Monitoring and investigation
AWS Security Incident Response reviews and triages security alerts from Amazon GuardDuty and AWS Security Hub, then configures suppression rules tailored to your environment so that expected, benign activity does not generate unnecessary alerts. The AWS Customer Incident Response Team (AWS CIRT) investigates the findings that remain after triage, escalates them promptly, and guides your team to contain potential issues quickly. If desired, you can grant AWS Security Incident Response permission to implement containment actions on your behalf.
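To make the triage step concrete, the following added example (not AWS code, and not how the managed service is implemented) applies a GuardDuty-style suppression rule to a set of constructed findings and separates what is suppressed from what would be escalated for investigation. The rule dictionary is written in the shape of the FindingCriteria argument to boto3's guardduty.create_filter, where Action ARCHIVE is what the GuardDuty console calls a suppression rule; the matching logic (dotted field paths, list flattening for tags, Equals/NotEquals/GreaterThanOrEqual/LessThanOrEqual) is this example's own approximation of the service's server-side evaluation, and the findings, tag values and detector ID are made up.

```python
"""Triage illustration: GuardDuty-style suppression criteria over sample findings.

Added example, not AWS code. Findings are constructed; the matching semantics
approximate GuardDuty filter criteria and are evaluated locally, offline.
"""
from __future__ import annotations

from typing import Any

# Constructed sample findings in an abbreviated GuardDuty finding shape.
FINDINGS: list[dict[str, Any]] = [
    {"id": "f1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": {"instanceDetails": {"tags": [{"key": "env", "value": "sandbox"}]}}},
    {"id": "f2", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
     "resource": {"instanceDetails": {"tags": [{"key": "env", "value": "prod"}]}}},
    {"id": "f3", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
     "resource": {"instanceDetails": {"tags": [{"key": "env", "value": "sandbox"}]}}},
    {"id": "f4", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": {"instanceDetails": {"tags": [{"key": "env", "value": "prod"}]}}},
]

# Suppression rule: low-severity port probes against sandbox instances are noise.
# Same shape as the FindingCriteria argument of boto3 guardduty.create_filter.
SANDBOX_PORTPROBE_RULE: dict[str, Any] = {
    "Criterion": {
        "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]},
        "severity": {"LessThanOrEqual": 3},
        "resource.instanceDetails.tags.key": {"Equals": ["env"]},
        "resource.instanceDetails.tags.value": {"Equals": ["sandbox"]},
    }
}


def resolve(obj: Any, parts: list[str]) -> list[Any]:
    """Walk a dotted path; lists are flattened so a tag array yields every value."""
    if not parts:
        return [obj]
    if isinstance(obj, list):
        return [v for item in obj for v in resolve(item, parts)]
    if isinstance(obj, dict) and parts[0] in obj:
        return resolve(obj[parts[0]], parts[1:])
    return []


def condition_matches(values: list[Any], cond: dict[str, Any]) -> bool:
    """A condition holds if at least one resolved value satisfies each operator."""
    nums = [v for v in values if isinstance(v, (int, float))]
    if "Equals" in cond and not any(v in cond["Equals"] for v in values):
        return False
    if "NotEquals" in cond and any(v in cond["NotEquals"] for v in values):
        return False
    if "GreaterThanOrEqual" in cond and not any(v >= cond["GreaterThanOrEqual"] for v in nums):
        return False
    if "LessThanOrEqual" in cond and not any(v <= cond["LessThanOrEqual"] for v in nums):
        return False
    return True


def rule_matches(finding: dict[str, Any], rule: dict[str, Any]) -> bool:
    """All criteria of a rule must hold for the finding to be suppressed."""
    return all(
        condition_matches(resolve(finding, field.split(".")), cond)
        for field, cond in rule["Criterion"].items()
    )


def triage(findings: list[dict[str, Any]], rules: list[dict[str, Any]]) -> tuple[list[str], list[str]]:
    """Return (suppressed ids, escalated ids); escalated ones are ordered highest severity first."""
    suppressed: list[str] = []
    escalated: list[dict[str, Any]] = []
    for f in findings:
        if any(rule_matches(f, r) for r in rules):
            suppressed.append(f["id"])
        else:
            escalated.append(f)
    escalated.sort(key=lambda f: f["severity"], reverse=True)
    return suppressed, [f["id"] for f in escalated]


def create_filter_kwargs(detector_id: str, name: str, rule: dict[str, Any]) -> dict[str, Any]:
    """Build the keyword arguments for boto3 guardduty.create_filter; no API call is made here."""
    return {
        "DetectorId": detector_id,   # hypothetical detector ID supplied by the caller
        "Name": name,
        "Action": "ARCHIVE",         # ARCHIVE is what the console labels a suppression rule
        "FindingCriteria": rule,
    }


if __name__ == "__main__":
    quiet, loud = triage(FINDINGS, [SANDBOX_PORTPROBE_RULE])
    print("suppressed:", quiet)
    print("escalate for investigation:", loud)
```

The same rule matched against the prod-tagged port probe (f4) is not suppressed, which is the check worth keeping in mind when writing suppression criteria: a rule keyed only on finding type would silence the production probe as well, so scope rules on environment tags or resource identifiers rather than type alone, and review what ARCHIVE hides periodically.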
AWS Security Incident Response aligns to NIST SP 800-61r2, the Computer Security Incident Handling Guide.
When the AWS Security Incident Response service identifies a security alert or you request security assistance, the AWS CIRT investigates. The team collects log events and service data such as GuardDuty alerts, triages and analyzes that data, performs remediation and containment activities, and provides post-incident reporting.