AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-01-28 · Documentation low

File: security-ir/latest/userguide/detect-and-analyze.md

Summary

Updated documentation for AWS Security Incident Response service with clarifications about proactive response setup, finding archiving behavior, team references, and suppression rule deployment.

Security assessment

Changes clarify operational processes (finding archiving, suppression rules) and update team nomenclature without evidence of addressing specific vulnerabilities. The additions enhance documentation of existing security features like automated triage and finding suppression.

Diff

diff --git a/security-ir/latest/userguide/detect-and-analyze.md b/security-ir/latest/userguide/detect-and-analyze.md
index afba9db52..10e5933af 100644
--- a//security-ir/latest/userguide/detect-and-analyze.md
+++ b//security-ir/latest/userguide/detect-and-analyze.md
@@ -7,2 +6,0 @@
-AWS Security Incident Response monitors, triages, investigates security findings from Amazon GuardDuty and integrations through AWS Security Hub CSPM. Additional actions that can significantly enhance the scope and effectiveness of AWS Security Incident Response's monitoring and investigation capabilities include: Reporting an event, Enabling supported sources of detection, and Communicating with Security Incident Response engineers. 
-
@@ -11 +9 @@ AWS Security Incident Response monitors, triages, investigates security findings
-You can raise a security event through the AWS Security Incident Response service portal. It's important not to wait during a security event. AWS Security Incident Response uses automated and manual techniques to investigate security events, analyze logs, and look for anomalous patterns. Your partnership and understanding of your environment accelerates this analysis.
+You can raise a security event through the AWS Security Incident Response portal. It's important not to wait during a security event. AWS Security Incident Response uses automated and manual techniques to investigate security events, analyze logs, and look for anomalous patterns. Your partnership and understanding of your environment accelerates this analysis.
@@ -50 +48,3 @@ By enabling these integrations, you can significantly enhance the scope and effe
-AWS Security Incident Response ingests findings from Amazon GuardDuty and AWS Security Hub CSPM through AWS EventBridge rules that are deployed to your accounts during Onboarding. 
+If "Proactive Response" is enabled <https://docs.aws.amazon.com/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.html> AWS Security Incident Response ingests findings from Amazon GuardDuty and AWS Security Hub through AWS EventBridge rules that are deployed to your accounts during Onboarding. 
+
+AWS Security Incident Response automatically archives Amazon GuardDuty findings that are determined during automated triage to be benign or associated with expected activity. You can view archived findings in the Amazon GuardDuty console by selecting Archived from the findings Status filter. For more information, see [docs.aws.amazon.com/guardduty/latest/ug/guardduty_working-with-findings.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_working-with-findings.html). 
@@ -52 +52 @@ AWS Security Incident Response ingests findings from Amazon GuardDuty and AWS Se
-AWS Security Incident Response automatically archives Amazon GuardDuty findings that are determined during automated triage to be benign or associated with expected activity. You can view archived findings in the Amazon GuardDuty console by selecting Archived from the findings filter. For more information, see [Working with findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_working-with-findings.html). 
+AWS Security Incident Response automatically archives Amazon GuardDuty findings that are determined during automated triage to be benign or associated with expected activity. This archiving occurs only for findings that have been triaged and have an outcome designated as "archive". Findings under active investigation remain visible in the Amazon GuardDuty console even after an investigation wraps up. You can view archived findings in the Amazon GuardDuty console by selecting **Archived** from the findings filter. For more information about working with archived findings, see [Working with findings](https://docs.aws.amazon.com/guardduty/latest/ug/findings_managing.html) in the _Amazon GuardDuty User Guide_. 
@@ -54 +54 @@ AWS Security Incident Response automatically archives Amazon GuardDuty findings
-When AWS Security Hub CSPM ingests security findings, the system updates each finding with a note indicating that automated triage has begun. The workflow state changes from NEW to NOTIFIED, which removes the finding from the default AWS Security Hub CSPM findings view. If triage determines that a finding is benign or associated with expected activity, the system adds a note to the finding and updates the workflow state to SUPPRESSED. 
+When AWS Security Hub ingests security findings, the system updates each finding with a note indicating that automated triage has begun. The workflow state changes from NEW to NOTIFIED, which removes the finding from the default AWS Security Hub findings view. If triage determines that a finding is benign or associated with expected activity, the system adds a note to the finding and updates the workflow state to SUPPRESSED. 
@@ -58 +58 @@ When AWS Security Hub CSPM ingests security findings, the system updates each fi
-AWS Security Incident Response automatically triages security findings. The triage process determines whether detected activity represents expected behavior by analyzing data from multiple sources, including the finding payload, AWS service metadata, AWS logging and monitoring data (such as AWS CloudTrail and VPC Flow Logs), AWS threat intelligence, and context that you are invited to provide about your AWS and on-premises environments. 
+AWS Security Incident Response automatically triages security findings. The triage process determines whether detected activity represents expected behavior, by analyzing data from multiple sources including the finding payload, AWS service metadata, AWS logging and monitoring data (such as AWS CloudTrail and VPC Flow Logs), AWS threat intelligence, and context that you are invited to provide about your AWS and on-premises environments. 
@@ -64 +64 @@ If automated triage determines that the detected activity is expected, the syste
