Skip to main content
Retrieves an investigation using given ID.
External DocumentationTo learn more, visit the Expel documentation.

Parameters

ParameterDescription
IncludeA comma separated list of the relationship records to include in the response.

For example: organization,created_by,updated_by.

This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls, such as expel_alerts. For further information, please refer to Expel Documentation.
Investigation IDThe ID of the investigation to retrieve. Can be obtained using the List Investigations action.

Example Output

{
	"links": {
		"self": " https://workbench.expel.io/api/v2/investigations/exampleid"
	},
	"data": {
		"analyst_severity": "CRITICAL",
		"attack_lifecycle": "INITIAL_RECON",
		"attack_timing": "HISTORICAL",
		"attack_vector": "DRIVE_BY",
		"close_comment": "string",
		"created_at": "2019-01-15T15:35:00-05:00",
		"critical_comment": "string",
		"decision": "FALSE_POSITIVE",
		"default_plugin_slug": "string",
		"deleted_at": "2019-01-15T15:35:00-05:00",
		"detection_type": "UNKNOWN",
		"has_hunting_status": true,
		"initial_attack_vector": "string",
		"is_downgrade": true,
		"is_incident": true,
		"is_incident_status_updated_at": "2019-01-15T15:35:00-05:00",
		"is_soc_support_required": true,
		"is_surge": true,
		"last_published_at": "2019-01-15T15:35:00-05:00",
		"last_published_value": "string",
		"lead_description": "string",
		"malware_family": "string",
		"next_steps": "string",
		"open_reason": "ACCESS_KEYS",
		"open_summary": "string",
		"review_requested_at": "2019-01-15T15:35:00-05:00",
		"short_link": "string",
		"source_reason": "HUNTING",
		"status_updated_at": "2019-01-15T15:35:00-05:00",
		"threat_type": "TARGETED",
		"title": "string",
		"updated_at": "2019-01-15T15:35:00-05:00"
	}
}

Workflow Library Example

Get Investigation with Expel and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop