2026/06/22 - Amazon GuardDuty - 3 new API methods
Changes: Added AI-powered investigations that automatically analyze security findings, correlate related activity, and produce structured summaries with risk assessment, confidence scoring, MITRE technique classification, and actionable next steps.
get_investigation
This API is currently available as a preview. This feature is available in the following Amazon Web Services Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), and Asia Pacific (Tokyo).
Retrieves the results and status of a specific GuardDuty investigation.
An administrator account can retrieve any investigation within the organization. Member accounts can only retrieve investigations that belong to them.
See also: AWS API Documentation
Request Syntax
client.get_investigation(
    DetectorId='string',
    InvestigationId='string'
)
DetectorId (string) --
[REQUIRED]
The unique ID of the GuardDuty detector associated with the investigation.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
InvestigationId (string) --
[REQUIRED]
The unique identifier of the investigation to retrieve.
Return type: dict
Response Syntax
{
    'Investigation': {
        'InvestigationId': 'string',
        'Status': 'RUNNING'|'COMPLETED'|'FAILED',
        'TriggerPrompt': 'string',
        'TriggeredBy': 'string',
        'Metadata': {
            'Version': 'string',
            'Product': {
                'Name': 'string',
                'Feature': 'string'
            }
        },
        'Cloud': {
            'Provider': 'AWS',
            'Region': 'string',
            'Account': 'string'
        },
        'RiskLevel': 'Info'|'Low'|'Medium'|'High'|'Critical',
        'Risk': 'string',
        'Confidence': 'Unknown'|'Low'|'Medium'|'High',
        'Summary': 'string',
        'StartTime': datetime(2015, 1, 1),
        'EndTime': datetime(2015, 1, 1),
        'Error': 'string'
    }
}
Response Structure
(dict) --
Investigation (dict) --
The details and results of the requested investigation.
InvestigationId (string) --
The unique identifier of the investigation.
Status (string) --
The current status of the investigation. Possible values are RUNNING, COMPLETED, and FAILED.
TriggerPrompt (string) --
The natural-language prompt that initiated this investigation.
TriggeredBy (string) --
The account that initiated the investigation.
Metadata (dict) --
Metadata about the product and version that produced the investigation.
Version (string) --
The version of the investigation engine that produced the results.
Product (dict) --
Information about the product that produced the investigation.
Name (string) --
The name of the product.
Feature (string) --
The specific feature within the product that produced the investigation.
Cloud (dict) --
Details about the cloud environment in which the investigation was performed, including the provider, region, and account.
Provider (string) --
The cloud provider. Currently, only AWS is supported.
Region (string) --
The Amazon Web Services Region in which the investigated resource resides.
Account (string) --
The Amazon Web Services account ID of the investigated resource.
RiskLevel (string) --
The assessed risk level of the investigated threat. Possible values are Info, Low, Medium, High, and Critical.
Risk (string) --
A human-readable description of the assessed risk.
Confidence (string) --
The confidence level of the investigation's assessment. Possible values are Unknown, Low, Medium, and High.
Summary (string) --
A structured summary of the investigation findings, including affected resources, threat assessment, and recommended remediation steps.
StartTime (datetime) --
The timestamp at which the investigation started.
EndTime (datetime) --
The timestamp at which the investigation completed.
Error (string) --
Details about the error if the investigation status is FAILED.
list_investigations
This API is currently available as a preview. This feature is available in the following Amazon Web Services Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), and Asia Pacific (Tokyo).
Returns a list of investigations associated with the specified GuardDuty detector.
An administrator account sees all investigations across the organization. Member accounts see only the investigations that belong to them.
See also: AWS API Documentation
Request Syntax
client.list_investigations(
    DetectorId='string',
    SortCriteria={
        'AttributeName': 'START_TIME'|'END_TIME'|'STATUS'|'RISK_LEVEL'|'CONFIDENCE',
        'OrderBy': 'ASC'|'DESC'
    },
    MaxResults=123,
    NextToken='string'
)
DetectorId (string) --
[REQUIRED]
The unique ID of the GuardDuty detector whose investigations you want to list.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
SortCriteria (dict) --
Represents the criteria used for sorting investigations.
AttributeName (string) --
The attribute by which to sort investigations.
OrderBy (string) --
The order in which the sorted results are to be displayed.
MaxResults (integer) --
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50.
NextToken (string) --
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill NextToken in the request with the value of NextToken from the previous response to continue listing data.
Return type: dict
Response Syntax
{
    'Investigations': [
        {
            'InvestigationId': 'string',
            'Status': 'RUNNING'|'COMPLETED'|'FAILED',
            'TriggerPrompt': 'string',
            'RiskLevel': 'Info'|'Low'|'Medium'|'High'|'Critical',
            'Confidence': 'Unknown'|'Low'|'Medium'|'High',
            'Title': 'string',
            'AccountId': 'string',
            'StartTime': datetime(2015, 1, 1),
            'EndTime': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
Investigations (list) --
A list of investigation summaries associated with the specified detector.
(dict) --
Contains summary information about a GuardDuty investigation.
InvestigationId (string) --
The unique identifier of the investigation.
Status (string) --
The current status of the investigation.
TriggerPrompt (string) --
The natural-language prompt that initiated this investigation.
RiskLevel (string) --
The assessed risk level of the investigated threat.
Confidence (string) --
The confidence level of the investigation's assessment.
Title (string) --
A short title summarizing the investigation.
AccountId (string) --
The Amazon Web Services account ID associated with the investigation.
StartTime (datetime) --
The timestamp at which the investigation started.
EndTime (datetime) --
The timestamp at which the investigation completed.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
create_investigation
This API is currently available as a preview. During the preview, you can initiate up to 10 investigations per account per day, with a total limit of 100 investigations per account. This feature is available in the following Amazon Web Services Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), and Asia Pacific (Tokyo).
Initiates a GuardDuty investigation that automatically analyzes security findings, correlates related activity, performs account-level analysis, and produces a structured investigation summary with recommended next steps.
Only the administrator account can create an investigation. Member accounts don't have permission to create investigations from their accounts.
To use this operation, the AI_ANALYST feature must be enabled on your detector.
This feature uses Amazon Bedrock models that leverage Cross-Region Inference (CRIS), which automatically selects the optimal Amazon Web Services Region within your geography to process the investigation analysis and generate the investigation report. This maximizes available compute resources and model availability and delivers the best customer experience. Your data remains stored only in the Region where the investigation request originates; however, investigation data and summary results may be processed outside that Region. All data is transmitted encrypted across Amazon's secure network. For more information, see GuardDuty Investigation.
See also: AWS API Documentation
Request Syntax
client.create_investigation(
    DetectorId='string',
    TriggerPrompt='string',
    ClientToken='string'
)
DetectorId (string) --
[REQUIRED]
The unique ID of the GuardDuty detector for the account in which the investigation is created.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
TriggerPrompt (string) --
[REQUIRED]
A natural-language description of what to investigate. For example:
"Investigate finding 1ab2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 in account 123456789012"
"Analyze findings in account with id 123456789012"
"Analyze findings in my organization"
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
Return type: dict
Response Syntax
{
    'InvestigationId': 'string'
}
Response Structure
(dict) --
InvestigationId (string) --
The unique identifier of the newly created investigation.
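A worked example, added here and not part of the AWS documentation or SDK: it drives the three operations above in the order an analyst would, creating an investigation with an explicit idempotency token, polling GetInvestigation until the status leaves RUNNING (raising on FAILED with the Error detail), and following NextToken through ListInvestigations. The `client` argument is assumed to be a boto3 GuardDuty client (`boto3.client("guardduty")`); `FakeClient` is a constructed stand-in that returns the response shapes documented above so the functions can be exercised offline.

```python
import time
import uuid

def start_investigation(client, detector_id, prompt, client_token=None):
    """CreateInvestigation with an explicit ClientToken so a retried call is idempotent."""
    resp = client.create_investigation(DetectorId=detector_id, TriggerPrompt=prompt,
                                       ClientToken=client_token or str(uuid.uuid4()))
    return resp["InvestigationId"]

def wait_for_investigation(client, detector_id, investigation_id, interval=0.0, max_polls=20):
    """Poll GetInvestigation until Status leaves RUNNING; raise on FAILED or on timeout."""
    for _ in range(max_polls):
        inv = client.get_investigation(DetectorId=detector_id,
                                       InvestigationId=investigation_id)["Investigation"]
        if inv["Status"] == "FAILED":
            raise RuntimeError("investigation failed: " + (inv.get("Error") or "no detail"))
        if inv["Status"] == "COMPLETED":
            return inv
        time.sleep(interval)
    raise TimeoutError(f"{investigation_id} still RUNNING after {max_polls} polls")

def list_all_investigations(client, detector_id):
    """Follow NextToken until ListInvestigations has no more pages (newest first)."""
    items, kwargs = [], {"DetectorId": detector_id, "MaxResults": 50,
                         "SortCriteria": {"AttributeName": "START_TIME", "OrderBy": "DESC"}}
    while True:
        page = client.list_investigations(**kwargs)
        items.extend(page["Investigations"])
        if not page.get("NextToken"):
            return items
        kwargs["NextToken"] = page["NextToken"]

class FakeClient:
    """Constructed offline stand-in for boto3.client("guardduty"); not the real SDK."""
    def __init__(self, fail=False):
        self.fail, self.polls = fail, 0   # two RUNNING polls, then COMPLETED or FAILED
        self.pages = [{"Investigations": [{"InvestigationId": "inv-1", "Status": "COMPLETED"}],
                       "NextToken": "page2"},
                      {"Investigations": [{"InvestigationId": "inv-2", "Status": "RUNNING"}]}]
    def create_investigation(self, **kw):
        assert kw["ClientToken"]          # the real API auto-populates it if absent
        return {"InvestigationId": "inv-1"}
    def get_investigation(self, **kw):
        self.polls += 1
        status = "RUNNING" if self.polls < 3 else ("FAILED" if self.fail else "COMPLETED")
        return {"Investigation": {"InvestigationId": kw["InvestigationId"], "Status": status,
                                  "RiskLevel": "High", "Confidence": "Medium",
                                  "Error": "constructed error" if self.fail else ""}}
    def list_investigations(self, **kw):
        return self.pages[1] if kw.get("NextToken") == "page2" else self.pages[0]
```

With a real client, keep `interval` at several seconds; the preview quota of 10 investigations per account per day makes the idempotency token worth setting explicitly on any retried create.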