AWS Security Incident Response features
Why Security Incident Response?
AWS Security Incident Response helps you prepare for, respond to, and recover from security events faster and more effectively. The service combines automated monitoring, triage, and containment capabilities with 24/7 direct access to the AWS Customer Incident Response Team (CIRT).
Key features
Automated monitoring and triage of security findings
Security Incident Response monitors and triages security findings from Amazon GuardDuty and third-party tools such as CrowdStrike Falcon, Trend Micro Cloud One, and Fortinet Lacework FortiCNAPP through AWS Security Hub. It uses customer-specific information, such as known IP addresses and AWS Identity and Access Management (IAM) entities, to filter findings based on expected behavior, reducing alert volume while escalating those that require immediate attention.
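As an added illustration (not the service's own code or triage rules), the following Python sketch applies the kind of expected-behaviour filter described above to findings in the shape of Security Hub's ASFF: a finding whose source address and IAM principal are both on a known list is suppressed, anything else is escalated, and CRITICAL findings always escalate regardless of the allowlist. The CIDR range, account ID, principal ARNs and sample findings are all constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-ins for the "customer-specific information" the page mentions
# (RFC 5737 documentation range and a made-up account ID; not real values).
KNOWN_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_PRINCIPALS = {"arn:aws:iam::123456789012:role/ci-deploy-role"}

# Constructed findings in the shape of Security Hub's ASFF (only the fields used here).
SAMPLE_FINDINGS: List[Dict] = [
    {"Id": "f-1", "Severity": {"Label": "MEDIUM"}, "Network": {"SourceIpV4": "203.0.113.25"},
     "Resources": [{"Type": "AwsIamRole", "Id": "arn:aws:iam::123456789012:role/ci-deploy-role"}]},
    {"Id": "f-2", "Severity": {"Label": "HIGH"}, "Network": {"SourceIpV4": "198.51.100.7"},
     "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::123456789012:user/alice"}]},
    {"Id": "f-3", "Severity": {"Label": "CRITICAL"}, "Network": {"SourceIpV4": "203.0.113.25"},
     "Resources": [{"Type": "AwsIamRole", "Id": "arn:aws:iam::123456789012:role/ci-deploy-role"}]},
]

def _source_is_known(finding: Dict) -> bool:
    """True only when the finding carries a source IP inside a known range."""
    ip = finding.get("Network", {}).get("SourceIpV4")
    if not ip:
        return False  # no source address recorded: cannot vouch for it
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_CIDRS)

def _principal_is_known(finding: Dict) -> bool:
    """True when the finding names at least one IAM entity and all of them are known."""
    iam = [r["Id"] for r in finding.get("Resources", []) if r.get("Type", "").startswith("AwsIam")]
    return bool(iam) and all(r in KNOWN_PRINCIPALS for r in iam)

def triage(finding: Dict) -> str:
    """Return 'suppress' for expected behaviour, otherwise 'escalate'. CRITICAL findings
    always escalate: an allowlist is for cutting noise, never for silencing the top severity."""
    if finding.get("Severity", {}).get("Label") == "CRITICAL":
        return "escalate"
    if _source_is_known(finding) and _principal_is_known(finding):
        return "suppress"
    return "escalate"

def triage_all(findings: List[Dict]) -> Dict[str, str]:
    """Map finding Id -> decision for a batch, e.g. one Security Hub export."""
    return {f["Id"]: triage(f) for f in findings}
```

A finding with no recorded source address or no IAM resource never qualifies as expected behaviour and is escalated, which is the safe default for an allowlist-based filter.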
Adaptive auto-triage for continuous improvement
Security Incident Response evolves with your environment, incorporating new insights to improve performance over time. The service refines auto-triage rules based on your organization’s unique activity patterns, making it easier to distinguish routine operations from potential risks. As your environment grows, Security Incident Response surfaces critical events with even greater accuracy and efficacy.
Immediate notification to key stakeholders
Reduce the time needed to coordinate internal stakeholders by creating a personalized incident response team. This team receives an immediate email notification whenever a case is created through the service. Grant these team members the necessary permissions to control case access and maintain least privilege.
Automated case routing with Amazon EventBridge
With the Amazon EventBridge integration, you can automate event routing and notifications to third-party platforms, such as ServiceNow, Jira, Slack, and PagerDuty. For example, when Security Incident Response proactively creates a case, EventBridge automation can trigger systems to notify stakeholders, enabling quicker response during potential security events.
Proactive investigation and escalation
Security Incident Response proactively investigates triaged security findings that require further review. By combining AI-driven analysis with expert oversight, the service examines logs and anomalous patterns to determine if escalation is needed. If a security event is confirmed or your validation is required, the service creates a case and notifies the stakeholders you've designated as part of your incident response team. Through active engagement, the service learns your environment and expected behaviors, improving alert accuracy and ensuring rapid response to genuine security events.
AWS expert-guided response within minutes
When you need specialized expertise, the AWS CIRT responds to your case within minutes. Acting as an extension of your security operations center (SOC) team, the AWS CIRT has access to relevant log data—regardless of your log configurations—for investigations during potential security events. The AWS CIRT provides your team with clear containment or remediation steps for confirmed security events. If desired, you can authorize the AWS CIRT to perform them on your behalf.
Unified expert response across providers
When security findings from third-party tools such as CrowdStrike Falcon, Trend Micro Cloud One, and Fortinet Lacework FortiCNAPP are involved in a case, the AWS CIRT works directly with these providers, combining their expertise to create one comprehensive response. This unified approach helps ensure you benefit from specialized knowledge across providers, while the AWS CIRT manages communication and coordination, providing clear, actionable insights at every step of the response.
Automated containment actions
You can grant Security Incident Response the necessary permissions to perform supported containment actions as a response to alerts on your behalf. This capability allows for faster mitigation of security events, minimizing potential impact to your environment.