Mitch Hanks

Amazon Detective and RSA NetWitness Platform Integration

Blog post by Mitch Hanks (RSA), Dec 4, 2019

Amazon Detective is an Amazon Web Services (AWS) threat hunting platform (pre-release at the time of this writing) that offers a deep, cloud-native view of AWS resource data and history, optionally in the context of an Amazon GuardDuty alert. Amazon Detective augments threat detection systems like RSA NetWitness Platform by providing details about the size and scope of AWS-specific security threats and by helping to reconstruct the "security events" affecting cloud assets and infrastructure.

Typical use case scenario for this integration

This integration provides several benefits:

  • Reduced investigation time, because the manual pivot is eliminated (RSA NetWitness takes you right to the entry)
  • Added cloud-native visibility from Amazon Detective to dive deeper into an investigation
  • Analysts can use both tools for increased context around an incident, which is likely to speed up investigations

How does the integration work?

Customers enable this integration via the built-in custom context menu actions feature within RSA NetWitness. These actions appear when you right-click an appropriate meta key value (e.g. an IP address, a domain name or a GuardDuty finding ID) within the Investigate view and the Event Reconstruction view.

Configuring a custom right-click action using the UI wizard

Clicking one of these actions opens a new browser window directly into Amazon Detective and queries the meta key value in the appropriate context. From there the analyst can move around and investigate related data.

User pivoting on meta within the Events view

Landing page the user is directed to by the browser

What kind of things can I pivot on?

There are a number of pivot options. Most searchable data points within Amazon Detective that have an equivalent meta key within RSA NetWitness Platform can be integrated. Below are the types of entities we have identified as candidates to start with:

AWS Concept                        RSA NetWitness Meta Key
Finding (id)                       operation.id
Entity (IpAddress)                 ip.src, ip.dst, alias.ip
Entity (AwsAccount) Accountid      reference.id1
Entity (AwsRole) Principalid       user.id
Entity (AwsUser) Principalid       user.id
Entity (UserAgent)                 user.agent
Entity (Instanceid)                agent.id

Summary

Through tight UI integration, Amazon Detective gives RSA NetWitness analysts a powerful addition to their threat hunting arsenal. The integration is straightforward to implement and customize, and it will save your analysts valuable investigation time.

Amazon Detective is still in preview; once AWS releases it for general availability, we will add links to the official integration guides and documentation in this post as well as in the RSA Link Integrations Catalog. Please follow this post for updates. For more information on Amazon Detective, see Amazon Detective on the AWS Blog, or watch for it at AWS re:Invent 2019 along with the announcement of our collaboration on this integration.

Good hunting!
