SIR Update Case
Update an existing Security Incident Response case.
External Documentation
To learn more, visit the AWS documentation.
Parameters
Parameter | Description |
---|---|
AWS Region(s) | A comma-separated list of AWS region(s) where this action will be executed. For example, to execute in US East and Europe, enter `us-east-1,eu-west-1`. Alternatively, you can use the asterisk symbol `*` to run the action in all available AWS Regions. |
Actual Incident Start Date | The actual incident start date. |
Case ID | The ID of the case to update. |
Description | A detailed description for the case. |
Engagement Type | The type of engagement for the case. |
Impacted Accounts To Add | A comma-separated list of accounts to add as impacted by the case. Note: AWS account IDs must always be exactly 12 digits. IDs with fewer than 12 digits must be zero-padded at the beginning. For example, account ID `123123123` (9 digits) should be formatted as `000123123123`. |
Impacted Accounts To Delete | A comma-separated list of accounts to remove from impacted accounts. Note: AWS account IDs must always be exactly 12 digits. IDs with fewer than 12 digits must be zero-padded at the beginning. For example, account ID `123123123` (9 digits) should be formatted as `000123123123`. Incorrect formatting will result in API errors. |
Impacted Aws Regions To Add | A list of AWS regions to add as impacted by the security incident. Each entry should specify a region identifier (e.g., “us-east-1”). For example: `[ { "region": "us-east-1" }, { "region": "eu-south-1" } ]` For more information about Impacted AWS Regions, refer to AWS Security Incident Response API documentation. |
Impacted Aws Regions To Delete | A list of AWS regions to remove from impacted regions. Each entry should specify a region identifier (e.g., “us-east-1”). For example: `[ { "region": "us-east-1" }, { "region": "eu-south-1" } ]` Note: Removing all regions is not allowed; at least one region must remain for each case. For more information about Impacted AWS Regions, refer to AWS Security Incident Response API documentation. |
Impacted Services To Add | A comma-separated list of services to add as impacted by the security incident. |
Impacted Services To Delete | A comma-separated list of services to remove from those impacted by the security incident. |
Reported Incident Start Date | The initial start date of the unauthorized activity. |
Threat Actor IP Addresses To Add | A list of suspicious IP addresses to add as associated with unauthorized activity. Each entry must include `ipAddress`. For example: `[ { "ipAddress": "192.0.2.1", "userAgent": "Mozilla/5.0" } ]` |
Threat Actor IP Addresses To Delete | A list of suspicious IP addresses to remove from those associated with unauthorized activity. Each entry must include `ipAddress`. For example: `[ { "ipAddress": "192.0.2.1", "userAgent": "Mozilla/5.0" } ]` |
Title | The title of the case. |
Watchers To Add | A list of individuals to add as watchers to the case. Each entry must include an email address. For example: `[ { "name": "John Doe", "email": "john.doe@example.com", "jobTitle": "Security Engineer" } ]` Note: The maximum number of watchers is 30. |
Watchers To Delete | A list of individuals to remove from the case's watchers. Each entry must include an email address. For example: `[ { "name": "John Doe", "email": "john.doe@example.com", "jobTitle": "Security Engineer" } ]` |
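
The constraints noted in the table above can be checked before the action runs, so a malformed value fails in the workflow instead of as an API error. This is an added example, not part of the original page or of the AWS API; the function names are hypothetical, the current regions and watcher count are assumed to be supplied by the caller, and the 30-watcher limit is assumed to apply to the case as a whole.

```python
import ipaddress
import re

MAX_WATCHERS = 30  # limit stated in the "Watchers To Add" note


def normalize_account_ids(csv_value):
    """Zero-pad each ID in a comma-separated list to exactly 12 digits."""
    ids = []
    for raw in (part.strip() for part in csv_value.split(",")):
        if not re.fullmatch(r"[0-9]{1,12}", raw):
            raise ValueError(f"not an AWS account ID: {raw!r}")
        ids.append(raw.zfill(12))
    return ",".join(ids)


def check_threat_actor_ips(entries):
    """Every entry needs an ipAddress that parses; userAgent is left as given."""
    for entry in entries:
        if "ipAddress" not in entry:
            raise ValueError(f"entry without ipAddress: {entry!r}")
        ipaddress.ip_address(entry["ipAddress"])  # ValueError if malformed
    return entries


def check_watchers(to_add, current_count=0):
    """Every watcher needs an email; assumed: the limit of 30 is per case."""
    for watcher in to_add:
        if "@" not in watcher.get("email", ""):
            raise ValueError(f"watcher without email: {watcher!r}")
    if current_count + len(to_add) > MAX_WATCHERS:
        raise ValueError(f"case would exceed {MAX_WATCHERS} watchers")
    return to_add


def check_region_removal(current_regions, to_delete):
    """Reject a delete list that would leave the case with no region."""
    remaining = set(current_regions) - {r["region"] for r in to_delete}
    if not remaining:
        raise ValueError("at least one impacted region must remain")
    return to_delete


if __name__ == "__main__":
    # Constructed sample values, mirroring the examples in the table.
    print(normalize_account_ids("123123123, 000123123123"))
    print(check_threat_actor_ips([{"ipAddress": "192.0.2.1", "userAgent": "Mozilla/5.0"}]))
    print(check_region_removal(["us-east-1", "eu-south-1"], [{"region": "us-east-1"}]))
```
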
Example Output
Workflow Library Example
Sir Update Case with Aws and Send Results Via Email