AWS security-ir documentation change
Summary
Restructured section headers, added new 'Updating findings' section with detailed archiving behavior for GuardDuty findings, and added 'Service tuning' section placeholder
Security assessment
The changes clarify security feature behaviors (finding archiving/triage) but don't address vulnerabilities. Added documentation explains security operations without indicating incident response.
Diff
diff --git a/security-ir/latest/userguide/detect-and-analyze.md b/security-ir/latest/userguide/detect-and-analyze.md index 0482492e2..bbed82e11 100644 --- a//security-ir/latest/userguide/detect-and-analyze.md +++ b//security-ir/latest/userguide/detect-and-analyze.md @@ -6,0 +7,2 @@ +Reporting an EventEnabling supported sources of detectionDetectionAnalysis: Automated triageAnalysis: Incident response security investigationCommunicateUpdating findingsService tuning + @@ -9 +11 @@ -**Reporting an Event** +## Reporting an event @@ -13 +15 @@ You can raise a security event through the AWS Security Incident Response portal -**Enabling supported sources of detection** +## Enabling supported sources of detection @@ -48 +50 @@ By enabling these integrations, you can significantly enhance the scope and effe -**Detection** +## Detection @@ -52,7 +54 @@ With [Proactive Response](./setup-monitoring-and-investigation-workflows.html), -AWS Security Incident Response automatically archives Amazon GuardDuty findings that are determined during automated triage to be benign or associated with expected activity. You can view archived findings in the Amazon GuardDuty console by selecting Archived from the findings Status filter. For more information, see [Viewing generated findings in GuardDuty console](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_working-with-findings.html) in the _Amazon GuardDuty User Guide_. - -AWS Security Incident Response automatically archives Amazon GuardDuty findings that are determined during automated triage to be benign or associated with expected activity. This archiving occurs only for findings that have been triaged and have an outcome designated as "archive". Findings under active investigation remain visible in the Amazon GuardDuty console even after an investigation wraps up. You can view archived findings in the Amazon GuardDuty console by selecting **Archived** from the findings filter. For more information about working with archived findings, see [Working with findings](https://docs.aws.amazon.com/guardduty/latest/ug/findings_managing.html) in the _Amazon GuardDuty User Guide_. - -When AWS Security Hub CSPM ingests security findings, the system updates each finding with a note indicating that automated triage has begun. The workflow state changes from NEW to NOTIFIED, which removes the finding from the default AWS Security Hub CSPM findings view. If triage determines that a finding is benign or associated with expected activity, the system adds a note to the finding and updates the workflow state to SUPPRESSED. - -**Analysis: Automated Triage** +## Analysis: Automated triage @@ -64 +60 @@ If automated triage determines that the detected activity is expected, the syste -**Analysis: Incident Response Security Investigation** +## Analysis: Incident response security investigation @@ -104 +100 @@ To use EC2 Triage, you must deploy the **Containment with EC2 Triage** CloudForm -**Communicate** +## Communicate @@ -120,0 +117,2 @@ The effectiveness of AWS Security Incident Response improves with your collabora +## Updating findings + @@ -124,0 +123,34 @@ AWS Security Incident Response manages findings differently depending on their s +**Amazon GuardDuty findings** + +AWS Security Incident Response archives Amazon GuardDuty findings only when triage determines that the detected activity is benign or associated with expected activity. Archiving behavior depends on the triage outcome category of each finding. + +_Findings that are archived:_ + + * **Benign/Expected Activity (automated triage):** Activity determined by automated triage to be benign or associated with expected activity. + + * **Benign/Expected Activity (manual investigation):** Activity confirmed as benign or associated with expected activity after further analysis by AWS Security Incident Response. + + + + +_Findings that aren't archived:_ + + * **Unconfirmed Activity:** Findings determined to require customer engagement and pending customer confirmation on whether the activity is expected or benign. + + * **Inappropriate/Unintended Activity:** Findings determined to represent confirmed inappropriate or unintended activity that requires customer review or action. + + * **Posture Related:** Finding relates to your security posture (for example, overly permissive policies, configuration, or missing encryption). These aren't threat findings, but they're retained without archiving by design. + + + + +Findings that aren't archived remain visible in the GuardDuty console with their current status. The absence of archiving for these finding categories doesn't indicate that AWS Security Incident Response took no action — it reflects the design intent that these findings remain available for your review. + +You can view archived findings in the GuardDuty console by selecting **Archived** on the status drop-down menu. For more information about working with archived findings, see [Working with findings](https://docs.aws.amazon.com/guardduty/latest/ug/findings_managing.html) in the _Amazon GuardDuty User Guide_. + +**AWS Security Hub CSPM findings** + +When Security Hub CSPM findings are ingested, the system updates each finding with a note indicating that automated triage has begun. The workflow state changes from NEW to NOTIFIED, which removes the finding from the default Security Hub CSPM findings view. If triage determines that a finding is benign or associated with expected activity, the system adds a note to the finding and updates the workflow state to SUPPRESSED. + +## Service tuning +