Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.4. Phase 2 Reflection Checkpoint

Key Takeaways:
  1. Detection requires three layers: monitoring (real-time awareness), logging (evidence), and troubleshooting (maintaining coverage)
  2. Security Hub aggregates findings (ASFF); Security Lake aggregates raw logs (OCSF) — they're complementary
  3. GuardDuty detects, EventBridge routes, Lambda/Step Functions remediate — know the detection-to-response chain
  4. Most logging failures are caused by missing IAM permissions, disabled features, or network connectivity issues
  5. Always pair remediation with prevention (Config rules, SCPs, automation)

Connecting Forward: In Phase 3, you'll apply detection knowledge to Incident Response — designing response plans, capturing forensic evidence, and automating containment for the threats that your detection systems identify.

Self-Check Questions:
  • Can you explain the difference between Security Hub (ASFF) and Security Lake (OCSF)?
  • Can you trace the flow from a GuardDuty finding through EventBridge to an automated remediation?
  • Can you list three common reasons why Lambda functions might not have CloudWatch logs?
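Takeaway 3 and the second self-check question concern the GuardDuty -> EventBridge -> Lambda chain. The block below is an added example, not course material: an EventBridge event pattern for high-severity GuardDuty findings, a small matcher implementing the subset of EventBridge pattern semantics that rule uses, and a Lambda-style handler that plans (but does not execute) the containment step. The sample event, finding id and instance id are constructed values, and the field names follow the GuardDuty finding JSON shape.

```python
# Added example (not course code): a stand-alone model of the GuardDuty ->
# EventBridge -> Lambda chain with constructed sample data and no AWS calls.

# EventBridge rule pattern: GuardDuty findings of severity 7 (High) or above.
HIGH_SEVERITY_RULE = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
                      "detail": {"severity": [{"numeric": [">=", 7]}]}}

NUMERIC_OPS = {">=": lambda v, n: v >= n, ">": lambda v, n: v > n,
               "<=": lambda v, n: v <= n, "<": lambda v, n: v < n}

def matches(pattern, event):
    """EventBridge matching subset: each pattern key must exist in the event;
    a list is an OR of alternatives, a dict recurses, {"numeric": [op, n]} compares."""
    for key, alts in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(alts, dict):
            if not (isinstance(value, dict) and matches(alts, value)):
                return False
        elif not any(NUMERIC_OPS[a["numeric"][0]](value, a["numeric"][1])
                     if isinstance(a, dict) else value == a for a in alts):
            return False
    return True

def plan_remediation(event):
    """Lambda logic: choose the containment step from the finding's resource."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    plan = {"finding_id": detail["id"], "type": detail["type"], "severity": detail["severity"]}
    if resource.get("resourceType") == "Instance":  # the boto3 call (quarantine SG) would go here
        plan.update(step="isolate-instance", target=resource["instanceDetails"]["instanceId"])
    elif resource.get("resourceType") == "AccessKey":  # compromised IAM credentials
        plan.update(step="disable-access-key", target=resource["accessKeyDetails"]["accessKeyId"])
    else:
        plan.update(step="notify-only", target=None)
    return plan

def handler(event, context=None):
    """Lambda entry point; re-checks the rule so it stays safe if wired to a broader rule."""
    if not matches(HIGH_SEVERITY_RULE, event):
        return {"step": "ignored"}
    return plan_remediation(event)

# Constructed sample event in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "EXAMPLE-FINDING-ID", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "severity": 8, "resource": {"resourceType": "Instance",
               "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
```

Tracing `handler(SAMPLE_EVENT)` gives the step the Lambda would take for a high-severity EC2 finding; lowering the severity in the sample shows the rule filtering it out before any remediation is planned.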
Written by Alvin Varughese (Founder, 15 professional certifications)