# Investigation

## GET /app/api/v1/investigation

> List investigations (with optional filtering, sorting, and search)\
> \
> Returns a paginated list of investigations. By default, only completed investigations\
> (state='success') are returned. Use query parameters to filter by state, outcomes,\
> priorities, date ranges, and more.<br>

```json
{"openapi":"3.0.3","info":{"title":"Dropzone AI","version":"0.1.0"},"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"in":"header","name":"Authorization","type":"apiKey"}},"schemas":{"PaginatedInvestigationList":{"properties":{"count":{"description":"Total number of investigations","type":"integer"},"next":{"description":"URL to next page of results","format":"uri","nullable":true,"type":"string"},"previous":{"description":"URL to previous page of results","format":"uri","nullable":true,"type":"string"},"results":{"items":{"$ref":"#/components/schemas/ScriptVarSerializer_Investigation"},"type":"array"}},"required":["count","next","previous","results"],"type":"object"},"ScriptVarSerializer_Investigation":{"properties":{"alert":{"$ref":"#/components/schemas/ScriptVarSerializer_Alert"},"alert_summary":{"nullable":true,"type":"string"},"attack_surface":{"nullable":true,"type":"string"},"canceled":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/CanceledEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"conclusion":{"readOnly":true,"type":"string"},"conclusion_summary":{"nullable":true,"type":"string"},"created_at":{"format":"date-time","readOnly":true,"type":"string"},"custom_outcome":{"additionalProperties":{},"nullable":true,"readOnly":true,"type":"object"},"error_msg":{"nullable":true,"type":"string"},"exec_summary":{"nullable":true,"type":"string"},"feedback":{"$ref":"#/components/schemas/ScriptVarSerializer_InvestigationFeedback"},"findings":{"additionalProperties":{},"type":"object"},"findings_ranking":{"additionalProperties":{},"type":"object"},"generated_time":{"format":"date-time","nullable":true,"type":"string"},"id":{"readOnly":true,"type":"integer"},"ignored_for_investigation_id":{"nullable":true,"readOnly":true,"type":"integer"},"insight_tags":{"additionalProperties":{},"type":"object"},"interview_proposals":{"additionalProperties":{},"type":"object"},"inv_url":{"readOnly":true,"type":"string"},"key_findings":{"additionalProperties":{},"type":"object"},"mitre_tactic":{"nullable":true,"type":"string"},"outcome":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/Outcome05cEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"priority":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/PriorityEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"recommended_remediations":{"additionalProperties":{},"type":"object"},"remediation_action_runs":{"items":{"$ref":"#/components/schemas/ScriptVarSerializer_RemediationActionRun"},"readOnly":true,"type":"array"},"start_time":{"format":"date-time","nullable":true,"type":"string"},"status":{"$ref":"#/components/schemas/StatusF08Enum"},"updated_at":{"format":"date-time","readOnly":true,"type":"string"}},"required":["alert","conclusion","created_at","custom_outcome","feedback","id","ignored_for_investigation_id","inv_url","remediation_action_runs","updated_at"],"type":"object"},"ScriptVarSerializer_Alert":{"properties":{"alert_type":{"type":"string"},"assets":{"additionalProperties":{},"type":"object"},"coalesce_key":{"nullable":true,"type":"string"},"create_time":{"format":"date-time","type":"string"},"created_at":{"format":"date-time","readOnly":true,"type":"string"},"direct_source_label":{"type":"string"},"entities":{"additionalProperties":{},"type":"object"},"id":{"readOnly":true,"type":"integer"},"origin_integration":{"nullable":true,"type":"string"},"origin_ticket_id":{"nullable":true,"type":"string"},"origin_ticket_id_label":{"nullable":true,"type":"string"},"origin_ticket_url":{"nullable":true,"type":"string"},"original_title":{"type":"string"},"proxy_source_label":{"nullable":true,"type":"string"},"raw_alert_content":{"type":"string"},"schema_key":{"type":"string"},"severity":{"nullable":true,"type":"string"},"start_time":{"format":"date-time","nullable":true,"type":"string"},"tenant_id":{"nullable":true,"type":"string"},"tenant_integration_key":{"nullable":true,"type":"string"},"tenant_label":{"nullable":true,"type":"string"},"tenant_union":{"$ref":"#/components/schemas/ScriptVarSerializer_TenantUnion"},"title":{"type":"string"},"updated_at":{"format":"date-time","readOnly":true,"type":"string"}},"required":["alert_type","create_time","created_at","direct_source_label","id","raw_alert_content","schema_key","tenant_union","title","updated_at"],"type":"object"},"ScriptVarSerializer_TenantUnion":{"properties":{"created_at":{"format":"date-time","readOnly":true,"type":"string"},"display_name":{"type":"string"},"id":{"readOnly":true,"type":"integer"},"lookup_dict":{"additionalProperties":{},"type":"object"},"updated_at":{"format":"date-time","readOnly":true,"type":"string"}},"required":["created_at","display_name","id","updated_at"],"type":"object"},"CanceledEnum":{"description":"* `CANCEL_MANUAL` - CANCEL_MANUAL\n* `CANCEL_THRESHOLD` - CANCEL_THRESHOLD","enum":["CANCEL_MANUAL","CANCEL_THRESHOLD"],"type":"string"},"NullEnum":{"enum":[null]},"ScriptVarSerializer_InvestigationFeedback":{"properties":{"conclusion":{"readOnly":true,"type":"string"},"conclusion_summary":{"nullable":true,"type":"string"},"created_at":{"format":"date-time","readOnly":true,"type":"string"},"findings":{"additionalProperties":{},"type":"object"},"findings_ranking":{"additionalProperties":{},"nullable":true,"type":"object"},"id":{"readOnly":true,"type":"integer"},"insight_tags":{"additionalProperties":{},"nullable":true,"type":"object"},"key_findings":{"additionalProperties":{},"nullable":true,"type":"object"},"outcome":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/Outcome05cEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"outcome_note":{"nullable":true,"type":"string"},"priority":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/PriorityEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"remediations_done":{"additionalProperties":{},"type":"object"},"status":{"$ref":"#/components/schemas/ScriptVarSerializerInvestigationFeedbackStatusEnum"},"updated_at":{"format":"date-time","readOnly":true,"type":"string"}},"required":["conclusion","created_at","id","updated_at"],"type":"object"},"Outcome05cEnum":{"description":"* `COMPLETED_BREACHED_CONFIRMED` - COMPLETED_BREACHED_CONFIRMED\n* `COMPLETED_BREACHED_SUSPICIOUS` - COMPLETED_BREACHED_SUSPICIOUS\n* `COMPLETED_FALSE_ALERT` - COMPLETED_FALSE_ALERT\n* `INCOMPLETE` - INCOMPLETE\n* `IGNORED` - IGNORED","enum":["COMPLETED_BREACHED_CONFIRMED","COMPLETED_BREACHED_SUSPICIOUS","COMPLETED_FALSE_ALERT","INCOMPLETE","IGNORED"],"type":"string"},"PriorityEnum":{"description":"* `informational` - Informational\n* `notable` - Notable\n* `urgent` - Urgent","enum":["informational","notable","urgent"],"type":"string"},"ScriptVarSerializerInvestigationFeedbackStatusEnum":{"description":"* `in_review` - In Review\n* `reviewed` - Reviewed","enum":["in_review","reviewed"],"type":"string"},"ScriptVarSerializer_RemediationActionRun":{"properties":{"entity":{"type":"string"},"remediation_action":{"$ref":"#/components/schemas/ScriptVarSerializer_RemediationAction"}},"required":["remediation_action"],"type":"object"},"ScriptVarSerializer_RemediationAction":{"properties":{"name":{"type":"string"}},"required":["name"],"type":"object"},"StatusF08Enum":{"description":"* `not_asked` - not_asked\n* `loading` - loading\n* `success` - success\n* `error` - error","enum":["not_asked","loading","success","error"],"type":"string"}}},"paths":{"/app/api/v1/investigation":{"get":{"description":"List investigations (with optional filtering, sorting, and search)\n\nReturns a paginated list of investigations. By default, only completed investigations\n(state='success') are returned. Use query parameters to filter by state, outcomes,\npriorities, date ranges, and more.\n","operationId":"investigation_retrieve","parameters":[{"description":"Filter by alert creation time (from). ISO 8601 format","in":"query","name":"alert_create_from","schema":{"type":"string"}},{"description":"Filter by alert creation time (until). ISO 8601 format","in":"query","name":"alert_create_until","schema":{"type":"string"}},{"description":"Filter by alert start time (from). ISO 8601 format (e.g., 2024-01-01 or 2024-01-01T00:00:00Z)","in":"query","name":"alert_start_from","schema":{"type":"string"}},{"description":"Filter by alert start time (until). ISO 8601 format","in":"query","name":"alert_start_until","schema":{"type":"string"}},{"description":"Filter by alert tenant name (can be repeated)","in":"query","name":"alert_tenants","schema":{"items":{"type":"string"},"type":"array"}},{"description":"Filter by alert type/handler key (can be repeated)","in":"query","name":"alert_types","schema":{"items":{"type":"string"},"type":"array"}},{"description":"Filter