Investigation resource type
Applies to:
- ../microsoft-defender-endpoint.md
- ../microsoft-defender-endpoint.md
- Microsoft Defender XDR
Want to experience Defender for Endpoint? Sign up for a free trial.
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use server closer to your geo location:
- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com
Represent an Automated Investigation entity in Defender for Endpoint.
For more information, see Overview of automated investigations.
Methods
| Method | Return Type | Description |
|---|---|---|
| List Investigations | Investigation collection | Get collection of Investigation |
| Get single Investigation | Investigation entity | Gets single Investigation entity. |
| Start Investigation | Investigation entity | Starts Investigation on a device. |
Properties
| Property | Type | Description |
|---|---|---|
| ID | String | Identity of the investigation entity. |
| startTime | DateTime Nullable | The date and time when the investigation was created. |
| endTime | DateTime Nullable | The date and time when the investigation was completed. |
| cancelledBy | String | The ID of the user/application that canceled that investigation. |
| State | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. |
| statusDetails | String | Additional information about the state of the investigation. |
| machineId | String | The ID of the device on which the investigation is executed. |
| computerDnsName | String | The name of the device on which the investigation is executed. |
| triggeringAlertId | String | The ID of the alert that triggered the investigation. |
Json representation
{
"id": "63004",
"startTime": "2020-01-06T13:05:15Z",
"endTime": null,
"state": "Running",
"cancelledBy": null,
"statusDetails": null,
"machineId": "e828a0624ed33f919db541065190d2f75e50a071",
"computerDnsName": "desktop-test123",
"triggeringAlertId": "da637139127150012465_1011995739"
}
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for