First of all, the finding perhaps was not on Amazon Detective itself but in Amazon GuardDuty. The thing about this finding is that it records a certain type of fingerprinting or 'reconnaissance' attacks performed by IP addresses already on a custom threat list you might have there. This is the type of finding that reports that those IP addresses are first trying to identify your resources and then define an attack vector and exploit it in future actions.
You might want to use the Investigate with Detective option in the GuardDuty finding's detail pane to analyze the finding further. Finally, a resource that might be of help is this recent blog post for more info on how to investigate these types of events.
These types of findings most certainly should be investigated and urgently at that. The finding (https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom) means that access keys belonging to an IAM user in your AWS account were used from a known malicious IP address. Usually, that means that some criminal has obtained access to your AWS account with all the permissions that specific IAM user has.
Criminals typically additionally look to escalate their privileges. They try to create more IAM users, IAM roles, IAM policies, or to modify resource-based policies (such as S3 bucket policies) to gain more access than the IAM user initially had. GuardDuty should detect such attempts separately, if GuardDuty is enabled in the AWS region where those attempts are made.
All that having been said, this particular finding has the .Custom suffix, meaning that the IP wasn't identified as malicious by AWS's general security intelligence but was listed on one of the custom "threat IP" lists in your GuardDuty configuration. There's a more detailed explanation in the documentation: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html
I suggest you urgently review the GuardDuty finding to see which IAM user's key it's about and which IP address the request came from. The finding should show useful general info, such as the IP's approximate geolocation and BGP ASN (autonomous system number), identifying the ISP from whose network the IP address is advertised on the public internet.
It's entirely possible that this might be a false alarm, if a potentially harmless IP has been placed on your custom threat IP list by mistake. However, if the IP address does belong to a bad actor, that would mean that at least one of your IAM access keys has been exfiltrated and is being actively used by someone on the outside, likely with malicious intent. If that is the case, you should urgently disable the access keys of the IAM user and investigate whether they were used to obtain a different kind of foothold or to steal your data.
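The review steps this answer lists (which IAM user's key, which remote IP and ASN, which custom list matched, was it a known-good address, then set the key Inactive) as an added example; this is not code from the answer or from AWS. It assumes the finding JSON has the shape GuardDuty's GetFindings returns, uses constructed identifiers (AWS's documented example key ID, a TEST-NET-2 address, an example ASN), and stands a `DryRunIamClient` in for boto3's IAM client, which exposes the same `update_access_key` call.

```python
"""Triage for a GuardDuty Recon:IAMUser/MaliciousIPCaller.Custom finding (added example, not an
AWS tool). Reads the finding JSON as GetFindings returns it; all identifiers below are constructed."""
import ipaddress

# Constructed finding: AWS's documented example key ID, a TEST-NET-2 address, an example ASN.
SAMPLE_FINDING = {
    "Type": "Recon:IAMUser/MaliciousIPCaller.Custom", "AccountId": "111122223333", "Severity": 5,
    "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "UserName": "ci-deploy", "UserType": "IAMUser"}},
    "Service": {"Count": 3, "Evidence": {"ThreatIntelligenceDetails": [{"ThreatListName": "corp-blocklist"}]},
        "Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {"Api": "ListBuckets",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.23", "Country": {"CountryName": "Exampleland"},
                                "Organization": {"Asn": "64496", "AsnOrg": "Example Transit"}}}}},
}

def triage(finding):
    """Who/where facts to review; a .Custom suffix means the IP matched *your* list, not AWS intel."""
    key = finding.get("Resource", {}).get("AccessKeyDetails", {})
    svc = finding.get("Service", {})
    ip = svc.get("Action", {}).get("AwsApiCallAction", {}).get("RemoteIpDetails", {})
    return {
        "custom_list_hit": finding["Type"].endswith(".Custom"),
        "user_name": key.get("UserName"), "access_key_id": key.get("AccessKeyId"),
        "remote_ip": ip.get("IpAddressV4"), "country": ip.get("Country", {}).get("CountryName"),
        "asn": ip.get("Organization", {}).get("Asn"), "asn_org": ip.get("Organization", {}).get("AsnOrg"),
        "threat_lists": [d.get("ThreatListName") for d in
                         svc.get("Evidence", {}).get("ThreatIntelligenceDetails", [])],
        "api_call_count": svc.get("Count"),
    }

def is_known_good(remote_ip, allowlist_cidrs):
    """False-alarm check from the answer: did one of our own egress ranges land on the custom list?"""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowlist_cidrs)

class DryRunIamClient:
    """Records the call a real boto3 IAM client would make; pass boto3.client("iam") to act for real."""
    def __init__(self):
        self.calls = []
    def update_access_key(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

def disable_key(iam_client, summary):
    """Containment step from the answer: Inactive is reversible, so prefer it over deletion."""
    return iam_client.update_access_key(UserName=summary["user_name"],
                                        AccessKeyId=summary["access_key_id"], Status="Inactive")

if __name__ == "__main__":
    summary = triage(SAMPLE_FINDING)
    print(summary, "known-good egress:", is_known_good(summary["remote_ip"], ["203.0.113.0/24"]))
```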