GetInvestigation
Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. GetInvestigation returns the results of an investigation for a behavior graph.
Request Syntax
POST /investigations/getInvestigation HTTP/1.1
Content-type: application/json
{
"GraphArn": "string",
"InvestigationId": "string"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- GraphArn
The Amazon Resource Name (ARN) of the behavior graph.
Type: String
Pattern: ^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$
Required: Yes
- InvestigationId
The investigation ID of the investigation report.
Type: String
Length Constraints: Fixed length of 21.
Pattern: ^[0-9]+$
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"CreatedTime": "string",
"EntityArn": "string",
"EntityType": "string",
"GraphArn": "string",
"InvestigationId": "string",
"ScopeEndTime": "string",
"ScopeStartTime": "string",
"Severity": "string",
"State": "string",
"Status": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- CreatedTime
The creation time of the investigation report in UTC time stamp format.
Type: Timestamp
- EntityArn
The unique Amazon Resource Name (ARN). Detective supports IAM user ARNs and IAM role ARNs.
Type: String
Pattern: ^arn:.*
- EntityType
The type of entity, such as an IAM user or IAM role.
Type: String
Valid Values: IAM_ROLE | IAM_USER
- GraphArn
The Amazon Resource Name (ARN) of the behavior graph.
Type: String
Pattern: ^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$
- InvestigationId
The investigation ID of the investigation report.
Type: String
Length Constraints: Fixed length of 21.
Pattern: ^[0-9]+$
- ScopeEndTime
The date and time when the investigation began. The value is a UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
Type: Timestamp
- ScopeStartTime
The start date and time used to set the scope time within which you want to generate the investigation report. The value is a UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
Type: Timestamp
- Severity
The severity assigned is based on the likelihood and impact of the indicators of compromise discovered in the investigation.
Type: String
Valid Values: INFORMATIONAL | LOW | MEDIUM | HIGH | CRITICAL
- State
The current state of the investigation. An archived investigation indicates that you have completed reviewing the investigation.
Type: String
Valid Values: ACTIVE | ARCHIVED
- Status
The completion status of the investigation.
Type: String
Valid Values: RUNNING | FAILED | SUCCESSFUL
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
The request issuer does not have permission to access this resource or perform this operation.
HTTP Status Code: 403
- InternalServerException
The request was valid but failed because of a problem with the service.
HTTP Status Code: 500
- ResourceNotFoundException
The request refers to a nonexistent resource.
HTTP Status Code: 404
- TooManyRequestsException
The request cannot be completed because too many other requests are occurring at the same time.
HTTP Status Code: 429
- ValidationException
The request parameters are invalid.
HTTP Status Code: 400
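The request constraints, response fields and the ValidationException above, as an added Python example (not from the AWS reference): it checks GraphArn and InvestigationId client-side against the documented pattern and length, and turns a response into a triage verdict using the documented Status, State and Severity values. boto3 is assumed for the live call, and SAMPLE_RESPONSE is a constructed response, not real data.

```python
import re
from datetime import datetime

# Constraints copied from the GetInvestigation request and response reference above.
GRAPH_ARN_RE = re.compile(
    r"^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$")
INVESTIGATION_ID_RE = re.compile(r"^[0-9]{21}$")  # Pattern ^[0-9]+$ plus fixed length 21
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # UTC ISO8601, e.g. 2021-08-18T16:35:56.284Z

def validate_request(graph_arn, investigation_id):
    """Client-side checks; an empty list means the call cannot fail with ValidationException (400)."""
    problems = []
    if not GRAPH_ARN_RE.match(graph_arn):
        problems.append("GraphArn does not match the behavior graph ARN pattern")
    if not INVESTIGATION_ID_RE.match(investigation_id):
        problems.append("InvestigationId must be exactly 21 digits")
    return problems

def fetch_investigation(graph_arn, investigation_id, region):
    """Live call through boto3 (assumed installed and credentialed); not exercised offline."""
    import boto3
    client = boto3.client("detective", region_name=region)
    return client.get_investigation(GraphArn=graph_arn, InvestigationId=investigation_id)

def triage(resp, min_severity="HIGH"):
    """Analyst-queue verdict: only SUCCESSFUL, ACTIVE reports at or above min_severity are actionable."""
    status, state, severity = resp["Status"], resp["State"], resp["Severity"]
    if status == "RUNNING":
        return {"actionable": False, "reason": "still running; poll again"}
    if status == "FAILED":
        return {"actionable": False, "reason": "investigation failed"}
    if state == "ARCHIVED":
        return {"actionable": False, "reason": "already reviewed and archived"}
    start = datetime.strptime(resp["ScopeStartTime"], TIME_FMT)
    end = datetime.strptime(resp["ScopeEndTime"], TIME_FMT)
    actionable = SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]
    return {"actionable": actionable, "entity": resp["EntityArn"], "entity_type": resp["EntityType"],
            "severity": severity, "scope_hours": (end - start).total_seconds() / 3600,
            "reason": "meets severity threshold" if actionable else "below severity threshold"}

SAMPLE_RESPONSE = {  # constructed sample in the documented response shape, not real data
    "CreatedTime": "2021-08-18T17:00:00.000Z", "EntityType": "IAM_ROLE",
    "EntityArn": "arn:aws:iam::123456789012:role/ExampleRole",
    "GraphArn": "arn:aws:detective:us-east-1:123456789012:graph:0123456789abcdef0123456789abcdef",
    "InvestigationId": "123456789012345678901",
    "ScopeStartTime": "2021-08-17T16:35:56.284Z", "ScopeEndTime": "2021-08-18T16:35:56.284Z",
    "Severity": "HIGH", "State": "ACTIVE", "Status": "SUCCESSFUL",
}
```

Note that the check in validate_request only covers the 400 case; 403, 404 and 429 can still come back from the live call and should be handled by the caller.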
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: