Investigation workflow

AWS Security Incident Response engineers follow a structured incident response process aligned with the NIST 800-61r2 framework. During your investigation, you can expect the following phases:

Initial triage - Security Incident Response engineers review your case details and confirm the incident scope
Investigation - Security Incident Response engineers analyze logs, identify indicators of compromise, and determine root cause
Containment - Security Incident Response engineers recommend actions to limit the incident's impact
Eradication and recovery - Security Incident Response engineers help you remove threats and restore normal operations
Post-incident review - Security Incident Response engineers provide findings and recommendations to prevent future incidents

Throughout these phases, your Security Incident Response engineer keeps you informed through case updates and may request additional information or actions from you.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

What to expect

Information Security Incident Response engineers may request