Conclusion

Each operations phase has unique goals, techniques, methodologies, and strategies. Table 4 summarizes these phases and some of the techniques and methodologies covered in this section.

Table 4 – Operations phases: Goals, techniques, and methodologies

Phase	Goal	Techniques and methodologies
Detection	Identify a potential security event.	Security controls for detection Behavior and rule-based detection People-based detection
Analysis	Determine if the security event is an incident and assess the scope of the incident.	Validate and scope alert Query logs Threat intelligence Automation
Containment	Minimize and limit the impact of the security event.	Source containment Technique and access containment Destination containment
Eradication	Remove unauthorized resources or artifacts related to the security event.	Compromised or unauthorized credential rotation or deletion Unauthorized resource deletion Malware removal Security scans
Recovery	Restore systems to a known good state and monitor these systems to ensure the threat does not return.	System restoration from backups Systems rebuilt from scratch Compromised files replaced with clean versions

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Recovery

Post-incident activity