AWS Security Incident Response features
Key features
Monitoring and investigation of security findings
Security Incident Response monitors, triages, and investigates security findings from Amazon GuardDuty and supported third-party tools through AWS Security Hub. The service uses automation and customer-specific information to automatically filter findings based on expected behavior and escalate those that require immediate attention.
Real-time tracking and measurement
Gain access to a service dashboard featuring key metrics to assess and enhance your security incident response performance. The dashboard displays essential data such as mean time to resolution (MTTR), active and closed cases within specified timeframes, and the number of triaged findings. This centralized view removes the need for manual data collection or custom report creation.
Immediate notification to key stakeholders
Reduce the time needed to coordinate stakeholders by creating a personalized incident response team. This team receives an immediate email notification whenever a security case is created through the service. Grant these team members the necessary permissions to control case access and maintain least privilege.
Access to security playbooks
Access the same security playbooks the AWS CIRT uses. Playbooks cover common scenarios including detecting a privileged container launched on a Kubernetes cluster, identifying unusual identity and access management behavior, responding to ransomware events, and more.
Access to security experts within minutes
Whenever you create a security case, a dedicated team member from the incident response team will respond to the case within 15 minutes. The AWS CIRT has years of experience helping customers recover from security events, building up deep institutional knowledge based on real-world scenarios.
Post-incident reporting and analysis
After a security event, obtain a comprehensive case history of all incident-related activities. This history facilitates a structured post-incident review, allowing you to evaluate the effectiveness of your response and identify opportunities to improve your security posture.