start_investigation

Detective.Client.start_investigation(**kwargs)

Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. StartInvestigation initiates an investigation on an entity in a behavior graph.

See also: AWS API Documentation

Request Syntax

response = client.start_investigation(
    GraphArn='string',
    EntityArn='string',
    ScopeStartTime=datetime(2015, 1, 1),
    ScopeEndTime=datetime(2015, 1, 1)
)

Parameters:
  • GraphArn (string) –

    [REQUIRED]

    The Amazon Resource Name (ARN) of the behavior graph.

  • EntityArn (string) –

    [REQUIRED]

    The unique Amazon Resource Name (ARN) of the IAM user or IAM role.

  • ScopeStartTime (datetime) –

    [REQUIRED]

    The date and time when the investigation began. The value is a UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

  • ScopeEndTime (datetime) –

    [REQUIRED]

    The date and time when the investigation ended. The value is a UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

Return type:

dict

Returns:

Response Syntax

{
    'InvestigationId': 'string'
}

Response Structure

  • (dict) –

    • InvestigationId (string) –

      The investigation ID of the investigation report.

Exceptions

  • Detective.Client.exceptions.AccessDeniedException

  • Detective.Client.exceptions.InternalServerException

  • Detective.Client.exceptions.ValidationException

  • Detective.Client.exceptions.TooManyRequestsException

  • Detective.Client.exceptions.ResourceNotFoundException
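
An added example (not part of the boto3 documentation) that checks the request before sending it and retries on TooManyRequestsException. The helper names `build_request` and `start_with_retry`, the ARN pattern, the rejection of naive datetimes and the ARNs shown are this example's own assumptions and placeholders, not requirements stated by the API.

```python
import re
import time
from datetime import datetime, timedelta, timezone

# IAM user/role ARN shape (assumed check); the ARNs used below are placeholders.
IAM_PRINCIPAL_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(user|role)/.+$")


def build_request(graph_arn, entity_arn, scope_start, scope_end):
    """Validate the inputs and return kwargs for start_investigation."""
    if not IAM_PRINCIPAL_ARN.match(entity_arn):
        raise ValueError("EntityArn must be an IAM user or IAM role ARN")
    for name, value in (("ScopeStartTime", scope_start), ("ScopeEndTime", scope_end)):
        # Reject naive datetimes so the scope window is never ambiguous.
        if value.tzinfo is None or value.utcoffset() is None:
            raise ValueError(f"{name} must be timezone-aware")
    start = scope_start.astimezone(timezone.utc)
    end = scope_end.astimezone(timezone.utc)
    if start >= end:
        raise ValueError("ScopeStartTime must be earlier than ScopeEndTime")
    return {"GraphArn": graph_arn, "EntityArn": entity_arn,
            "ScopeStartTime": start, "ScopeEndTime": end}


def start_with_retry(client, request, attempts=4, base_delay=1.0, sleep=time.sleep):
    """Call start_investigation, backing off exponentially when throttled."""
    for attempt in range(attempts):
        try:
            return client.start_investigation(**request)["InvestigationId"]
        except client.exceptions.TooManyRequestsException:
            if attempt == attempts - 1:
                raise  # out of attempts: surface the throttling error
            sleep(base_delay * 2 ** attempt)


if __name__ == "__main__":
    import boto3  # needs AWS credentials and an existing behavior graph

    alert = datetime(2021, 8, 18, 16, 35, 56, tzinfo=timezone.utc)  # constructed
    request = build_request(
        "arn:aws:detective:us-east-1:111122223333:graph:EXAMPLE_GRAPH_ID",  # placeholder
        "arn:aws:iam::111122223333:role/example-role",  # placeholder
        alert - timedelta(hours=24),  # look-back window chosen for illustration
        alert + timedelta(hours=1),
    )
    print(start_with_retry(boto3.client("detective"), request))
```

AccessDeniedException, ValidationException and ResourceNotFoundException are left to propagate, since retrying them does not help.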