Investigation

get

List investigations (with optional filtering, sorting, and search)

Returns a paginated list of investigations. By default, only completed investigations (state='success') are returned. Use query parameters to filter by state, outcomes, priorities, date ranges, and more.

Authorizations

AuthorizationstringRequired

Query parameters

alert_create_fromstringOptional

Filter by alert creation time (from). ISO 8601 format

alert_create_untilstringOptional

Filter by alert creation time (until). ISO 8601 format

alert_start_fromstringOptional

Filter by alert start time (from). ISO 8601 format (e.g., 2024-01-01 or 2024-01-01T00:00:00Z)

alert_start_untilstringOptional

Filter by alert start time (until). ISO 8601 format

alert_tenantsstring[]Optional

Filter by alert tenant name (can be repeated)

alert_typesstring[]Optional

Filter by alert type/handler key (can be repeated)

direct_source_labelsstring[]Optional

Filter by alert source label (can be repeated)

feedback_updated_fromstringOptional

Filter by feedback last updated time (from). ISO 8601 format

feedback_updated_untilstringOptional

Filter by feedback last updated time (until). ISO 8601 format

insight_tag_namesstring[]Optional

Filter by insight tag name (can be repeated)

inv_complete_fromstringOptional

Filter by investigation completion time (from). ISO 8601 format

inv_complete_untilstringOptional

Filter by investigation completion time (until). ISO 8601 format

investigation_statestring · enumOptional

Filter by investigation state. Valid values: not_asked (queued), loading (running), success (complete), error (stopped). Defaults to 'success'.

Possible values:

limitintegerOptional

Number of results per page

offsetintegerOptional

Number of results to skip

priority_statusesstring[]Optional

Filter by priority status (can be repeated)

searchstringOptional

Free-text search across investigation fields

sort_dirstring · enumOptional

Sort direction. Defaults to 'desc'.

Possible values:

sort_typestring · enumOptional

Sort field. Defaults to 'alert_create'.

Possible values:

stopped_reasonsstring[]Optional

Filter by stopped reason for error/canceled investigations (can be repeated)

tenant_idstringOptional

Filter by tenant ID

tenant_integration_keystringOptional

Filter by tenant integration key

Responses

200

Paginated list of investigations Returns a paginated list of investigations. By default, only completed investigations (state='success') are returned. Use query parameters to filter by state, outcomes, priorities, date ranges, and more. Use next and previous URLs in the response for easy page navigation.

application/json

countintegerRequired

Total number of investigations

nextstring · uri · nullableRequired

URL to next page of results

previousstring · uri · nullableRequired

URL to previous page of results

400

Bad request - invalid input

application/json

401

Unauthorized

application/json

403

Access denied

application/json

500

System error

application/json

503

System not ready for requests

application/json

get

/app/api/v1/investigation

GET /app/api/v1/investigation HTTP/1.1
Authorization: YOUR_API_KEY
Accept: */*

{
  "count": 1,
  "next": "https://example.com",
  "previous": "https://example.com",
  "results": [
    {
      "alert": {
        "alert_type": "text",
        "assets": {
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "coalesce_key": "text",
        "create_time": "2026-03-09T21:44:08.219Z",
        "created_at": "2026-03-09T21:44:08.219Z",
        "direct_source_label": "text",
        "entities": {
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "id": 1,
        "origin_integration": "text",
        "origin_ticket_id": "text",
        "origin_ticket_id_label": "text",
        "origin_ticket_url": "text",
        "original_title": "text",
        "proxy_source_label": "text",
        "raw_alert_content": "text",
        "schema_key": "text",
        "severity": "text",
        "start_time": "2026-03-09T21:44:08.219Z",
        "tenant_id": "text",
        "tenant_integration_key": "text",
        "tenant_label": "text",
        "tenant_union": {
          "created_at": "2026-03-09T21:44:08.219Z",
          "display_name": "text",
          "id": 1,
          "lookup_dict": {
            "ANY_ADDITIONAL_PROPERTY": "anything"
          },
          "updated_at": "2026-03-09T21:44:08.219Z"
        },
        "title": "text",
        "updated_at": "2026-03-09T21:44:08.219Z"
      },
      "alert_summary": "text",
      "attack_surface": "text",
      "canceled": "CANCEL_MANUAL",
      "conclusion": "text",
      "conclusion_summary": "text",
      "created_at": "2026-03-09T21:44:08.219Z",
      "custom_outcome": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "error_msg": "text",
      "exec_summary": "text",
      "feedback": {
        "conclusion": "text",
        "conclusion_summary": "text",
        "created_at": "2026-03-09T21:44:08.219Z",
        "findings": {
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "findings_ranking": {
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "id": 1,
        "insight_tags": {
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "key_findings": {
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "outcome": "COMPLETED_BREACHED_CONFIRMED",
        "outcome_note": "text",
        "priority": "informational",
        "remediations_done": {
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "status": "in_review",
        "updated_at": "2026-03-09T21:44:08.219Z"
      },
      "findings": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "findings_ranking": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "generated_time": "2026-03-09T21:44:08.219Z",
      "id": 1,
      "ignored_for_investigation_id": 1,
      "insight_tags": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "interview_proposals": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "inv_url": "text",
      "key_findings": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "mitre_tactic": "text",
      "outcome": "COMPLETED_BREACHED_CONFIRMED",
      "priority": "informational",
      "recommended_remediations": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "remediation_action_runs": [
        {
          "entity": "text",
          "remediation_action": {
            "name": "text"
          }
        }
      ],
      "start_time": "2026-03-09T21:44:08.219Z",
      "status": "not_asked",
      "updated_at": "2026-03-09T21:44:08.219Z"
    }
  ]
}

post

Creates a new alert investigation, returning investigation_id Returns existing id if alert already exists (unless force_reinvestigation=True) Then: Use GET /app/api/v1/investigation/{investigation_id} for updates

Authorizations

AuthorizationstringRequired

Body

force_reinvestigationbooleanOptionalDefault: false

raw_alert_contentobjectOptional

schema_keystringOptional

tenant_union_idnumber · nullableOptionalDefault: null

Responses

200

Existing investigation found

application/json

investigation_idnumberOptional

201

New investigation created

application/json

400

Bad request - invalid input

application/json

401

Unauthorized

application/json

403

Access denied

application/json

422

Alert skipped due to missing data (e.g., propagation delay)

application/json

500

System error

application/json

503

System not ready for requests

application/json

post

/app/api/v1/investigation/create

POST /app/api/v1/investigation/create HTTP/1.1
Authorization: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 94

{
  "force_reinvestigation": false,
  "raw_alert_content": {},
  "schema_key": "text",
  "tenant_union_id": 1
}

{
  "investigation_id": 1
}

post

Request body = arbitrary alert JSON to be parsed & investigated Response = investigation_id if successful, error_msg otherwise Returns existing id if alert already exists (unless ?force_reinvestigation=True) Then: Use GET /app/api/v1/investigation/{investigation_id} for updates

Authorizations

AuthorizationstringRequired

Query parameters

force_reinvestigationbooleanOptional

Force reinvestigation

tenant_union_idintegerOptional

Tenant union ID

Body

objectOptional

Responses

200

Existing investigation found

application/json

investigation_idnumberOptional

201

New investigation created

application/json

400

Bad request - invalid input

application/json

401

Unauthorized

application/json

403

Access denied

application/json

413

Content Too Large

application/json

500

System error

application/json

503

System not ready for requests

application/json

post

/app/api/v1/investigation/create/custom

POST /app/api/v1/investigation/create/custom HTTP/1.1
Authorization: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 2

{}

{
  "investigation_id": 1
}

get

Returns an alert investigation

Authorizations

AuthorizationstringRequired

Path parameters

investigation_idstringRequired

Responses

200

Investigation data object. For progress: investigation.status=

application/json

For customers (api_external, ...and also core /investigation_contextual_chat)

no feedback
no outcome_tip
yes alert.raw_alert_content

alert_summarystring · nullableOptional

attack_surfacestring · nullableOptional

backfillinteger · nullableOptional

canceledone of · nullableOptional

string · enumOptional

CANCEL_MANUAL - CANCEL_MANUAL
CANCEL_THRESHOLD - CANCEL_THRESHOLD

Possible values:

undefined · enumOptionalPossible values:

conclusionstringRead-onlyRequired

conclusion_summarystring · nullableOptional

created_atstring · date-timeRead-onlyRequired

email_screenshotstring · nullableOptional

error_msgstring · nullableOptional

exec_summarystring · nullableOptional

generated_timestring · date-time · nullableOptional

idintegerRead-onlyRequired

ignored_forinteger · nullableOptional

inv_urlstringRead-onlyRequired

is_retriedbooleanOptional

mitre_tacticstring · nullableOptional

outcomeone of · nullableOptional

string · enumOptional

COMPLETED_BREACHED_CONFIRMED - COMPLETED_BREACHED_CONFIRMED
COMPLETED_BREACHED_SUSPICIOUS - COMPLETED_BREACHED_SUSPICIOUS
COMPLETED_FALSE_ALERT - COMPLETED_FALSE_ALERT
INCOMPLETE - INCOMPLETE
IGNORED - IGNORED

Possible values:

undefined · enumOptionalPossible values:

priorityone of · nullableOptional

string · enumOptional

informational - Informational
notable - Notable
urgent - Urgent

Possible values:

undefined · enumOptionalPossible values:

readybooleanOptional

recommended_remediationsstring[]Optional

start_timestring · date-time · nullableOptional

statusstring · enumOptional

not_asked - not_asked
loading - loading
success - success
error - error

Possible values:

updated_atstring · date-timeRead-onlyRequired

401

Unauthorized

application/json

403

Access denied

application/json

404

Resource not found

application/json

500

System error

application/json

503

System not ready for requests

application/json

get

/app/api/v1/investigation/{investigation_id}

GET /app/api/v1/investigation/{investigation_id} HTTP/1.1
Authorization: YOUR_API_KEY
Accept: */*

{
  "alert": {
    "alert_type": "text",
    "assets": {
      "ANY_ADDITIONAL_PROPERTY": "anything"
    },
    "coalesce_key": "text",
    "create_time": "2026-03-09T21:44:08.219Z",
    "created_at": "2026-03-09T21:44:08.219Z",
    "direct_source_label": "text",
    "enrich_result": {
      "ANY_ADDITIONAL_PROPERTY": "anything"
    },
    "entities": [
      {
        "type": "text",
        "value": "text"
      }
    ],
    "handler_version": "v1",
    "id": 1,
    "origin_integration": "text",
    "origin_integration_display_name": "text",
    "origin_ticket_id": "text",
    "origin_ticket_id_label": "text",
    "origin_ticket_url": "text",
    "original_title": "text",
    "proxy_source_label": "text",
    "raw_alert_content": "text",
    "schema_key": "text",
    "severity": "text",
    "start_time": "2026-03-09T21:44:08.219Z",
    "tenant_id": "text",
    "tenant_integration_key": "text",
    "tenant_label": "text",
    "tenant_union": {
      "created_at": "2026-03-09T21:44:08.219Z",
      "display_name": "text",
      "id": 1,
      "last_modified_by": {
        "email": "[email protected]",
        "first_name": "text",
        "id": 1,
        "last_name": "text",
        "oidc_user_id": "text",
        "role": "admin"
      },
      "lookup_dict": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "updated_at": "2026-03-09T21:44:08.219Z"
    },
    "title": "text",
    "updated_at": "2026-03-09T21:44:08.219Z"
  },
  "alert_summary": "text",
  "attack_surface": "text",
  "backfill": 1,
  "canceled": "CANCEL_MANUAL",
  "conclusion": "text",
  "conclusion_summary": "text",
  "created_at": "2026-03-09T21:44:08.219Z",
  "email_screenshot": "text",
  "error_msg": "text",
  "exec_summary": "text",
  "findings": [
    {
      "artifacts": [
        "text"
      ],
      "evidences": [
        {
          "data": "text",
          "evidence_type": "text",
          "tag": "text"
        }
      ],
      "finding": "text",
      "headline": "text",
      "outcome": "COMPLETED_BREACHED_CONFIRMED"
    }
  ],
  "findings_ranking": {
    "ANY_ADDITIONAL_PROPERTY": "anything"
  },
  "generated_time": "2026-03-09T21:44:08.219Z",
  "id": 1,
  "ignored_for": 1,
  "insight_tags": {
    "ANY_ADDITIONAL_PROPERTY": "anything"
  },
  "interview_proposals": {
    "ANY_ADDITIONAL_PROPERTY": "anything"
  },
  "inv_url": "text",
  "is_retried": true,
  "key_findings": {
    "ANY_ADDITIONAL_PROPERTY": "anything"
  },
  "mitre_tactic": "text",
  "outcome": "COMPLETED_BREACHED_CONFIRMED",
  "priority": "informational",
  "ready": true,
  "recommended_remediations": [
    "text"
  ],
  "related_alert_hypothesis": {
    "ANY_ADDITIONAL_PROPERTY": "anything"
  },
  "start_time": "2026-03-09T21:44:08.219Z",
  "status": "not_asked",
  "updated_at": "2026-03-09T21:44:08.219Z"
}

PreviousEmail NextInvestigation Bulk Feedback

Last updated 3 months ago

Was this helpful?