ListInvestigations - Amazon Detective

ListInvestigations

Detective investigations let you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. ListInvestigations lists all active Detective investigations.

Request Syntax

POST /investigations/listInvestigations HTTP/1.1
Content-type: application/json

{
   "FilterCriteria": {
      "CreatedTime": {
         "EndInclusive": "string",
         "StartInclusive": "string"
      },
      "EntityArn": {
         "Value": "string"
      },
      "Severity": {
         "Value": "string"
      },
      "State": {
         "Value": "string"
      },
      "Status": {
         "Value": "string"
      }
   },
   "GraphArn": "string",
   "MaxResults": number,
   "NextToken": "string",
   "SortCriteria": {
      "Field": "string",
      "SortOrder": "string"
   }
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

FilterCriteria

Filters the investigation results based on the specified criteria.

Type: FilterCriteria object

Required: No

GraphArn

The Amazon Resource Name (ARN) of the behavior graph.

Type: String

Pattern: ^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$

Required: Yes

MaxResults

The maximum number of investigations to return per page.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken

Indicates whether more results are available. The value of NextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.

Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

SortCriteria

Sorts the investigation results based on the specified criteria.

Type: SortCriteria object

Required: No

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "InvestigationDetails": [
      {
         "CreatedTime": "string",
         "EntityArn": "string",
         "EntityType": "string",
         "InvestigationId": "string",
         "Severity": "string",
         "State": "string",
         "Status": "string"
      }
   ],
   "NextToken": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

InvestigationDetails

Summaries of the investigations, each describing uncommon behavior or malicious activity that indicates a compromise.

Type: Array of InvestigationDetail objects

NextToken

Indicates whether more results are available. The value of NextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.

Each pagination token expires after 24 hours.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.
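The following is an added example, not code from the Amazon Detective documentation or SDKs. It shows how a client drives the request and response shapes above: building a CreatedTime filter, following NextToken until it is absent while keeping every other argument unchanged, and enforcing the MaxResults range on the client side. The service call is injected as a plain callable so the block runs offline against a constructed stand-in; in production the same helper takes the boto3 method `boto3.client("detective").list_investigations`. The graph ARN, the investigation records, the EntityType value and the Severity/State/Status values are constructed sample values (the valid enumerations are not listed on this page); the stand-in service models the documented rule that a pagination token is only valid with identical other arguments, and raises on a changed request the way the real service answers with a ValidationException.

```python
"""Client-side pagination over ListInvestigations (added example, not AWS code)."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional

# Constructed ARN that matches the documented GraphArn pattern
# (12-digit account id, 32 hex characters for the graph id).
GRAPH_ARN = "arn:aws:detective:us-east-1:000000000000:graph:" + "0" * 32


def created_in_last(hours: int, now: Optional[datetime] = None) -> Dict[str, str]:
    """Build the FilterCriteria.CreatedTime window (inclusive) as ISO-8601 UTC strings."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(hours=hours)
    return {"StartInclusive": start.isoformat(), "EndInclusive": now.isoformat()}


def iter_investigations(call: Callable[..., dict], graph_arn: str,
                        filter_criteria: Optional[dict] = None,
                        sort_criteria: Optional[dict] = None,
                        max_results: int = 100) -> Iterator[dict]:
    """Yield every InvestigationDetail, following NextToken until the response omits it.

    Only NextToken changes between pages; GraphArn, FilterCriteria, SortCriteria and
    MaxResults are sent identically on every call, as the NextToken documentation requires.
    """
    if not 1 <= max_results <= 100:  # documented valid range for MaxResults
        raise ValueError("MaxResults must be between 1 and 100")
    request = {"GraphArn": graph_arn, "MaxResults": max_results}
    if filter_criteria:
        request["FilterCriteria"] = filter_criteria
    if sort_criteria:
        request["SortCriteria"] = sort_criteria
    token: Optional[str] = None
    while True:
        page = call(**request, NextToken=token) if token else call(**request)
        yield from page.get("InvestigationDetails", [])
        token = page.get("NextToken")
        if not token:  # no NextToken means this was the last page
            return


def count_by_severity(call: Callable[..., dict], graph_arn: str, **kwargs) -> Dict[str, int]:
    """Triage helper: tally all investigations in the graph by their Severity field."""
    counts: Dict[str, int] = {}
    for inv in iter_investigations(call, graph_arn, **kwargs):
        counts[inv["Severity"]] = counts.get(inv["Severity"], 0) + 1
    return counts


class FakeDetective:
    """Offline stand-in for the service (constructed for this example).

    Serves the given records in pages of MaxResults and, like the real service,
    rejects a NextToken whose accompanying arguments differ from the first call.
    """

    def __init__(self, investigations: List[dict]):
        self._items = investigations
        self._first_request: Optional[dict] = None

    def list_investigations(self, **kwargs) -> dict:
        token = kwargs.pop("NextToken", None)
        if token is None:
            self._first_request = kwargs
            start = 0
        else:
            if kwargs != self._first_request:
                raise ValueError("ValidationException: arguments changed between pages")
            start = int(token)
        size = kwargs["MaxResults"]
        page = self._items[start:start + size]
        response = {"InvestigationDetails": page}
        if start + size < len(self._items):
            response["NextToken"] = str(start + size)  # opaque to the client
        return response


# Constructed sample investigations; EntityType/Severity/State/Status are sample values.
SAMPLE_INVESTIGATIONS = [
    {"CreatedTime": "2024-01-01T00:00:00Z",
     "EntityArn": "arn:aws:iam::000000000000:user/example-user",
     "EntityType": "IAM_USER", "InvestigationId": f"sample-{i:02d}",
     "Severity": sev, "State": "ACTIVE", "Status": "SUCCESSFUL"}
    for i, sev in enumerate(["HIGH", "MEDIUM", "HIGH", "LOW", "CRITICAL"])
]

if __name__ == "__main__":
    fake = FakeDetective(SAMPLE_INVESTIGATIONS)
    filters = {"CreatedTime": created_in_last(24), "State": {"Value": "ACTIVE"}}
    print(count_by_severity(fake.list_investigations, GRAPH_ARN,
                            filter_criteria=filters, max_results=2))
```

Swapping `fake.list_investigations` for the boto3 method is the only change needed to run this against a real behavior graph; the helper then paginates the same way, and a ValidationException from an expired (24-hour) token surfaces from the SDK call and should be handled by restarting from the first page rather than retrying the stale token.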

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

The request issuer does not have permission to access this resource or perform this operation.

HTTP Status Code: 403

InternalServerException

The request was valid but failed because of a problem with the service.

HTTP Status Code: 500

ResourceNotFoundException

The request refers to a nonexistent resource.

HTTP Status Code: 404

TooManyRequestsException

The request cannot be completed because too many other requests are occurring at the same time.

HTTP Status Code: 429

ValidationException

The request parameters are invalid.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: