/AWS1/CL_GDYINVESTIGATION¶
Contains the details and results of a GuardDuty investigation.
CONSTRUCTOR¶
IMPORTING¶
Required arguments:¶
iv_investigationid TYPE /AWS1/GDYINVESTIGATIONID /AWS1/GDYINVESTIGATIONID¶
The unique identifier of the investigation.
iv_status TYPE /AWS1/GDYINVESTIGATIONSTATUS /AWS1/GDYINVESTIGATIONSTATUS¶
The current status of the investigation. Possible values are
RUNNING,COMPLETED, andFAILED.
iv_triggerprompt TYPE /AWS1/GDYTRIGGERPROMPT /AWS1/GDYTRIGGERPROMPT¶
The natural-language prompt that initiated this investigation.
iv_triggeredby TYPE /AWS1/GDYTRIGGEREDBY /AWS1/GDYTRIGGEREDBY¶
The account that initiated the investigation.
Optional arguments:¶
io_metadata TYPE REF TO /AWS1/CL_GDYINVESTGTNMETADATA /AWS1/CL_GDYINVESTGTNMETADATA¶
Metadata about the product and version that produced the investigation.
io_cloud TYPE REF TO /AWS1/CL_GDYCLOUDDETAILS /AWS1/CL_GDYCLOUDDETAILS¶
Details about the cloud environment in which the investigation was performed, including the provider, region, and account.
iv_risklevel TYPE /AWS1/GDYRISKLEVEL /AWS1/GDYRISKLEVEL¶
The assessed risk level of the investigated threat. Possible values are
Info,Low,Medium,High, andCritical.
iv_risk TYPE /AWS1/GDYRISKDETAILS /AWS1/GDYRISKDETAILS¶
A human-readable description of the assessed risk.
iv_confidence TYPE /AWS1/GDYCONFIDENCE /AWS1/GDYCONFIDENCE¶
The confidence level of the investigation's assessment. Possible values are
Unknown,Low,Medium, andHigh.
iv_summary TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING¶
A structured summary of the investigation findings, including affected resources, threat assessment, and recommended remediation steps.
iv_starttime TYPE /AWS1/GDYTIMESTAMP /AWS1/GDYTIMESTAMP¶
The timestamp at which the investigation started.
iv_endtime TYPE /AWS1/GDYTIMESTAMP /AWS1/GDYTIMESTAMP¶
The timestamp at which the investigation completed.
iv_error TYPE /AWS1/GDYINVESTGTNERRORDETAILS /AWS1/GDYINVESTGTNERRORDETAILS¶
Details about the error if the investigation status is
FAILED.
Queryable Attributes¶
InvestigationId¶
The unique identifier of the investigation.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_INVESTIGATIONID() |
Getter for INVESTIGATIONID, with configurable default |
ASK_INVESTIGATIONID() |
Getter for INVESTIGATIONID w/ exceptions if field has no val |
HAS_INVESTIGATIONID() |
Determine if INVESTIGATIONID has a value |
Status¶
The current status of the investigation. Possible values are
RUNNING,COMPLETED, andFAILED.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_STATUS() |
Getter for STATUS, with configurable default |
ASK_STATUS() |
Getter for STATUS w/ exceptions if field has no value |
HAS_STATUS() |
Determine if STATUS has a value |
TriggerPrompt¶
The natural-language prompt that initiated this investigation.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_TRIGGERPROMPT() |
Getter for TRIGGERPROMPT, with configurable default |
ASK_TRIGGERPROMPT() |
Getter for TRIGGERPROMPT w/ exceptions if field has no value |
HAS_TRIGGERPROMPT() |
Determine if TRIGGERPROMPT has a value |
TriggeredBy¶
The account that initiated the investigation.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_TRIGGEREDBY() |
Getter for TRIGGEREDBY, with configurable default |
ASK_TRIGGEREDBY() |
Getter for TRIGGEREDBY w/ exceptions if field has no value |
HAS_TRIGGEREDBY() |
Determine if TRIGGEREDBY has a value |
Metadata¶
Metadata about the product and version that produced the investigation.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_METADATA() |
Getter for METADATA |
Cloud¶
Details about the cloud environment in which the investigation was performed, including the provider, region, and account.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_CLOUD() |
Getter for CLOUD |
RiskLevel¶
The assessed risk level of the investigated threat. Possible values are
Info,Low,Medium,High, andCritical.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_RISKLEVEL() |
Getter for RISKLEVEL, with configurable default |
ASK_RISKLEVEL() |
Getter for RISKLEVEL w/ exceptions if field has no value |
HAS_RISKLEVEL() |
Determine if RISKLEVEL has a value |
Risk¶
A human-readable description of the assessed risk.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_RISK() |
Getter for RISK, with configurable default |
ASK_RISK() |
Getter for RISK w/ exceptions if field has no value |
HAS_RISK() |
Determine if RISK has a value |
Confidence¶
The confidence level of the investigation's assessment. Possible values are
Unknown,Low,Medium, andHigh.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_CONFIDENCE() |
Getter for CONFIDENCE, with configurable default |
ASK_CONFIDENCE() |
Getter for CONFIDENCE w/ exceptions if field has no value |
HAS_CONFIDENCE() |
Determine if CONFIDENCE has a value |
Summary¶
A structured summary of the investigation findings, including affected resources, threat assessment, and recommended remediation steps.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_SUMMARY() |
Getter for SUMMARY, with configurable default |
ASK_SUMMARY() |
Getter for SUMMARY w/ exceptions if field has no value |
HAS_SUMMARY() |
Determine if SUMMARY has a value |
StartTime¶
The timestamp at which the investigation started.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_STARTTIME() |
Getter for STARTTIME, with configurable default |
ASK_STARTTIME() |
Getter for STARTTIME w/ exceptions if field has no value |
HAS_STARTTIME() |
Determine if STARTTIME has a value |
EndTime¶
The timestamp at which the investigation completed.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_ENDTIME() |
Getter for ENDTIME, with configurable default |
ASK_ENDTIME() |
Getter for ENDTIME w/ exceptions if field has no value |
HAS_ENDTIME() |
Determine if ENDTIME has a value |
Error¶
Details about the error if the investigation status is
FAILED.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_ERROR() |
Getter for ERROR, with configurable default |
ASK_ERROR() |
Getter for ERROR w/ exceptions if field has no value |
HAS_ERROR() |
Determine if ERROR has a value |