# Detective Investigation
<a name="investigations-about"></a>

You can use Amazon Detective Investigation to investigate IAM users and IAM roles using indicators of compromise, which can help you determine whether a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. With Detective Investigations you can maximize efficiency, focus on the security threats, and strengthen incident response capabilities.

Detective Investigation uses machine learning models and threat intelligence to automatically analyze resources in your AWS environment to identify potential security incidents. It lets you proactively, effectively, and efficiently use automation built on top of Detective's behavioral graph to improve security operations. Using Detective Investigation you can investigate attack tactics, impossible travel, flagged IP addresses, and finding groups. It performs initial security investigation steps and generates a report highlighting the risks identified by Detective, to help you understand security events and respond to potential incidents.

**Topics**
+ [Running a Detective Investigation](run-investigations.md)
+ [Reviewing Detective Investigations reports](investigations-report.md)
+ [Understanding a Detective Investigations report](investigations-report-understand.md)
+ [Detective Investigations report summary](investigations-summary.md)
+ [Downloading a Detective Investigations report](download-investigation.md)
+ [Archiving a Detective Investigations report](archive-investigation.md)

# Running a Detective Investigation
<a name="run-investigations"></a>

Use **Run investigation** to analyze resources such as IAM users and IAM roles and to generate an investigation report. The generated report details anomalous behavior that indicates potential compromise.

------
#### [ Console ]

Follow these steps to run a Detective Investigation from the **Investigations page** using the Amazon Detective console.

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. In the **Investigations** page, choose **Run investigation** in the top right corner. 

1. In the **Select resource** section, you have three ways to run an investigation. You can choose to run the investigation for a resource recommended by Detective. You can run the investigation for a specific resource. You can also investigate a resource from the Detective Search page.

   1. `Choose a recommended resource` – Detective recommends resources based on their activity in findings and finding groups. To run the investigation for a resource recommended by Detective, in the **Recommended resources** table, select a resource to investigate.

      The Recommended resources table provides the following details: 
      + **Resource ARN** – The Amazon Resource Name (ARN) of the AWS resource.
      + **Reason to investigate** – Displays the key reason(s) to investigate the resource. Detective recommends investigating a resource for the following reasons:
        + If a resource was involved in a High Severity finding in the last 24 hours. 
        + If a resource was involved in a finding group observed in the last 7 days. Detective finding groups let you examine multiple activities as they relate to a potential security event. For more details, see [Analyzing finding groups](groups-about.md).
        + If a resource was involved in a finding in the last 7 days.
      + **Latest finding** – Latest findings are prioritized on top of the list. 
      + **Resource type** – Identifies the type of resource. For example, an AWS user or AWS role.

   1. `Specify an AWS role or user with an ARN` – You can select an AWS role or AWS user and run an investigation for the specific resource. 

      Follow these steps to investigate a specific resource type. 

      1. From the **Select resource type** drop-down list, choose AWS role or AWS user.

      1. Enter the **Resource ARN** of the IAM resource. For more details about Resource ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference-arns.html) in the IAM User Guide.

   1. `Find a resource to investigate from the Search page` – You can search all of your IAM resources from the Detective **Search** page. 

      Follow these steps to investigate a resource from the Search page.

      1. In the navigation pane, choose **Search**.

      1. In the Search page, search for an IAM resource. 

      1. Navigate to the profile page of the resource and run investigation from there.

1. In the **Investigation scope time** section, choose the **Scope time** window over which the investigation assesses the selected resource's activity. Select a **Start date** and **Start time**, and an **End date** and **End time**, in UTC. The scope time window must be at least 3 hours and at most 30 days long.

1. Choose **Run investigation**. 

------
#### [ API ]

To run an investigation programmatically, use the [StartInvestigation](https://docs.aws.amazon.com//detective/latest/APIReference/API_StartInvestigation.html) operation of the Detective API. To run an investigation using the AWS Command Line Interface (AWS CLI) run the [start-investigation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/detective/start-investigation.html) command.

In your request, use these parameters to run an investigation in Detective: 
+ `GraphArn` – Specify the Amazon Resource Name (ARN) of the behavior graph.
+ `EntityArn` – Specify the unique Amazon Resource Name (ARN) of the IAM user or IAM role to investigate.
+ `ScopeStartTime` – Optionally, specify the date and time at which the investigation should begin. The value is a UTC ISO 8601 formatted string, for example `2021-08-18T16:35:56.284Z`.
+ `ScopeEndTime` – Optionally, specify the date and time at which the investigation should end. The value is a UTC ISO 8601 formatted string, for example `2021-08-18T16:35:56.284Z`.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
aws detective start-investigation \
    --graph-arn arn:aws:detective:us-east-1:123456789123:graph:fdac8011456e4e6182facb26dfceade0 \
    --entity-arn arn:aws:iam::123456789123:role/rolename \
    --scope-start-time 2023-09-27T20:00:00.00Z \
    --scope-end-time 2023-09-28T22:00:00.00Z
```
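The following is an added example (not AWS's own code or the Detective SDK) that validates a `StartInvestigation` request before it is sent: it checks that the entity is an IAM user or role ARN, that the scope window honours the documented 3-hour to 30-day limit, and normalizes the timestamps to the UTC ISO 8601 form the API documents. The ARNs are the fictitious ones from the CLI example above. The `run_investigation` helper uses boto3's `start_investigation` and `get_investigation`; the `RUNNING` status string it polls on is an assumption about the `GetInvestigation` response and should be checked against the API reference.

```python
"""Build and validate a Detective StartInvestigation request (added example)."""
import re
import time
from datetime import datetime, timedelta, timezone

# Documented scope-window limits for an investigation.
MIN_SCOPE = timedelta(hours=3)
MAX_SCOPE = timedelta(days=30)

# Only IAM users and IAM roles are valid investigation entities.
ENTITY_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/.+$")
GRAPH_ARN_RE = re.compile(r"^arn:aws:detective:[a-z0-9-]+:\d{12}:graph:[0-9a-f]+$")

# Sample ARNs taken from the CLI example on this page (fictitious account).
SAMPLE_GRAPH_ARN = "arn:aws:detective:us-east-1:123456789123:graph:fdac8011456e4e6182facb26dfceade0"
SAMPLE_ENTITY_ARN = "arn:aws:iam::123456789123:role/rolename"

_ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")


def parse_utc(ts: str) -> datetime:
    """Parse a UTC ISO 8601 string such as 2023-09-27T20:00:00.00Z (fraction optional)."""
    m = _ISO_RE.match(ts)
    if not m:
        raise ValueError(f"not a UTC ISO 8601 timestamp ending in Z: {ts!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def to_iso8601(ts: datetime) -> str:
    """Render a timezone-aware datetime in the UTC string form the API documents."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def scope_window_hours(start_iso: str, end_iso: str) -> float:
    """Length of the requested scope window in hours."""
    return (parse_utc(end_iso) - parse_utc(start_iso)).total_seconds() / 3600


def build_start_investigation_request(graph_arn: str, entity_arn: str,
                                      start_iso: str, end_iso: str) -> dict:
    """Return validated StartInvestigation parameters, or raise ValueError."""
    if not GRAPH_ARN_RE.match(graph_arn):
        raise ValueError(f"not a behavior graph ARN: {graph_arn}")
    if not ENTITY_ARN_RE.match(entity_arn):
        raise ValueError(f"entity must be an IAM user or IAM role ARN: {entity_arn}")
    start, end = parse_utc(start_iso), parse_utc(end_iso)
    window = end - start
    if window < MIN_SCOPE or window > MAX_SCOPE:
        raise ValueError(f"scope window must be 3 hours to 30 days, got {window}")
    return {
        "GraphArn": graph_arn,
        "EntityArn": entity_arn,
        "ScopeStartTime": to_iso8601(start),
        "ScopeEndTime": to_iso8601(end),
    }


def to_cli_command(request: dict) -> str:
    """Render the same request as the aws CLI invocation shown on this page."""
    return (
        "aws detective start-investigation"
        f" --graph-arn {request['GraphArn']}"
        f" --entity-arn {request['EntityArn']}"
        f" --scope-start-time {request['ScopeStartTime']}"
        f" --scope-end-time {request['ScopeEndTime']}"
    )


def run_investigation(request: dict, poll_seconds: int = 15, timeout_seconds: int = 900) -> dict:
    """Start the investigation with boto3 and poll until it leaves the RUNNING state.

    Needs AWS credentials and boto3; it is not exercised by the offline checks.
    Assumption: GetInvestigation reports "RUNNING" while the investigation is in progress.
    """
    import boto3  # imported here so the validation helpers work offline

    client = boto3.client("detective")
    params = dict(request,
                  ScopeStartTime=parse_utc(request["ScopeStartTime"]),
                  ScopeEndTime=parse_utc(request["ScopeEndTime"]))
    investigation_id = client.start_investigation(**params)["InvestigationId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        result = client.get_investigation(GraphArn=request["GraphArn"],
                                          InvestigationId=investigation_id)
        if result.get("Status") != "RUNNING":
            return result
        if time.monotonic() > deadline:
            raise TimeoutError(f"investigation {investigation_id} still running")
        time.sleep(poll_seconds)
```

Validating the window locally avoids a rejected API call when automation computes scope times from alert timestamps; a common failure is an alert-to-now window shorter than 3 hours, which the check surfaces before anything is sent.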

------

You can also run an investigation from the following pages in Detective:
+ An IAM user or IAM role profile page in Detective.
+ Graph visualization pane of a finding group.
+ Actions column of an involved resource.
+ IAM user or IAM role on a finding page.

After Detective runs the investigation for a resource, an investigation report is generated. To access the report, go to **Investigations** from the navigation pane. 

# Reviewing Detective Investigations reports
<a name="investigations-report"></a>

Investigations reports let you review the generated **Reports** for investigations that you have run previously in Detective.

To review investigations reports

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

Take note of the following attributes from an investigations report. 
+ **ID** – The generated identifier of the investigations report. You can choose this **ID** to read a summary of the investigation report, which has the details of the investigation.
+ **Status** – Each investigation is associated with a **Status** based on the completion status of the investigation. Status values can be **In progress**, **Succeeded**, or **Failed**.
+ **Severity** – Each investigation is assigned a **Severity**. Detective automatically assigns a severity to the finding. 

  A severity represents the disposition as analyzed by the investigation of a single resource at a given scope time. A severity reported by an investigation doesn't imply or otherwise indicate the criticality or importance that an affected resource might have for your organization.

  Investigation severity values can be **Critical**, **High**, **Medium**, **Low**, or **Informational** from most to least severe.

  Investigations that are assigned a Critical or High severity value should be prioritized for further inspection, as they are more likely to represent high-impact security issues identified by Detective. 
+ **Entity** – The **Entity** column contains details on the specific entities detected in the investigation. Entities are IAM resources such as a user or a role.
+ **Creation date** – The **Creation date** column contains the date and time at which the investigation report was first created.

# Understanding a Detective Investigations report
<a name="investigations-report-understand"></a>

A Detective Investigations report lists a summary of the uncommon behavior or malicious activity that indicates compromise. It also lists the recommendations that Detective suggests to mitigate the security risk.

To view an investigations report for a specific investigation ID.

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. In the **Reports** table, select an investigation **ID**.

![\[The Reports table lists the investigations that you have run previously in Detective.\]](http://docs.aws.amazon.com/detective/latest/userguide/images/detective-investigations-report.png)

Detective generates the report for the selected **Scope** time and **User**. The report contains an **Indicators of Compromise** section that includes details regarding one or more of the indicators of compromise listed below. As you review each indicator of compromise, optionally choose an item to drill down and review its details.
+ **Tactics, Techniques, and Procedures** – Identifies tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the [MITRE ATT&CK matrix for Enterprise](https://attack.mitre.org/matrices/enterprise/).
+ **Threat Intelligence Flagged IP Addresses** – Suspicious IP addresses are flagged and identified as critical or severe threats based on Detective threat intelligence. 
+ **Impossible Travel** – Detects and identifies unusual and impossible user activity for an account. For example, this indicator lists a drastic change between the source and destination locations of a user within a short time span.
+ **Related Finding Group** – Shows multiple activities as they relate to a potential security event. Detective uses graph analysis techniques that infer relationships between findings and entities, and groups them together as a finding group.
+ **Related Findings** – Related activities associated with a potential security event. Lists all distinct categories of evidence that are connected to the resource or the finding group.
+ **New Geolocations** – Identifies new geolocations used either at the resource or account level. For example, this indicator lists an observed geolocation that is an infrequent or unused location based on previous user activity. 
+ **New User Agents** – Identifies new user agents used either at the resource or account level. 
+ **New ASOs** – Identifies new Autonomous System Organizations (ASOs) used either at the resource or account level. For example, this indicator lists a new organization assigned as an ASO. 

# Detective Investigations report summary
<a name="investigations-summary"></a>

The investigations summary highlights anomalous indicators that require attention for the selected scope time. Using the summary, you can more quickly identify the root cause of potential security issues, identify patterns, and understand the resources impacted by security events.

In the detailed investigations report summary, you can view the following details.

**Investigations overview**

In the **Overview** panel, you can see a visualization of IPs with high severity activity, which can give more context on the pathway of an attacker. 

Detective highlights **Unusual activity** in the investigation, for example impossible travel from a source to a faraway destination by the IAM user. 

Detective maps the investigations to tactics, techniques, and procedures (TTPs) used in a potential security event. The MITRE ATT&CK framework is used to understand the TTPs. Tactics are based on the [MITRE ATT&CK matrix for Enterprise](https://attack.mitre.org/matrices/enterprise/).

**Investigations indicators**

You can use the information in the **Indicators** pane to determine whether an AWS resource is involved in unusual activity that could indicate malicious behavior, and what its impact is. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident.

# Downloading a Detective Investigations report
<a name="download-investigation"></a>

You can download the Detective Investigations report in JSON format to analyze it further or to store it in your preferred storage solution, such as an Amazon S3 bucket.

**To download an investigations report from the Reports table.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table, and choose **Download**.

**To download an investigations report from the summary page.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table.

1. In the investigations summary page, choose **Download**.
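Once reports are downloaded as JSON, the report attributes described under "Reviewing Detective Investigations reports" and the indicator categories described under "Understanding a Detective Investigations report" can be triaged offline. The following is an added example, not AWS's own code: it applies the page's own rules (only succeeded investigations carry a usable verdict; Critical and High severities go first; each indicator belongs to one of the eight documented categories) to a small batch of reports. The JSON layout is a constructed, simplified shape built from the fields this page documents; the real download schema may use different key names, so adapt the accessors to the file you actually export. Account IDs, investigation IDs and IP addresses in the sample are fictitious.

```python
"""Triage downloaded Detective investigation reports offline (added example)."""
import json
from collections import Counter

# Severity order as documented on this page, most to least severe.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

# Indicator categories as named in the report's Indicators of Compromise section.
INDICATOR_CATEGORIES = {
    "Tactics, Techniques, and Procedures",
    "Threat Intelligence Flagged IP Addresses",
    "Impossible Travel",
    "Related Finding Group",
    "Related Findings",
    "New Geolocations",
    "New User Agents",
    "New ASOs",
}
FLAGGED_IP = "Threat Intelligence Flagged IP Addresses"

# Constructed sample batch (assumed layout, not the real download schema).
# IPs are from the TEST-NET documentation ranges.
SAMPLE_REPORTS_JSON = json.dumps([
    {"id": "inv-001", "status": "Succeeded", "severity": "High",
     "entity": "arn:aws:iam::123456789123:role/rolename",
     "indicators": [
         {"category": "Impossible Travel", "detail": "Frankfurt to Singapore within 40 minutes"},
         {"category": FLAGGED_IP, "ip": "198.51.100.23"},
         {"category": "Tactics, Techniques, and Procedures", "detail": "Credential Access"},
     ]},
    {"id": "inv-002", "status": "Succeeded", "severity": "Critical",
     "entity": "arn:aws:iam::123456789123:user/alice",
     "indicators": [
         {"category": FLAGGED_IP, "ip": "203.0.113.7"},
         {"category": "New ASOs", "detail": "EXAMPLE-HOSTING-ASO"},
         {"category": "Related Finding Group", "detail": "group-0abc"},
     ]},
    {"id": "inv-003", "status": "In progress", "severity": "Informational",
     "entity": "arn:aws:iam::123456789123:user/bob", "indicators": []},
    {"id": "inv-004", "status": "Succeeded", "severity": "Low",
     "entity": "arn:aws:iam::123456789123:user/bob",
     "indicators": [{"category": "New User Agents", "detail": "aws-cli/2.13.0"}]},
])


def load_reports(text: str) -> list:
    """Parse the JSON and reject severities or categories this page does not define."""
    reports = json.loads(text)
    for r in reports:
        if r["severity"] not in SEVERITY_RANK:
            raise ValueError(f"{r['id']}: unknown severity {r['severity']!r}")
        for ind in r["indicators"]:
            if ind["category"] not in INDICATOR_CATEGORIES:
                raise ValueError(f"{r['id']}: unknown indicator category {ind['category']!r}")
    return reports


def report_by_id(reports: list, report_id: str) -> dict:
    return next(r for r in reports if r["id"] == report_id)


def prioritized_ids(reports: list) -> list:
    """IDs of succeeded reports, Critical first; in-progress and failed runs are excluded."""
    done = [r for r in reports if r["status"] == "Succeeded"]
    return [r["id"] for r in sorted(done, key=lambda r: (SEVERITY_RANK[r["severity"]], r["id"]))]


def needs_inspection(report: dict) -> bool:
    """Page guidance: Critical and High investigations should be prioritized for inspection."""
    return (report["status"] == "Succeeded"
            and SEVERITY_RANK[report["severity"]] <= SEVERITY_RANK["High"])


def indicator_counts(report: dict) -> dict:
    """How many indicators of each category the report lists."""
    return dict(Counter(ind["category"] for ind in report["indicators"]))


def flagged_ips(reports: list) -> list:
    """Threat-intelligence flagged IPs across all succeeded reports, for SIEM cross-checks."""
    ips = {ind["ip"] for r in reports if r["status"] == "Succeeded"
           for ind in r["indicators"] if ind["category"] == FLAGGED_IP}
    return sorted(ips)


def entities_needing_inspection(reports: list) -> dict:
    """Map each IAM entity to the Critical/High investigation IDs that concern it."""
    out = {}
    for r in reports:
        if needs_inspection(r):
            out.setdefault(r["entity"], []).append(r["id"])
    return out
```

Validating categories at load time matters because a silently unrecognised indicator would simply vanish from the counts; failing loudly keeps the triage output trustworthy when the export format changes.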

# Archiving a Detective Investigations report
<a name="archive-investigation"></a>

When you complete your investigation in Amazon Detective, you can **Archive** the investigation report. An archived investigation indicates you have completed reviewing the investigation.

You can archive or unarchive an investigation only if you are a Detective Administrator. Detective will store your archived investigations for 90 days.

**To archive an investigations report from the Reports table.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table, and choose **Archive**.

**To archive an investigations report from the summary page.**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Investigations**. 

1. Select an investigation from the **Reports** table.

1. In the investigations summary page, choose **Archive**.