
Get Investigation

Retrieves a single investigation using the given investigation ID.

External Documentation

To learn more, visit the Expel documentation.

Parameters

Parameter: Include
Description: A comma-separated list of the relationship records to include in the response, for example: organization,created_by,updated_by. This is useful when you are querying for a record and want to resolve specific relationship data (such as the expel_alerts relationship) in the same response instead of making multiple calls. For further information, refer to the Expel documentation.

Parameter: Investigation ID
Description: The ID of the investigation to retrieve. It can be obtained using the List Investigations action.

Example Output

{
  "links": {
    "self": "https://workbench.expel.io/api/v2/investigations/exampleid"
  },
  "data": {
    "analyst_severity": "CRITICAL",
    "attack_lifecycle": "INITIAL_RECON",
    "attack_timing": "HISTORICAL",
    "attack_vector": "DRIVE_BY",
    "close_comment": "string",
    "created_at": "2019-01-15T15:35:00-05:00",
    "critical_comment": "string",
    "decision": "FALSE_POSITIVE",
    "default_plugin_slug": "string",
    "deleted_at": "2019-01-15T15:35:00-05:00",
    "detection_type": "UNKNOWN",
    "has_hunting_status": true,
    "initial_attack_vector": "string",
    "is_downgrade": true,
    "is_incident": true,
    "is_incident_status_updated_at": "2019-01-15T15:35:00-05:00",
    "is_soc_support_required": true,
    "is_surge": true,
    "last_published_at": "2019-01-15T15:35:00-05:00",
    "last_published_value": "string",
    "lead_description": "string",
    "malware_family": "string",
    "next_steps": "string",
    "open_reason": "ACCESS_KEYS",
    "open_summary": "string",
    "review_requested_at": "2019-01-15T15:35:00-05:00",
    "short_link": "string",
    "source_reason": "HUNTING",
    "status_updated_at": "2019-01-15T15:35:00-05:00",
    "threat_type": "TARGETED",
    "title": "string",
    "updated_at": "2019-01-15T15:35:00-05:00"
  }
}
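The following is an added example, not code from this page, from Expel, or from the workflow platform. It shows how a workflow step that wraps this action would build the request URL for an investigation ID taken from an earlier step (validating the ID before it is placed in the URL path), and how it would read the fields an analyst triages on from the response. The URL base is taken from the page's "self" link; the relationships/included layout used to resolve the Include parameter follows the JSON:API convention and is an assumption about the Expel Workbench response, as is the sample response below, which is constructed from the page's Example Output. No network call is made.

```python
"""Build a Get Investigation request and summarise the response (added example).

Assumptions (not confirmed by the page): the response sideloads records requested
through the Include parameter in a top-level "included" array keyed by type and id,
and links them from data["relationships"], as JSON:API does.
"""
import re
from urllib.parse import urlencode

# Base taken from the page's example "self" link.
BASE_URL = "https://workbench.expel.io/api/v2/"

# Conservative allow-list for IDs (assumption about the ID alphabet).
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_valid_investigation_id(investigation_id):
    """True when the ID is safe to embed in the URL path."""
    return bool(_ID_RE.match(investigation_id))


def build_get_investigation_url(investigation_id, include=None):
    """Return the GET URL for one investigation, with ?include=... when requested.

    The ID is checked before being interpolated so a value such as "../expel_alerts"
    coming from an untrusted workflow input cannot change the endpoint being called.
    """
    if not is_valid_investigation_id(investigation_id):
        raise ValueError(f"invalid investigation id: {investigation_id!r}")
    url = f"{BASE_URL}investigations/{investigation_id}"
    if include:
        # Keep the commas literal so the query reads include=organization,created_by
        url += "?" + urlencode({"include": ",".join(include)}, safe=",")
    return url


# Constructed sample, modelled on the page's Example Output; the relationships and
# included records are assumed JSON:API shapes, not copied from Expel.
SAMPLE_RESPONSE = {
    "links": {"self": BASE_URL + "investigations/exampleid"},
    "data": {
        "id": "exampleid",
        "type": "investigations",
        "analyst_severity": "CRITICAL",
        "attack_lifecycle": "INITIAL_RECON",
        "attack_vector": "DRIVE_BY",
        "decision": "FALSE_POSITIVE",
        "is_incident": True,
        "title": "Suspicious drive-by download on workstation",
        "created_at": "2019-01-15T15:35:00-05:00",
        "relationships": {
            "organization": {"data": {"type": "organizations", "id": "org-1"}},
            "created_by": {"data": {"type": "actors", "id": "actor-7"}},
        },
    },
    "included": [
        {"type": "organizations", "id": "org-1", "attributes": {"name": "Example Corp"}},
        {"type": "actors", "id": "actor-7", "attributes": {"display_name": "J. Analyst"}},
    ],
}


def index_included(response):
    """Map (type, id) -> record for every sideloaded record in "included"."""
    return {(r["type"], r["id"]): r for r in response.get("included", [])}


def summarize_investigation(response):
    """Extract triage fields and resolve each relationship from "included"."""
    data = response["data"]
    # The page shows the fields directly under "data"; tolerate a JSON:API
    # "attributes" wrapper as well.
    attrs = data.get("attributes", data)
    included = index_included(response)
    summary = {
        "id": data.get("id"),
        "title": attrs.get("title"),
        "analyst_severity": attrs.get("analyst_severity"),
        "is_incident": bool(attrs.get("is_incident")),
        "decision": attrs.get("decision"),
        "attack_lifecycle": attrs.get("attack_lifecycle"),
    }
    for name, rel in data.get("relationships", {}).items():
        linkage = rel.get("data")
        if not linkage:
            summary[name] = None
            continue
        record = included.get((linkage["type"], linkage["id"]))
        # An unresolved linkage usually means the name was not in the Include list.
        summary[name] = record["attributes"] if record else {"unresolved": linkage}
    return summary


def needs_escalation(summary):
    """Page on-call for incidents, or for CRITICAL findings not closed as false positives."""
    if summary["is_incident"]:
        return True
    return summary["analyst_severity"] == "CRITICAL" and summary["decision"] != "FALSE_POSITIVE"


if __name__ == "__main__":
    print(build_get_investigation_url("exampleid", ["organization", "created_by"]))
    print(summarize_investigation(SAMPLE_RESPONSE))
```

When the workflow's Include list omits a relationship, the summary carries an "unresolved" marker for it rather than silently dropping the field, which makes a misconfigured step visible in the emailed results.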

Workflow Library Example

Get Investigation with Expel and Send Results Via Email
