Analyzing Entities and Time Windows
Examine accounts, IPs, and instances across a span of activity.
Entities and Time Together
Effective investigation combines two questions: which entities were involved, and over what period did they behave oddly? Detective is built around both. Mastering how it presents entities and time windows lets you read a graph quickly and confidently.
What Counts as an Entity
In Detective, an entity is anything the graph tracks: an IAM user or role, an EC2 instance, an AWS account, an IP address, a user agent, or a finding itself. Each has a profile page summarizing how it behaved and what it connected to.