Start Investigation
Description: Initiates an automated investigation on a device by using the provided ID and comment in Microsoft Defender for Endpoint.

URL: /api/machines/{{id}}/startInvestigation
Method: POST

Inputs

Path Parameters (object) – required
- id (string) – required: The machine ID.

JSON Body (object) – required
- comment (string) – required: Comment to associate with the action.

Output Example

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "Date": "Fri, 07 Feb 2025 06:30:27 GMT",
      "Content-Type": "application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Encoding": "deflate",
      "Vary": "Accept-Encoding",
      "MISE-Correlation-Id": "08ce5338-e4be-4eab-a417-d0a5cf40bfac",
      "OData-Version": "4.0",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "id": "63004",
      "startTime": "2020-01-06T13:05:15Z",
      "endTime": "2020-01-06T13:05:15Z",
      "state": "Running",
      "cancelledBy": "",
      "statusDetails": "",
      "machineId": "e828a0624ed33f919db541065190d2f75e50a071",
      "computerDnsName": "desktop-test123",
      "triggeringAlertId": "da637139127150012465_1011995739"
    }
  }
]
```

Output Parameters

- status_code (number)
- reason (string)
- json_body (object)
  - id (string)
  - startTime (string)
  - endTime (string)
  - state (string)
  - cancelledBy (string)
  - statusDetails (string)
  - machineId (string)
  - computerDnsName (string)
  - triggeringAlertId (string)
- response_headers

| Header | Type |
|---|---|
| Date | string |
| Content-Type | string |
| Transfer-Encoding | string |
| Connection | string |
| Content-Encoding | string |
| Vary | string |
| MISE-Correlation-Id | string |
| OData-Version | string |
| Strict-Transport-Security | string |
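The following is an added example, not code from the connector or from Microsoft: it assembles the request this action sends (validating the machine ID and the required comment first) and turns the 201 response above into the fields a playbook would branch on. The sample response is constructed from the output example on this page; the API host is assumed to be the public Defender for Endpoint endpoint.

```python
import re

# Constructed sample taken from the connector's output example above (not a live response).
SAMPLE_RESPONSE = {
    "status_code": 201,
    "reason": "OK",
    "json_body": {
        "id": "63004", "state": "Running",
        "startTime": "2020-01-06T13:05:15Z", "endTime": "2020-01-06T13:05:15Z",
        "cancelledBy": "", "statusDetails": "",
        "machineId": "e828a0624ed33f919db541065190d2f75e50a071",
        "computerDnsName": "desktop-test123",
        "triggeringAlertId": "da637139127150012465_1011995739",
    },
}

# Defender machine ids are 40 hex characters, as in the example above.
MACHINE_ID_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: the connector targets the public Defender for Endpoint API host.
BASE_URL = "https://api.securitycenter.microsoft.com"


def build_request(machine_id: str, comment: str) -> dict:
    """Assemble the POST described above; reject bad inputs before anything is sent."""
    if not MACHINE_ID_RE.fullmatch(machine_id.lower()):
        raise ValueError(f"not a Defender machine id: {machine_id!r}")
    if not comment.strip():
        raise ValueError("comment is required: it is the audit record for why the action ran")
    return {
        "method": "POST",
        "url": f"{BASE_URL}/api/machines/{machine_id}/startInvestigation",
        "json": {"comment": comment},
    }


def parse_response(resp: dict) -> dict:
    """Reduce the connector output to what a playbook needs; fail loudly on anything but 201."""
    body = resp.get("json_body") or {}
    if resp.get("status_code") != 201:
        raise RuntimeError(f"startInvestigation failed: {resp.get('status_code')} {resp.get('reason')} {body.get('statusDetails', '')}")
    missing = [k for k in ("id", "state", "machineId") if not body.get(k)]
    if missing:
        raise ValueError(f"response missing required fields: {missing}")
    return {
        "investigation_id": body["id"],
        "machine_id": body["machineId"],
        "state": body["state"],
        "still_running": body["state"] == "Running",   # poll until this is False
        "cancelled_by": body.get("cancelledBy") or None,
        "triggering_alert_id": body.get("triggeringAlertId") or None,
    }
```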