Update an existing Security Incident Response case.

External Documentation

To learn more, visit the AWS documentation.

Parameters

Parameter: Description
AWS Region(s): A comma-separated list of AWS region(s) where this action will be executed.

For example, to execute in US East and Europe, enter us-east-1,eu-west-1.

Alternatively, you can use the asterisk symbol * to run the action in all available AWS Regions.
Actual Incident Start Date: The actual incident start date.
Case ID: The ID of the case to update.
Description: A detailed description for the case.
Engagement Type: The type of engagement for the case.
Impacted Accounts To Add: A comma-separated list of accounts to add as impacted by the case.

Note: AWS account IDs must always be exactly 12 digits. IDs with fewer than 12 digits must be zero-padded at the beginning. For example, account ID 123123123 (9 digits) should be formatted as 000123123123.
Impacted Accounts To Delete: A comma-separated list of accounts to remove from impacted accounts.

Note: AWS account IDs must always be exactly 12 digits. IDs with fewer than 12 digits must be zero-padded at the beginning. For example, account ID 123123123 (9 digits) should be formatted as 000123123123. Incorrect formatting will result in API errors.
Impacted Aws Regions To Add: A list of AWS regions to add as impacted by the security incident. Each entry should specify a region identifier (e.g., “us-east-1”).

For example:
[
  {
    "region": "us-east-1"
  },
  {
    "region": "eu-south-1"
  }
]

For more information about Impacted AWS Regions, refer to AWS Security Incident Response API documentation.
Impacted Aws Regions To Delete: A list of AWS regions to remove from impacted regions. Each entry should specify a region identifier (e.g., “us-east-1”).

For example:

[
  {
    "region": "us-east-1"
  },
  {
    "region": "eu-south-1"
  }
]

Note: Removing all regions is not allowed - at least one region must remain for each case.

For more information about Impacted AWS Regions, refer to AWS Security Incident Response API documentation.
Impacted Services To Add: A comma-separated list of services to add as impacted by the security incident.
Impacted Services To Delete: A comma-separated list of services to remove from those impacted by the security incident.
Reported Incident Start Date: The initial start date of the unauthorized activity.
Threat Actor IP Addresses To Add: A list of suspicious IP addresses to add as associated with unauthorized activity. Each entry must include ipAddress.

For example:
[
  {
    "ipAddress": "192.0.2.1",
    "userAgent": "Mozilla/5.0"
  }
]
Threat Actor IP Addresses To Delete: A list of suspicious IP addresses to remove from those associated with unauthorized activity. Each entry must include ipAddress.

For example:
[
  {
    "ipAddress": "192.0.2.1",
    "userAgent": "Mozilla/5.0"
  }
]
Title: The title of the case.
Watchers To Add: A list of individuals to add as watchers to the case. Each entry must include an email address.

For example:
[
  {
    "name": "John Doe",
    "email": "john.doe@example.com",
    "jobTitle": "Security Engineer"
  }
]

Note: The maximum number of watchers is 30.
Watchers To Delete: A list of individuals to remove as watchers of the case. Each entry must include an email address.

For example:
[
  {
    "name": "John Doe",
    "email": "john.doe@example.com",
    "jobTitle": "Security Engineer"
  }
]
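
The constraints in the parameter notes above (12-digit account IDs, at least one remaining region, required ipAddress and email fields, the 30-watcher limit) can be checked before the action runs. This is an added example, not part of the original page or of the integration: the function names are hypothetical, the caller is assumed to already know the case's current regions and watcher count, and requiring ipAddress to parse as an IP address is an assumption.

```python
import ipaddress
import json

MAX_WATCHERS = 30  # limit stated in the Watchers To Add note


def normalize_account_ids(csv_value):
    """Zero-pad each comma-separated account ID to exactly 12 digits."""
    ids = []
    for raw in (part.strip() for part in csv_value.split(",")):
        if not (raw.isascii() and raw.isdigit()) or len(raw) > 12:
            raise ValueError(f"not an AWS account ID: {raw!r}")
        ids.append(raw.zfill(12))
    return ",".join(ids)


def regions_after_delete(current_regions, delete_json):
    """Return the regions left on the case; refuse to remove the last one."""
    to_delete = {entry["region"] for entry in json.loads(delete_json)}
    remaining = [r for r in current_regions if r not in to_delete]
    if not remaining:
        raise ValueError("at least one impacted region must remain")
    return remaining


def parse_threat_actor_ips(ips_json):
    """Require ipAddress in every entry (assumption: it must parse as an IP)."""
    entries = json.loads(ips_json)
    for entry in entries:
        if "ipAddress" not in entry:
            raise ValueError(f"entry without ipAddress: {entry!r}")
        ipaddress.ip_address(entry["ipAddress"])  # ValueError if malformed
    return entries


def parse_watchers_to_add(current_count, add_json):
    """Require an email in every entry and keep the case at 30 watchers or fewer."""
    watchers = json.loads(add_json)
    for watcher in watchers:
        if "@" not in watcher.get("email", ""):
            raise ValueError(f"watcher without an email address: {watcher!r}")
    if current_count + len(watchers) > MAX_WATCHERS:
        raise ValueError(f"case would exceed {MAX_WATCHERS} watchers")
    return watchers


if __name__ == "__main__":
    # Constructed input: one ID that lost its leading zeros, one already padded.
    print(normalize_account_ids("123123123, 000123123123"))
```

Account IDs that pass through spreadsheets or untyped YAML often lose their leading zeros, which is the case the zero-padding note addresses.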

Example Output

{}

Workflow Library Example

Sir Update Case with Aws and Send Results Via Email