by attack surface (can be repeated)","in":"query","name":"attack_surfaces","schema":{"items":{"enum":["Cloud Infrastructure","Endpoint","Identity","Kubernetes","Network","Phishing","SaaS"],"type":"string"},"type":"array"}},{"description":"Filter by alert source label (can be repeated)","in":"query","name":"direct_source_labels","schema":{"items":{"type":"string"},"type":"array"}},{"description":"Filter by feedback last updated time (from). ISO 8601 format","in":"query","name":"feedback_updated_from","schema":{"type":"string"}},{"description":"Filter by feedback last updated time (until). ISO 8601 format","in":"query","name":"feedback_updated_until","schema":{"type":"string"}},{"description":"Filter by insight tag name (can be repeated)","in":"query","name":"insight_tag_names","schema":{"items":{"type":"string"},"type":"array"}},{"description":"Filter by interview status (can be repeated)","in":"query","name":"interview_statuses","schema":{"items":{"enum":["active","approved","canceled","declined","failed","finished","finished_with_referral","pending","timed_out"],"type":"string"},"type":"array"}},{"description":"Filter by investigation completion time (from). ISO 8601 format","in":"query","name":"inv_complete_from","schema":{"type":"string"}},{"description":"Filter by investigation completion time (until). ISO 8601 format","in":"query","name":"inv_complete_until","schema":{"type":"string"}},{"description":"Filter by investigation state. Valid values: not_asked (queued), loading (running), success (complete), error (stopped). Defaults to 'success'.","in":"query","name":"investigation_state","schema":{"enum":["error","loading","not_asked","success"],"type":"string"}},{"description":"Number of results per page","in":"query","name":"limit","schema":{"type":"integer"}},{"description":"Filter by MITRE ATT&CK tactic (can be repeated)","in":"query","name":"mitre_tactics","schema":{"items":{"enum":["Collection","Command and Control","Credential Access","Defense Evasion","Discovery","Execution","Exfiltration","Impact","Initial Access","Lateral Movement","Persistence","Privilege Escalation"],"type":"string"},"type":"array"}},{"description":"Number of results to skip","in":"query","name":"offset","schema":{"type":"integer"}},{"description":"Filter by investigation outcome/conclusion (can be repeated)","in":"query","name":"outcomes","schema":{"items":{"enum":["COMPLETED_BREACHED_CONFIRMED","COMPLETED_BREACHED_SUSPICIOUS","COMPLETED_FALSE_ALERT","IGNORED","INCOMPLETE"],"type":"string"},"type":"array"}},{"description":"Filter by investigation priority (can be repeated)","in":"query","name":"priorities","schema":{"items":{"enum":["informational","notable","urgent"],"type":"string"},"type":"array"}},{"description":"Filter by priority status (can be repeated)","in":"query","name":"priority_statuses","schema":{"items":{"type":"string"},"type":"array"}},{"description":"Free-text search across investigation fields","in":"query","name":"search","schema":{"type":"string"}},{"description":"Sort direction. Defaults to 'desc'.","in":"query","name":"sort_dir","schema":{"enum":["asc","desc"],"type":"string"}},{"description":"Sort field. Defaults to 'alert_create'.","in":"query","name":"sort_type","schema":{"enum":["activity","alert_create","alert_source","alert_title","alert_type","feedback_status","investigation_create","outcome","priority_status","stopped_reason"],"type":"string"}},{"description":"Filter by stopped reason for error/canceled investigations (can be repeated)","in":"query","name":"stopped_reasons","schema":{"items":{"type":"string"},"type":"array"}},{"description":"Filter by tenant ID","in":"query","name":"tenant_id","schema":{"type":"string"}},{"description":"Filter by tenant integration key","in":"query","name":"tenant_integration_key","schema":{"type":"string"}},{"description":"Filter by user feedback status (can be repeated)","in":"query","name":"user_statuses","schema":{"items":{"enum":["in_review","reviewed"],"type":"string"},"type":"array"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PaginatedInvestigationList"}}},"description":"<strong>Paginated list of investigations</strong>\n<br><br>\nReturns a paginated list of investigations. By default, only completed investigations\n(state='success') are returned. Use query parameters to filter by state, outcomes,\npriorities, date ranges, and more.\n<br><br>\nUse <code>next</code> and <code>previous</code>\nURLs in the response for easy page navigation.\n<br><br>\n"},"400":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Bad request - invalid input"},"401":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Unauthorized"},"403":{"content":{"application/json":{"schema":{"properties":{"detail":{"type":"string"}},"type":"object"}}},"description":"Access denied"},"500":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System error"},"503":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System not ready for requests"}},"tags":["investigation"]}}}}
```

## POST /app/api/v1/investigation/create

> Creates a new alert investigation, returning \<code>investigation\_id\</code>\
> \<br>\<br>\
> \<i>Returns existing id if alert already exists (unless \<code>force\_reinvestigation=True\</code>)\</i>\
> \<br>\<br>\
> \<strong>Then:\</strong> Use \<code>GET /app/api/v1/investigation/{investigation\_id}\</code> for updates<br>

```json
{"openapi":"3.0.3","info":{"title":"Dropzone AI","version":"0.1.0"},"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"in":"header","name":"Authorization","type":"apiKey"}}},"paths":{"/app/api/v1/investigation/create":{"post":{"description":"Creates a new alert investigation, returning <code>investigation_id</code>\n<br><br>\n<i>Returns existing id if alert already exists (unless <code>force_reinvestigation=True</code>)</i>\n<br><br>\n<strong>Then:</strong> Use <code>GET /app/api/v1/investigation/{investigation_id}</code> for updates\n","operationId":"investigation_create_create","requestBody":{"content":{"application/json":{"schema":{"properties":{"force_reinvestigation":{"default":false,"type":"boolean"},"raw_alert_content":{"type":"object"},"schema_key":{"type":"string"},"tenant_union_id":{"default":null,"nullable":true,"type":"number"}},"type":"object"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"properties":{"investigation_id":{"type":"number"}},"type":"object"}}},"description":"Existing investigation found"},"201":{"content":{"application/json":{"schema":{"properties":{"investigation_id":{"type":"number"}},"type":"object"}}},"description":"New investigation created"},"400":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Bad request - invalid input"},"401":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Unauthorized"},"403":{"content":{"application/json":{"schema":{"properties":{"detail":{"type":"string"}},"type":"object"}}},"description":"Access denied"},"422":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"},"skip_reason":{"type":"string"}},"type":"object"}}},"description":"Alert skipped due to missing data (e.g., propagation delay)"},"500":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System error"},"503":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System not ready for requests"}},"tags":["investigation"]}}}}
```

## POST /app/api/v1/investigation/create/custom

> Request body = arbitrary alert JSON to be parsed & investigated\
> \<br>\<br>\
> Response = \<code>investigation\_id\</code> if successful, \<code>error\_msg\</code> otherwise\
> \<br>\<br>\
> \<i>Returns existing id if alert already exists (unless \<code>?force\_reinvestigation=True\</code>)\</i>\
> \<br>\<br>\
> \<strong>Then:\</strong> Use \<code>GET /app/api/v1/investigation/{investigation\_id}\</code> for updates<br>

```json
{"openapi":"3.0.3","info":{"title":"Dropzone AI","version":"0.1.0"},"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"in":"header","name":"Authorization","type":"apiKey"}}},"paths":{"/app/api/v1/investigation/create/custom":{"post":{"description":"Request body = arbitrary alert JSON to be parsed & investigated\n<br><br>\nResponse = <code>investigation_id</code> if successful, <code>error_msg</code> otherwise\n<br><br>\n<i>Returns existing id if alert already exists (unless <code>?force_reinvestigation=True</code>)</i>\n<br><br>\n<strong>Then:</strong> Use <code>GET /app/api/v1/investigation/{investigation_id}</code> for updates\n","operationId":"investigation_create_custom_create","parameters":[{"description":"Force reinvestigation","in":"query","name":"force_reinvestigation","schema":{"type":"boolean"}},{"description":"Tenant union ID","in":"query","name":"tenant_union_id","schema":{"type":"integer"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"properties":{"investigation_id":{"type":"number"}},"type":"object"}}},"description":"Existing investigation found"},"201":{"content":{"application/json":{"schema":{"properties":{"investigation_id":{"type":"number"}},"type":"object"}}},"description":"New investigation created"},"400":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Bad request - invalid input"},"401":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Unauthorized"},"403":{"content":{"application/json":{"schema":{"properties":{"detail":{"type":"string"}},"type":"object"}}},"description":"Access denied"},"413":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"},"skip_reason":{"type":"string"}},"type":"object"}}},"description":"Content Too Large"},"500":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System error"},"503":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System not ready for requests"}},"tags":["investigation"]}}}}
```

## GET /app/api/v1/investigation/{investigation\_id}

> Returns an alert investigation

```json
{"openapi":"3.0.3","info":{"title":"Dropzone AI","version":"0.1.0"},"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"in":"header","name":"Authorization","type":"apiKey"}},"schemas":{"Investigation":{"description":"For customers (api_external, ...and also core /investigation_contextual_chat)\n- no feedback\n- no outcome_tip\n- yes alert.raw_alert_content","properties":{"alert":{"$ref":"#/components/schemas/FullAlert"},"alert_summary":{"nullable":true,"type":"string"},"attack_surface":{"nullable":true,"type":"string"},"backfill":{"nullable":true,"type":"integer"},"canceled":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/CanceledEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"conclusion":{"readOnly":true,"type":"string"},"conclusion_summary":{"nullable":true,"type":"string"},"created_at":{"format":"date-time","readOnly":true,"type":"string"},"email_screenshot":{"nullable":true,"type":"string"},"error_msg":{"nullable":true,"type":"string"},"exec_summary":{"nullable":true,"type":"string"},"findings":{"items":{"properties":{"artifacts":{"items":{"type":"string"},"type":"array"},"evidences":{"items":{"properties":{"data":{"oneOf":[{"type":"string"},{"type":"object"},{"type":"array"}]},"evidence_type":{"type":"string"},"tag":{"nullable":true,"type":"string"}},"type":"object"},"type":"array"},"finding":{"type":"string"},"headline":{"type":"string"},"outcome":{"enum":["COMPLETED_BREACHED_CONFIRMED","COMPLETED_BREACHED_SUSPICIOUS","COMPLETED_FALSE_ALERT","COMPLETED_ACTION_INFO","INCOMPLETE"],"type":"string"}},"type":"object"},"type":"array"},"findings_ranking":{"additionalProperties":{},"type":"object"},"generated_time":{"format":"date-time","nullable":true,"type":"string"},"id":{"readOnly":true,"type":"integer"},"ignored_for":{"nullable":true,"type":"integer"},"insight_tags":{"additionalProperties":{},"type":"object"},"interview_proposals":{"additionalProperties":{},"type":"object"},"inv_url":{"readOnly":true,"type":"string"},"is_retried":{"type":"boolean"},"key_findings":{"additionalProperties":{},"type":"object"},"mitre_tactic":{"nullable":true,"type":"string"},"outcome":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/Outcome05cEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"priority":{"nullable":true,"oneOf":[{"$ref":"#/components/schemas/PriorityEnum"},{"$ref":"#/components/schemas/NullEnum"}]},"ready":{"type":"boolean"},"recommended_remediations":{"items":{"type":"string"},"type":"array"},"related_alert_hypothesis":{"additionalProperties":{},"nullable":true,"type":"object"},"start_time":{"format":"date-time","nullable":true,"type":"string"},"status":{"$ref":"#/components/schemas/StatusF08Enum"},"updated_at":{"format":"date-time","readOnly":true,"type":"string"}},"required":["alert","conclusion","created_at","id","inv_url","updated_at"],"type":"object"},"FullAlert":{"properties":{"alert_type":{"type":"string"},"assets":{"additionalProperties":{},"type":"object"},"coalesce_key":{"nullable":true,"type":"string"},"create_time":{"format":"date-time","type":"string"},"created_at":{"format":"date-time","readOnly":true,"type":"string"},"direct_source_label":{"type":"string"},"enrich_result":{"additionalProperties":{},"nullable":true,"type":"object"},"entities":{"items":{"properties":{"type":{"type":"string"},"value":{"type":"string"}},"type":"object"},"type":"array"},"handler_version":{"$ref":"#/components/schemas/HandlerVersionEnum"},"id":{"readOnly":true,"type":"integer"},"origin_integration":{"nullable":true,"type":"string"},"origin_integration_display_name":{"readOnly":true,"type":"string"},"origin_ticket_id":{"nullable":true,"type":"string"},"origin_ticket_id_label":{"nullable":true,