AWS Security Incident Response events
Security Incident Response sends service events directly to EventBridge, as well as via AWS CloudTrail.
Security Incident Response service events
Security Incident Response sends the following events directly to EventBridge:
Case Created
Case Updated
Case Comment Added
Case Comment Updated
Case Closed
Membership Created
Membership Updated
Membership Cancelled
Membership Terminated
Delivery type: Durable
To match against all events from this service, create an event pattern that matches against the following event attribute:
source: aws.security-ir
{ "source": ["aws.security-ir"] }
To match against specific events, include a detail-type attribute
specifying an array of event names to match. For example:
{ "source": ["aws.security-ir"], "detail-type": ["Case Created"] }
For more information, see Creating event patterns in the Amazon EventBridge User Guide.
Security Incident Response events delivered via AWS CloudTrail
AWS CloudTrail sends events originating from Security Incident Response to EventBridge. AWS services deliver events to CloudTrail on a best effort basis. For more information, see AWS service events delivered via AWS CloudTrail in the Amazon EventBridge User Guide.
To match events from this service delivered by AWS CloudTrail, create an event pattern that matches against the following event attributes:
source: aws.security-ireventSource: security-ir.amazonaws.com
{ "source": ["aws.security-ir"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["security-ir.amazonaws.com"] } }
To match against a specific API calls from this service, include an
eventName attribute specifying an array of API calls to match:
{ "source": ["aws.security-ir"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["security-ir.amazonaws.com"], "eventName": ["api-action-name"] } }
