Amazon Detective · Schema
GetInvestigationResponse
Response from getting investigation details
Forensics · Investigation · Security
Properties
| Name | Type | Description |
|---|---|---|
| GraphArn | string | The ARN of the behavior graph. |
| InvestigationId | string | The investigation ID of the investigation report. |
| EntityArn | string | The unique Amazon Resource Name (ARN) of the investigated entity, which is either an IAM user or an IAM role (see EntityType). |
| EntityType | string | Type of entity. For example, IAM_ROLE or IAM_USER. |
| CreatedTime | string | The creation time of the investigation report in UTC time stamp format. |
| ScopeStartTime | string | The start date and time used to set the scope time within which you want Detective to investigate. |
| ScopeEndTime | string | The end date and time used to set the scope time within which you want Detective to investigate. |
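| Status | string | The completion status of the investigation run (RUNNING, FAILED or SUCCESSFUL). It reports whether the run finished, not what it found; what the investigation discovered is reflected in Severity. |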
| Severity | string | The severity assigned is based on the likelihood and impact of the indicators of compromise discovered in the investigation. |
| State | string | The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://raw.githubusercontent.com/api-evangelist/amazon-detective/refs/heads/main/json-schema/amazon-detective-get-investigation-response-schema.json",
"title": "GetInvestigationResponse",
"description": "Response from getting investigation details",
"type": "object",
"properties": {
"GraphArn": {
"type": "string",
"description": "The ARN of the behavior graph.",
"example": "arn:aws:detective:us-east-1:123456789012:graph:abc123def456"
},
"InvestigationId": {
"type": "string",
"description": "The investigation ID of the investigation report.",
"example": "invest-abc123def456"
},
"EntityArn": {
"type": "string",
"description": "The unique Amazon Resource Name (ARN) of the investigated entity, which is either an IAM user or an IAM role (see EntityType).",
"example": "arn:aws:iam::123456789012:user/jsmith"
},
"EntityType": {
"type": "string",
"description": "Type of entity. For example, IAM_ROLE or IAM_USER.",
"enum": [
"IAM_ROLE",
"IAM_USER"
],
"example": "IAM_ROLE"
},
"CreatedTime": {
"type": "string",
"format": "date-time",
"description": "The creation time of the investigation report in UTC time stamp format.",
"example": "2025-01-15T10:00:00Z"
},
"ScopeStartTime": {
"type": "string",
"format": "date-time",
"description": "The start date and time used to set the scope time within which you want Detective to investigate.",
"example": "2025-01-01T00:00:00Z"
},
"ScopeEndTime": {
"type": "string",
"format": "date-time",
"description": "The end date and time used to set the scope time within which you want Detective to investigate.",
"example": "2025-01-15T23:59:59Z"
},
"Status": {
"type": "string",
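"description": "The completion status of the investigation run. It reports whether the run finished, not what it found; what the investigation discovered is reflected in Severity.",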
"enum": [
"RUNNING",
"FAILED",
"SUCCESSFUL"
],
"example": "RUNNING"
},
"Severity": {
"type": "string",
"description": "The severity assigned is based on the likelihood and impact of the indicators of compromise discovered in the investigation.",
"enum": [
"INFORMATIONAL",
"LOW",
"MEDIUM",
"HIGH",
"CRITICAL"
],
"example": "HIGH"
},
"State": {
"type": "string",
"description": "The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation.",
"enum": [
"ACTIVE",
"ARCHIVED"
],
"example": "ACTIVE"
}
}
}