Forensic triage service
The diagram below represents the logical interaction view of the forensic triage service. A security event (Application security event) is reported by the Threat Detection Engine. The Threat Detection Engine initiates triaging function to determine the severity of threat based on the threat and infrastructure information. The triaging function initiates forensic acquisition and investigation flow for further analysis.
Interaction view
Forensic triage workflow
Implementation view
Forensic triage - implementation view
AWS Security Hub operating in AWS application account is reported with details of the compromised instance and the findings get aggregated to AWS Security Hub administrator AWS master Account. . The security administrator initiates one of the following forensic actions in Security Hub.
+
.. Forensic triage
.. Forensic isolation
. Amazon EventBridge initiates the triage Step Functions flow.
. Get Instance Lambda function assumes role into compromised application account and retrieves instance information.
. The triage flow triggers acquisition flow in parallel unless the instance tag IsTriageRequired is set to false.
+ .. Forensic memory acquisition flow initiates the memory acquisition Step Functions. .. Forensic disk acquisition flow initiates the disk acquisition Step Functions. . Once completed, the acquisition flow triage results are sent to SNS.