
CreateInvestigation - Amazon GuardDuty

CreateInvestigation

This API is currently available as a preview. During the preview, you can initiate up to 10 investigations per account per day, with a total limit of 100 investigations per account. This feature is available in the following AWS Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), and Asia Pacific (Tokyo).

Initiates a GuardDuty investigation that automatically analyzes security findings, correlates related activity, performs account-level analysis, and produces a structured investigation summary with recommended next steps.

Only the administrator account can create an investigation. Member accounts don't have permission to create investigations from their accounts.

To use this operation, the AI_ANALYST feature must be enabled on your detector.

This feature uses Amazon Bedrock models that leverage Cross-Region Inference (CRIS), which automatically selects the optimal AWS Region within your geography to process the investigation analysis and generate the investigation report. This maximizes available compute resources and model availability, and delivers the best customer experience. Your data remains stored only in the Region where the investigation request originates; however, investigation data and summary results may be processed outside that Region. All data is transmitted encrypted across Amazon's secure network. For more information, see GuardDuty Investigation.

Request Syntax

POST /detector/DetectorId/investigation HTTP/1.1
Content-type: application/json

{
   "clientToken": "string",
   "triggerPrompt": "string"
}

URI Request Parameters

The request uses the following URI parameters.

DetectorId

The unique ID of the GuardDuty detector for the account in which the investigation is created.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Length Constraints: Minimum length of 1. Maximum length of 300.

Required: Yes

Request Body

The request accepts the following data in JSON format.

clientToken

The idempotency token for the create request.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 64.

Required: No

triggerPrompt

A natural-language description of what to investigate. For example:

  • "Investigate finding 1ab2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 in account 123456789012"

  • "Analyze findings in account with id 123456789012"

  • "Analyze findings in my organization"

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response Syntax

HTTP/1.1 202
Content-type: application/json

{
   "investigationId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 202 response.

The following data is returned in JSON format by the service.

investigationId

The unique identifier of the newly created investigation.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Pattern: [a-fA-F0-9\-]+

Errors

For information about the errors that are common to all actions, see Common Error Types.

AccessDeniedException

An access denied exception object.

Message

The error message.

Type

The error type.

HTTP Status Code: 403

BadRequestException

A bad request exception object.

Message

The error message.

Type

The error type.

HTTP Status Code: 400

InternalServerErrorException

An internal server error exception object.

Message

The error message.

Type

The error type.

HTTP Status Code: 500
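As an added example (not code from the GuardDuty documentation or the AWS SDKs), the following Python helper builds a CreateInvestigation request according to the syntax and constraints above, generates an idempotency clientToken when none is supplied, validates the investigationId in the 202 response against the documented pattern, and maps the documented HTTP status codes to their exception names. The signed HTTP call itself is delegated to a caller-supplied `send` function (a hypothetical hook, so the code runs offline), and any detector or investigation IDs used with it are constructed placeholders.

```python
import json
import re
import uuid
from typing import Callable, Dict, Optional, Tuple

# Documented response pattern for investigationId
INVESTIGATION_ID_RE = re.compile(r"^[a-fA-F0-9\-]+$")

# HTTP status -> exception name, as listed in the Errors section of this page
STATUS_TO_ERROR = {400: "BadRequestException", 403: "AccessDeniedException",
                   500: "InternalServerErrorException"}


def build_request(detector_id: str, trigger_prompt: str,
                  client_token: Optional[str] = None) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, body) for POST /detector/DetectorId/investigation.

    The documented length constraints are checked locally, so a malformed call
    fails on the client instead of coming back as a BadRequestException.
    """
    if not 1 <= len(detector_id) <= 300:
        raise ValueError("DetectorId must be 1..300 characters")
    if not 1 <= len(trigger_prompt) <= 2048:
        raise ValueError("triggerPrompt must be 1..2048 characters")
    if client_token is None:
        client_token = uuid.uuid4().hex  # 32 hex chars, inside the 64-char limit
    if len(client_token) > 64:
        raise ValueError("clientToken must be at most 64 characters")
    body = {"clientToken": client_token, "triggerPrompt": trigger_prompt}
    return "POST", f"/detector/{detector_id}/investigation", body


def parse_response(status: int, body: str) -> str:
    """Return investigationId from a 202 response, or raise on a documented error."""
    if status != 202:
        raise RuntimeError(f"{STATUS_TO_ERROR.get(status, 'UnknownError')} (HTTP {status}): {body}")
    investigation_id = json.loads(body).get("investigationId", "")
    if not (1 <= len(investigation_id) <= 64 and INVESTIGATION_ID_RE.match(investigation_id)):
        raise ValueError(f"unexpected investigationId: {investigation_id!r}")
    return investigation_id


def create_investigation(send: Callable[[str, str, str], Tuple[int, str]],
                         detector_id: str, trigger_prompt: str,
                         client_token: Optional[str] = None) -> str:
    """Build the request, pass it to `send` (a SigV4-signing HTTP client supplied
    by the caller; a hypothetical hook, not part of any AWS SDK) and parse the reply."""
    method, path, body = build_request(detector_id, trigger_prompt, client_token)
    status, resp_body = send(method, path, json.dumps(body))
    return parse_response(status, resp_body)
```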

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: