| title | description | ms.service | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | ms.subservice | ms.custom | search.appverid | ms.date | |||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Investigation resource type |
Microsoft Defender for Endpoint Investigation entity. |
defender-endpoint |
siosulli |
siosulli |
medium |
deniseb |
ITPro |
|
reference |
reference |
api |
met150 |
12/18/2020 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
Want to experience Defender for Endpoint? Sign up for a free trial.
[!IncludeMicrosoft Defender for Endpoint API URIs for US Government]
[!IncludeImprove request performance]
Represent an Automated Investigation entity in Defender for Endpoint.
For more information, see Overview of automated investigations.
| Method | Return Type | Description |
|---|---|---|
| List Investigations | Investigation collection | Get collection of Investigation |
| Get single Investigation | Investigation entity | Gets single Investigation entity. |
| Start Investigation | Investigation entity | Starts Investigation on a device. |
| Property | Type | Description |
|---|---|---|
| ID | String | Identity of the investigation entity. |
| startTime | DateTime Nullable | The date and time when the investigation was created. |
| endTime | DateTime Nullable | The date and time when the investigation was completed. |
| cancelledBy | String | The ID of the user/application that canceled that investigation. |
| State | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. |
| statusDetails | String | Additional information about the state of the investigation. |
| machineId | String | The ID of the device on which the investigation is executed. |
| computerDnsName | String | The name of the device on which the investigation is executed. |
| triggeringAlertId | String | The ID of the alert that triggered the investigation. |
{
"id": "63004",
"startTime": "2020-01-06T13:05:15Z",
"endTime": null,
"state": "Running",
"cancelledBy": null,
"statusDetails": null,
"machineId": "e828a0624ed33f919db541065190d2f75e50a071",
"computerDnsName": "desktop-test123",
"triggeringAlertId": "da637139127150012465_1011995739"
}