

# Amazon EventBridge


Using Amazon EventBridge, you can react to, monitor, and orchestrate events associated with AWS Security Incident Response cases and memberships. You can route these events either through Rules (for fan-out scenarios to one or more targets) or through Pipes (for point-to-point integrations with enhanced filtering, enrichment, and transformation capabilities).

You can create integrations between Security Incident Response and third-party tooling or aggregate data to analyze using generative AI and other AWS tooling. For example, when Security Incident Response proactively creates a case, you can use EventBridge automations to trigger systems to notify stakeholders. Additionally, if you manage multiple AWS environments, you can use the Amazon EventBridge integration to monitor AWS Security Incident Response memberships to ensure all environments maintain a strong security posture.

For more information, see [What is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html) in the *Amazon EventBridge User Guide*.

**Note**  
For the latest updates on Amazon EventBridge integration with AWS Security Incident Response, including ITSM integrations, see [AWS Security Incident Response now supports ITSM integrations](https://aws.amazon.com/about-aws/whats-new/2025/08/aws-security-incident-response-itsm-integrations/) on the AWS What's New page.

**Topics**
+ [Managing Security Incident Response events using Amazon EventBridge](eventbridge-integration-full.md)
+ [Using AWS Security Incident Response Events](using-events.md)
+ [Tutorial: Sending Amazon Simple Notification Service alerts for `Membership Updated` events](service_sns_tutorial.md)

# Managing Security Incident Response events using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making it easier for you to build scalable event-driven applications. Event-driven architecture is a style of building loosely-coupled software systems that work together by emitting and responding to events. Events represent a change in a resource or environment. 

Here's how it works:

As with many AWS services, Security Incident Response generates and sends events to the EventBridge default event bus. (The default event bus is automatically provisioned in your AWS account.) An event bus is a router that receives events and delivers them to zero or more destinations, or *targets*. Rules you specify for the event bus evaluate events as they arrive. Each rule checks whether an event matches the rule's *event pattern*. If the event does match, the event bus sends the event to the specified target(s).

![\[AWS services send events to the EventBridge default event bus. If the event matches a rule's event pattern, EventBridge sends the event to the targets specified for that rule.\]](http://docs.aws.amazon.com/security-ir/latest/userguide/images/eventbridge-integration-how-it-works.png)


## Delivering Security Incident Response events using EventBridge rules

To have the EventBridge default event bus send Security Incident Response events to a target, you must create a rule. Each rule contains an event pattern, which EventBridge matches against each event received on the event bus. If the event data matches the specified event pattern, EventBridge delivers that event to the rule's target(s).

For comprehensive instructions on creating event bus rules, see [Creating rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *Amazon EventBridge User Guide*.

### Creating event patterns that match Security Incident Response events

Each event pattern is a JSON object that contains:
+ A `source` attribute that identifies the service sending the event. For Security Incident Response events, the source is `"aws.security-ir"`.
+ (Optional): A `detail-type` attribute that contains an array of the event types to match.
+ (Optional): A `detail` attribute containing any other event data on which to match.

For example, the following event pattern matches all `Case Updated by AWS Security Incident Response Service` events for a specified AWS account:

```
{
  "source": ["aws.security-ir"],
  "detail-type": ["Case Updated"],
  "account": ["111122223333"],
  "detail": {
    "updatedBy": ["security-ir.amazonaws.com"]
  }
}
```

For more information on writing event patterns, see [Event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html) in the *EventBridge User Guide*.

# Security Incident Response events detail reference

All events from AWS services have a common set of fields containing metadata about the event, such as the AWS service that is the source of the event, the time the event was generated, the account and region in which the event took place, and others. For definitions of these general fields, see [Event structure reference](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events-structure.html) in the *Amazon EventBridge User Guide*. 

In addition, each event has a `detail` field that contains data specific to that particular event. The reference below defines the detail fields for the various Security Incident Response events.

When using EventBridge to select and manage Security Incident Response events, it's useful to keep the following in mind:
+ The `source` field for all events from Security Incident Response is set to `"aws.security-ir"`.
+ The `detail-type` field specifies the event type.

  For example, `"Case Updated"`.
+ The `detail` field contains the data that is specific to that particular event. 

For information on constructing event patterns that enable rules to match Security Incident Response events, see [Event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html) in the *Amazon EventBridge User Guide*.

For more information on events and how EventBridge processes them, see [EventBridge events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events.html) in the *Amazon EventBridge User Guide*.

**Common Fields:** All AWS Security Incident Response events include these standard Amazon EventBridge fields:
+ *version:* EventBridge event format version
+ *id:* Unique identifier for the event
+ *detail-type:* Human-readable description of the event type
+ *source:* Always "aws.security-ir" for Security Incident Response events
+ *account:* AWS account ID where the event occurred
+ *time:* ISO 8601 timestamp when the event occurred
+ *region:* AWS Region where the resource exists
+ *resources:* Array containing the ARN of the affected resource

**Detail Fields:** The `detail` object contains Security Incident Response-specific information:
+ *caseId:* Unique identifier for the case (case events only)
+ *membershipId:* Unique identifier for the membership (membership events only)
+ *updatedBy:* Who performed the update (case and comment update events only)
+ *createdBy:* Who created the entity (case and comment creation events only)

**Actor Values:** The `updatedBy` and `createdBy` fields can contain:
+ *AWS Responder:* Action performed by an AWS security responder
+ *`security-ir.amazonaws.com`:* Action performed automatically by the service
+ *Account ID:* Action performed by the customer (e.g., "111122223333")

**Resource ARN values:** AWS Security Incident Response resources use these ARN formats:
+ *Cases:* `arn:aws:security-ir:{region}:{account-id}:case/{case-id}`
+ *Memberships:* `arn:aws:security-ir:{region}:{account-id}:membership/{membership-id}`
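
A target that consumes these events can use the documented fields to check and normalize each event before acting on it. The following Python is an added example, not code from the AWS guide: `ParsedEvent`, `classify_actor` and `parse_event` are hypothetical names, the sample event is constructed, and the check that the id in `detail` equals the id in the ARN is an assumption drawn from the ARN formats above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ARN formats from the reference above: case/{case-id}, membership/{membership-id}.
ARN_RE = re.compile(
    r"^arn:aws:security-ir:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<kind>case|membership)/(?P<resource_id>[A-Za-z0-9-]+)$"
)
ID_FIELD = {"case": "caseId", "membership": "membershipId"}


@dataclass(frozen=True)
class ParsedEvent:
    detail_type: str
    kind: str                   # "case" or "membership"
    resource_id: str
    account: str
    region: str
    actor: Optional[str]        # raw updatedBy / createdBy value, if any
    actor_type: Optional[str]   # aws_responder, service, customer, unknown


def classify_actor(value):
    """Map an updatedBy/createdBy value to one of the documented actor kinds."""
    if value is None:
        return None  # Case Closed and membership events carry no actor field
    if value == "AWS Responder":
        return "aws_responder"
    if value == "security-ir.amazonaws.com":
        return "service"
    if isinstance(value, str) and re.fullmatch(r"\d{12}", value):
        return "customer"  # a 12-digit AWS account ID
    return "unknown"


def parse_event(event):
    """Validate a Security Incident Response event and return a ParsedEvent."""
    if event.get("source") != "aws.security-ir":
        raise ValueError("not a Security Incident Response event")
    arn = next((m for m in map(ARN_RE.match, event.get("resources", [])) if m), None)
    if arn is None:
        raise ValueError("no case or membership ARN in resources")
    kind = arn["kind"]
    detail = event.get("detail", {})
    # Assumed invariant: the id in `detail` equals the id at the end of the ARN.
    if detail.get(ID_FIELD[kind]) != arn["resource_id"]:
        raise ValueError(f"{ID_FIELD[kind]} does not match the resource ARN")
    actor = detail.get("updatedBy", detail.get("createdBy"))
    return ParsedEvent(
        detail_type=event.get("detail-type", ""),
        kind=kind,
        resource_id=arn["resource_id"],
        account=arn["account"],
        region=arn["region"],
        actor=actor,
        actor_type=classify_actor(actor),
    )


# Constructed sample event (documentation placeholder account and ids).
SAMPLE_EVENT = {
    "detail-type": "Case Updated",
    "source": "aws.security-ir",
    "account": "111122223333",
    "region": "us-west-2",
    "resources": ["arn:aws:security-ir:us-west-2:111122223333:case/1234567890"],
    "detail": {"caseId": "1234567890", "updatedBy": "AWS Responder"},
}

if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENT))
```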

# Case Events

Case Created by AWS Responder

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Created",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T00:00:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "createdBy": "AWS Responder"
              }
            }
```

Case Created by Service

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Created",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T00:00:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "createdBy": "security-ir.amazonaws.com"
              }
            }
```

Case Created by Customer

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Created",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T00:00:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "createdBy": "111122223333"
              }
            }
```

Case Updated by AWS Responder

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Updated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T01:30:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "updatedBy": "AWS Responder"
              }
            }
```

Case Updated by AWS Customer

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Updated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T02:15:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "updatedBy": "111122223333"
              }
            }
```

Case Updated by AWS Security Incident Response Service

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Updated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T03:45:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "updatedBy": "security-ir.amazonaws.com"
              }
            }
```

Case Closed

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Closed",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-15T14:22:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890"
              }
            }
```

# Case Comment Events

Case Comment Created by AWS Responder

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Comment Created",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T04:30:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "createdBy": "AWS Responder"
              }
            }
```

Case Comment Created by Customer

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Comment Created",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T02:15:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "createdBy": "111122223333"
              }
            }
```

Case Comment Created by AWS Security Incident Response Service

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Comment Created",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T02:15:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "createdBy": "security-ir.amazonaws.com"
              }
            }
```

Case Comment Updated by Customer

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Comment Updated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T02:45:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "updatedBy": "111122223333"
              }
            }
```

Case Comment Updated by AWS Security Incident Response Service

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Comment Updated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T02:45:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "updatedBy": "security-ir.amazonaws.com"
              }
            }
```

Case Comment Updated by AWS Responder

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Case Comment Updated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-05-12T02:45:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:case/1234567890"
              ],
              "detail": {
                "caseId": "1234567890",
                "updatedBy": "AWS Responder"
              }
            }
```

# Membership Events

Membership Created

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Membership Created",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-04-01T10:00:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:membership/m-1234567890abcdef0"
              ],
              "detail": {
                "membershipId": "m-1234567890abcdef0"
              }
            }
```

Membership Updated

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Membership Updated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-04-15T16:30:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:membership/m-1234567890abcdef0"
              ],
              "detail": {
                "membershipId": "m-1234567890abcdef0"
              }
            }
```

Membership Cancelled

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Membership Closed",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-06-30T23:59:59Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:membership/m-1234567890abcdef0"
              ],
              "detail": {
                "membershipId": "m-1234567890abcdef0"
              }
            }
```

Membership Terminated

```
            {
              "version": "0",
              "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
              "detail-type": "Membership Terminated",
              "source": "aws.security-ir",
              "account": "111122223333",
              "time": "2023-07-01T00:00:00Z",
              "region": "us-west-2",
              "resources": [
                "arn:aws:security-ir:us-west-2:111122223333:membership/m-1234567890abcdef0"
              ],
              "detail": {
                "membershipId": "m-1234567890abcdef0"
              }
            }
```

# Using AWS Security Incident Response Events

You can create EventBridge rules to match these events and trigger automated actions. Here are some example use cases:

*Match all AWS Security Incident Response events:*

```
         {
           "source": ["aws.security-ir"]
         }
```

*Match only case events:*

```
         {
           "source": ["aws.security-ir"],
           "detail-type": [
             "Case Created",
             "Case Updated",
             "Case Closed",
             "Case Comment Created",
             "Case Comment Updated"
           ]
         }
```

*Match cases updated by AWS Responders:*

```
         {
           "source": ["aws.security-ir"],
           "detail-type": ["Case Updated"],
           "detail": {
             "updatedBy": ["AWS Responder"]
           }
         }
```

*Match events for a specific case:*

```
         {
           "source": ["aws.security-ir"],
           "detail": {
             "caseId": ["1234567890"]
           }
         }
```
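
To check which of these patterns a given event would trigger before creating the rules, the following added example (not AWS code) implements only the exact-value subset of EventBridge pattern matching that the patterns on this page use. The `matches` and `matching_rules` functions, the rule names and the sample events are constructed for illustration.

```python
def matches(pattern, event):
    """Return True if `event` satisfies `pattern` (exact-value subset only).

    Every key in the pattern must be present in the event. A nested object
    recurses; a list holds the accepted values for that field.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches(expected, actual)):
                return False
        elif isinstance(expected, list):
            if any(isinstance(v, (dict, list)) for v in expected):
                raise NotImplementedError("content filters are outside this subset")
            # An array in the event matches if any of its elements is accepted.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or object")
    return True


# The four use-case patterns from this section, under hypothetical rule names.
PATTERNS = {
    "all-events": {"source": ["aws.security-ir"]},
    "case-events": {
        "source": ["aws.security-ir"],
        "detail-type": [
            "Case Created", "Case Updated", "Case Closed",
            "Case Comment Created", "Case Comment Updated",
        ],
    },
    "responder-updates": {
        "source": ["aws.security-ir"],
        "detail-type": ["Case Updated"],
        "detail": {"updatedBy": ["AWS Responder"]},
    },
    "specific-case": {
        "source": ["aws.security-ir"],
        "detail": {"caseId": ["1234567890"]},
    },
}


def sample_event(detail_type, detail):
    """Build a constructed event with the documentation's placeholder values."""
    return {
        "version": "0",
        "detail-type": detail_type,
        "source": "aws.security-ir",
        "account": "111122223333",
        "region": "us-west-2",
        "detail": detail,
    }


def matching_rules(event):
    """Names of the patterns in PATTERNS that the event satisfies."""
    return [name for name, pattern in PATTERNS.items() if matches(pattern, event)]


if __name__ == "__main__":
    samples = [
        sample_event("Case Updated", {"caseId": "1234567890", "updatedBy": "AWS Responder"}),
        sample_event("Case Comment Updated", {"caseId": "1234567890", "updatedBy": "AWS Responder"}),
        sample_event("Membership Updated", {"membershipId": "m-1234567890abcdef0"}),
    ]
    for event in samples:
        print(event["detail-type"], "->", matching_rules(event))
```

A responder's comment update does not match the `Case Updated` pattern, and the specific-case pattern matches every event type that carries that `caseId` because it sets no `detail-type`.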

# Tutorial: Sending Amazon Simple Notification Service alerts for `Membership Updated` events


In this tutorial, you configure an Amazon EventBridge event rule that captures only events where your subscription enters a `Membership Updated` status.

## Prerequisites


This tutorial assumes that you have a working subscription and active AWS accounts in your membership.

**Topics**
+ [Prerequisites](#service_sns_prereq)
+ [Tutorial: Create and subscribe to an Amazon SNS topic](service_sns_create_topic.md)
+ [Tutorial: Register an event rule](service_sns_reg_rule.md)
+ [Tutorial: Test your rule](service_sns_test_rule.md)
+ [Alternate rule: Security Incident Response Case Updates](service_case_updates_queue.md)

# Tutorial: Create and subscribe to an Amazon SNS topic


For this tutorial, you configure an Amazon SNS topic to serve as an event target for your new event rule.

**To create an Amazon SNS topic**

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. Choose **Topics**, **Create topic**.

1. For **Type**, choose **Standard**.

1. For **Name**, enter **MembershipUpdated** and choose **Create topic**.

1. On the **MembershipUpdated** screen, choose **Create subscription**. 

1. For **Protocol**, choose **Email**.

1. For **Endpoint**, enter an email address that you currently have access to and choose **Create subscription**.

1. Check your email account, and wait to receive a subscription confirmation email message. When you receive it, choose **Confirm subscription**. 

# Tutorial: Register an event rule


Next, register an event rule that captures only `Membership Updated` events.

**To register your EventBridge rule**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter a name and description for the rule.

   **Note**  
   A rule can't have the same name as another rule in the same Region and on the same event bus.

1. For **Event bus**, choose the event bus that you want to associate with this rule. If you want this rule to match events that come from your account, select **AWS default event bus**. When an AWS service in your account emits an event, it always goes to your account's default event bus.

   **Note**  
   Set this up in the AWS Organizations or delegated administrator account in which you created the AWS Security Incident Response membership.

1. For **Rule type**, choose **Rule with an event pattern**.

1. Choose **Next**.

1. For **Event source**, choose **Other**.

1. For **Event pattern**, select **Custom patterns (JSON editor)**.

1. Paste the following event pattern into the text area.

   ```
                     {
                       "source": ["aws.security-ir"],
                       "detail-type": ["Membership Updated"]
                     }
   ```

   This code defines an EventBridge rule that matches any event where your service membership is updated or modified. For more information about event patterns, see [Events and Event Patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events.html) in the *Amazon EventBridge User Guide*.

1. Choose **Next**.

1. For **Target types**, choose **AWS service**.

1. For **Select a target**, choose **SNS topic**, and for **Topic**, choose **MembershipUpdated**.

1. (Optional) For **Additional settings**, do the following:

   1. For **Maximum age of event**, enter a value between one minute (00:01) and 24 hours (24:00).

   1. For **Retry attempts**, enter a number between 0 and 185.

   1. For **Dead-letter queue**, choose whether to use a standard Amazon SQS queue as a dead-letter queue. EventBridge sends events that match this rule to the dead-letter queue if they are not successfully delivered to the target. Do one of the following:
      + Choose **None** to not use a dead-letter queue.
      + Choose **Select an Amazon SQS queue in the current AWS account to use as the dead-letter queue** and then select the queue to use from the dropdown.
      + Choose **Select an Amazon SQS queue in an other AWS account as a dead-letter queue** and then enter the ARN of the queue to use. You must attach a resource-based policy to the queue that grants EventBridge permission to send messages to it. For more information, see [Granting permissions to the dead-letter queue](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rule-dlq.html#eb-dlq-perms) in the *Amazon EventBridge User Guide*.

1. Choose **Next**.

1. (Optional) Enter one or more tags for the rule. For more information, see [Amazon EventBridge tags](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-tagging.html) in the *Amazon EventBridge User Guide*.

1. Choose **Next**.

1. Review the details of the rule and choose **Create rule**.
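
The console steps of the two tutorials above (create and subscribe to the topic, then register the rule) can also be scripted. The following boto3 version is an added example, not code from the AWS guide; the rule name, statement id, target id and function names are assumptions. When the rule is created through the API, the topic's access policy must allow `events.amazonaws.com` to publish, so the script adds that statement, scoped to this one rule, while keeping the topic's existing statements.

```python
import json

TOPIC_NAME = "MembershipUpdated"            # topic name used in the tutorial
RULE_NAME = "MembershipUpdatedRule"         # assumed; the tutorial leaves the name to you
POLICY_SID = "AllowMembershipRulePublish"   # assumed statement id
EVENT_PATTERN = {"source": ["aws.security-ir"], "detail-type": ["Membership Updated"]}


def publish_statement(topic_arn, rule_arn):
    """Policy statement that lets EventBridge publish for this rule only."""
    return {
        "Sid": POLICY_SID,
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
    }


def grant_rule_publish(sns, topic_arn, rule_arn):
    """Add the statement to the topic policy without dropping existing ones."""
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    policy = json.loads(attrs["Policy"])
    # Replace an earlier copy of our statement so repeated runs do not stack up.
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != POLICY_SID]
    policy["Statement"] = kept + [publish_statement(topic_arn, rule_arn)]
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy", AttributeValue=json.dumps(policy)
    )
    return policy


def create_membership_alert(sns, events, email, dlq_arn=None):
    """Create the topic, email subscription, rule and target; return both ARNs.

    `sns` and `events` are boto3 clients for the account and Region that hold
    the membership. `dlq_arn` is an optional SQS queue for undelivered events.
    """
    topic_arn = sns.create_topic(Name=TOPIC_NAME)["TopicArn"]
    # The recipient must still confirm the subscription from the email message.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)

    rule_arn = events.put_rule(
        Name=RULE_NAME,
        EventPattern=json.dumps(EVENT_PATTERN),
        State="ENABLED",
        Description="Notify on Security Incident Response membership updates",
    )["RuleArn"]

    grant_rule_publish(sns, topic_arn, rule_arn)

    target = {"Id": "membership-updated-sns", "Arn": topic_arn}
    if dlq_arn:
        target["DeadLetterConfig"] = {"Arn": dlq_arn}
    result = events.put_targets(Rule=RULE_NAME, Targets=[target])
    if result.get("FailedEntryCount"):
        raise RuntimeError(f"target not attached: {result.get('FailedEntries')}")
    return topic_arn, rule_arn


# Usage (creates real resources; the address is a placeholder):
#   import boto3
#   create_membership_alert(boto3.client("sns"), boto3.client("events"),
#                           "secops@example.com")
```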

# Tutorial: Test your rule


To test your rule, submit an update to your AWS Security Incident Response membership. If your rule is configured correctly, you should receive an email message within a few minutes with the event text.

# Alternate rule: Security Incident Response Case Updates


To create an event rule that monitors for all case updates, repeat these tutorials with the following alterations:

1. In [Tutorial: Create and subscribe to an Amazon SNS topic](service_sns_create_topic.md), use *CaseUpdates* as the topic name.

1. In [Tutorial: Register an event rule](service_sns_reg_rule.md), use the following pattern in the JSON editor:

   ```
                              {
                                "source": ["aws.security-ir"],
                                "detail-type": [
                                  "Case Created",
                                  "Case Updated",
                                  "Case Closed",
                                  "Case Comment Created",
                                  "Case Comment Updated"
                                ]
                              }
   ```