Actions
SIR Update Case
Update an existing Security Incident Response case.
External Documentation
To learn more, visit the AWS documentation.
Parameters
| Parameter | Description |
|---|---|
| AWS Region(s) | A comma-separated list of AWS region(s) where this action will be executed. For example, to execute in US East and Europe, enter us-east-1,eu-west-1.Alternatively, you can use the asterisk symbol * to run the action in all available AWS Regions. |
| Actual Incident Start Date | The actual incident start date. |
| Case ID | The ID of the case to update. |
| Description | A detailed description for the case. |
| Engagement Type | The type of engagement for the case. |
| Impacted Accounts To Add | A comma-separated list of accounts to add as impacted by the case. Note : AWS account IDs must always be exactly 12 digits. IDs with fewer than 12 digits must be zero-padded at the beginning. For example, account ID 123123123 (9 digits) should be formatted as 000123123123. |
| Impacted Accounts To Delete | A comma-separated list of accounts to remove from impacted accounts. Note : AWS account IDs must always be exactly 12 digits. IDs with fewer than 12 digits must be zero-padded at the beginning. For example, account ID 123123123 (9 digits) should be formatted as 000123123123. Incorrect formatting will result in API errors. |
| Impacted Aws Regions To Add | A list of AWS regions to add as impacted by the security incident. Each entry should specify a region identifier (e.g., “us-east-1”).For example: [ { "region": "us-east-1" }, { "region": "eu-south-1" }]For more information about Impacted AWS Regions, refer to AWS Security Incident Response API documentation. |
| Impacted Aws Regions To Delete | A list of AWS regions to remove from impacted regions. Each entry should specify a region identifier (e.g., “us-east-1”).For example: [ { "region": "us-east-1" }, { "region": "eu-south-1" }]Note: Removing all regions is not allowed - at least one region must remain for each case. For more information about Impacted AWS Regions, refer to AWS Security Incident Response API documentation. |
| Impacted Services To Add | A comma-separated list of services to add as impacted by the security incident. |
| Impacted Services To Delete | A comma-separated list of services to remove from impacted by the security incident. |
| Reported Incident Start Date | The initial start date of the unauthorized activity. |
| Threat Actor IP Addresses To Add | A list of suspicious IP addresses to add as associated with unauthorized activity. Each entry must include ipAddress.For example: [ { "ipAddress": "192.0.2.1", "userAgent": "Mozilla/5.0" }] |
| Threat Actor IP Addresses To Delete | A list of suspicious IP addresses to remove from associated with unauthorized activity. Each entry must include ipAddress.For example: [ { "ipAddress": "192.0.2.1", "userAgent": "Mozilla/5.0" }] |
| Title | The title of the case. |
| Watchers To Add | A list of individuals to add as watchers to the case. Each entry must include email address.For example: [ { "name": "John Doe", "email": "john.doe@example.com", "jobTitle": "Security Engineer" }]Note: The maximum number of watchers is 30. |
| Watchers To Delete | A list of individuals to remove from watchers to the case. Each entry must include email address.For example: [ { "name": "John Doe", "email": "john.doe@example.com", "jobTitle": "Security Engineer" }] |
Example Output
Workflow Library Example
Sir Update Case with Aws and Send Results Via Email
Preview this Workflow on desktop