StartInvestigation
Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. StartInvestigation initiates an investigation on an entity in a behavior graph. 
Request Syntax
POST /investigations/startInvestigation HTTP/1.1
Content-type: application/json
{
   "EntityArn": "string",
   "GraphArn": "string",
   "ScopeEndTime": "string",
   "ScopeStartTime": "string"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- EntityArn
  The unique Amazon Resource Name (ARN) of the IAM user and IAM role.
  Type: String
  Pattern: ^arn:.*
  Required: Yes
- GraphArn
  The Amazon Resource Name (ARN) of the behavior graph.
  Type: String
  Pattern: ^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$
  Required: Yes
- ScopeEndTime
  The date and time when the investigation ended. The value is a UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
  Type: Timestamp
  Required: Yes
- ScopeStartTime
  The date and time when the investigation began. The value is a UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
  Type: Timestamp
  Required: Yes
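The following is an added example, not part of the AWS reference: a client-side pre-flight check that builds the StartInvestigation request body and rejects values that would fail the documented patterns before the call is made. The function names, the stricter IAM user/role ARN check, the start-before-end check and the sample ARNs are assumptions introduced here.

```python
import json
import re
from datetime import datetime, timezone

# Patterns copied from the parameter descriptions on this page.
ENTITY_ARN_RE = re.compile(r"^arn:.*")
GRAPH_ARN_RE = re.compile(
    r"^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$")
INVESTIGATION_ID_RE = re.compile(r"^[0-9]+$")
# Assumption (stricter than the documented pattern): only IAM user/role ARNs.
IAM_PRINCIPAL_RE = re.compile(r"^arn:aws[-\w]{0,10}?:iam::\d{12}:(user|role)/.+$")


def parse_utc(ts):
    """Parse a UTC ISO 8601 string such as 2021-08-18T16:35:56.284Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a UTC ISO 8601 timestamp: {ts!r}")


def build_request(entity_arn, graph_arn, scope_start, scope_end):
    """Return the JSON body for POST /investigations/startInvestigation."""
    if not ENTITY_ARN_RE.fullmatch(entity_arn):
        raise ValueError("EntityArn does not match ^arn:.*")
    if not IAM_PRINCIPAL_RE.fullmatch(entity_arn):
        raise ValueError("EntityArn is not an IAM user or role ARN")
    if not GRAPH_ARN_RE.fullmatch(graph_arn):
        raise ValueError("GraphArn does not match the behavior graph pattern")
    # Added sanity check (not stated on the page): reject an inverted scope.
    if parse_utc(scope_start) >= parse_utc(scope_end):
        raise ValueError("ScopeStartTime must be earlier than ScopeEndTime")
    return json.dumps({"EntityArn": entity_arn, "GraphArn": graph_arn,
                       "ScopeEndTime": scope_end, "ScopeStartTime": scope_start})


def valid_investigation_id(value):
    """Response check: InvestigationId is exactly 21 characters, digits only."""
    return len(value) == 21 and bool(INVESTIGATION_ID_RE.fullmatch(value))


# Constructed sample values (not real resources).
SAMPLE_ENTITY = "arn:aws:iam::111122223333:role/example-role"
SAMPLE_GRAPH = "arn:aws:detective:us-east-1:111122223333:graph:" + "0123456789abcdef" * 2
```

Because the documented EntityArn pattern accepts any string beginning with arn:, the narrower IAM check is what catches a wrong resource type before the request is sent.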
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
   "InvestigationId": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- InvestigationId
  The investigation ID of the investigation report.
  Type: String
  Length Constraints: Fixed length of 21.
  Pattern: ^[0-9]+$
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
  The request issuer does not have permission to access this resource or perform this operation.
  - ErrorCode
    The SDK default error code associated with the access denied exception.
  - ErrorCodeReason
    The SDK default explanation of why access was denied.
  - SubErrorCode
    The error code associated with the access denied exception.
  - SubErrorCodeReason
    An explanation of why access was denied.
  HTTP Status Code: 403
- InternalServerException
  The request was valid but failed because of a problem with the service.
  HTTP Status Code: 500
- ResourceNotFoundException
  The request refers to a nonexistent resource.
  HTTP Status Code: 404
- TooManyRequestsException
  The request cannot be completed because too many other requests are occurring at the same time.
  HTTP Status Code: 429
- ValidationException
  The request parameters are invalid.
  - ErrorCode
    The error code associated with the validation failure.
  - ErrorCodeReason
    An explanation of why validation failed.
  HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: