  1. Features
    1. Automatic data collection across all your AWS accounts
      1. Integration with Organizations
        1. Administrator account
        2. Detective administrator account
        3. Member account
        4. Delegated administrator account (AWS Organizations)
      2. Simplify setup with AWS Organizations
    2. Consolidates disparate events into a graph model
    3. Interactive visualizations for efficient investigation
    4. Seamless integration for investigating a security finding
    5. Simple deployment with no upfront data source integration or complex configurations to maintain
    6. Partner integrations
      1. Pivot from Splunk into Amazon Detective
  2. Use cases
    1. Incident investigation
      1. Triage
      2. Scoping
      3. Response
      4. (Demo Video)
    2. Threat hunting
    3. Root cause analysis
  3. Behavior graph
    1. Entities & relationships
      1. AWS account
        1. What API calls has the account used?
        2. What user agents has the account used?
        3. What autonomous system organizations (ASOs) has the account used?
        4. In what geographic locations has the account been active?
      2. AWS role
        1. What API calls has the role used?
        2. What user agents has the role used?
        3. What ASOs has the role used?
        4. In what geographic locations has the role been active?
        5. What resources have assumed this role?
        6. What roles has this role assumed?
        7. What role sessions have involved this role?
      3. AWS user
        1. What API calls has the user used?
        2. What user agents has the user used?
        3. In what geographic locations has the user been active?
        4. What roles has this user assumed?
        5. What role sessions have involved this user?
      4. Federated user
        1. What identity provider did the federated user authenticate with?
        2. What was the audience of the federated user? The audience identifies the application that requested the web identity token of the federated user.
        3. In what geographic locations has the federated user been active?
        4. What user agents has the federated user used?
        5. What ASOs has the federated user used?
        6. What roles has this federated user assumed?
        7. What role sessions have involved this federated user?
      5. EC2 instance
        1. What IP addresses have communicated with the instance?
        2. What ports have been used to communicate with the instance?
        3. What volume of data has been sent to and from the instance?
        4. What VPC contains the instance?
        5. What API calls has the EC2 instance used?
        6. What user agents has the EC2 instance used?
        7. What ASOs has the EC2 instance used?
        8. In what geographic locations has the EC2 instance been active?
        9. What roles has the EC2 instance assumed?
      6. Role session
        1. What resources were involved in this role session? In other words, what role was assumed, and what resource assumed the role?
        2. What API calls has the role session used?
        3. What user agents has the role session used?
        4. What ASOs has the role session used?
        5. In what geographic locations has the role session been active?
        6. What user or role started this role session?
        7. What role sessions started from this role session?
      7. IP address
        1. What API calls has the address used?
        2. What ports has the address used?
        3. What users and user agents have used the IP address?
        4. In what geographic locations has the IP address been active?
        5. What EC2 instances has this IP address been assigned to and communicated with?
      8. S3 bucket
        1. What principals interacted with the S3 bucket?
        2. What API calls were made to the S3 bucket?
        3. From what geographic locations did principals make API calls to the S3 bucket?
        4. What user agents were used to interact with the S3 bucket?
        5. What ASOs were used to interact with the S3 bucket?
      9. User agent
        1. What API calls has the user agent used?
        2. What users and roles have used the user agent?
        3. What IP addresses have used the user agent?
      10. Finding (from Amazon GuardDuty)
        1. Type
        2. Origin
        3. Time window
    2. Finding overview
      1. Entity details
      2. Scope time
    3. Summary findings
      1. Newly observed geolocations in the past 24 hours
      2. Roles and users with the most API call volume in the past 24 hours
      3. EC2 instances with the most traffic volume in the past 24 hours
  4. Security in Amazon Detective
  5. Prerequisites and recommendations
    1. Account must have Amazon GuardDuty enabled
    2. Account data volume must be within the Detective quota
    3. Recommended alignment with GuardDuty and AWS Security Hub
    4. Granting the required Detective permissions
    5. Recommended update to the GuardDuty CloudWatch notification frequency
  6. Detective source data
    1. CloudTrail logs
    2. VPC Flow Logs
    3. Amazon GuardDuty findings
      1. Archiving an Amazon GuardDuty finding
  7. Amazon Detective FAQs
  8. Amazon Detective Partners
  9. Amazon Detective Security Blogs
  10. AWS re:Post questions for Amazon Detective
  11. Amazon Detective Pricing
  12. Free Cybersecurity Training