Detective / Client / list_investigations

list_investigations#

Detective.Client.list_investigations(**kwargs)#

Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. ListInvestigations lists all active Detective investigations.

See also: AWS API Documentation

Request Syntax

response = client.list_investigations(
    GraphArn='string',
    NextToken='string',
    MaxResults=123,
    FilterCriteria={
        'Severity': {
            'Value': 'string'
        },
        'Status': {
            'Value': 'string'
        },
        'State': {
            'Value': 'string'
        },
        'EntityArn': {
            'Value': 'string'
        },
        'CreatedTime': {
            'StartInclusive': datetime(2015, 1, 1),
            'EndInclusive': datetime(2015, 1, 1)
        }
    },
    SortCriteria={
        'Field': 'SEVERITY'|'STATUS'|'CREATED_TIME',
        'SortOrder': 'ASC'|'DESC'
    }
)
Parameters:

  • GraphArn (string) –

    [REQUIRED]

    The Amazon Resource Name (ARN) of the behavior graph.

  • NextToken (string) –

    Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.

    Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.

  • MaxResults (integer) – Lists the maximum number of investigations in a page.

  • FilterCriteria (dict) –

    Filters the investigation results based on a criteria.

    • Severity (dict) –

      Filter the investigation results based on the severity.

      • Value (string) – [REQUIRED]

        The string filter value.

    • Status (dict) –

      Filter the investigation results based on the status.

      • Value (string) – [REQUIRED]

        The string filter value.

    • State (dict) –

      Filter the investigation results based on the state.

      • Value (string) – [REQUIRED]

        The string filter value.

    • EntityArn (dict) –

      Filter the investigation results based on the Amazon Resource Name (ARN) of the entity.

      • Value (string) – [REQUIRED]

        The string filter value.

    • CreatedTime (dict) –

      Filter the investigation results based on when the investigation was created.

      • StartInclusive (datetime) – [REQUIRED]

        A timestamp representing the start of the time period from when data is filtered, including the start date.

      • EndInclusive (datetime) – [REQUIRED]

        A timestamp representing the end date of the time period until when data is filtered, including the end date.

  • SortCriteria (dict) –

    Sorts the investigation results based on a criteria.

    • Field (string) –

      Represents the Field attribute to sort investigations.

    • SortOrder (string) –

      The order by which the sorted findings are displayed.

Return type:

dict

Returns:

Response Syntax

{
    'InvestigationDetails': [
        {
            'InvestigationId': 'string',
            'Severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
            'Status': 'RUNNING'|'FAILED'|'SUCCESSFUL',
            'State': 'ACTIVE'|'ARCHIVED',
            'CreatedTime': datetime(2015, 1, 1),
            'EntityArn': 'string',
            'EntityType': 'IAM_ROLE'|'IAM_USER'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) –

    • InvestigationDetails (list) –

      Lists the summary of uncommon behavior or malicious activity which indicates a compromise.

      • (dict) –

        Details about the investigation related to a potential security event identified by Detective.

        • InvestigationId (string) –

          The investigation ID of the investigation report.

        • Severity (string) –

          Severity based on the likelihood and impact of the indicators of compromise discovered in the investigation.

        • Status (string) –

          Status based on the completion status of the investigation.

        • State (string) –

          The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation.

        • CreatedTime (datetime) –

          The time stamp of the creation time of the investigation report. The value is an UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

        • EntityArn (string) –

          The unique Amazon Resource Name (ARN) of the IAM user and IAM role.

        • EntityType (string) –

          Type of entity. For example, Amazon Web Services accounts, such as IAM user and role.

    • NextToken (string) –

      Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.

      Each pagination token expires after 24 hours.

Exceptions

  • Detective.Client.exceptions.AccessDeniedException

  • Detective.Client.exceptions.InternalServerException

  • Detective.Client.exceptions.ValidationException

  • Detective.Client.exceptions.ResourceNotFoundException

  • Detective.Client.exceptions.TooManyRequestsException