

# Set up proactive response and alert triaging workflows
<a name="setup-monitoring-and-investigation-workflows"></a>

AWS Security Incident Response monitors and investigates threat alerts generated from the Amazon GuardDuty and Security Hub CSPM integrations. To use this feature, [Amazon GuardDuty must be enabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). AWS Security Incident Response triages low-priority alerts with service automation so your team can focus on the most critical issues. For more information on how AWS Security Incident Response works with Amazon GuardDuty and AWS Security Hub CSPM, see the [Detect and Analyze](https://docs.aws.amazon.com/security-ir/latest/userguide/detect-and-analyze.html) section of the user guide.

If you experience onboarding issues, [create an AWS Support case](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case) for additional assistance. Include the AWS account ID and any errors you saw during the setup process.

**Note**  
 If you have questions about Amazon GuardDuty suppression rules, alert triaging configurations, or proactive response workflows, you can create an AWS Support case with the case type **Investigations and Inquiries** to consult with the AWS Security Incident Response team. For more information, see [Create an AWS Support case](create-an-aws-supported-case.md). 

This feature enables AWS Security Incident Response to monitor and investigate findings across all covered accounts and active supported AWS Regions in your organization. To support this, AWS Security Incident Response automatically creates a service-linked role in every covered member account in your organization. It cannot create that role in the management account.

*You must create the service-linked role in the management account manually by [working with AWS CloudFormation stack sets](https://docs.aws.amazon.com/security-ir/latest/userguide/working-with-stacksets.html). Monitoring of the management account does not start until this role exists.*

# Understanding Automatic Archiving with Proactive Response
<a name="understanding-automatic-archiving"></a>

When you enable proactive response and alert triaging, AWS Security Incident Response automatically monitors and triages security findings from Amazon GuardDuty and Security Hub CSPM. As part of this auto-triage workflow, findings are automatically archived based on the following criteria:

**Automatic archiving behavior:**
+ **Benign findings:** When the auto-triage process determines that a finding is benign (not a true security threat), AWS Security Incident Response automatically archives the finding in Amazon GuardDuty and creates suppression rules to prevent similar findings from generating alerts in the future.
+ **Suppression rules:** The service creates suppression and auto-archive rules in both Amazon GuardDuty and Security Hub CSPM for findings that match your environment's known-good patterns, such as expected IP addresses, IAM entities, and normal operational behaviors.
+ **Reduced alert volume:** Organizations that forward findings to a SIEM see significantly reduced Amazon GuardDuty finding volumes over time as the service learns your environment and automatically archives benign findings. This improves efficiency for both the AWS Security Incident Response service and your SIEM.

**Viewing archived findings:**

You can review automatically archived findings and the suppression rules created by AWS Security Incident Response:

1. Navigate to the Amazon GuardDuty console

1. Choose **Findings**

1. Select **Archived** from the findings filter

1. Review the suppression rules by selecting the down arrow next to each rule

**Important considerations:**
+ Archived findings are retained in Amazon GuardDuty for 90 days and can be viewed at any time during that period
+ You can modify or delete suppression rules at any time through the Amazon GuardDuty console. Review them periodically: a suppression rule archives every future finding that matches it, so a rule scoped more broadly than the known-good pattern it was meant to cover can hide a real incident
+ The auto-triage process continuously adapts to your environment, improving accuracy over time and reducing false positives
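Because a suppression rule silently archives every future finding it matches, the scope of each rule matters more than its count. A rule keyed only on a finding type archives that type from every source, not just the known-good one; a rule that also pins a source IP, principal, or tag is what "known-good pattern" should look like. The following added example (not code from AWS or the Security Incident Response service) audits rule documents for that mistake and simulates which findings each ARCHIVE rule would hide. The rules and findings are constructed inline; their field names are assumed to follow the shape of the GuardDuty GetFilter and GetFindings API responses, and in practice you would feed it the output of `list_filters`/`get_filter` and `get_findings`.

```python
"""Audit GuardDuty suppression (auto-archive) rules for over-broad scope.

Added example for this page; not AWS or Security Incident Response code.
RULES and FINDINGS are constructed. Their field names are assumed to match
the GuardDuty GetFilter / GetFindings response shapes (dotted lowerCamel
criterion keys, conditions Eq/Neq as string lists, Gte/Lte as numbers).
"""
from typing import Any, Optional

# Fields that only say WHAT kind of finding this is, not WHERE it came from.
# An ARCHIVE rule built from these alone hides a whole class for every source.
CLASS_ONLY_FIELDS = {"type", "severity", "region", "service.serviceName"}

RULES = [  # constructed; assumed shape of get_filter() responses
    {   # narrow: one finding type from one authorised scanner IP
        "Name": "sir-auto-archive-known-scanner",
        "Action": "ARCHIVE",
        "FindingCriteria": {"Criterion": {
            "type": {"Eq": ["UnauthorizedAccess:EC2/SSHBruteForce"]},
            "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4":
                {"Eq": ["203.0.113.10"]},
        }},
    },
    {   # over-broad: archives every SSH brute-force finding from any source
        "Name": "sir-auto-archive-all-sshbruteforce",
        "Action": "ARCHIVE",
        "FindingCriteria": {"Criterion": {
            "type": {"Eq": ["UnauthorizedAccess:EC2/SSHBruteForce"]},
        }},
    },
    {   # NOOP rule: matches but does not archive, so it cannot hide anything
        "Name": "tag-low-severity",
        "Action": "NOOP",
        "FindingCriteria": {"Criterion": {"severity": {"Lte": 3}}},
    },
]

FINDINGS = [  # constructed; assumed shape of get_findings() responses
    {"Id": "f-1", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2,
     "Service": {"Action": {"NetworkConnectionAction": {
         "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"}}}}},
    {"Id": "f-2", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5,
     "Service": {"Action": {"NetworkConnectionAction": {
         "RemoteIpDetails": {"IpAddressV4": "198.51.100.77"}}}}},  # unknown source
    {"Id": "f-3", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8,
     "Service": {"Action": {"DnsRequestAction": {"Domain": "pool.example"}}}},
]


def lookup(doc: dict, path: str) -> Any:
    """Walk a dotted criterion path through a finding document.

    Criterion keys are lowerCamel ("remoteIpDetails") while the finding JSON
    uses UpperCamel ("RemoteIpDetails"), so segments are matched ignoring case.
    """
    node: Any = doc
    for seg in path.split("."):
        if not isinstance(node, dict):
            return None
        node = next((v for k, v in node.items() if k.lower() == seg.lower()), None)
    return node


def condition_holds(value: Any, cond: dict) -> bool:
    """Evaluate one criterion's conditions against the finding's value."""
    if "Eq" in cond and str(value) not in cond["Eq"]:
        return False
    if "Neq" in cond and str(value) in cond["Neq"]:
        return False
    if "Gte" in cond and (value is None or float(value) < cond["Gte"]):
        return False
    if "Lte" in cond and (value is None or float(value) > cond["Lte"]):
        return False
    return True


def rule_matches(rule: dict, finding: dict) -> bool:
    """True when every criterion in the rule holds for the finding."""
    crit = rule["FindingCriteria"]["Criterion"]
    return all(condition_holds(lookup(finding, f), c) for f, c in crit.items())


def audit_rules(rules: list) -> dict:
    """Map rule name -> warnings for ARCHIVE rules that lack environment-specific scope."""
    report = {}
    for rule in rules:
        warnings = []
        crit = rule["FindingCriteria"]["Criterion"]
        if rule.get("Action") == "ARCHIVE":
            if not (set(crit) - CLASS_ONLY_FIELDS):
                warnings.append("archives on finding class alone; no source IP, principal or tag")
            if "type" not in crit:
                warnings.append("no finding type restriction")
        report[rule["Name"]] = warnings
    return report


def simulate(rules: list, findings: list) -> dict:
    """Map finding Id -> name of the first ARCHIVE rule that would hide it, or None."""
    out = {}
    for f in findings:
        out[f["Id"]] = next((r["Name"] for r in rules
                             if r.get("Action") == "ARCHIVE" and rule_matches(r, f)), None)
    return out


if __name__ == "__main__":
    for name, warnings in audit_rules(RULES).items():
        print(name, "OK" if not warnings else "; ".join(warnings))
    for fid, rule in simulate(RULES, FINDINGS).items():
        print(fid, "archived by", rule or "nothing (stays active)")
```

Running it flags `sir-auto-archive-all-sshbruteforce` and shows that it would also archive `f-2`, a brute-force attempt from an address the narrow rule never vouched for. The same walk over real `get_filter` output is a cheap periodic check to run after the service has been creating rules for a while.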

**Containment:** In the event of a security incident, AWS Security Incident Response can execute containment actions to quickly mitigate the impact, such as isolating compromised hosts or rotating credentials. Containment is not enabled by default: before the service can execute these actions, you must grant it the necessary permissions by deploying an [AWS CloudFormation StackSet](https://docs.aws.amazon.com/security-ir/latest/userguide/working-with-stacksets.html), which creates the required roles.