
*****************
get_investigation
*****************



.. py:method:: Detective.Client.get_investigation(**kwargs)

  

  Detective investigations let you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. ``GetInvestigation`` returns the results of an investigation for a behavior graph.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/detective-2018-10-26/GetInvestigation>`_  


  **Request Syntax**
  ::

    response = client.get_investigation(
        GraphArn='string',
        InvestigationId='string'
    )
    
  :type GraphArn: string
  :param GraphArn: **[REQUIRED]** 

    The Amazon Resource Name (ARN) of the behavior graph.

    

  
  :type InvestigationId: string
  :param InvestigationId: **[REQUIRED]** 

    The investigation ID of the investigation report.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'GraphArn': 'string',
          'InvestigationId': 'string',
          'EntityArn': 'string',
          'EntityType': 'IAM_ROLE'|'IAM_USER',
          'CreatedTime': datetime(2015, 1, 1),
          'ScopeStartTime': datetime(2015, 1, 1),
          'ScopeEndTime': datetime(2015, 1, 1),
          'Status': 'RUNNING'|'FAILED'|'SUCCESSFUL',
          'Severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
          'State': 'ACTIVE'|'ARCHIVED'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **GraphArn** *(string) --* 

        The Amazon Resource Name (ARN) of the behavior graph.

        
      

      - **InvestigationId** *(string) --* 

        The investigation ID of the investigation report.

        
      

      - **EntityArn** *(string) --* 

        The unique Amazon Resource Name (ARN). Detective supports IAM user ARNs and IAM role ARNs.

        
      

      - **EntityType** *(string) --* 

        The type of entity, for example an IAM user or an IAM role in an Amazon Web Services account.

        
      

      - **CreatedTime** *(datetime) --* 

        The creation time of the investigation report in UTC time stamp format.

        
      

      - **ScopeStartTime** *(datetime) --* 

        The start date and time used to set the scope time within which you want to generate the investigation report. The value is a UTC ISO 8601 formatted string. For example, ``2021-08-18T16:35:56.284Z``.

        
      

      - **ScopeEndTime** *(datetime) --* 

        The date and time when the investigation began. The value is a UTC ISO 8601 formatted string. For example, ``2021-08-18T16:35:56.284Z``.

        
      

      - **Status** *(string) --* 

        The status based on the completion status of the investigation.

        
      

      - **Severity** *(string) --* 

        The severity assigned is based on the likelihood and impact of the indicators of compromise discovered in the investigation.

        
      

      - **State** *(string) --* 

        The current state of the investigation. An archived investigation indicates that you have completed reviewing the investigation.

        
  
  **Exceptions**
  
  *   :py:class:`Detective.Client.exceptions.AccessDeniedException`

  
  *   :py:class:`Detective.Client.exceptions.InternalServerException`

  
  *   :py:class:`Detective.Client.exceptions.ValidationException`

  
  *   :py:class:`Detective.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`Detective.Client.exceptions.TooManyRequestsException`

  