Get Investigation
Description

Retrieves a specific Microsoft Defender investigation using the provided ID, applicable to both investigation and alert IDs.

Endpoint

URL: /api/investigations/{{id}}
Method: GET

Inputs

- path_parameters (object) – required
  - id (string) – required. The investigation ID.

Output example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "fri, 07 feb 2025 06:30:27 gmt",
      "content-type": "application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "content-encoding": "deflate",
      "vary": "accept-encoding",
      "mise-correlation-id": "08ce5338-e4be-4eab-a417-d0a5cf40bfac",
      "odata-version": "4.0",
      "strict-transport-security": "max-age=31536000; includesubdomains"
    },
    "reason": "ok",
    "json_body": {
      "id": "63004",
      "starttime": "2020-01-06t13:05:15z",
      "endtime": "2020-01-06t13:05:15z",
      "state": "running",
      "cancelledby": "",
      "statusdetails": "",
      "machineid": "e828a0624ed33f919db541065190d2f75e50a071",
      "computerdnsname": "desktop-test123",
      "triggeringalertid": "da637139127150012465_1011995739"
    }
  }
]
```

Output parameters

- status_code (number)
- reason (string)
- json_body (object)
  - id (string)
  - starttime (string)
  - endtime (string)
  - state (string)
  - cancelledby (string)
  - statusdetails (string)
  - machineid (string)
  - computerdnsname (string)
  - triggeringalertid (string)

Response headers

| Header | Type |
| --- | --- |
| date | string |
| content-type | string |
| transfer-encoding | string |
| connection | string |
| content-encoding | string |
| vary | string |
| mise-correlation-id | string |
| odata-version | string |
| strict-transport-security | string |
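An added example, not part of the connector's own code: validating the `id` before it is substituted into `/api/investigations/{{id}}`, then flattening the documented output into a triage record that fails closed on a non-200 result. Assumptions: the output keys are spelled `status_code`, `reason` and `json_body`, the ID character set is inferred from the two sample IDs on this page, and the `SAMPLE` data is constructed from the output example.

```python
import re
from datetime import datetime
from urllib.parse import quote

ENDPOINT = "/api/investigations/{id}"  # path documented on this page
# Assumption: IDs look like the page's samples ("63004", "da6371..._1011995739").
ID_PATTERN = re.compile(r"[A-Za-z0-9_]{1,64}")

def build_path(investigation_id: str) -> str:
    """Reject IDs that could alter the request path (slashes, dots, query chars)."""
    if not ID_PATTERN.fullmatch(investigation_id):
        raise ValueError(f"unexpected investigation id: {investigation_id!r}")
    return ENDPOINT.format(id=quote(investigation_id, safe=""))

def parse_time(value):
    """Parse the ISO 8601 timestamps in json_body; empty strings become None."""
    if not value:
        return None
    return datetime.fromisoformat(value.upper().replace("Z", "+00:00"))

def summarize(action_output):
    """Turn the action's output list into flat records; raise on any non-200 item."""
    records = []
    for item in action_output:
        if item.get("status_code") != 200:
            raise RuntimeError(
                f"lookup failed: {item.get('status_code')} {item.get('reason')}")
        # Lower-case the keys so camelCase and lower-case spellings both work.
        body = {k.lower(): v for k, v in item["json_body"].items()}
        records.append({
            "id": body["id"],
            "state": body["state"].lower(),
            "host": body["computerdnsname"],
            "machine_id": body["machineid"],
            "alert_id": body["triggeringalertid"] or None,
            "started": parse_time(body["starttime"]),
            "ended": parse_time(body["endtime"]),
            "cancelled_by": body["cancelledby"] or None,
        })
    return records

# Constructed sample, trimmed from the output example on this page.
SAMPLE = [{"status_code": 200, "reason": "ok", "json_body": {
    "id": "63004", "starttime": "2020-01-06t13:05:15z", "endtime": "",
    "state": "running", "cancelledby": "", "statusdetails": "",
    "machineid": "e828a0624ed33f919db541065190d2f75e50a071",
    "computerdnsname": "desktop-test123",
    "triggeringalertid": "da637139127150012465_1011995739"}}]
```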