## Sorting the activity details
<a name="drilldown-api-volume-sort"></a>

You can sort the activity details by any of the list columns.

When you sort using the first column, only the top-level list is sorted. The lower-level lists are always sorted by the count of successful API calls.

## Filtering the activity details
<a name="drilldown-api-volume-filter"></a>

You can use the filtering options to focus on specific subsets or aspects of the activity represented in the activity details.

On all of the tabs, you can filter the list by any of the values in the first column.

**To add a filter**

1. Choose the filter box.

1. From **Properties**, choose the property to use for the filtering.

1. Provide the value to use for the filtering. The filter supports partial values. For example, when you filter by API method, if you filter by **Instance**, the results include any API operation that has `Instance` in its name. So both `ListInstanceAssociations` and `UpdateInstanceInformation` would match.

   For service names, API methods, and IP addresses, you can either specify a value or choose a built-in filter.

   For **Common API substrings**, choose the substring that represents the type of operation, such as `List`, `Create`, or `Delete`. Each API method name starts with the operation type.

   For **CIDR patterns**, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.

1. Choose a Boolean option *Resource* or *Service*** : Contains** or **\$1: Does not contain**; or *API method* or *IP address*** = Equals** or **\$1: Does not equal** to set filters.  
![\[List of available filters for the activity details filter.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/api-volume-search.png)

To remove a filter, choose the **x** icon in the top-right corner.

To clear all of the filters, choose **Clear filter**.

## Selecting the time range for the activity details
<a name="drilldown-api-volume-time-range"></a>

 When you first display the activity details, the time range is either the scope time or a selected time interval. You can change the time range for the activity details.

**To change the time range for the activity details**

1. Choose **Edit**.

1. On **Edit time window**, choose the start and end time to use.

   To set the time window to the default scope time for the profile, choose **Set to default scope time**.

1. Choose **Update time window**.

The time range for the activity details is highlighted on the profile panel charts.

![\[Highlighted time window for the Overall API call volume profile panel\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_timehighlight.png)


## Querying raw logs
<a name="query-raw-logs"></a>

Amazon Detective integrates with Amazon Security Lake, which means that you can query and retrieve the raw log data stored by Security Lake. For more details about this integration, see [Amazon Detective Integration with Amazon Security Lake](securitylake-integration.md).

Using this integration, you can collect and query logs and events from the following sources which Security Lake natively supports.
+ AWS CloudTrail management events version 1.0 and after
+ Amazon Virtual Private Cloud (Amazon VPC) Flow Logs version 1.0 and after
+ Amazon Elastic Kubernetes Service (Amazon EKS) Audit Log version 2.0

**Note**  
There are no additional charges to query raw data logs in Detective. Usage charges for other AWS Services, including Amazon Athena, still apply at published rates.

**To query raw logs**

1. Choose **display details for scope time**. 

1. From here, you can start to **Query raw logs**. 

1. In the **Raw log preview** table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena. 

   From the Query raw logs table, you can **Cancel query request**, **See results in Amazon Athena**, and **Download results** as a comma-separated values (.csv) file. 

If you see logs in Detective, but the query returned no results, it could happen because of the following reasons.
+ Raw logs may become available in Detective before showing up in Security Lake log tables. Try again later.
+ Logs may be missing from Security Lake. If you waited for an extended period of time, it indicates that logs are missing from Security Lake. Contact your Security Lake administrator to resolve the issue.

# Activity details for a geolocation
<a name="profile-panel-drilldown-new-geolocations"></a>

The activity details for **Newly observed geolocations** show the API calls that were issued from a geolocation during the scope time. The API calls include all calls issued from the geolocation. They are not limited to calls that used the finding or profile entity. For S3 buckets, the activity calls are API calls made to the S3 bucket.

Detective determines the location of requests using MaxMind GeoIP databases. MaxMind reports very high accuracy of their data at the country level, although accuracy varies according to factors such as country and type of IP. For more information about MaxMind, see [MaxMind IP Geolocation](https://support.maxmind.com/hc/en-us/sections/4407519834267-IP-Geolocation). If you think any of the GeoIP data is incorrect, you can submit a correction request to Maxmind at [MaxMind Correct GeoIP2 Data](https://support.maxmind.com/hc/en-us/articles/4408252036123-GeoIP-Correction).

The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.

To display the activity details, do one of the following:
+ On the map, choose a geolocation.
+ In the list, choose **Details** for a geolocation.

The activity details replace the geolocation list. To return to the geolocation list, choose **Return to all results**.

Note that Detective began to store and display the service name for API calls as of July 14, 2021. For activity that occurs before that date, the service name is **Unknown service**.

## Content of the activity details
<a name="profile-panel-drilldown-geolocation-content"></a>

Each tab provides information about all of the API calls that were issued from the geolocation during the scope time.

For each IP address, resource, and API method, the list shows the number of successful and failed API calls.

The activity details contain the following tabs:

**Observed IP addresses**  
Initially displays the list of IP addresses that were used to issue API calls from the selected geolocation.  
You can expand each IP address to display the resources that issued API calls from that IP address. The list displays the resource name. To see the principal ID, hover over the name.  
You can then expand each resource to display the specific API calls that were issued from that IP address by that resource. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  

![\[View of the Observed IP addresses tab of the Newly observed geolocations panel with an entry expanded to show the hierarchy of IP address, resources, and API methods.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_geo_ips.png)


**Resource**  
Initially displays the list of resources that issued API calls from the selected geolocation. The list displays the resource name. To see the principal ID, pause on the name. For each resource, the **Resource** tab also displays the associated AWS account.  
You can expand each user or role to display the list of API calls that were issued by that resource. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under **Unknown service**.  
You can then expand each API call to display the list of IP addresses from which the resource issued the API call.  

![\[View of the Resource tab of the Newly observed geolocations panel, with an entry expanded to show the hierarchy of user or role, API methods, and IP addresses.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_geo_resources.png)


## Sorting the activity details
<a name="drilldown-geolocation-sort"></a>

You can sort the activity details by any of the list columns.

When you sort using the first column, only the top-level list is sorted. The lower-level lists are always sorted by the count of successful API calls.

## Filtering the activity details
<a name="drilldown-geolocation-filter"></a>

You can use the filtering options to focus on specific subsets or aspects of the activity represented in the activity details.

On all of the tabs, you can filter the list by any of the values in the first column.

**To add a filter**

1. Choose the filter box.

1. From **Properties**, choose the property to use for the filtering.

1. Provide the value to use for the filtering. The filter supports partial values. For example, when you filter by API method, if you filter by **Instance**, the results include any API operation that has `Instance` in its name. So both `ListInstanceAssociations` and `UpdateInstanceInformation` would match.

   For service names, API methods, and IP addresses, you can either specify a value or choose a built-in filter.

   For **Common API substrings**, choose the substring that represents the type of operation, such as `List`, `Create`, or `Delete`. Each API method name starts with the operation type.

   For **CIDR patterns**, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.

1. If you have multiple filters, choose a Boolean option to set how those filters are connected.  
![\[List of available connectors between individual filters for the activity details filter.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_geo_filterconnectors.png)

1. To remove a filter, choose the **x** icon in the top-right corner.

1. To clear all of the filters, choose **Clear filter**.

# Activity details for overall VPC flow volume
<a name="profile-panel-drilldown-overall-vpc-volume"></a>

For an EC2 instance, the activity details for **Overall VPC flow volume** show the interactions between the EC2 instance and IP addresses during a selected time range.

For a Kubernetes pod, **Overall VPC flow volume** displays the overall volume of bytes into and out of the Kubernetes pod's assigned IP address for all destination IP addresses. The Kubernetes pod's IP address is not unique when `hostNetwork:true`. In this case, the panel shows traffic to other pods with the same configuration and the node hosting them.

For an IP address, the activity details for **Overall VPC flow volume** show the interactions between the IP address and EC2 instances during a selected time range.

To display the activity details for a single time interval, choose the time interval on the chart.

To display the activity details for the current scope time, choose **display details for scope time**.

## Content of the activity details
<a name="drilldown-vpc-volume-content"></a>

The content reflects the activity during the selected time range.

For an EC2 instance, the activity details contain an entry for each unique combination of IP address, local port, remote port, protocol, and direction.

For an IP address, the activity details contain an entry for each unique combination of EC2 instance, local port, remote port, protocol, and direction.

Each entry displays the volume of inbound traffic, the volume of outbound traffic, and whether the access request was accepted or rejected. On finding profiles, the **Annotations** column indicates when an IP address is related to the current finding.

![\[Activity details for the Overall VPC flow volume profile panel.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_initial.png)


## Sorting the activity details
<a name="drilldown-vpc-volume-sort"></a>

You can sort the activity details by any of the columns in the table.

By default, the activity details are sorted first by the annotations, then by the inbound traffic.

## Filtering the activity details
<a name="drilldown-vpc-volume-filter"></a>

To focus on specific activity, you can filter the activity details by the following values:
+ IP address or EC2 instance
+ Local or remote port
+ Direction
+ Protocol
+ Whether the request was accepted or rejected

**To add and remove filters**

1. Choose the filter box.

1. From **Properties**, choose the property to use for the filtering.

1. Provide the value to use for the filtering. The filter supports partial values.

   To filter by IP address, you can either specify a value or choose a built-in filter.

