The following table provides a history of the updates to this guide.
Change Description Date
Removed the limit on supported GuardDuty finding types
Detective is no longer limited to a selected set of GuardDuty finding types.
Detective ingests finding details for all finding types, and provides access to the entity profiles for the related entities.
September 20, 2021
Replaced finding profiles with finding overviews
Finding profiles contained visualizations that analyzed activity for the involved resource.
The new finding overview contains finding details ingested from GuardDuty, and a list of involved entities.
From the finding overview, you can pivot to the profiles for related entities.
September 20, 2021
Link to finding details from the associated findings profile panel
On an entity profile, when you choose a finding in the associated findings list, the finding details are displayed in the panel to the right. The scope time is set to the finding time window.
September 20, 2021
Added S3 buckets to the available entity types in Detective
Detective now provides profiles for S3 buckets.
The S3 bucket profiles provide details about the principals that interacted with the S3 bucket and the API operations that they performed on the S3 bucket.
September 20, 2021
New option to generate Detective URLs in Splunk
The Splunk Trumpet project allows you to send AWS content to Splunk. The project now allows you to add Detective URLs to navigate to profiles for GuardDuty findings.
September 8, 2021
Added the calling service to information about API calls
On the Detective console, information about API calls now includes the service that issued the call.
Added a Service column to the lists on the Overall API call volume, Newly observed API calls, and API calls with increased volume.
On the activity details for Overall API call volume and Newly observed geolocations, API methods are grouped under the services that issued them.
For activity that occurred before this change, the API methods are grouped under Unknown service.
July 14, 2021
Replaced AKIDs in the activity details for accounts and roles
On account profiles, the activity details for Overall API call volume now show users or roles instead of access key identifiers (AKIDs).
On role profiles, the activity details for Overall API call volume now show role sessions instead of AKIDs.
For activity that occurred before this change, the caller is listed as Unknown resource.
July 14, 2021
New Resource interaction tab for users, roles, and role sessions
The Resource interaction tab for users, roles, and role sessions contains information about role assumption activity that involved those entities. For role sessions, this is a new tab.
For users and roles, this is an existing tab with new content.
June 29, 2021
Added activity details for the profile panel VPC flow volume to and from the finding's IP address
The profile panel VPC flow volume to and from the finding's IP address now allows you to display activity details.
The activity details are available only if the finding is associated with a single IP address. The activity details show the volume for each combination of ports, protocol, and direction.
February 25, 2021
Changed "master account" to "administrator account"
The term "master account" is changed to "administrator account." The term is also changed in the Detective console and API.
February 25, 2021
Added the Detective Summary page
The Detective Summary page contains visualizations to guide analysts to entities of interest based on geolocation, numbers of API calls, and EC2 traffic volume.
January 21, 2021
New activity details for the Overall API call volume profile panel on IP address profiles
You can now display activity details for IP addresses from the Overall API call volume profile panel.
The activity details show the number of successful and failed calls for each resource that issued the call from the IP address.
January 21, 2021
New Overall VPC flow volume profile panel on IP address profiles
The IP address profile now contains the Overall VPC flow volume profile panel.
The profile panel shows the volume of VPC flow traffic to and from the IP address.
You can display activity details to show the volume for each EC2 instance that the IP address communicated with.
January 21, 2021
Added option to set the activity details window to the default scope time
On the activity details for Overall API call volume and Overall VPC flow volume, you can set the time window for the activity details to the default scope time for the profile.
January 15, 2021
Updated the option to pivot from Amazon GuardDuty to Detective
In GuardDuty, the Investigate in Detective option is moved from the Actions menu to the finding details panel.
It displays a list of related entities. If the finding type is supported, the list also includes the finding.
You can then choose to navigate to either an entity profile or a finding profile.
January 15, 2021
Added handling of high-volume time intervals for entities
Added a new notice to indicate when an entity has one or more high-volume time intervals.
A new High-volume entities page displays all of the high-volume intervals for the current scope time.
December 18, 2020
Added time range selection for activity details on the Overall API call volume profile panel
On the Overall API call volume profile panel, you can now display activity details for any selected time range.
The panel initially displays an option to display the activity details for the scope time.
September 29, 2020
Added time interval selection for activity details on the Overall VPC flow volume profile panel
On the Overall VPC flow volume panel, you can display activity details for a single time interval from the chart.
To display the details for a time interval, choose the time interval.
September 25, 2020
New role session and federated user entities
Detective now allows you to explore and investigate federated authentication. You can see what resources have assumed each role, and when those authentications occurred.
September 17, 2020
Updates to scope time management
Removed the option to lock or unlock the scope time. It is always locked.
On a finding profile, a warning is displayed if the scope time is different from the finding time window.
September 4, 2020
Profile header remains visible as you scroll through a profile
On profiles, the type, identifier, and scope time remain visible as you scroll through the profile panels on a tab.
When the tabs are not visible, you can use the tab dropdown list in the breadcrumbs to navigate to a different tab.
September 4, 2020
Added to the allowed criteria for searches
The allowed criteria for searches have expanded. You can search for AWS users and AWS roles by name. You can use the ARN to search for findings, AWS roles, AWS users, and EC2 instances.
August 27, 2020
Search always displays search results
When you conduct a search, it now displays the results on the Search page. From the results, you can pivot to a finding or entity profile.
August 27, 2020
Links to other consoles on profile panels
On the EC2 instance details profile panel, the EC2 instance identifier is linked to the Amazon EC2 console. On the User details and Role details profile panels, the user name and role name are linked to the IAM console.
August 14, 2020
New activity details for Overall VPC flow volume profile panel
From the Overall VPC flow volume profile panel, you can now display activity details.
The details show a list of interactions between the EC2 instance and IP addresses.
July 23, 2020
Amazon Detective general availability release
Detective is now generally available.
March 31, 2020
Introducing Amazon Detective (preview)
Detective uses machine learning and purpose-built visualizations to help you analyze and investigate security issues across your Amazon Web Services (AWS) workloads.
Detective is currently in preview.
December 3, 2019