Amazon Detective is an Amazon Web Services (AWS) threat hunting platform (pre-release at the time of this writing) that offers a deep, cloud-native view of AWS resource data and history, optionally in the context of an Amazon GuardDuty finding. Amazon Detective augments threat detection systems like RSA NetWitness Platform by providing details about the size and scope of AWS-specific security threats, and by helping reconstruct the "security events" affecting cloud assets and infrastructure.
We are pleased to announce the upcoming release of a new RSA NetWitness Platform integration with Amazon Detective. This integration will allow an analyst to pivot from an RSA NetWitness investigation directly into Amazon Detective to view the related AWS resource as needed. In addition, any RSA NetWitness Logs customers who are consuming AWS GuardDuty alerts can also pivot directly to the related finding in Amazon Detective.
This integration provides several benefits:
- Reduced investigation time, because the manual pivot is eliminated (RSA NetWitness takes you straight to the entry)
- Added cloud-native visibility from Amazon Detective, letting the analyst dive deeper into an investigation
- Analysts can use both tools for increased context around an incident, which is likely to speed up investigations
How does the integration work?
Customers can enable this integration via the built-in custom context menu actions feature within RSA NetWitness. These actions will show up when you right-click on an appropriate meta key's value (e.g. IP address, domain name, GuardDuty finding ID) within the Investigate view and Event Reconstruction view.
Configuring a custom right-click action using the UI wizard
Clicking one of these actions opens a new browser window directly in Amazon Detective, with the meta key value queried in the appropriate context (for example, as an AWS account, an IAM principal, or an IP address). From there the analyst can move around and investigate related data.
User pivoting on meta within the Events view
Landing page user is directed to by the browser
What kind of things can I pivot on?
There are a number of pivot options. Most searchable data points within Amazon Detective that have an equivalent meta key within RSA NetWitness Platform can be integrated. Below are the entity types we have identified as candidates to start with:
Amazon Detective Entity    RSA NetWitness Meta Key
Entity (AwsAccount)        accountid
Entity (AwsRole)           principalid
Entity (AwsUser)           principalid
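As an added illustration of the mechanics described above (this is example code written for this post, not RSA's or AWS's own integration code), the following Python helper models what a custom context menu action does: it maps an RSA NetWitness meta key to the Amazon Detective entity types an analyst can pivot to (one menu entry per entity type, which is why principalid yields two), and it builds the console URL the browser would open. The AwsAccount, AwsRole and AwsUser rows come from the table above; the IpAddress entity, the ip.src and ip.dst meta keys, the exact shape of the Detective console URL, and all sample values are assumptions made for the example.

```python
import re
from urllib.parse import quote

# Detective entity types this example knows how to pivot to. AwsAccount, AwsRole
# and AwsUser are the entity types listed in the post; IpAddress is an assumption
# added to cover the "IP address" pivot the post mentions.
ENTITY_TYPES = frozenset({"AwsAccount", "AwsRole", "AwsUser", "IpAddress"})

# NetWitness meta key -> Detective entity types it can pivot to.
# accountid and principalid come from the post's table (principalid maps to two
# entity types, so it gets two right-click entries). ip.src/ip.dst -> IpAddress
# is an assumption for illustration.
META_KEY_TO_ENTITIES = {
    "accountid": ("AwsAccount",),
    "principalid": ("AwsRole", "AwsUser"),
    "ip.src": ("IpAddress",),
    "ip.dst": ("IpAddress",),
}

# Assumed shape of the Detective console URL; confirm it against the AWS
# documentation for your region before using it in a real context action.
DETECTIVE_URL = (
    "https://console.aws.amazon.com/detective/home"
    "?region={region}#entities/{entity_type}/{entity_id}"
)

# Loose AWS region syntax check (us-east-1, ap-southeast-2, us-gov-west-1).
AWS_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def build_pivot_url(entity_type: str, value: str, region: str) -> str:
    """Return the Detective console URL a context action would open.

    The meta value is taken from log data, so it is treated as untrusted:
    it is percent-encoded with no safe characters (including '/'), which
    prevents a crafted value from adding path segments or a second fragment.
    """
    if entity_type not in ENTITY_TYPES:
        raise ValueError(f"unsupported Detective entity type: {entity_type!r}")
    if not AWS_REGION_RE.match(region):
        raise ValueError(f"invalid AWS region: {region!r}")
    value = value.strip()
    if not value:
        raise ValueError("empty meta value")
    return DETECTIVE_URL.format(
        region=region,
        entity_type=entity_type,
        entity_id=quote(value, safe=""),
    )


def context_actions_for(meta_key: str, value: str, region: str = "us-east-1") -> dict:
    """Return {menu label: url} for every pivot applicable to a meta key.

    Mirrors the right-click menu: one entry per Detective entity type the
    meta key can map to, or an empty dict when no pivot applies.
    """
    entities = META_KEY_TO_ENTITIES.get(meta_key.lower())
    if entities is None:
        return {}
    return {
        f"Amazon Detective: {entity}": build_pivot_url(entity, value, region)
        for entity in entities
    }


if __name__ == "__main__":
    # Constructed sample meta values (not real accounts, principals or hosts).
    samples = [
        ("accountid", "123456789012"),
        ("principalid", "AROAEXAMPLEID:session-name"),
        ("ip.src", "198.51.100.23"),
        ("filename", "report.pdf"),  # no Detective pivot for this meta key
    ]
    for meta_key, value in samples:
        actions = context_actions_for(meta_key, value, region="us-west-2")
        print(f"{meta_key} = {value}")
        for label, url in actions.items() or {"(no pivot)": ""}.items():
            print(f"  {label} -> {url}")
```

The two checks in build_pivot_url are the part worth keeping in a real context action: the region is validated against a fixed pattern, and the meta value is fully percent-encoded before it lands in the URL, so a principal name or user agent that an attacker controls in the underlying log cannot change where the analyst's browser is sent.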
Through tight UI integration, this gives RSA NetWitness analysts a powerful addition to their threat hunting arsenal in Amazon Detective. The integration is straightforward to implement and customize, and it will save your analysts valuable investigation time.
Amazon Detective is still in preview; once AWS releases it for general availability we will add links to the official integration guides and documentation in this post as well as in the RSA Link Integrations Catalog. Please follow this post for updates. For more information on Amazon Detective, see Amazon Detective on the AWS Blog, or watch for it at AWS re:Invent 2019 along with the announcement of our collaboration on this integration.