GetCase - AWS Security Incident Response

GetCase

Returns the attributes of a case.

Request Syntax

GET /v1/cases/caseId/get-case HTTP/1.1

URI Request Parameters

The request uses the following URI parameters.

caseId

Required element for GetCase to identify the requested case ID.

Length Constraints: Minimum length of 10. Maximum length of 32.

Pattern: \d{10,32}.*

Required: Yes

Request Body

The request does not have a request body.

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "actualIncidentStartDate": number,
   "caseArn": "string",
   "caseAttachments": [
      {
         "attachmentId": "string",
         "attachmentStatus": "string",
         "createdDate": number,
         "creator": "string",
         "fileName": "string"
      }
   ],
   "caseStatus": "string",
   "closedDate": number,
   "closureCode": "string",
   "createdDate": number,
   "description": "string",
   "engagementType": "string",
   "impactedAccounts": [ "string" ],
   "impactedAwsRegions": [
      {
         "region": "string"
      }
   ],
   "impactedServices": [ "string" ],
   "lastUpdatedDate": number,
   "pendingAction": "string",
   "reportedIncidentStartDate": number,
   "resolverType": "string",
   "threatActorIpAddresses": [
      {
         "ipAddress": "string",
         "userAgent": "string"
      }
   ],
   "title": "string",
   "watchers": [
      {
         "email": "string",
         "jobTitle": "string",
         "name": "string"
      }
   ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

actualIncidentStartDate

Response element for GetCase that provides the actual incident start date as identified by data analysis during the investigation.

Type: Timestamp

caseArn

Response element for GetCase that provides the case ARN.

Type: String

Length Constraints: Minimum length of 12. Maximum length of 80.

Pattern: arn:aws:security-ir:\w+?-\w+?-\d+:[0-9]{12}:case/[0-9]{10}

caseAttachments

Response element for GetCase that provides a list of current case attachments.

Type: Array of CaseAttachmentAttributes objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

caseStatus

Response element for GetCase that provides the case status. Options for statuses include Submitted | Detection and Analysis | Eradication, Containment and Recovery | Post-Incident Activities | Closed

Type: String

Valid Values: Submitted | Acknowledged | Detection and Analysis | Containment, Eradication and Recovery | Post-incident Activities | Ready to Close | Closed

closedDate

Response element for GetCase that provides the date a specified case was closed.

Type: Timestamp

closureCode

Response element for GetCase that provides the summary code for why a case was closed.

Type: String

Valid Values: Investigation Completed | Not Resolved | False Positive | Duplicate

createdDate

Response element for GetCase that provides the date the case was created.

Type: Timestamp

description

Response element for GetCase that provides contents of the case description.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 8000.

engagementType

Response element for GetCase that provides the engagement type. Options for engagement type include Active Security Event | Investigations

Type: String

Valid Values: Security Incident | Investigation

impactedAccounts

Response element for GetCase that provides a list of impacted accounts.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 200 items.

Length Constraints: Fixed length of 12.

Pattern: [0-9]{12}

impactedAwsRegions

Response element for GetCase that provides the impacted regions.

Type: Array of ImpactedAwsRegion objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

impactedServices

Response element for GetCase that provides a list of impacted services.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 600 items.

Length Constraints: Minimum length of 3. Maximum length of 50.

Pattern: [a-zA-Z0-9 -.():]+

lastUpdatedDate

Response element for GetCase that provides the date a case was last modified.

Type: Timestamp

pendingAction

Response element for GetCase that identifies whether the case is waiting on customer input.

Type: String

Valid Values: Customer | None

reportedIncidentStartDate

Response element for GetCase that provides the customer-provided incident start date.

Type: Timestamp

resolverType

Response element for GetCase that provides the current resolver types.

Type: String

Valid Values: AWS | Self

threatActorIpAddresses

Response element for GetCase that provides a list of suspicious IP addresses associated with unauthorized activity.

Type: Array of ThreatActorIp objects

Array Members: Minimum number of 0 items. Maximum number of 200 items.

title

Response element for GetCase that provides the case title.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 300.

watchers

Response element for GetCase that provides a list of Watchers added to the case.

Type: Array of Watcher objects

Array Members: Minimum number of 0 items. Maximum number of 30 items.
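
Added example (not part of the AWS documentation or of any AWS SDK): client-side checks of the caseId and of a GetCase response body against the constraints listed above. The function names, the sample response and the treatment of ipAddress as an IP literal are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import quote

# Patterns and values copied from the constraints documented on this page.
CASE_ID_RE = re.compile(r"\d{10,32}.*")
CASE_ARN_RE = re.compile(r"arn:aws:security-ir:\w+?-\w+?-\d+:[0-9]{12}:case/[0-9]{10}")
ACCOUNT_RE = re.compile(r"[0-9]{12}")
CASE_STATUSES = {  # from the "Valid Values" line of caseStatus
    "Submitted", "Acknowledged", "Detection and Analysis",
    "Containment, Eradication and Recovery", "Post-incident Activities",
    "Ready to Close", "Closed",
}

def get_case_path(case_id: str) -> str:
    """Build the GetCase request path after enforcing the caseId constraints."""
    if not 10 <= len(case_id) <= 32 or not CASE_ID_RE.fullmatch(case_id):
        raise ValueError("caseId violates the documented length or pattern")
    # The pattern's trailing .* admits "/" and similar, so percent-encode the value.
    return f"/v1/cases/{quote(case_id, safe='')}/get-case"

def check_case(case: dict) -> list:
    """Return the names of fields that violate the documented constraints."""
    problems = []
    arn = case.get("caseArn", "")
    if not 12 <= len(arn) <= 80 or not CASE_ARN_RE.fullmatch(arn):
        problems.append("caseArn")
    if case.get("caseStatus") not in CASE_STATUSES:
        problems.append("caseStatus")
    if not all(ACCOUNT_RE.fullmatch(a) for a in case.get("impactedAccounts", [])):
        problems.append("impactedAccounts")
    for entry in case.get("threatActorIpAddresses", []):
        try:  # assumption: ipAddress holds an IPv4 or IPv6 literal
            ipaddress.ip_address(entry.get("ipAddress", ""))
        except ValueError:
            problems.append("threatActorIpAddresses")
            break
    return problems

# Constructed sample response body (not real case data).
SAMPLE_CASE = {
    "caseArn": "arn:aws:security-ir:us-east-1:123456789012:case/1234567890",
    "caseStatus": "Detection and Analysis",
    "impactedAccounts": ["123456789012", "12345"],
    "threatActorIpAddresses": [{"ipAddress": "203.0.113.7", "userAgent": "constructed"}],
}

if __name__ == "__main__":
    print(get_case_path("1234567890"), check_case(SAMPLE_CASE))
```

The status check uses the Valid Values list, so a value spelled as in the caseStatus description text ("Eradication, Containment and Recovery") is reported as a violation.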

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

HTTP Status Code: 403

ConflictException

HTTP Status Code: 409

InternalServerException

HTTP Status Code: 500

InvalidTokenException

HTTP Status Code: 423

ResourceNotFoundException

HTTP Status Code: 404

SecurityIncidentResponseNotActiveException

HTTP Status Code: 400

ServiceQuotaExceededException

HTTP Status Code: 402

ThrottlingException

HTTP Status Code: 429

ValidationException

HTTP Status Code: 400