"type":"string"},"origin_ticket_url":{"nullable":true,"type":"string"},"original_title":{"type":"string"},"proxy_source_label":{"nullable":true,"type":"string"},"raw_alert_content":{"type":"string"},"schema_key":{"type":"string"},"severity":{"nullable":true,"type":"string"},"start_time":{"format":"date-time","nullable":true,"type":"string"},"tenant_id":{"nullable":true,"type":"string"},"tenant_integration_key":{"nullable":true,"type":"string"},"tenant_label":{"nullable":true,"type":"string"},"tenant_union":{"allOf":[{"$ref":"#/components/schemas/TenantUnion"}],"nullable":true},"title":{"type":"string"},"updated_at":{"format":"date-time","readOnly":true,"type":"string"}},"required":["alert_type","create_time","created_at","direct_source_label","id","origin_integration_display_name","raw_alert_content","schema_key","title","updated_at"],"type":"object"},"HandlerVersionEnum":{"description":"* `v1` - v1\n* `v2` - v2","enum":["v1","v2"],"type":"string"},"TenantUnion":{"description":"Adds update nested feature","properties":{"created_at":{"format":"date-time","readOnly":true,"type":"string"},"display_name":{"type":"string"},"id":{"readOnly":true,"type":"integer"},"last_modified_by":{"allOf":[{"$ref":"#/components/schemas/CustomUser"}],"nullable":true},"lookup_dict":{"additionalProperties":{},"type":"object"},"updated_at":{"format":"date-time","readOnly":true,"type":"string"}},"required":["created_at","display_name","id","updated_at"],"type":"object"},"CustomUser":{"description":"Basic serializer to pass CustomUser details to the front end.\nExtend with any fields your app needs.","properties":{"email":{"format":"email","maxLength":254,"title":"Email address","type":"string"},"first_name":{"maxLength":150,"type":"string"},"id":{"readOnly":true,"type":"integer"},"last_name":{"maxLength":150,"type":"string"},"oidc_user_id":{"nullable":true,"type":"string"},"role":{"$ref":"#/components/schemas/RoleEnum"}},"required":["id"],"type":"object"},"RoleEnum":{"description":"* `admin` - Admin\n* `member` - Member\n* `restricted-read-only` - RRO","enum":["admin","member","restricted-read-only"],"type":"string"},"CanceledEnum":{"description":"* `CANCEL_MANUAL` - CANCEL_MANUAL\n* `CANCEL_THRESHOLD` - CANCEL_THRESHOLD","enum":["CANCEL_MANUAL","CANCEL_THRESHOLD"],"type":"string"},"NullEnum":{"enum":[null]},"Outcome05cEnum":{"description":"* `COMPLETED_BREACHED_CONFIRMED` - COMPLETED_BREACHED_CONFIRMED\n* `COMPLETED_BREACHED_SUSPICIOUS` - COMPLETED_BREACHED_SUSPICIOUS\n* `COMPLETED_FALSE_ALERT` - COMPLETED_FALSE_ALERT\n* `INCOMPLETE` - INCOMPLETE\n* `IGNORED` - IGNORED","enum":["COMPLETED_BREACHED_CONFIRMED","COMPLETED_BREACHED_SUSPICIOUS","COMPLETED_FALSE_ALERT","INCOMPLETE","IGNORED"],"type":"string"},"PriorityEnum":{"description":"* `informational` - Informational\n* `notable` - Notable\n* `urgent` - Urgent","enum":["informational","notable","urgent"],"type":"string"},"StatusF08Enum":{"description":"* `not_asked` - not_asked\n* `loading` - loading\n* `success` - success\n* `error` - error","enum":["not_asked","loading","success","error"],"type":"string"}}},"paths":{"/app/api/v1/investigation/{investigation_id}":{"get":{"description":"Returns an alert investigation","operationId":"investigation_retrieve_2","parameters":[{"in":"path","name":"investigation_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Investigation"}}},"description":"Investigation data object. For progress: <code>investigation.status=</code>\n<ul>\n  <li>\n      <code>not_asked</code> : queued\n  </li>\n  <li>\n      <code>loading</code> : running AI analyst\n  </li>\n  <li>\n      <code>success</code> : AI analyst finished with result\n  </li>\n  <li>\n      <code>error</code> : AI analyst finished with error\n      — See <code>investigation.error_msg</code>\n  </li>\n</ul>\n"},"401":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Unauthorized"},"403":{"content":{"application/json":{"schema":{"properties":{"detail":{"type":"string"}},"type":"object"}}},"description":"Access denied"},"404":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"Resource not found"},"500":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System error"},"503":{"content":{"application/json":{"schema":{"properties":{"error_msg":{"type":"string"}},"type":"object"}}},"description":"System not ready for requests"}},"tags":["investigation"]}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.dropzone.ai/api/investigation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.