

# Cases
<a name="cases"></a>

 AWS Security Incident Response allows you to create two types of cases: AWS supported cases and self-managed cases. 

# Create an AWS supported case
<a name="create-an-aws-supported-case"></a>

 You can create an AWS supported case for AWS Security Incident Response through the Console, the API, or the AWS Command Line Interface. AWS supported cases allow you to receive support from Security Incident Response engineers. 

**Important**  
 Demo and simulation cases are closed after 90 days. 

**Note**  
 AWS Security Incident Response engineers will respond to your case within 15 minutes. Response time is for a first response from AWS Security Incident Response engineers. We will make every reasonable effort to respond to your initial request within this time frame. This response time does not apply to subsequent responses. 

**Note**  
 You can create AWS supported cases not only for active security incidents and investigations, but also for inquiries about AWS Security Incident Response capabilities. This includes questions about GuardDuty suppression rules, alert triaging configurations, proactive response workflows, and general guidance on security posture. Select the **Investigations and Inquiries** case type for these purposes. 

# When to contact AWS Security Incident Response
<a name="when-to-contact-security-ir"></a>

 You can contact AWS Security Incident Response for various purposes depending on your needs. The following table describes the different scenarios and the appropriate contact method for each. 


| Scenario | When to Use | Response Time | Case Type | 
| --- | --- | --- | --- | 
| **Active Security Incident** | You are experiencing an urgent security incident requiring immediate incident response support and services | 15 minutes (first response) | [Active Security Incident](https://docs.aws.amazon.com/security-ir/latest/userguide/create-an-aws-supported-case.html) | 
| **Investigation** | You have a perceived security incident and need support with log analysis and secondary confirmation of incident response investigation | 15 minutes (first response) | [Investigations and Inquiries](https://docs.aws.amazon.com/security-ir/latest/userguide/create-an-aws-supported-case.html) | 
| **Inquiries and Guidance** | You have questions about Amazon GuardDuty findings, suppression rules, alert triaging configurations, proactive response workflows, or general security posture related to AWS Security Incident Response capabilities | 15 minutes (first response) | [Investigations and Inquiries](https://docs.aws.amazon.com/security-ir/latest/userguide/create-an-aws-supported-case.html) | 
| **Onboarding Issues** | You are experiencing technical issues during the onboarding process for AWS Security Incident Response | Varies by support plan | [AWS Support case](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case) | 

 For all AWS-supported cases (Active Security Incident and Investigations and Inquiries), AWS Security Incident Response engineers will respond within 15 minutes for the first response. This response time applies only to the initial contact and does not apply to subsequent responses. 

 The following example covers use of the console. 

1.  Sign into AWS Security Incident Response via the AWS Management Console. 

1.  Choose **Create Case**. 

1.  Choose **Resolve case with AWS**. 

1.  Select the type of request: 

   1.  **Active Security Incident**: This type is for urgent incident response support and services. 

   1.  **Investigations and Inquiries**: Use this type for perceived security incidents where AWS Security Incident Response engineers can support in log analysis and secondary confirmation of incident response investigation. You can also use this type for inquiries about GuardDuty findings, suppression rules, alert triaging configurations, proactive response workflows, and general security posture questions related to AWS Security Incident Response capabilities. 

1.  Set the start date estimate to the date of your earliest indicator of the incident. For example, when you experienced abnormal behavior for the first time or when you received the first related security alert. 

1.  Define a title for the case. 

1. Provide a detailed description of the case. Consider the following aspects, which can help incident responders resolve the case:

   1.  What happened? 

   1.  Who discovered and reported the incident? 

   1.  Who is affected by the case? 

   1.  What is the known impact? 

   1.  What is the urgency for this case? 

   1.  Add one or multiple AWS account IDs that are in scope of the case. 

1.  Add optional case details: 

   1.  Select the main services that are impacted from the drop-down list. 

   1.  Select the main regions that are impacted from the drop-down list. 

   1.  Add one or more threat actor IP addresses that you identified as part of this case. 

1.  Add optional additional incident responders to the case that will receive notifications. To add an individual, do the following: 

   1.  Add an email address. 

   1.  Add an optional first and last name. 

   1.  Choose **Add new** to add another individual. 

   1.  To remove an individual, choose the **Remove** option for an individual. 

   1.  Choose **Add** to add all listed individuals to the case. 

      1.  You can select multiple individuals and choose **Remove** to delete them from the list. 

1.  Add optional tags to the case. To add a tag, do the following: 

   1.  Choose **Add new tag**. 

   1.  For **Key**, enter the name of the tag. 

   1.  For **Value**, enter the value of the tag. 

   1.  To remove a tag, choose the **Remove** option for that tag. 

 After an AWS supported case has been created, the AWS Security Incident Response engineers and your incident response team are notified immediately. 

**To create an AWS-supported case with AI investigation**

1. Open the AWS Security Incident Response console at [console.aws.amazon.com/](https://console.aws.amazon.com/).

1. Choose **Cases** from the navigation pane.

1. Choose **Create case**.

1. For **Case type**, select **AWS-supported case**.

1. Provide case details including title, incident start date, and affected AWS account ID.

1. In the **Describe the security event** section, provide a thorough description of the incident.

1. Provide additional information about affected AWS services, regions, and other relevant details.

1. Choose **Create case**.

 After case creation, both the Security Incident Response engineers and the AI agent begin working at the same time. 

**To respond to AI clarifying questions (optional)**

1. Navigate to the **Investigation** tab in your case.

1. Review any clarifying questions presented by the AI agent.

1. Respond to the questions or choose **Skip** if you prefer not to answer.

1. Choose **Submit** to continue. All fields are optional.

**Responsible AI disclosure**

 Investigation summaries are generated using AWS Generative AI capabilities. You are responsible for evaluating AI-generated recommendations in your specific context, implementing appropriate oversight mechanisms, verifying findings independently, and maintaining human oversight of all security decisions. 

# Create a self-managed case
<a name="create-a-self-managed-case"></a>

 You can create a self-managed case for AWS Security Incident Response through the Console, the API, or the AWS Command Line Interface. This type of case *DOES NOT* engage the AWS Security Incident Response engineers. The following example covers use of the console. 

1.  Sign into AWS Security Incident Response via the AWS Management Console at [https://console.aws.amazon.com/security-ir/](https://console.aws.amazon.com). 

1.  Choose **Create Case**. 

1.  Choose **Resolve case with my own incident response team**. 

1.  Set the start date estimate to the date of your earliest indicator of the incident. For example, when you experienced abnormal behavior for the first time or when you received the first related security alert. 

1. Define a title for the case. We recommend including in the case title the data suggested when you select the **Generate Title** option.

1.  Enter AWS account IDs that are part of the case. To add an account ID, do the following: 

   1.  Enter the 12-digit account ID and choose **Add account**. 

   1.  To remove an account, choose **Remove** next to the account you want to remove from the case. 

1.  Provide a detailed description of the case. Consider the following aspects, which can help incident responders resolve the case: 

   1.  What happened? 

   1.  Who discovered and reported the incident? 

   1.  Who is affected by the case? 

   1.  What is the known impact? 

   1.  What is the urgency for this case? 

1.  Add optional case details: 

   1.  Select the main services that are impacted from the drop-down list. 

   1.  Select the main regions that are impacted from the drop-down list. 

   1.  Add one or more threat actor IP addresses that you identified as part of this case. 

1.  Add optional additional incident responders to the case that will receive notifications. To add an individual, do the following: 

   1.  Add an email address. 

   1.  Add an optional first and last name. 

   1.  Choose **Add new** to add another individual. 

   1.  To remove an individual, choose the **Remove** option for an individual. 

   1. Choose **Add** to add all listed individuals to the case. You can select multiple individuals and choose **Remove** to delete them from the list.

1.  Add optional tags to the case. To add a tag, do the following: 

   1.  Choose **Add new tag**. 

   1.  For **Key**, enter the name of the tag. 

   1.  For **Value**, enter the value of the tag. 

   1.  To remove a tag, choose the **Remove** option for that tag. 

 The incident response team will be notified by e-mail after the case is created. 
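 Both console procedures above (AWS supported and self-managed) can also be driven through the API. The following Python is an added example, not code from the AWS documentation: it collects the same inputs the console asks for, validates them before submission, and assembles one request for either case type. The boto3 client name `security-ir`, the `create_case` parameter names, and every sample value (placeholder account ID, documentation IP range, example.com address) are assumptions of this example. 

```python
import re
import uuid
from datetime import datetime, timezone
from ipaddress import ip_address

def build_description(what, who_reported, who_affected, impact, urgency):
    """Lay the description out around the five questions the procedures list."""
    return "\n".join([f"What happened: {what}", f"Discovered and reported by: {who_reported}",
                      f"Affected: {who_affected}", f"Known impact: {impact}", f"Urgency: {urgency}"])

def build_create_case_request(title, description, start, accounts, resolver="AWS",
                              engagement="Security Incident", ips=(), watchers=(),
                              services=(), regions=(), tags=None):
    """Validate what the console collects and assemble a CreateCase request body; key names
    follow the boto3 security-ir create_case signature as this example assumes it."""
    if not accounts or any(not re.fullmatch(r"\d{12}", a) for a in accounts):
        raise ValueError("every in-scope account ID must be a 12-digit string")
    if start > datetime.now(timezone.utc):  # tz-aware; earliest indicator can't be in the future
        raise ValueError("incident start estimate cannot be in the future")
    if resolver not in ("AWS", "Self"):  # AWS supported case vs self-managed case
        raise ValueError("resolver must be 'AWS' or 'Self'")
    if engagement not in ("Security Incident", "Investigation"):
        raise ValueError("engagement must be 'Security Incident' or 'Investigation'")
    req = {
        "clientToken": str(uuid.uuid4()),  # idempotency token: a retry must not open a duplicate case
        "resolverType": resolver,
        "title": title,
        "description": description,
        "engagementType": engagement,
        "reportedIncidentStartDate": start,
        "impactedAccounts": list(accounts),
        "impactedServices": list(services),
        "impactedAwsRegions": [{"region": r} for r in regions],
        # ip_address() rejects malformed strings before they reach the API
        "threatActorIpAddresses": [{"ipAddress": str(ip_address(ip))} for ip in ips],
        "watchers": [{"email": email, "name": name} for email, name in watchers],
    }
    if tags:
        req["tags"] = dict(tags)
    return req

def sample_request():
    """Constructed demo values only: placeholder account ID, documentation IP range."""
    desc = build_description("access key used from an unfamiliar IP", "SOC on-call, via a GuardDuty finding",
                             "account 111122223333", "unknown, under assessment", "high")
    return build_create_case_request("Suspicious access key use", desc,
                                     datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc), ["111122223333"],
                                     ips=["203.0.113.7"], regions=["us-east-1"],
                                     watchers=[("ir-lead@example.com", "IR lead")], tags={"team": "sec"})
```

 To submit, pass the dictionary to the SDK as `boto3.client("security-ir").create_case(**sample_request())` (credentials and the assumed parameter names required); use `resolver="Self"` for a self-managed case. 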

# Working with AWS Security Incident Response engineers
<a name="working-with-aws-sir-engineers"></a>

 After you open a security incident case, the AWS Security Incident Response engineers begin working on your incident. This section explains what to expect during the investigation and how to collaborate effectively with our team. 

# What to expect from AWS Security Incident Response engineers
<a name="what-to-expect-from-aws-sir-engineers"></a>

 When you open an AWS supported case, a Security Incident Response engineer is assigned to your incident. Your assigned responder will: 
+ Review the initial information you provided in the case
+ Analyze relevant AWS service logs and security findings
+ Identify the scope and impact of the security incident
+ Develop an investigation and response plan tailored to your situation

 **Response timeline**: The service level objective (SLO) for acknowledgment of new cases by AWS Security Incident Response engineers is within 15 minutes. The initial assessment timeline might vary based on case severity and complexity. If AWS Security Incident Response engineers don't receive a response or critical information from you within 5 business days, the case is closed. 

# Investigation workflow
<a name="investigation-workflow"></a>

 AWS Security Incident Response engineers follow a structured incident response process aligned with the NIST 800-61r2 framework. During your investigation, you can expect the following phases: 

1.  **Initial triage** - Security Incident Response engineers review your case details and confirm the incident scope 

1.  **Investigation** - Security Incident Response engineers analyze logs, identify indicators of compromise, and determine root cause 

1.  **Containment** - Security Incident Response engineers recommend actions to limit the incident's impact 

1.  **Eradication and recovery** - Security Incident Response engineers help you remove threats and restore normal operations 

1.  **Post-incident review** - Security Incident Response engineers provide findings and recommendations to prevent future incidents 

 Throughout these phases, your Security Incident Response engineer keeps you informed through case updates and may request additional information or actions from you. 

# Information that Security Incident Response engineers may request
<a name="information-sir-engineers-may-request"></a>

 To investigate your incident effectively, AWS Security Incident Response engineers may ask you to provide: 
+  **Timeline details** - When you first detected the incident and any relevant events leading up to it 
+  **Affected resources** - Specific AWS account IDs, services, regions, and resource ARNs involved 
+  **Access information** - Details about who has access to affected resources and any recent access changes 
+  **Business context** - How the affected resources are used and the potential business impact 
+  **Logs and evidence** - Additional logs, screenshots, or artifacts that may help the investigation 
+  **Authorization** - Approval to perform specific containment or remediation actions on your behalf 

 Your Security Incident Response engineer will explain why each piece of information is needed and how it helps the investigation. 

# Communication best practices
<a name="communication-best-practices"></a>

 Effective communication accelerates incident resolution. Follow these practices when working with AWS Security Incident Response engineers: 
+  **Respond promptly** to information requests from your Security Incident Response engineer 
+  **Provide complete information** even if you're uncertain about its relevance 
+  **Ask questions** if you don't understand a recommendation or need clarification 
+  **Update the case** with any new developments or changes to the incident 
+  **Designate a primary contact** from your team to coordinate with Security Incident Response engineers 

**Important**  
 If AWS Security Incident Response engineers don't receive a response to critical information requests within 5 business days, we work toward case closure. You can reopen a case if new information becomes available. 

# Your role during the investigation
<a name="your-role-during-investigation"></a>

 While AWS Security Incident Response engineers lead the investigation, your participation is essential. You're responsible for the following actions: 
+ Providing timely responses to information requests
+ Implementing recommended containment and remediation actions in your AWS environment
+ Authorizing Security Incident Response engineers to take actions on your behalf (if you enabled proactive response)
+ Coordinating with your internal teams (security, legal, compliance) as needed
+ Making business decisions about incident response priorities and trade-offs

 AWS Security Incident Response engineers provide expertise and recommendations, but you maintain control over your AWS resources and make final decisions about response actions. 

# Case closure
<a name="case-closure"></a>

 AWS Security Incident Response engineers close your case when: 
+ The incident has been contained and remediated
+ All investigation findings have been shared with you
+ No further Security Incident Response engineer assistance is required
+ You request case closure

 Before closing a case, your Security Incident Response engineer provides a summary of findings, actions taken, and recommendations for improving your security posture. 

 If you need additional assistance after case closure, you can open a new case or contact AWS Support. 

# Responding to an AWS generated case
<a name="responding-to-an-aws-generated-case"></a>

 AWS Security Incident Response might create an outbound notification or case when you need to act on or be aware of something that potentially impacts your account or resources. This only occurs if you enabled the proactive response and alert triaging workflows as part of your subscription. 

 These notifications appear as Security Incident Response cases with the prefix "[Proactive case]" in the AWS Security Incident Response console. To view and manage these cases, complete the following steps: 
+ Open the Security Incident Response console at https://console.aws.amazon.com/security-ir/
+  Choose **Cases**. 
+  You see all cases, including those with the "[Proactive case]" prefix. 

 You can update, resolve, and reopen these cases as needed. You can communicate directly with the AWS Security Incident Response team through these cases, ensuring efficient handling of potential security issues. 