Skip to content

/AWS1/IF_GDY=>CREATEINVESTIGATION()

About CreateInvestigation

This API is currently available as a preview. During the preview, you can initiate up to 10 investigations per account per day, with a total limit of 100 investigations per account. This feature is available in the following Amazon Web Services Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), and Asia Pacific (Tokyo).

Initiates a GuardDuty investigation that automatically analyzes security findings, correlates related activity, performs account-level analysis, and produces a structured investigation summary with recommended next steps.

Only the administrator account can create an investigation. Member accounts don't have permission to create investigations from their accounts.

To use this operation, the AI_ANALYST feature must be enabled on your detector.

This feature uses Amazon Bedrock models that leverage Cross-Region Inference (CRIS), which automatically selects the optimal Amazon Web Services Region within your geography to process the investigation analysis and generate the investigation report. This maximizes available compute resources, model availability, and delivers the best customer experience. Your data remains stored only in the Region where the investigation request originates, however, investigation data and summary results may be processed outside that Region. All data is transmitted encrypted across Amazon's secure network. For more information, see GuardDuty Investigation.

Method Signature

METHODS /AWS1/IF_GDY~CREATEINVESTIGATION
  IMPORTING
    !IV_DETECTORID TYPE /AWS1/GDYDETECTORID OPTIONAL
    !IV_TRIGGERPROMPT TYPE /AWS1/GDYTRIGGERPROMPT OPTIONAL
    !IV_CLIENTTOKEN TYPE /AWS1/GDYCLIENTTOKEN OPTIONAL
  RETURNING
    VALUE(OO_OUTPUT) TYPE REF TO /aws1/cl_gdycreateinvestgtnrsp
  RAISING
    /AWS1/CX_GDYACCESSDENIEDEX
    /AWS1/CX_GDYBADREQUESTEX
    /AWS1/CX_GDYINTERNALSERVERER00
    /AWS1/CX_GDYCLIENTEXC
    /AWS1/CX_GDYSERVEREXC
    /AWS1/CX_RT_TECHNICAL_GENERIC
    /AWS1/CX_RT_SERVICE_GENERIC.

IMPORTING

Required arguments:

iv_detectorid TYPE /AWS1/GDYDETECTORID /AWS1/GDYDETECTORID

The unique ID of the GuardDuty detector for the account in which the investigation is created.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

iv_triggerprompt TYPE /AWS1/GDYTRIGGERPROMPT /AWS1/GDYTRIGGERPROMPT

A natural-language description of what to investigate. For example:

  • "Investigate finding 1ab2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 in account 123456789012"

  • "Analyze findings in account with id 123456789012"

  • "Analyze findings in my organization"

Optional arguments:

iv_clienttoken TYPE /AWS1/GDYCLIENTTOKEN /AWS1/GDYCLIENTTOKEN

The idempotency token for the create request.

RETURNING

oo_output TYPE REF TO /aws1/cl_gdycreateinvestgtnrsp /AWS1/CL_GDYCREATEINVESTGTNRSP

Examples

Syntax Example

This is an example of the syntax for calling the method. It includes every possible argument and initializes every possible value. The data provided is not necessarily semantically accurate (for example the value "string" may be provided for something that is intended to be an instance ID, or in some cases two arguments may be mutually exclusive). The syntax shows the ABAP syntax for creating the various data structures.

DATA(lo_result) = lo_client->createinvestigation(
  iv_clienttoken = |string|
  iv_detectorid = |string|
  iv_triggerprompt = |string|
).

This is an example of reading all possible response values

lo_result = lo_result.
IF lo_result IS NOT INITIAL.
  lv_investigationid = lo_result->get_investigationid( ).
ENDIF.