> ## Documentation Index > Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt > Use this file to discover all available pages before exploring further. # SIR Create Case Create a new security incident response case. External Documentation To learn more, visit the [AWS documentation](https://docs.aws.amazon.com/security-ir/latest/APIReference/API_CreateCase.html). ## Basic Parameters
| Parameter | Description | | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | AWS Region(s) | A comma-separated list of AWS region(s) where this action will be executed.

For example, to execute in US East and Europe, enter `us-east-1,eu-west-1`.

Alternatively, you can use the asterisk symbol `*` to run the action in all available AWS Regions. | | Client Token | A unique identifier (typically a UUID) to ensure request idempotency, preventing duplicate case creation if a request is retried. | | Description | A detailed description for the case. | | Engagement Type | The type of engagement for the case. | | Impacted AWS Regions | A list of AWS regions objects impacted by the security incident. Each entry should specify a `region` identifier (e.g., `us-east-1`).

For example:
\[
  \{
    "region": "us-east-1"
  },
  \{
    "region": "eu-south-1"
  }
]
For more information about `Impacted AWS Regions`, refer to [AWS Security Incident Response API documentation](https://docs.aws.amazon.com/security-ir/latest/APIReference/API_ImpactedAwsRegion.html). | | Impacted Accounts | A comma-separated list of accounts impacted by the incident.

**Note**: AWS account IDs must always be exactly 12 digits. IDs with fewer than 12 digits must be zero-padded at the beginning. For example, account ID `123123123` (9 digits) should be formatted as `000123123123`. | | Impacted Services | A comma-separated list of services impacted by the security incident. | | Reported Incident Start Date | The initial start date of the unauthorized activity. | | Resolver Type | The entity responsible for resolving the case. | | Threat Actor IP Addresses | A list of suspicious IP addresses associated with unauthorized activity. Each entry must include `ipAddress`.

For example:
\[
  \{
    "ipAddress": "192.0.2.1",
    "userAgent": "Mozilla/5.0"
  }
]
| | Title | The title of the case. | | Watchers | A list of individuals who will receive notifications about case updates. Each entry must include `email` address.

For example:
\[
  \{
    "name": "John Doe",
    "email": "[john.doe@example.com](mailto:john.doe@example.com)",
    "jobTitle": "Security Engineer"
  }
]
**Note**: The maximum number of watchers is 30. |
## Advanced Parameters
| Parameter | Description | | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Tags | A list of key-value pairs of tags to apply to the case.

For example:
\{
  "Department": "Security",
  "Priority": "High"
}
|
## Example Output ```json theme={"dark"} { "caseId": "1234567890" } ``` ## Workflow Library Example [Sir Create Case with Aws and Send Results Via Email](https://library.blinkops.com/workflows/sir-create-case-with-aws-and-send-results-via-email)
Workflow Library Preview this Workflow on desktop