Detective / Client / list_investigations

list_investigations#

Detective.Client.list_investigations(**kwargs)#

List all Investigations.

See also: AWS API Documentation

Request Syntax

response = client.list_investigations(
    GraphArn='string',
    NextToken='string',
    MaxResults=123,
    FilterCriteria={
        'Severity': {
            'Value': 'string'
        },
        'Status': {
            'Value': 'string'
        },
        'State': {
            'Value': 'string'
        },
        'EntityArn': {
            'Value': 'string'
        },
        'CreatedTime': {
            'StartInclusive': datetime(2015, 1, 1),
            'EndInclusive': datetime(2015, 1, 1)
        }
    },
    SortCriteria={
        'Field': 'SEVERITY'|'STATUS'|'CREATED_TIME',
        'SortOrder': 'ASC'|'DESC'
    }
)
Parameters:

  • GraphArn (string) –

    [REQUIRED]

    The ARN of the behavior graph.

  • NextToken (string) –

    List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.

    Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.

  • MaxResults (integer) – List the maximum number of investigations in a page.

  • FilterCriteria (dict) –

    Filter the investigation results based on a criteria.

    • Severity (dict) –

      Filter the investigation results based on the severity.

      • Value (string) – [REQUIRED]

        The string filter value.

    • Status (dict) –

      Filter the investigation results based on the status.

      • Value (string) – [REQUIRED]

        The string filter value.

    • State (dict) –

      Filter the investigation results based on the state.

      • Value (string) – [REQUIRED]

        The string filter value.

    • EntityArn (dict) –

      Filter the investigation results based on the Amazon Resource Name (ARN) of the entity.

      • Value (string) – [REQUIRED]

        The string filter value.

    • CreatedTime (dict) –

      Filter the investigation results based on when the investigation was created.

      • StartInclusive (datetime) – [REQUIRED]

        A timestamp representing the start of the time period from when data is filtered, including the start date.

      • EndInclusive (datetime) – [REQUIRED]

        A timestamp representing the end date of the time period until when data is filtered , including the end date.

  • SortCriteria (dict) –

    Sorts the investigation results based on a criteria.

    • Field (string) –

      Represents the Field attribute to sort investigations.

    • SortOrder (string) –

      The order by which the sorted findings are displayed.

Return type:

dict

Returns:

Response Syntax

{
    'InvestigationDetails': [
        {
            'InvestigationId': 'string',
            'Severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
            'Status': 'RUNNING'|'FAILED'|'SUCCESSFUL',
            'State': 'ACTIVE'|'ARCHIVED',
            'CreatedTime': datetime(2015, 1, 1),
            'EntityArn': 'string',
            'EntityType': 'IAM_ROLE'|'IAM_USER'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) –

    • InvestigationDetails (list) –

      Investigations details lists the summary of uncommon behavior or malicious activity which indicates a compromise.

      • (dict) –

        Details about the investigation related to a potential security event identified by Detective

        • InvestigationId (string) –

          The investigation ID of the investigation report.

        • Severity (string) –

          Severity based on the likelihood and impact of the indicators of compromise discovered in the investigation.

        • Status (string) –

          Status based on the completion status of the investigation.

        • State (string) –

          The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation.

        • CreatedTime (datetime) –

          The UTC time stamp of the creation time of the investigation report.

        • EntityArn (string) –

          The unique Amazon Resource Name (ARN) of the IAM user and IAM role.

        • EntityType (string) –

          Type of entity. For example, Amazon Web Services accounts, such as IAM user and role.

    • NextToken (string) –

      List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.

      Each pagination token expires after 24 hours. Using an expired pagination token will return an HTTP 400 InvalidToken error.

Exceptions

  • Detective.Client.exceptions.AccessDeniedException

  • Detective.Client.exceptions.InternalServerException

  • Detective.Client.exceptions.ValidationException

  • Detective.Client.exceptions.ResourceNotFoundException

  • Detective.Client.exceptions.TooManyRequestsException