AWS Security ChangesHomeSearch

AWS whitepapers documentation change

Service: whitepapers · 2026-06-19 · Documentation low

File: whitepapers/latest/aws-security-incident-response-guide/enrich-security-logs-and-findings.md

Summary

Removed entire content including sections on threat intelligence enrichment, automation for security analysis, and reference to Security Hub findings enrichment

Security assessment

The change removes documentation content but provides no evidence of addressing a specific vulnerability or security incident. While the removed content discussed security processes, the deletion appears to be routine content pruning without security implications. No vulnerabilities or weaknesses are mentioned in the diff.

Diff

diff --git a/whitepapers/latest/aws-security-incident-response-guide/enrich-security-logs-and-findings.md b/whitepapers/latest/aws-security-incident-response-guide/enrich-security-logs-and-findings.md
index 47052a4d4..8b1378917 100644
--- a//whitepapers/latest/aws-security-incident-response-guide/enrich-security-logs-and-findings.md
+++ b//whitepapers/latest/aws-security-incident-response-guide/enrich-security-logs-and-findings.md
@@ -1 +0,0 @@
-[View a markdown version of this page](enrich-security-logs-and-findings.md)
@@ -3,47 +1,0 @@
-[](/pdfs/security-ir/latest/userguide/sir-ug.pdf#enrich-security-logs-and-findings "Open PDF")
-
-[Documentation](/index.html)[Security Incident Response](/security-ir/index.html)[](what-is.html)
-
-Enrichment with threat intelligence and organizational contextEnrichment with automation 
-
-# Enrich security logs and findings
-
-## Enrichment with threat intelligence and organizational context
-
-During the course of analysis, observables of interest require enrichment for enhanced contextualization of the alert. As stated in the Preparation section, integrating and leveraging cyber threat intelligence can be helpful to understand more about a security finding. Threat intelligence services are used to assign reputation and attribute ownership to public IP addresses, domain names, and file hashes. These tools are available as paid and no charge services. 
-
-Customers adopting Amazon Athena as a log querying tool gain the advantage of AWS Glue jobs to load threat intelligence information as tables. The threat intelligence tables can be used in SQL queries to correlate log elements such as IP addresses and domain names, providing an enriched view of the data to be analyzed. 
-
-AWS does not provide threat intelligence directly to customers, but services such as Amazon GuardDuty makes use of threat intelligence for enrichment and finding generation. You can also upload custom threat lists to GuardDuty based on your own threat intelligence. 
-
-## Enrichment with automation
-
-Automation is an integral part of AWS Cloud governance. It can be used throughout the various phases of the incident response lifecycle. 
-
-For the detection phase, rule-based automation matches patterns of interest from the threat model in logs and takes appropriate action, such as sending notifications. The analysis phase can leverage the detection mechanism and forward the alert body to an engine capable of querying logs and enriching observables for contextualization of the event. 
-
-The alert body, in its fundamental form, is comprised of a _resource_ and an _identity_. As an example, you could implement an automation to query CloudTrail for AWS API activity performed by the alert body’s identity or resource around the time of the alert, providing additional insights including `eventSource`, `eventName`, `SourceIPAddress`, and `userAgent` of identified API activity. By performing these queries in an automated way, responders can save time during triage and get additional context to help make better informed decisions. 
-
-Refer to the [How to enrich AWS Security Hub findings with account metadata](https://aws.amazon.com/blogs/security/how-to-enrich-aws-security-hub-findings-with-account-metadata/) blog post for an example on how to use automation to enrich security findings and simplify analysis. 
-
-![Warning](https://d1ge0kk1l5kms0.cloudfront.net/images/G/01/webservices/console/warning.png) **Javascript is disabled or is unavailable in your browser.**
-
-To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.
-
-[Document Conventions](/general/latest/gr/docconventions.html)
-
-Validate, scope, and assess impact of alert 
-
-Collect and analyze forensic evidence
-
-Did this page help you? - Yes
-
-Thanks for letting us know we're doing a good job!
-
-If you've got a moment, please tell us what we did right so we can do more of it.
-
-Did this page help you? - No
-
-Thanks for letting us know this page needs work. We're sorry we let you down.
-
-If you've got a moment, please tell us how we can make the documentation better.