CreateCase - AWS Security Incident Response

CreateCase

Creates a new case.

Request Syntax

POST /v1/create-case HTTP/1.1
Content-type: application/json

{
   "clientToken": "string",
   "description": "string",
   "engagementType": "string",
   "impactedAccounts": [ "string" ],
   "impactedAwsRegions": [
      {
         "region": "string"
      }
   ],
   "impactedServices": [ "string" ],
   "reportedIncidentStartDate": number,
   "resolverType": "string",
   "tags": {
      "string" : "string"
   },
   "threatActorIpAddresses": [
      {
         "ipAddress": "string",
         "userAgent": "string"
      }
   ],
   "title": "string",
   "watchers": [
      {
         "email": "string",
         "jobTitle": "string",
         "name": "string"
      }
   ]
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

clientToken
Note

The clientToken field is an idempotency key: when a single action is retried with the same token, the server ignores the repeated attempts. Provide a caller-supplied unique ID (typically a UUID).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 255.

Required: No

description

Required element used in combination with CreateCase to provide a description for the new case.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 8000.

Required: Yes

engagementType

Required element used in combination with CreateCase to provide an engagement type for the new case. Available engagement types include Security Incident | Investigation.

Type: String

Valid Values: Security Incident | Investigation

Required: Yes

impactedAccounts

Required element used in combination with CreateCase to provide a list of impacted accounts.

Note

AWS account IDs may appear with fewer than 12 characters and need to be zero-prepended. An example would be 123123123, which is nine digits, and with zero-prepend would be 000123123123. Not zero-prepending to 12 digits could result in errors.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 200 items.

Length Constraints: Fixed length of 12.

Pattern: [0-9]{12}

Required: Yes

impactedAwsRegions

An optional element used in combination with CreateCase to provide a list of impacted regions.

Type: Array of ImpactedAwsRegion objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

Required: No

impactedServices

An optional element used in combination with CreateCase to provide a list of services impacted.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 600 items.

Length Constraints: Minimum length of 3. Maximum length of 50.

Pattern: [a-zA-Z0-9 -.():]+

Required: No

reportedIncidentStartDate

Required element used in combination with CreateCase to provide an initial start date for the unauthorized activity.

Type: Timestamp

Required: Yes

resolverType

Required element used in combination with CreateCase to identify the resolver type.

Type: String

Valid Values: AWS | Self

Required: Yes

tags

An optional element used in combination with CreateCase to add customer specified tags to a case.

Type: String to string map

Map Entries: Minimum number of 0 items. Maximum number of 200 items.

Key Length Constraints: Minimum length of 1. Maximum length of 128.

Value Length Constraints: Minimum length of 0. Maximum length of 256.

Required: No

threatActorIpAddresses

An optional element used in combination with CreateCase to provide a list of suspicious internet protocol addresses associated with unauthorized activity.

Type: Array of ThreatActorIp objects

Array Members: Minimum number of 0 items. Maximum number of 200 items.

Required: No

title

Required element used in combination with CreateCase to provide a title for the new case.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 300.

Required: Yes

watchers

Required element used in combination with CreateCase to provide a list of entities to receive notifications for case updates.

Type: Array of Watcher objects

Array Members: Minimum number of 0 items. Maximum number of 30 items.

Required: Yes
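
A request-body builder that enforces the limits listed above before anything is sent, including the zero-prepend rule for account IDs. This is an added example, not AWS code: the function names are hypothetical, and sending reportedIncidentStartDate as epoch seconds is an assumption based on the "number" type shown in the request syntax.

```python
import re
import uuid

ENGAGEMENT_TYPES = {"Security Incident", "Investigation"}
RESOLVER_TYPES = {"AWS", "Self"}
SERVICE_RE = re.compile(r"[a-zA-Z0-9 -.():]+")  # pattern copied from this page

def normalize_account_id(value):
    """Zero-prepend an account ID to the fixed 12-digit form, or raise."""
    text = str(value).strip()
    if not re.fullmatch(r"[0-9]{1,12}", text):
        raise ValueError(f"not an AWS account ID: {value!r}")
    return text.zfill(12)

def check(ok, message):
    if not ok:
        raise ValueError(message)

def build_create_case_body(title, description, engagement_type, resolver_type,
                           accounts, incident_start, watchers,
                           services=(), client_token=None):
    """Validate against the documented limits and return the request body."""
    check(1 <= len(title) <= 300, "title must be 1-300 characters")
    check(1 <= len(description) <= 8000, "description must be 1-8000 characters")
    check(engagement_type in ENGAGEMENT_TYPES, "invalid engagementType")
    check(resolver_type in RESOLVER_TYPES, "invalid resolverType")
    check(len(accounts) <= 200, "at most 200 impactedAccounts")
    check(len(watchers) <= 30, "at most 30 watchers")
    check(len(services) <= 600, "at most 600 impactedServices")
    for name in services:
        check(3 <= len(name) <= 50 and SERVICE_RE.fullmatch(name) is not None,
              f"invalid impactedServices entry: {name!r}")
    check(incident_start.tzinfo is not None, "incident_start must be timezone-aware")
    token = client_token or str(uuid.uuid4())  # idempotency key; reuse on retry
    check(len(token) <= 255, "clientToken must be 1-255 characters")
    return {
        "clientToken": token,
        "title": title,
        "description": description,
        "engagementType": engagement_type,
        "resolverType": resolver_type,
        "impactedAccounts": [normalize_account_id(a) for a in accounts],
        "impactedServices": list(services),
        # Assumption: the Timestamp is sent as epoch seconds (a JSON number).
        "reportedIncidentStartDate": int(incident_start.timestamp()),
        "watchers": list(watchers),
    }
```

Generate the clientToken once per case and pass the same value on every retry, so a retried request is not treated as a new case.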

Response Syntax

HTTP/1.1 201
Content-type: application/json

{
   "caseId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 201 response.

The following data is returned in JSON format by the service.

caseId

A response element providing responses for requests to CreateCase. This element responds with the case ID.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 32.

Pattern: \d{10,32}.*

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

HTTP Status Code: 403

ConflictException

HTTP Status Code: 409

InternalServerException

HTTP Status Code: 500

InvalidTokenException

HTTP Status Code: 423

ResourceNotFoundException

HTTP Status Code: 404

SecurityIncidentResponseNotActiveException

HTTP Status Code: 400

ServiceQuotaExceededException

HTTP Status Code: 402

ThrottlingException

HTTP Status Code: 429

ValidationException

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: