AWS security-ir documentation change
Summary
Expanded documentation on security incident reporting, automated triage processes, communication workflows, and service tuning with suppression rules. Added detailed sections about analysis phases and interaction with security teams.
Security assessment
The changes enhance documentation about security incident response processes, including automated triage, suppression rules, and communication protocols. While these updates clarify security practices and features, there is no evidence of addressing a specific vulnerability or security incident. The additions focus on explaining existing security capabilities rather than patching issues.
Diff
diff --git a/security-ir/latest/userguide/detect-and-analyze.md b/security-ir/latest/userguide/detect-and-analyze.md index 169ccab56..12c0f2d57 100644 --- a//security-ir/latest/userguide/detect-and-analyze.md +++ b//security-ir/latest/userguide/detect-and-analyze.md @@ -7 +7,5 @@ -AWS Security Incident Response monitors, triages, investigates security findings from Amazon GuardDuty and integrations through AWS Security Hub CSPM. Additional actions that can significantly enhance the scope and effectiveness of AWS Security Incident Response's monitoring and investigation capabilities include: +AWS Security Incident Response monitors, triages, investigates security findings from Amazon GuardDuty and integrations through AWS Security Hub CSPM. Additional actions that can significantly enhance the scope and effectiveness of AWS Security Incident Response's monitoring and investigation capabilities include: Reporting an event, Enabling supported sources of detection, and Communicating with Security Indcident Response engineers. + +**Reporting an Event** + +You can raise a security event through the AWS Security Incident Response service portal. It's important not to wait during a security event. AWS Security Incident Response uses automated and manual techniques to investigate security events, analyze logs, and look for anomalous patterns. Your partnership and understanding of your environment accelerates this analysis. @@ -44 +48 @@ By enabling these integrations, you can significantly enhance the scope and effe -**Analyzing findings.** +**Detection** @@ -46 +50 @@ By enabling these integrations, you can significantly enhance the scope and effe -AWS Security Incident Response automations and AWS CIRT service team will analyze all findings from the supported tools. We will start learning about your environment by communicating with you using AWS Support Cases. For example, when we need to understand whether a finding is expected behavior or should be escalated to an incident. As we learn more from your environment, we will customize the service and to reduce the number of communications. +AWS Security Incident Response ingests findings from Amazon GuardDuty and AWS Security Hub CSPM through AWS EventBridge rules that are deployed to your accounts during Onboarding. @@ -48 +52 @@ AWS Security Incident Response automations and AWS CIRT service team will analyz -**Reporting an event.** +AWS Security Incident Response automatically archives Amazon GuardDuty findings that are determined during automated triage to be benign or associated with expected activity. You can view archived findings in the Amazon GuardDuty console by selecting Archived from the findings filter. For more information, see [Working with findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_working-with-findings.html). @@ -50 +54,3 @@ AWS Security Incident Response automations and AWS CIRT service team will analyz -You can raise a security event through the AWS Security Incident Response service portal. It's important not to wait during a security event. AWS Security Incident Response uses automated and manual techniques to investigate security events, analyze logs, and look for anomalous patterns. Your partnership and understanding of your environment accelerates this analysis. +When AWS Security Hub CSPM ingests security findings, the system updates each finding with a note indicating that automated triage has begun. The workflow state changes from NEW to NOTIFIED, which removes the finding from the default AWS Security Hub CSPM findings view. If triage determines that a finding is benign or associated with expected activity, the system adds a note to the finding and updates the workflow state to SUPPRESSED. + +**Analysis: Automated Triage** @@ -52 +58 @@ You can raise a security event through the AWS Security Incident Response servic -**Communicate.** +AWS Security Incident Response automatically triages security findings. The triage process determines whether detected activity represents expected behavior by analyzing data from multiple sources, including the finding payload, AWS service metadata, AWS logging and monitoring data (such as AWS CloudTrail and VPC Flow Logs), AWS threat intelligence, and context that you are invited to provide about your AWS and on-premises environments. @@ -54 +60 @@ You can raise a security event through the AWS Security Incident Response servic -AWS Security Incident Response keeps you informed during the investigation by engaging your security contacts through the event case. Multiple teammates may support your event, all using the event ticket for customer-provided content and AWS updates. +If automated triage determines that the detected activity is expected, the system takes no further investigative action. @@ -56 +62 @@ AWS Security Incident Response keeps you informed during the investigation by en -Communication may include automated notifications when a security alert is generated; communication during event analysis; establishing call bridges; the ongoing analysis of artifacts such as log files; and getting investigation results to you during the security event. +**Analysis: Incident Response Security Investigation** @@ -58 +64 @@ Communication may include automated notifications when a security alert is gener -The service will create AWS Security Incident Response cases to communicate with your teams. We will create cases against your membership account. This approach centralizes communication from all your accounts into a single place. The "[Proactive case]" prefix helps identify cases initiated by AWS Security Incident Response. +Security Indcident Response engineers are a global, always-available team of security professionals with expertise in AWS and security incident response. If automated triage cannot determine that the activity is expected, Security Indcident Response engineers are engaged to perform a security investigation. If the event was ingested from Security Hub, a note is posted to the related finding stating that Security Indcident Response engineers' investigation is underway. @@ -60 +66 @@ The service will create AWS Security Incident Response cases to communicate with -By engaging actively with these communications and providing timely responses, you can help the AWS Security Incident Response service to: +AWS Security Indcident Response engineers conduct a hands-on security investigation by analyzing additional service metadata and threat intelligence, reviewing insights from past findings and investigations in your environment, and applying incident response expertise. Depending on your Containment preferences (see Contain) Security Indcident Response engineers may engage your organization's Incident Response team through a AWS Security Incident Response case in the AWS Security Incident Response console to verify whether the detected activity is expected and authorized (see [Responding to an AWS generated case](https://docs.aws.amazon.com/security-ir/latest/userguide/responding-to-an-aws-generated-case.html)). @@ -62 +68 @@ By engaging actively with these communications and providing timely responses, y - * Better understand your environment and expected behaviors. +**Communicate** @@ -64 +70 @@ By engaging actively with these communications and providing timely responses, y - * Reduce false positives over time. +AWS Security Incident Response keeps you informed during security investigations by engaging with your Incident Response team through a AWS Security Incident Response case. Multiple Security Indcident Response engineers may support an investigation. Communication may include: acknowledgement or notification of the creation of a security investigation; establishing a call bridge; analysis of artifacts such as log files; requests for confirmation of expected activity; and sharing of investigation results. @@ -66 +72 @@ By engaging actively with these communications and providing timely responses, y - * Improve the accuracy and relevance of alerts. +When AWS Security Incident Response proactively engages your Incident Response team a case is created in your AWS Security Incident Response Membership account, which centralizes communication for all Organizational accounts in one place. These cases contain the "[Proactive case]" prefix in their title, which identifies them as initiated by AWS Security Incident Response. By actively engaging and providing timely responses to these communications, your Incident Response team can assist AWS Security Incident Response to: @@ -70 +76,8 @@ By engaging actively with these communications and providing timely responses, y - * Remember, the effectiveness of the AWS Security Incident Response service improves with your collaboration, leading to a more secure and efficiently monitored AWS environment. + * Understand your environment and expected behaviors. + + * Reduce false positive detections over time. + + + + +The effectiveness of AWS Security Incident Response improves with your collaboration and results in a more effectively monitored and secure AWS environment. @@ -71,0 +85 @@ By engaging actively with these communications and providing timely responses, y +**Service Tuning** @@ -72,0 +87 @@ By engaging actively with these communications and providing timely responses, y +When your account service quotas permit, AWS Security Incident Response attempts to deploy an Amazon GuardDuty suppression rule ([suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html)) or an AWS Security Hub CSPM automation rule ([automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html)). These rules suppress future findings matching the type and source (for example, source IP address, ASN, identity principal, or resource) of known authorized activity. AWS Security Hub CSPM rules are deployed with priority 10, which allows you to override these automations with self-defined rules if needed. @@ -73,0 +89 @@ By engaging actively with these communications and providing timely responses, y +In this way, AWS Security Incident Response tunes detection sources based on expected behavior in your AWS environment. Your Incident Response Team is notified of modifications to these rule-sets, and changes are rolled-back upon request.