   For **CIDR patterns**, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.

1. If you have multiple filters, choose a Boolean option to set how those filters are connected.  
![\[List of available connectors between individual filters for the activity details filter.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_filterconnectors.png)

1. To remove a filter, choose the **x** icon in the top-right corner.

1. To clear all of the filters, choose **Clear filter**.

## Selecting the time range for the activity details
<a name="drilldown-vpc-volume-time-range"></a>

 When you first display the activity details, the time range is either the scope time or a selected time interval. You can change the time range for the activity details.

**To change the time range for the activity details**

1. Choose **Edit**.

1. On **Edit time window**, choose the start and end time to use.

   To set the time window to the default scope time for the profile, choose **Set to default scope time**.

1. Choose **Update time window**.

The time range for the activity details is highlighted on the profile panel charts.

![\[Highlighted time window for the activity details on the Overall VPC flow volume profile panel.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_timehighlight.png)


## Displaying the volume of traffic for selected rows
<a name="drilldown-vpc-volume-chart-details"></a>

When you identify rows that are of interest, you can display on the main charts the volume of traffic over time for those rows.

For each row to add to the charts, select the check box. For each selected row, the volume is displayed as a line on the inbound or outbound charts.

![\[Traffic for selected activity details rows displayed on the main charts for the Overall VPC flow volume profile panel.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_select_rows.png)


To focus on the traffic volume for the selected entries, you can hide the overall volume. To show or hide the overall traffic volume, toggle **Overall traffic**.

![\[Traffic for selected activity details rows displayed on the main charts on the Overall VPC flow volume profile panel. Overall traffic is hidden.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_vpc_overall_off.png)


## Displaying the VPC flow traffic for EKS clusters
<a name="display-traffic-for-eks-clusters"></a>

Detective has visibility into your Amazon Virtual Private Cloud (Amazon VPC) flow logs, which represent the traffic that traverses your Amazon Elastic Kubernetes Service (Amazon EKS) clusters. For Kubernetes resources, the content of the VPC flow logs depends on the Container Network Interface (CNI) deployed in the EKS cluster.

An EKS cluster with a default configuration uses the Amazon VPC CNI plugin. For more details, see [Managing VPC CNI](https://docs.aws.amazon.com//eks/latest/userguide/managing-vpc-cni.html) in the **Amazon EKS User Guide**. The Amazon VPC CNI plugin sends internal traffic with the IP address of the pod and translates the source IP address to the IP address of the node for external communication. Detective can capture and correlate internal traffic to the correct pod but it can’t do the same for external traffic.

If you want Detective to have visibility into the external traffic of your pods, enable External Source Network Address Translation (SNAT). Enabling SNAT comes with limitations and drawbacks. For more details, see [ SNAT for pods](https://docs.aws.amazon.com//eks/latest/userguide/external-snat.html) in the **Amazon EKS User Guide**.

If you use a different CNI plugin, Detective has limited visibility to pods with `hostNetwork:true`. For these pods, the **VPC Flow** panel displays all traffic to the IP address of the pod. This includes the traffic to the host node and any pod on the node with the `hostNetwork:true` configuration.

Detective displays traffic in the **VPC flow** panel of an EKS pod for the following EKS cluster configurations:
+ In a cluster with the Amazon VPC CNI plugin, any pod with the configuration `hostNetwork:false` sending traffic inside the VPC of the cluster.
+ In a cluster with the Amazon VPC CNI plugin and the configuration `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`, any pod with `hostNetwork:false` sending traffic outside the VPC of the cluster.
+ Any pod with the configuration `hostNetwork:true`. Traffic from the node is mixed with traffic from other pods that have the configuration `hostNetwork:true`.

Detective does not display traffic in the **VPC flow** panel for:
+ In a cluster with the Amazon VPC CNI plugin and the configuration `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, any pod with the configuration `hostNetwork:false` sending traffic outside the VPC of the cluster.
+ In a cluster without the Amazon VPC CNI plugin for Kubernetes, any pod with the configuration `hostNetwork:false`.
+ Any pod sending traffic to another pod that is hosted in the same node.

## Displaying the VPC flow traffic for shared Amazon VPCs
<a name="vpc-flow-traffic-shared-vpc"></a>

Detective has visibility into your Amazon Virtual Private Cloud (Amazon VPC) flow logs for shared VPCs:
+ If a Detective member account has a shared Amazon VPC and there are other non-Detective accounts using the shared VPC, Detective monitors all traffic from that VPC, and provides visualization on all the traffic flow within the VPC. 
+ If you have an Amazon EC2 instance inside a shared Amazon VPC and the shared VPC owner is not a Detective member, Detective will not monitor any traffic from the VPC. If you want to view the traffic flow within the VPC, you must add the Amazon VPC owner as a member of your Detective graph.

# Overall Kubernetes API activity involving EKS cluster
<a name="profile-panel-drilldown-kubernetes-api-volume"></a>

The activity details for **Overall Kubernetes API activity involving EKS cluster** show the number of successful and failed Kubernetes API calls that were issued during a selected time range.

To display the activity details for a single time interval, choose the time interval on the chart.

To display the activity details for the current scope time, choose **Display details for scope time**.

## Content of the activity details (Cluster, pod, user, role, role session)
<a name="drilldown-kubernetes-api-volume-content"></a>

For a cluster, pod, user, role, or role session, the activity details contain the following information:
+ Each tab provides information about the set of API calls that were issued during the selected time range.

  For clusters, the API calls occurred inside the cluster.

  For pods, the API calls targeted the pod.

  For users, roles, and role sessions, the API calls were issued by Kubernetes users that authenticated as that user, role, or role session.
+ For each entry, the activity details show the number of successful, failed, unauthorized, and forbidden calls.
+ The information includes the IP address, the type of Kubernetes call, the entity that was affected by the call, and the subject (service account or user) that made the call. From the activity details, you can pivot to the profiles for the IP address, subject, and the affected entity.

The activity details contain the following tabs:

**Subject**  
Initially displays the list of service accounts and users that were used to make API calls.  
You can expand each service account and user to display the list of IP addresses from which the account or user made API calls.  
You can then expand each IP address to show the Kubernetes API calls that were made by that account or user from that IP address.   
Expand the Kubernetes API call to see the `requestURI `to identify the action that was done.  

![\[View of the Subjects tab of the Overall Kubernetes API call volume panel, with an entry expanded to show the hierarchy of IP address, and API calls.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/kube-subject-drilldown.png)


**IP Address**  
Initially displays the list of IP addresses from which the API calls were made.  
You can expand each call to display the list of Kubernetes subjects (service accounts and users) that made the call.  
You can then expand each subject to a list of API call types made by the subject during the scope time.  
Expand the API call type to see the requestURI to identify the action that was done.  

![\[View of the IP address tab of the Overall Kubernetes API call volume panel, with an entry expanded to show the hierarchy of API calls, IP addresses, and AKIDs. API calls are grouped by service\]](http://docs.aws.amazon.com/detective/latest/userguide/images/kube-ip-drilldown.png)


**Kubernetes API call**  
Initially displays the list of Kubernetes API call verbs.  
You can expand each API verb to display the requestURIs associated with that action.  
You can then expand each requestURI to see Kubernetes subject (service accounts and users) that made the API call.  
Expand the subject to see which IPs that subject used to make the API call.  

![\[View of the Resource tab of the Overall API call volume panel, with an entry expanded to show the hierarchy of AKIDs, IP addresses, and API calls grouped by service.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_resource.png)


## Sorting the activity details
<a name="drilldown-kubernetes-api-volume-sort"></a>

You can sort the activity details by any of the list columns.

When you sort using the first column, only the top-level list is sorted. The lower-level lists are always sorted by the count of successful API calls.

## Filtering the activity details
<a name="drilldown-kubernetes-api-volume-filter"></a>

You can use the filtering options to focus on specific subsets or aspects of the activity represented in the activity details.

On all of the tabs, you can filter the list by any of the values in the first column.

## Selecting the time range for the activity details
<a name="drilldown-kubernetes-api-volume-time-range"></a>

 When you first display the activity details, the time range is either the scope time or a selected time interval. You can change the time range for the activity details.

**To change the time range for the activity details**

1. Choose **Edit**.

1. On **Edit time window**, choose the start and end time to use.

   To set the time window to the default scope time for the profile, choose **Set to default scope time**.

1. Choose **Update time window**.

The time range for the activity details is highlighted on the profile panel charts.

![\[Highlighted time window for the Overall API call volume profile panel\]](http://docs.aws.amazon.com/detective/latest/userguide/images/screen_profile_panel_drilldown_api_timehighlight.png)


## Using profile panel guidance during an investigation
<a name="profile-panel-guidance"></a>

Each profile panel is designed to provide answers to specific questions that arise as you conduct an investigation and analyze the activity for the related entities.

The guidance provided for each profile panel helps you find these answers.

Profile panel guidance starts with a single sentence on the panel itself. This guidance provides a brief explanation of the data presented on the panel.

To display more detailed guidance for a panel, choose **More info** from the panel heading. This extended guidance appears in the help pane.

The guidance can provide these types of information:
+ An overview of the panel content
+ How to use the panel to answer the relevant questions
+ Suggested next steps based on the answers