

# Managing Cases

**Topics**
+ [Changing the case status](changing-the-case-status.md)
+ [Changing the resolver](changing-the-resolver.md)
+ [Action Items](action-items.md)
+ [Edit a case](edit-a-case.md)
+ [Communications](communications.md)
+ [Permissions](sir-permissions.md)
+ [Attachments](attachments.md)
+ [Tags](tags.md)
+ [Case activities](case-activities.md)
+ [Closing a case](closing-a-case.md)

# Changing the case status

 A case is in one of the following states: 
+  Submitted: This is the initial status of a case. Cases in this status have been submitted by a requester, but are not yet being worked on. 
+  Detection and Analysis: This status indicates an incident responder has started work on the case. This phase includes data gathering, triaging the event, and performing analysis to create data driven conclusions. 
+  Containment, Eradication and Recovery: In this status the incident responder has identified suspicious activity that requires additional effort to remove. The incident responder will provide recommendations to you for business risk analysis and additional actions. If you have enabled the opt-in features for the service, then an AWS incident responder will seek your consent to perform containment actions with SSM documents in the impacted account(s). 
+  Post-incident activities: In this status the primary security event has been contained. The focus now is to recover and return business operations to normal. A summary and root cause analysis is provided if the resolver for the case is AWS-supported. 
+  Closed: This is the final status of the workflow. Cases in a closed status indicate work has been completed. Closed cases cannot be reopened, so ensure all actions are complete before transitioning to this status. 

 Choose **Action/Update Status** to change the status of the case for self-managed cases. For AWS supported cases, the status is set by the AWS Security Incident Response engineers.  

# Changing the resolver

 For self-managed cases, your incident response team can request help from AWS. Choose **Get help from AWS** to change the resolver for this case to AWS. Once the case is updated to AWS supported, the status is changed to **Submitted**. The existing case history will be available to AWS Security Incident Response engineers. Once you have requested help from AWS, you will not be able to change the resolver back to self-managed.  

# Action Items

 An AWS Security Incident Response engineer working on the case may request actions from your internal team. 

 Action items that appear after a case has been created include: 
+  Request to provide permissions for an incident responder to access a case  
+  Request to provide more information about the case 

 Action items when a case is ready to close: 
+  Request to review the case report 
+  Request to close the case 

# Edit a case

 Choose **Edit** to change the details of a case. 

 **For AWS supported and self-managed cases:** 

 You can change the following case details after a case has been created: 
+  Title 
+  Description 

 **For AWS supported cases only:** 

 You can change the additional fields:  
+  **Request type:** 
  +  **Active Security Incident**: This type is for urgent incident response support and services.   
  +  **Investigations**: This type is for perceived security incidents where AWS Security Incident Response engineers can assist with log dives and secondary confirmation of the security event. 
+ **Start date estimate**: Change this field if you received indicators for this case that pre-date the start date initially provided. Consider describing the newly detected indicator in the description field, or add a comment in the communications tab.

# Communications

 AWS Security Incident Response engineers can add comments to document their activities when working on a case. Different AWS Security Incident Response engineers can work on a case at the same time. They are represented as **AWS Responder** within the communication log.  

# Permissions

 The permissions tab lists all individuals that will be notified for any change to the case. You can add and remove individuals from the list until the case is closed. 

**Note**  
 Individual cases allow you to include up to 30 total stakeholders. Additional permission configuration is required to grant case-level access to these stakeholders. 

 **Provide access to a case in the console** 

 To provide access to the case in the AWS Management Console, you can copy the IAM permission policy template and add this permission to a user or role.  

 Adding the IAM policy to a user or a role: 

1.  Copy the IAM permission policy. 

1.  Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 

1.  In the navigation pane, choose **Users** or **Roles**. 

1.  Select a user or role to open the details page. 

1.  In the permissions tab, choose **Add permissions**. 

1.  Choose **Attach policy**. 

1.  Select the appropriate [AWS Security Incident Response managed policy](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html). 

1.  Choose **Add policy**. 

# Attachments

 Your incident responders can add attachments to a case that help other incident responders with their investigation for self-managed cases. 

**Note**  
 If you choose an AWS supported case, AWS cannot view attachments. All details for AWS supported cases must be shared via case comments or through you providing a screenshare using your preferred communications technology. 

 Choose **Upload** to select a file from your computer to be added to the case. 

**Note**  
Any uploaded attachments are deleted seven days after a case has been `Closed`.

# Tags

 A tag is an optional label that you can assign to your cases to hold metadata about that resource. Each tag is a label consisting of a key and an optional value. You can use tags to search, allocate costs, and authenticate permissions for the resource. 

 To add a tag, do the following: 

1.  Choose **Add new tag**. 

1.  For **Key**, enter the name of the tag. 

1.  For **Value**, enter the value of the tag. 

To remove a tag, choose the **Remove** option for that tag.

# Case activities

 Audit trails provide detailed chronological records of all case activities. They provide important information in post-event activities and help to identify potential improvements. The time, user, action, and details of any case change are logged in the case audit trail.  

# Closing a case

 For AWS supported cases, choose **Close Case** on the case details page to permanently close the case at any status. A case typically reaches the status **Ready to Close** before it is permanently closed. If you close a case prematurely, at any status other than **Ready to Close**, you are requesting that AWS Security Incident Response engineers stop working on this AWS supported case.  

 If your incident response team is the responder, select **Action/Close Case** on the case details page. 

**Note**  
 The "Ready to Close" status signifies that a case can be permanently closed and that there is no additional work to be done on a case. 

 A case cannot be reopened after it has been permanently closed. All information remains available as read-only. To prevent accidental closure, you will be asked to confirm that you want to close the case. 
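
 Two actions on this page cannot be undone: requesting help from AWS (see Changing the resolver) and closing a case (see Attachments and Closing a case). The following added example, which is not part of the AWS documentation, is a pre-flight check a team could run in its own runbook tooling before either action. The case record layout, its field names, and the `Self`/`AWS` resolver values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

ATTACHMENT_RETENTION = timedelta(days=7)  # attachments are deleted 7 days after Closed

# Constructed sample record; field names and resolver values are assumptions.
SAMPLE = {
    "status": "Detection and Analysis",
    "resolver": "Self",
    "attachments": ["vpc-flow-extract.csv", "timeline.xlsx"],
    "open_action_items": ["Request to review the case report"],
}

def preflight(case, action, now=None):
    """Return (blockers, warnings) for a one-way action: 'close' or 'request_aws_help'."""
    now = now or datetime.now(timezone.utc)
    blockers, warnings = [], []
    if case["status"] == "Closed":
        return ["case is Closed; its information is read-only"], warnings
    if action == "request_aws_help":
        if case["resolver"] == "AWS":
            blockers.append("resolver is already AWS")
        else:
            warnings.append("resolver cannot be changed back to self-managed; "
                            "status becomes Submitted")
            if case["attachments"]:
                # AWS cannot view attachments, so their content must go into comments.
                warnings.append("AWS cannot view attachments; summarize in comments: "
                                + ", ".join(case["attachments"]))
    elif action == "close":
        if case["open_action_items"]:
            # Local policy choice: treat unfinished action items as a hard stop.
            blockers.append("open action items: " + ", ".join(case["open_action_items"]))
        if case["resolver"] == "AWS" and case["status"] != "Ready to Close":
            warnings.append(f"closing at '{case['status']}' asks AWS engineers to stop working")
        if case["attachments"]:
            purge = (now + ATTACHMENT_RETENTION).date().isoformat()
            warnings.append(f"{len(case['attachments'])} attachment(s) will be deleted "
                            f"around {purge}; export what you must retain")
    else:
        blockers.append(f"unknown action {action!r}")
    return blockers, warnings

if __name__ == "__main__":
    for act in ("request_aws_help", "close"):
        print(act, preflight(SAMPLE, act))
```

 Blockers should stop the action outright; warnings are what the operator acknowledges at the console's confirmation prompt.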