StartInvestigation - Amazon Detective

StartInvestigation

Detective investigations let you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. StartInvestigation initiates an investigation on an entity in a behavior graph.

Request Syntax

POST /investigations/startInvestigation HTTP/1.1
Content-type: application/json

{
   "EntityArn": "string",
   "GraphArn": "string",
   "ScopeEndTime": "string",
   "ScopeStartTime": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

EntityArn

The unique Amazon Resource Name (ARN) of the IAM user or IAM role to investigate.

Type: String

Pattern: ^arn:.*

Required: Yes

GraphArn

The Amazon Resource Name (ARN) of the behavior graph.

Type: String

Pattern: ^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$

Required: Yes

ScopeEndTime

The date and time when the investigation scope ended. The value is a UTC ISO 8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

Type: Timestamp

Required: Yes

ScopeStartTime

The date and time when the investigation scope began. The value is a UTC ISO 8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

Type: Timestamp

Required: Yes

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "InvestigationId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

InvestigationId

The investigation ID of the investigation report.

Type: String

Length Constraints: Fixed length of 21.

Pattern: ^[0-9]+$
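The following is an added example, not code from the AWS documentation or SDK, showing how a responder can validate the request fields and the response element above before and after calling StartInvestigation. It assumes a boto3 Detective client whose start_investigation method takes the same members as the request body; the ARNs and timestamps are constructed sample values, not real resources.

```python
import re
from datetime import datetime, timezone

# Patterns and constraints as documented for StartInvestigation's request and response fields.
ENTITY_ARN_RE = re.compile(r"^arn:.*")
GRAPH_ARN_RE = re.compile(r"^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$")
INVESTIGATION_ID_RE = re.compile(r"^[0-9]+$")
INVESTIGATION_ID_LEN = 21

# Constructed sample inputs (not real resources): a 12-digit account, a 32-hex graph id, a 6-hour scope.
SAMPLE_GRAPH_ARN = "arn:aws:detective:us-east-1:123456789012:graph:0123456789abcdef0123456789abcdef"
SAMPLE_ENTITY_ARN = "arn:aws:iam::123456789012:role/suspected-compromised-role"
SAMPLE_START = datetime(2021, 8, 18, 10, 35, 56, 284000, tzinfo=timezone.utc)
SAMPLE_END = datetime(2021, 8, 18, 16, 35, 56, 284000, tzinfo=timezone.utc)

def is_graph_arn(arn: str) -> bool:
    return GRAPH_ARN_RE.match(arn) is not None

def is_investigation_id(value) -> bool:
    """Fixed length of 21 and digits only, as the InvestigationId response element documents."""
    return isinstance(value, str) and len(value) == INVESTIGATION_ID_LEN and INVESTIGATION_ID_RE.match(value) is not None

def iso8601_utc(ts: datetime) -> str:
    """Format a timezone-aware datetime as UTC ISO 8601 with milliseconds, e.g. 2021-08-18T16:35:56.284Z."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware; a naive local time would silently shift the scope")
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"

def build_request(entity_arn: str, graph_arn: str, scope_start: datetime, scope_end: datetime) -> dict:
    """Validate inputs client-side and return the JSON body for POST /investigations/startInvestigation."""
    if not ENTITY_ARN_RE.match(entity_arn):
        raise ValueError(f"EntityArn must match ^arn:.*: {entity_arn!r}")
    if not is_graph_arn(graph_arn):
        raise ValueError(f"GraphArn is not a Detective behavior graph ARN: {graph_arn!r}")
    if scope_end <= scope_start:
        raise ValueError("ScopeEndTime must be later than ScopeStartTime")
    return {"EntityArn": entity_arn, "GraphArn": graph_arn,
            "ScopeStartTime": iso8601_utc(scope_start), "ScopeEndTime": iso8601_utc(scope_end)}

def start_investigation(client, entity_arn, graph_arn, scope_start, scope_end) -> str:
    """Send the request through a boto3 Detective client (assumed) and return the validated InvestigationId."""
    body = build_request(entity_arn, graph_arn, scope_start, scope_end)  # fail fast before any API call
    resp = client.start_investigation(EntityArn=body["EntityArn"], GraphArn=body["GraphArn"],
                                      ScopeStartTime=scope_start, ScopeEndTime=scope_end)
    if not is_investigation_id(resp.get("InvestigationId")):
        raise ValueError(f"unexpected InvestigationId in response: {resp!r}")
    return resp["InvestigationId"]
```

Rejecting malformed ARNs and inverted scopes locally avoids spending a request against the TooManyRequestsException budget only to receive a ValidationException.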

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

The request issuer does not have permission to access this resource or perform this operation.

HTTP Status Code: 403

InternalServerException

The request was valid but failed because of a problem with the service.

HTTP Status Code: 500

ResourceNotFoundException

The request refers to a nonexistent resource.

HTTP Status Code: 404

TooManyRequestsException

The request cannot be completed because too many other requests are occurring at the same time.

HTTP Status Code: 429

ValidationException

The request parameters are invalid.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: