Skip to content

/AWS1/CL_GDYINVESTIGATION

Contains the details and results of a GuardDuty investigation.

CONSTRUCTOR

IMPORTING

Required arguments:

iv_investigationid TYPE /AWS1/GDYINVESTIGATIONID /AWS1/GDYINVESTIGATIONID

The unique identifier of the investigation.

iv_status TYPE /AWS1/GDYINVESTIGATIONSTATUS /AWS1/GDYINVESTIGATIONSTATUS

The current status of the investigation. Possible values are RUNNING, COMPLETED, and FAILED.

iv_triggerprompt TYPE /AWS1/GDYTRIGGERPROMPT /AWS1/GDYTRIGGERPROMPT

The natural-language prompt that initiated this investigation.

iv_triggeredby TYPE /AWS1/GDYTRIGGEREDBY /AWS1/GDYTRIGGEREDBY

The account that initiated the investigation.

Optional arguments:

io_metadata TYPE REF TO /AWS1/CL_GDYINVESTGTNMETADATA /AWS1/CL_GDYINVESTGTNMETADATA

Metadata about the product and version that produced the investigation.

io_cloud TYPE REF TO /AWS1/CL_GDYCLOUDDETAILS /AWS1/CL_GDYCLOUDDETAILS

Details about the cloud environment in which the investigation was performed, including the provider, region, and account.

iv_risklevel TYPE /AWS1/GDYRISKLEVEL /AWS1/GDYRISKLEVEL

The assessed risk level of the investigated threat. Possible values are Info, Low, Medium, High, and Critical.

iv_risk TYPE /AWS1/GDYRISKDETAILS /AWS1/GDYRISKDETAILS

A human-readable description of the assessed risk.

iv_confidence TYPE /AWS1/GDYCONFIDENCE /AWS1/GDYCONFIDENCE

The confidence level of the investigation's assessment. Possible values are Unknown, Low, Medium, and High.

iv_summary TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

A structured summary of the investigation findings, including affected resources, threat assessment, and recommended remediation steps.

iv_starttime TYPE /AWS1/GDYTIMESTAMP /AWS1/GDYTIMESTAMP

The timestamp at which the investigation started.

iv_endtime TYPE /AWS1/GDYTIMESTAMP /AWS1/GDYTIMESTAMP

The timestamp at which the investigation completed.

iv_error TYPE /AWS1/GDYINVESTGTNERRORDETAILS /AWS1/GDYINVESTGTNERRORDETAILS

Details about the error if the investigation status is FAILED.


Queryable Attributes

InvestigationId

The unique identifier of the investigation.

Accessible with the following methods

Method Description
GET_INVESTIGATIONID() Getter for INVESTIGATIONID, with configurable default
ASK_INVESTIGATIONID() Getter for INVESTIGATIONID w/ exceptions if field has no val
HAS_INVESTIGATIONID() Determine if INVESTIGATIONID has a value

Status

The current status of the investigation. Possible values are RUNNING, COMPLETED, and FAILED.

Accessible with the following methods

Method Description
GET_STATUS() Getter for STATUS, with configurable default
ASK_STATUS() Getter for STATUS w/ exceptions if field has no value
HAS_STATUS() Determine if STATUS has a value

TriggerPrompt

The natural-language prompt that initiated this investigation.

Accessible with the following methods

Method Description
GET_TRIGGERPROMPT() Getter for TRIGGERPROMPT, with configurable default
ASK_TRIGGERPROMPT() Getter for TRIGGERPROMPT w/ exceptions if field has no value
HAS_TRIGGERPROMPT() Determine if TRIGGERPROMPT has a value

TriggeredBy

The account that initiated the investigation.

Accessible with the following methods

Method Description
GET_TRIGGEREDBY() Getter for TRIGGEREDBY, with configurable default
ASK_TRIGGEREDBY() Getter for TRIGGEREDBY w/ exceptions if field has no value
HAS_TRIGGEREDBY() Determine if TRIGGEREDBY has a value

Metadata

Metadata about the product and version that produced the investigation.

Accessible with the following methods

Method Description
GET_METADATA() Getter for METADATA

Cloud

Details about the cloud environment in which the investigation was performed, including the provider, region, and account.

Accessible with the following methods

Method Description
GET_CLOUD() Getter for CLOUD

RiskLevel

The assessed risk level of the investigated threat. Possible values are Info, Low, Medium, High, and Critical.

Accessible with the following methods

Method Description
GET_RISKLEVEL() Getter for RISKLEVEL, with configurable default
ASK_RISKLEVEL() Getter for RISKLEVEL w/ exceptions if field has no value
HAS_RISKLEVEL() Determine if RISKLEVEL has a value

Risk

A human-readable description of the assessed risk.

Accessible with the following methods

Method Description
GET_RISK() Getter for RISK, with configurable default
ASK_RISK() Getter for RISK w/ exceptions if field has no value
HAS_RISK() Determine if RISK has a value

Confidence

The confidence level of the investigation's assessment. Possible values are Unknown, Low, Medium, and High.

Accessible with the following methods

Method Description
GET_CONFIDENCE() Getter for CONFIDENCE, with configurable default
ASK_CONFIDENCE() Getter for CONFIDENCE w/ exceptions if field has no value
HAS_CONFIDENCE() Determine if CONFIDENCE has a value

Summary

A structured summary of the investigation findings, including affected resources, threat assessment, and recommended remediation steps.

Accessible with the following methods

Method Description
GET_SUMMARY() Getter for SUMMARY, with configurable default
ASK_SUMMARY() Getter for SUMMARY w/ exceptions if field has no value
HAS_SUMMARY() Determine if SUMMARY has a value

StartTime

The timestamp at which the investigation started.

Accessible with the following methods

Method Description
GET_STARTTIME() Getter for STARTTIME, with configurable default
ASK_STARTTIME() Getter for STARTTIME w/ exceptions if field has no value
HAS_STARTTIME() Determine if STARTTIME has a value

EndTime

The timestamp at which the investigation completed.

Accessible with the following methods

Method Description
GET_ENDTIME() Getter for ENDTIME, with configurable default
ASK_ENDTIME() Getter for ENDTIME w/ exceptions if field has no value
HAS_ENDTIME() Determine if ENDTIME has a value

Error

Details about the error if the investigation status is FAILED.

Accessible with the following methods

Method Description
GET_ERROR() Getter for ERROR, with configurable default
ASK_ERROR() Getter for ERROR w/ exceptions if field has no value
HAS_ERROR() Determine if ERROR has a value