Mitch Hanks

Amazon Detective and RSA NetWitness Platform Integration

Blog Post created by Mitch Hanks Employee on Dec 4, 2019

UPDATE 31 Mar 2020: Amazon Detective has been made officially GA by AWS as of today!  See the notes at the end of this post for links to the official documentation with more details on usage and implementation.

 

Amazon Detective is an Amazon Web Services (AWS) threat hunting platform that offers a deep, cloud-native view of AWS resource data and history, optionally in the context of an AWS-generated alert (such as from Amazon GuardDuty).   Amazon Detective augments threat detection systems like RSA NetWitness Platform by providing details about the size and scope of AWS specific security threats, and to help reconstruct “security events” affecting cloud assets and infrastructure.

 

We are pleased to announce the release of a new RSA NetWitness Platform integration with Amazon Detective.  This integration will allow an analyst to pivot from a RSA NetWitness investigation directly into Amazon Detective to view the related AWS resource as needed.  In addition, any RSA NetWitness logs customers who are consuming AWS GuardDuty alerts can also pivot directly to a related finding in Amazon Detective.

 

 

 

 

Typical use case scenario for this integrationTypical use case scenario for this integration

 

 

This integration provides several benefits:

 

  • Reduced investigation time due to eliminating the manual pivot (RSA NetWitness takes you right to the entry)
  • Get the added cloud-native visibility of Amazon Detective to dive deeper into an investigation
  • Enable the analysts to use both tools for increased context around the incident, likely resulting in increased speed of investigations

 

How does the integration work?

Customers can enable this integration via the built-in custom context menu actions feature within RSA NetWitness.  These actions will show up when you right-click on an appropriate meta key's value (e.g. IP address, domain name, GuardDuty finding ID) within the Investigate view and Event Reconstruction view. 

 

Configuring a custom right-click action using the UI wizard

 

Configuring a custom right-click action using the UI wizard

 

Clicking one of these will open a new browser window directly into Amazon Detective and query the meta key value in the appropriate context.  From there the analyst can move around and investigate related data.

 

User pivoting on meta within the Events view

 

User pivoting on meta within the Events view

 

 

 

Landing page user is directed to by the browser

 

Landing page user is directed to by the browser

 

 

What kind of things can I pivot on?

There are a number of pivot options. Most searchable data points within Amazon Detective which have an equivalent meta key within RSA Netwitness Platform can be integrated.  Below are the types of entities we have identified as candidates to start with:

 

AWS Concept

RSA NetWitness Meta Key

Finding (id)

operation.id

Entity (IpAddress)

ip.src,ip.dst,alias.ip

Entity (AswAccount)  Accountid

reference.id1

Entity (AwsRole) Principalid

user.id

Entity (AwsUser) Principalid

user.id

Entity (UserAgent)

user.agent

Entity (Instanceid)

agent.id

  

Summary

Through tight UI integration, this enables RSA NetWitness analysts with a powerful addition to their threat hunting arsenal in Amazon Detective.  The integration is straightforward and easy to implement and customize and will save your analysts valuable investigation time.

 

Documentation

 

Good hunting!

  

Outcomes