-Security Incident Response engineers are a global, always-available team of security professionals with expertise in AWS and security incident response. If automated triage cannot determine that the activity is expected, Security Incident Response engineers are engaged to perform a security investigation. If the event was ingested from Security Hub, a note is posted to the related finding stating that Security Incident Response engineers' investigation is underway. 
+AWS Security Incident Response Engineering is a global, always-available team of security professionals with expertise in AWS and security incident response. If automated triage cannot determine that the activity is expected, AWS Security Incident Response Engineering is engaged to perform a security investigation. If the event was ingested from Security Hub, a note is posted to the related finding stating that AWS Security Incident Response Engineering's investigation is underway. 
@@ -66 +66 @@ Security Incident Response engineers are a global, always-available team of secu
-AWS Security Incident Response engineers conduct a hands-on security investigation by analyzing additional service metadata and threat intelligence, reviewing insights from past findings and investigations in your environment, and applying incident response expertise. Depending on your Containment preferences (see Contain) Security Incident Response engineers may engage your organization's Incident Response team through a AWS Security Incident Response case in the AWS Security Incident Response console to verify whether the detected activity is expected and authorized (see [Responding to an AWS generated case](https://docs.aws.amazon.com/security-ir/latest/userguide/responding-to-an-aws-generated-case.html)). 
+AWS Security Incident Response Engineering conducts a hands-on security investigation by analyzing additional service metadata and threat intelligence, reviewing insights from past findings and investigations in your environment, and applying incident response expertise. Depending on your Containment preferences (see Contain) AWS Security Incident Response Engineering may engage your organization's Incident Response team through a Security Incident Response case in the AWS Security Incident Response console to verify whether the detected activity is expected and authorized [Responding to an AWS generated case](https://docs.aws.amazon.com/security-ir/latest/userguide/responding-to-an-aws-generated-case.html). 
@@ -70 +70 @@ AWS Security Incident Response engineers conduct a hands-on security investigati
-AWS Security Incident Response keeps you informed during security investigations by engaging with your Incident Response team through a AWS Security Incident Response case. Multiple Security Incident Response engineers may support an investigation. Communication may include: acknowledgement or notification of the creation of a security investigation; establishing a call bridge; analysis of artifacts such as log files; requests for confirmation of expected activity; and sharing of investigation results. 
+AWS Security Incident Response keeps you informed during security investigations by engaging with your Incident Response team through a Security Incident Response case. Multiple AWS Security Incident Response Engineering members may support an investigation. Communication may include: acknowledgement or notification of the creation of a security investigation; establishing a call bridge; analysis of artifacts such as log files; requests for confirmation of expected activity; and sharing of investigation results. 
@@ -72 +72 @@ AWS Security Incident Response keeps you informed during security investigations
-When AWS Security Incident Response proactively engages your Incident Response team a case is created in your AWS Security Incident Response Membership account, which centralizes communication for all Organizational accounts in one place. These cases contain the "[Proactive case]" prefix in their title, which identifies them as initiated by AWS Security Incident Response. By actively engaging and providing timely responses to these communications, your Incident Response team can assist AWS Security Incident Response to: 
+When AWS Security Incident Response proactively engages your Incident Response team, a case is created in your AWS Security Incident Response Membership account, which centralizes communication for all Organizational accounts in one place. These cases contain the "[Proactive case]" prefix in their title, which identifies them as initiated by AWS Security Incident Response. By actively engaging and providing timely responses to these communications, your Incident Response team can assist AWS Security Incident Response to: 
@@ -89,4 +88,0 @@ AWS Security Incident Response manages findings differently depending on their s
-**Amazon GuardDuty Findings**
-
-AWS Security Incident Response automatically archives Amazon GuardDuty findings that are determined during automated triage to be benign or associated with expected activity. This archiving occurs only for findings that have been triaged and have an outcome designated as "archive". Findings under active investigation remain visible in the Amazon GuardDuty console even after an investigation wraps up. You can view archived findings in the Amazon GuardDuty console by selecting **Archived** from the findings filter. For more information about working with archived findings, see [Working with findings](https://docs.aws.amazon.com/guardduty/latest/ug/findings_managing.html) in the _Amazon GuardDuty User Guide_. 
-
@@ -95 +91 @@ AWS Security Incident Response automatically archives Amazon GuardDuty findings
-When your account service quotas permit, AWS Security Incident Response attempts to deploy an Amazon GuardDuty suppression rule ([suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html)) or an AWS Security Hub CSPM automation rule ([automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html)). These rules suppress future findings matching the type and source (for example, source IP address, ASN, identity principal, or resource) of known authorized activity. AWS Security Hub CSPM rules are deployed with priority 10, which allows you to override these automations with self-defined rules if needed. 
+When your account service quotas permit, AWS Security Incident Response attempts to deploy an [Amazon GuardDuty suppression rule](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html) or an [AWS Security Hub automation rule ](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html). These rules suppress future findings matching the type and source of known authorized activity (for example, source IP address, ASN, identity principal, or resource). AWS Security Hub rules are deployed with priority 10, which allows you to override these automations with self-defined rules if needed.