
get_investigation

Detective.Client.get_investigation(**kwargs)

Detective investigations let you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. GetInvestigation returns the results of an investigation for a behavior graph.

See also: AWS API Documentation

Request Syntax

response = client.get_investigation(
    GraphArn='string',
    InvestigationId='string'
)
Parameters:
  • GraphArn (string) –

    [REQUIRED]

    The Amazon Resource Name (ARN) of the behavior graph.

  • InvestigationId (string) –

    [REQUIRED]

    The investigation ID of the investigation report.

Return type:

dict

Returns:

Response Syntax

{
    'GraphArn': 'string',
    'InvestigationId': 'string',
    'EntityArn': 'string',
    'EntityType': 'IAM_ROLE'|'IAM_USER',
    'CreatedTime': datetime(2015, 1, 1),
    'ScopeStartTime': datetime(2015, 1, 1),
    'ScopeEndTime': datetime(2015, 1, 1),
    'Status': 'RUNNING'|'FAILED'|'SUCCESSFUL',
    'Severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
    'State': 'ACTIVE'|'ARCHIVED'
}

Response Structure

  • (dict) –

    • GraphArn (string) –

      The Amazon Resource Name (ARN) of the behavior graph.

    • InvestigationId (string) –

      The investigation ID of the investigation report.

    • EntityArn (string) –

      The unique Amazon Resource Name (ARN). Detective supports IAM user ARNs and IAM role ARNs.

    • EntityType (string) –

      The type of entity being investigated, for example an Amazon Web Services account principal such as an IAM user or IAM role.

    • CreatedTime (datetime) –

      The creation time of the investigation report in UTC time stamp format.

    • ScopeStartTime (datetime) –

      The start date and time of the scope window within which the investigation report is generated. The value is a UTC ISO 8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

    • ScopeEndTime (datetime) –

      The date and time when the investigation began. The value is a UTC ISO 8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

    • Status (string) –

      The completion status of the investigation.

    • Severity (string) –

      The severity assigned is based on the likelihood and impact of the indicators of compromise discovered in the investigation.

    • State (string) –

      The current state of the investigation. An archived investigation indicates that you have completed reviewing the investigation.
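The fields above are the whole decision surface an analyst has when consuming this call: Status says whether the result is final, State says whether someone has already reviewed it, and Severity ranks it. The following added example (written for this page, not code from the boto3 project or the Detective API) polls get_investigation until Status leaves RUNNING and then turns the response into a triage record. Only the get_investigation call, its two parameters and the documented response keys and values come from the page; the helper names, the polling defaults, the FakeClient used to run it offline, and the constructed SAMPLE_RESPONSE with placeholder ARNs and IDs are assumptions of the example.

```python
"""Added example (not from the boto3 documentation or the Detective API): call
get_investigation, wait for a terminal Status, and triage the result.

Everything except the get_investigation call, its two parameters and the
documented response keys/values is an assumption of this example: the helper
names, the polling defaults, FakeClient, and the constructed SAMPLE_RESPONSE.
"""
import time
from datetime import datetime, timezone

# Documented Status values; only these two mean the investigation has finished.
TERMINAL_STATUSES = {"SUCCESSFUL", "FAILED"}
# Documented Severity values, ordered so they can be compared against a threshold.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample response in the documented shape (ARNs and IDs are placeholders).
SAMPLE_RESPONSE = {
    "GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:EXAMPLE-GRAPH-ID",
    "InvestigationId": "EXAMPLE-INVESTIGATION-ID",
    "EntityArn": "arn:aws:iam::111122223333:role/ExampleRole",
    "EntityType": "IAM_ROLE",
    "CreatedTime": datetime(2021, 8, 19, 17, 0, 0, tzinfo=timezone.utc),
    "ScopeStartTime": datetime(2021, 8, 18, 16, 35, 56, tzinfo=timezone.utc),
    "ScopeEndTime": datetime(2021, 8, 19, 16, 35, 56, tzinfo=timezone.utc),
    "Status": "SUCCESSFUL",
    "Severity": "HIGH",
    "State": "ACTIVE",
}


def wait_for_investigation(client, graph_arn, investigation_id,
                           poll_seconds=15, max_polls=40, sleep=time.sleep):
    """Poll get_investigation until Status is no longer RUNNING.

    `client` is any object with a boto3-style get_investigation(GraphArn=...,
    InvestigationId=...) method, so a real boto3 client or a fake both work.
    Raises TimeoutError if the investigation is still RUNNING after max_polls calls.
    """
    for _ in range(max_polls):
        resp = client.get_investigation(GraphArn=graph_arn, InvestigationId=investigation_id)
        if resp["Status"] in TERMINAL_STATUSES:
            return resp
        sleep(poll_seconds)
    raise TimeoutError(f"investigation {investigation_id} still RUNNING after {max_polls} polls")


def triage(resp, min_severity="MEDIUM"):
    """Reduce a get_investigation response to a triage record.

    needs_attention is True only for a SUCCESSFUL, still ACTIVE investigation whose
    Severity is at or above min_severity; otherwise `reason` says why it was skipped.
    """
    scope_hours = (resp["ScopeEndTime"] - resp["ScopeStartTime"]).total_seconds() / 3600
    record = {
        "entity_arn": resp["EntityArn"],
        "entity_type": resp["EntityType"],
        "severity": resp["Severity"],
        "scope_hours": scope_hours,
        "needs_attention": False,
        "reason": "",
    }
    if resp["Status"] == "FAILED":
        record["reason"] = "investigation failed; re-run before drawing conclusions"
    elif resp["Status"] == "RUNNING":
        record["reason"] = "investigation still running; results are not final"
    elif resp["State"] == "ARCHIVED":
        record["reason"] = "already reviewed (archived)"
    elif SEVERITY_RANK[resp["Severity"]] < SEVERITY_RANK[min_severity]:
        record["reason"] = f"severity {resp['Severity']} is below {min_severity}"
    else:
        record["needs_attention"] = True
    return record


class FakeClient:
    """Stand-in for boto3's Detective client that replays canned responses (offline only)."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = 0

    def get_investigation(self, GraphArn, InvestigationId):
        # Return responses in order; once exhausted, keep returning the last one.
        idx = min(self.calls, len(self._responses) - 1)
        self.calls += 1
        return self._responses[idx]


if __name__ == "__main__":
    # Offline demo: first poll says RUNNING, second says SUCCESSFUL.
    fake = FakeClient([dict(SAMPLE_RESPONSE, Status="RUNNING"), SAMPLE_RESPONSE])
    final = wait_for_investigation(fake, SAMPLE_RESPONSE["GraphArn"],
                                   SAMPLE_RESPONSE["InvestigationId"], sleep=lambda s: None)
    print(triage(final))
    # Against a real behavior graph, pass boto3.client("detective") as the client instead.
```

The `sleep` parameter is injectable only so the polling loop can be exercised without waiting; in production leave the default. A FAILED status is deliberately treated as "no conclusion" rather than "no finding": a failed investigation says nothing about whether the principal was compromised, so the record asks for a re-run instead of silently dropping the entity.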

Exceptions