Analyzing finding groups - Amazon Detective

Analyzing finding groups

Amazon Detective finding groups let you examine multiple activities as they relate to a potential security event. You can analyze the root cause for high severity GuardDuty findings using finding groups. If a threat actor is attempting to compromise your AWS environment, they typically perform a sequence of actions that lead to multiple security findings and unusual behaviors. These actions are often spread across time and entities. When security findings are investigated in isolation, it can lead to a misinterpretation of their significance, and difficulty in finding the root cause. Amazon Detective addresses this problem by applying a graph analysis technique that infers relationships between findings and entities, and groups them together. We recommend treating finding groups as the starting point for investigating the involved entities and findings.

Detective analyzes data from findings and groups them with other findings that are likely to be related based on resources they share. For example, findings related to actions taken by the same IAM role sessions or originating from the same IP address are very likely to be part of the same underlying activity. It's valuable to investigate findings and evidence as a group, even if the associations made by Detective aren't related.

In addition to findings, each group includes entities involved in the findings. The entities can include resources outside of AWS such as IP Addresses or user agents.

Note

After an initial GuardDuty finding occurs that is related to another finding, the finding group with all related findings and all involved entities is created within 48 hours.

Understanding the finding groups page

The finding groups page lists all the finding groups collected by Amazon Detective from your behavior graph. take note of the following attributes of finding groups:

Severity of a group

Each finding group is assigned a severity based on the AWS Security Finding Format (ASFF) severity of the associated findings. ASFF finding severity values are Critical, High, Medium, Low, or Informational from most to least severe. The severity of a grouping is equal to the highest severity finding among the findings in that grouping.

Groups that consist of Critical or High severity findings that impact a large number of entities should be prioritized for investigations, as they are more likely to represent high-impact security issues.

Group title

In the Title column, each group has a unique ID and a non-unique title. These are based on the ASFF type namespace for the group and the number of findings within that namespace in the cluster. For example, if a grouping has the title: Group with: TTP (2), Effect (1), and Unusual behavior (2) it includes five total findings consisting of two findings in the TTP namespace, one finding in the Effect namespace, and two findings in the Unusual Behavior namespace. For a complete list of namespaces, see Types taxonomy for ASFF.

Tactics in a group

The Tactics column in a group details which tactics category the activity falls into. The tactics, techniques, and procedures categories in the following list align to the MITRE ATT&CK matrix.

You can select a tactic on the chain to see a description of the tactic and which findings within the group are within that category. Following the chain is a list of the tactics detected within the group. These categories and the activities they typically represent are as follows:

  • Initial Access – An adversary is trying to get into someone else’s network.

  • Execution – An adversary is trying to get into someone else’s network.

  • Persistence – An adversary is trying to maintain their foothold.

  • Privilege Escalation – An adversary is trying to gain higher-level permissions.

  • Defense Evasion – An adversary is trying to avoid being detected.

  • Credential Access – An adversary is trying to steal account names and passwords.

  • Discovery – An adversary is trying to understand and learn about an environment.

  • Lateral Movement – An adversary is trying to move through an environment.

  • Collection – An adversary is trying to gather data of interest to their goal.

  • Command and Control – An adversary is trying to get into someone else’s network.

  • Collection – An adversary is trying to gather data of interest to their goal.

  • Exfiltration – An adversary is trying to steal data.

  • Impact – An adversary is trying to manipulate, interrupt, or destroy your systems and data.

  • Other – Indicates activity from a finding that does not align with tactics listed in the matrix.

Entities within a group

The Entities column contains details on the specific entities detected within this grouping. Select this value for a breakdown of entities based on the categories: Identity, Network, Storage, and Compute. Examples of entities in each category are:

  • Identity – IAM principals and AWS accounts, such as user and role

  • Network – IP address or other networking and VPC entities

  • Storage – Amazon S3 buckets or DDBs

  • Compute Amazon EC2 instances or Kubernetes containers

Accounts within a group

The Accounts column tells you what AWS accounts own entities involved with the findings in the group. The AWS Accounts are listed by name and AWS ID so you can prioritize investigations of activity involving critical accounts.

Findings within a group

The Findings column has a lists the entities within a group by severity. The findings include Amazon GuardDuty findings, Amazon Inspector findings, AWS security findings, and evidence from Detective. You can select the graph to see an exact count of findings by severity.

GuardDuty findings are part of the Detective core package and are ingested by default. All other AWS security findings that are aggregated by Security Hub are ingested as an optional data source. See Source data used in a behavior graph for more details.

Informational findings in finding groups

Amazon Detective identifies additional information related to a finding group based on data in your behavior graph collected within the last 45 days. Detective presents this information as a finding with the Informational severity. Evidence provides supporting information that highlights an unusual activity or unknown behavior that is potentially suspicious when viewed within a finding group. This might include newly observed geolocations or API calls observed within the scope time of a finding. Evidence findings are only viewable in Detective and are not sent to AWS Security Hub.

Detective determines the location of requests using MaxMind GeoIP databases. MaxMind reports very high accuracy of their data at the country level, although accuracy varies according to factors such as country and type of IP. For more information about MaxMind, see MaxMind IP Geolocation. If you think any of the GeoIP data is incorrect, you can submit a correction request to Maxmind at MaxMind Correct GeoIP2 Data.

You can observe evidence for different principal types (such as IAM user or IAM role). For some evidence types, you can observe evidence for all accounts. This means evidences affect your entire behavior graph. If an evidence finding is observed for all accounts, you will also see at least one additional informational evidence finding of the same type for an individual IAM role. For example, if you see a New geolocation observed for all accounts finding, you will see another for New geolocation observed for a principal.

Types of evidence in finding groups
  • New geolocation observed

  • New Autonomous System Organization (ASO) observed

  • New user agent observed

  • New API call issued

  • New geolocation observed for all accounts

  • New IAM principal observed for all accounts

Finding group profiles

When you select a group title, a finding group profile opens with additional details about that group. The details panel in the finding groups profile page supports the display of up to 1000 entities and findings for finding groups parent and children.

The group profile page displays the set Scope time of the group. This is the date and time from the earliest finding or evidence included in the group to the most recently updated finding or evidence in a group. You can also see the Finding group severity, which is equal to the highest severity category among findings in the group. Other details within this profile panel include:

  • The Involved tactics chain shows you which tactics, are attributed to the findings in the group. Tactics are based on the MITRE ATT&CK Matrix for Enterprise. The tactics are shown as a chain of colored dots that represents the typical progression of an attack from the earliest to latest stages. This means the leftmost circles on the chain typically represent less severe activities where an adversary is trying to gain or maintain access your environment. Conversely, activities toward the right are the most severe and can include data tampering or destruction.

  • The relationships that this group has with other groups. Occasionally, one or more previously unconnected groups of findings could be merged into a new group based on a newly discovered link, for example, a finding that involves entities from the existing groups. In this case, Amazon Detective deactivates the parent groups and creates a child group. You can trace the lineage for any group back to its parent groups. Groups can have the following relationships:

    • Child finding group – A finding group created when a finding involved in two other finding groups is involved in a new finding. The parent groups of the finding are listed for any child group.

    • Parent finding group – A finding group is a parent when a child group has been created from it. If a finding group is a parent, the related children are listed with it. A parent group's status becomes Inactive when it's merged into an Active child group.

There are two information tabs that open profile panels. Using the Involved entities and Involved findings tabs, you can view further details about the group.

Use Run investigation to generate an investigation report. The generated report details anomalous behavior that indicates compromise. For more details about Detective investigations, see Investigating IAM resources using Detective investigations.

Profile panels within groups

Involved entities

Focuses on the entities in the finding group, including what findings within the group each entity is linked to. The tags attached to each entity are also displayed so you can quickly identify important entities based on tagging. Select an entity to view its entity profile.

Involved findings

Has details about each finding, including finding severity, each entity involved, and when that finding was first and last seen. Select a finding type in the list to open a finding details panel with additional information about that finding. As part of the Involved findings panel, you may see Informational findings based on Detective evidence from your behavior graph.

Finding group visualization

Amazon Detective provides an interactive visualization of finding groups. This visualization is designed to help you investigate issues faster and more thoroughly with less effort. The finding group Visualization panel displays the findings and entities involved in a finding group. You can use this interactive visualization to analyze, understand, and triage the impact of the finding group. This panel helps visualize the information presented in the Involved entities and Involved findings table. From the visual presentation, you can select findings or entities for further analysis.

Detective finding groups with aggregated findings are a cluster of findings that are connected to the same type of resource. With aggregated findings, you can quickly assess the makeup of a finding group and interpret security issues faster. In the finding groups details panel, similar findings are combined and you can expand the findings to view relatively similar findings together. For example, an evidence node, which has informational findings and medium findings of the same type are aggregated. Currently, you can view the title, source, type, and severity of finding groups with aggregated findings.

From this interactive panel, you can:

  • Use Run investigation to generate an investigation report. The generated report details anomalous behavior that indicates compromise. For more details about Detective investigations, see Investigating IAM resources using Detective investigations.

  • View more details on finding groups with aggregated findings to analyze the involved evidence, entities, and findings.

  • View the labels for the entities and findings to identify the affected entities with potential security issues. You can toggle off the Label.

  • Rearrange the entities and findings to better understand their interconnectedness. Isolate entities and findings from a group by moving the selected item in the finding group.

  • Select the evidences, entities, and findings to view more details about them. To select multiple items, choose command/control and either choose the items, or drag and drop them using your pointer.

  • Adjust the layout to fit all entities and findings into the finding group window. View what entity types are prevalent in a finding group.

Note

The finding group Visualization panel supports the display of finding groups with up to 100 entities and findings.

You can choose Select layout to view the findings and entities in a Circle, Force-directed, or Grid layout. The Force-directed layout positions the entities and findings so that links are a consistent length between items and the links are distributed evenly. This helps to reduce overlapping. The layout that you select defines the placement of findings in the Visualization panel.


                A visualization panel showing the interconnections between the entities and
                    findings included in a finding group. The Force-directed
                    layout positions the entities and findings so that links are a consistent length
                    between items and the links are distributed evenly.

The dynamic Legend changes based on the entities and findings in your current graph. It helps you identify what each visual element represents.