CASE 103 · PLUME · 2024
Threat-hunting that the SOC can actually finish before their shift ends.
An online gaming company’s SOC was investigating GuardDuty findings by hand: pulling CloudTrail, VPC Flow Logs, and DNS data into Athena queries and assembling the picture manually. A medium-severity investigation took about two hours. We rolled out Amazon Detective, whose behavior graph pre-computes the relationships between the principals, IP addresses, and resources a finding touches.
Online gaming
SECURITY
2024
RESULTS
What changed, by the numbers.
INVESTIGATION TIME
2h → 18m
FALSE-POSITIVE TRIAGE
< 5m
FINDINGS CLOSED / SHIFT
4×
INVESTIGATION COVERAGE
100%
HOW IT WENT
The SOC had been doing good work, but the work was slow. Assembling the picture for a single GuardDuty finding meant Athena queries against three datasets, cross-referencing IPs, and building a timeline by hand. Analysts were closing about four findings per shift, and roughly 40% of findings were never investigated at all.
Detective ingests CloudTrail management events, VPC Flow Logs, and GuardDuty findings and pre-computes a behavior graph over them; note that it requires GuardDuty to have been enabled in the account for at least 48 hours before it can be turned on. Opening a finding now opens that graph with the relevant resources, principals, and timeframe already laid out. The existing Athena queries stay in place for the deep dives the graph does not answer.
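To make concrete what the analysts were doing by hand, and what Detective now pre-computes, here is an added example (not code from the engagement, from the SOC, or from AWS) that builds the investigation timeline for one GuardDuty finding by pivoting through CloudTrail and VPC Flow Logs: first the remote IP and principal from the finding, then the instance behind the credentials, then the traffic those hosts exchanged. Every record, principal ID, timestamp and the VPC CIDR is constructed (RFC 5737 test addresses), so it runs offline on the embedded sample data.

```python
"""Hand-built GuardDuty investigation: the pivots an analyst was running as
Athena queries before Detective's behavior graph laid them out automatically.
Added example, not code from the engagement or from AWS. Every record,
principal ID, timestamp and the VPC CIDR is constructed (RFC 5737 addresses)."""
from datetime import datetime, timedelta, timezone
import ipaddress

def parse_ts(s: str) -> datetime:
    """Parse the YYYY-MM-DDTHH:MM:SSZ form GuardDuty and CloudTrail emit."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# ---- constructed sample data (invented values) -----------------------------
FINDING = {  # the fields of a GuardDuty finding used for the pivot
    "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "principal_id": "AROAEXAMPLEID:i-0a1b2c3d",
    "remote_ip": "203.0.113.45",
    "first_seen": "2024-05-01T10:04:00Z",
    "last_seen": "2024-05-01T10:21:00Z",
}
# flattened CloudTrail events: (eventTime, eventName, sourceIPAddress, principalId, errorCode)
CLOUDTRAIL = [
    ("2024-05-01T09:58:11Z", "GetCallerIdentity", "203.0.113.45", "AROAEXAMPLEID:i-0a1b2c3d", None),
    ("2024-05-01T10:04:32Z", "ListBuckets",       "203.0.113.45", "AROAEXAMPLEID:i-0a1b2c3d", None),
    ("2024-05-01T10:05:10Z", "GetObject",         "203.0.113.45", "AROAEXAMPLEID:i-0a1b2c3d", "AccessDenied"),
    ("2024-05-01T10:07:45Z", "DescribeInstances", "10.0.12.7",    "AROAEXAMPLEID:i-0a1b2c3d", None),
    ("2024-05-01T10:30:00Z", "AssumeRole",        "198.51.100.9", "AIDAOTHERUSER",            None),
]
# VPC Flow Log records: (start, srcaddr, dstaddr, dstport, bytes, action)
VPC_FLOW = [
    ("2024-05-01T09:55:00Z", "10.0.12.7",    "203.0.113.45", 443,  84210, "ACCEPT"),
    ("2024-05-01T10:03:00Z", "203.0.113.45", "10.0.12.7",    22,   1200,  "REJECT"),
    ("2024-05-01T10:06:00Z", "10.0.12.7",    "10.0.40.3",    5432, 31000, "ACCEPT"),
    ("2024-05-01T11:40:00Z", "192.0.2.88",   "10.0.12.7",    443,  900,   "ACCEPT"),
]
VPC_CIDRS = ["10.0.0.0/16"]  # assumed VPC range; anything inside it is one of our hosts

def in_vpc(ip: str, cidrs=VPC_CIDRS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def build_timeline(finding, cloudtrail, vpc_flow, pad_minutes=15):
    """Three pivots, in the order an analyst runs them:
    1. CloudTrail events inside the padded finding window that share the
       finding's remote IP or principal.
    2. The in-VPC source addresses of those events (the instance whose
       credentials were used).
    3. Flow records in the window touching the remote IP or those instances.
    Returns the merged records sorted by time."""
    start = parse_ts(finding["first_seen"]) - timedelta(minutes=pad_minutes)
    end = parse_ts(finding["last_seen"]) + timedelta(minutes=pad_minutes)
    remote, principal = finding["remote_ip"], finding["principal_id"]
    timeline, instance_ips = [], set()

    for ts, name, src, pid, err in cloudtrail:
        t = parse_ts(ts)
        if not start <= t <= end:
            continue
        pivots = [p for p, hit in (("ip", src == remote), ("principal", pid == principal)) if hit]
        if not pivots:  # in the window but unrelated to this finding
            continue
        if in_vpc(src):
            instance_ips.add(src)
        timeline.append({"time": t, "source": "cloudtrail", "pivot": "+".join(pivots),
                         "event": name, "src": src, "error": err})

    for ts, src, dst, port, nbytes, action in vpc_flow:
        t = parse_ts(ts)
        if not start <= t <= end:
            continue
        if remote in (src, dst):
            pivot = "ip"
        elif src in instance_ips or dst in instance_ips:
            pivot = "instance"
        else:
            continue
        timeline.append({"time": t, "source": "vpcflow", "pivot": pivot, "src": src,
                         "dst": dst, "port": port, "bytes": nbytes, "action": action})

    timeline.sort(key=lambda e: e["time"])
    return timeline

def summarize(finding, timeline):
    """The handful of numbers that decide true positive vs. false positive."""
    remote = finding["remote_ip"]
    s = {"api_calls_from_remote_ip": 0, "denied_api_calls": 0,
         "bytes_out_to_remote_ip": 0, "rejected_inbound_from_remote_ip": 0}
    for e in timeline:
        if e["source"] == "cloudtrail":
            s["api_calls_from_remote_ip"] += int(e["src"] == remote)
            s["denied_api_calls"] += int(e["error"] is not None)
        elif e["dst"] == remote and e["action"] == "ACCEPT":
            s["bytes_out_to_remote_ip"] += e["bytes"]
        elif e["src"] == remote and e["action"] == "REJECT":
            s["rejected_inbound_from_remote_ip"] += 1
    return s

if __name__ == "__main__":
    tl = build_timeline(FINDING, CLOUDTRAIL, VPC_FLOW)
    for e in tl:
        print(e["time"].strftime("%H:%M:%S"), e["source"], e["pivot"], e)
    print(summarize(FINDING, tl))
```

The second pivot is the part that made the manual version slow: the instance's private address only becomes known after the CloudTrail query returns, so the flow-log query could not be written until then. In the sample data it is what surfaces the 10:06 connection to the database host, which neither the finding's remote IP nor the principal would have matched on its own.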
Median investigation time dropped from two hours to eighteen minutes. False-positive triage now takes under five minutes most of the time. Per-analyst throughput went up 4x, and the backlog of roughly 40% uninvestigated findings disappeared: every finding now gets at least a quick look.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.