Amazon Detective · Arazzo Workflow

Amazon Detective Run an Investigation and Collect Indicators

Version 1.0.0

Start an investigation on an entity, poll until it completes, then list its indicators.

1 workflow · 1 source API · 1 provider
Tags: Forensics, Investigation, Security, Arazzo, Workflows

Provider

amazon-detective

Workflows

run-investigation
Start an investigation, poll to completion, and list the resulting indicators.
Starts an investigation on an entity, captures the investigation ID, polls getInvestigation until the status leaves RUNNING, and then lists the indicators for a successful investigation. Branches on the terminal status.
3 steps
Inputs: entityArn, graphArn, indicatorType, scopeEndTime, scopeStartTime
Outputs: indicators, investigationId, severity, status
1. startInvestigation (operation: startInvestigation)
   Initiate a Detective investigation on the target entity within the behavior graph and capture the returned investigation ID.
2. pollInvestigation (operation: getInvestigation)
   Fetch the current investigation results. While the status is still RUNNING the step loops back on itself; once the status is SUCCESSFUL it proceeds to collect indicators, and on FAILED it ends the workflow.
3. listIndicators (operation: listIndicators)
   Retrieve the indicators of compromise surfaced by the completed investigation, optionally narrowed by indicator type.

Source API Descriptions

Arazzo Workflow Specification

amazon-detective-run-investigation-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon Detective Run an Investigation and Collect Indicators
  summary: Start an investigation on an entity, poll until it completes, then list its indicators.
  description: >-
    Drives a full Amazon Detective investigation. The workflow starts an
    investigation on a target IAM entity within a behavior graph for a given
    scope window, polls the investigation until its status reaches a terminal
    value, and then retrieves the indicators of compromise that the
    investigation surfaced. The poll loop reruns the status check while the
    investigation is still RUNNING and branches to collect indicators only once
    it succeeds. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: detectiveApi
  url: ../openapi/amazon-detective-openapi.yml
  type: openapi
workflows:
- workflowId: run-investigation
  summary: Start an investigation, poll to completion, and list the resulting indicators.
  description: >-
    Starts an investigation on an entity, captures the investigation ID, polls
    getInvestigation until the status leaves RUNNING, and then lists the
    indicators for a successful investigation. Branches on the terminal status.
  inputs:
    type: object
    required:
    - graphArn
    - entityArn
    - scopeStartTime
    - scopeEndTime
    properties:
      graphArn:
        type: string
        description: The ARN of the behavior graph to investigate within.
      entityArn:
        type: string
        description: The ARN of the IAM user or IAM role entity to investigate.
      scopeStartTime:
        type: string
        description: The start of the investigation scope window (ISO 8601 date-time).
      scopeEndTime:
        type: string
        description: The end of the investigation scope window (ISO 8601 date-time).
      indicatorType:
        type: string
        description: Optional indicator type used to filter the listed indicators.
  steps:
  - stepId: startInvestigation
    description: >-
      Initiate a Detective investigation on the target entity within the
      behavior graph and capture the returned investigation ID.
    operationId: startInvestigation
    requestBody:
      contentType: application/json
      payload:
        GraphArn: $inputs.graphArn
        EntityArn: $inputs.entityArn
        ScopeStartTime: $inputs.scopeStartTime
        ScopeEndTime: $inputs.scopeEndTime
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      investigationId: $response.body#/InvestigationId
  - stepId: pollInvestigation
    description: >-
      Fetch the current investigation results. While the status is still RUNNING
      the step loops back on itself; once the status is SUCCESSFUL it proceeds to
      collect indicators, and on FAILED it ends the workflow.
    operationId: getInvestigation
    requestBody:
      contentType: application/json
      payload:
        GraphArn: $inputs.graphArn
        InvestigationId: $steps.startInvestigation.outputs.investigationId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      status: $response.body#/Status
      severity: $response.body#/Severity
      state: $response.body#/State
    onSuccess:
    - name: stillRunning
      type: goto
      stepId: pollInvestigation
      criteria:
      - context: $response.body
        condition: $.Status == "RUNNING"
        type: jsonpath
    - name: succeeded
      type: goto
      stepId: listIndicators
      criteria:
      - context: $response.body
        condition: $.Status == "SUCCESSFUL"
        type: jsonpath
    - name: failed
      type: end
      criteria:
      - context: $response.body
        condition: $.Status == "FAILED"
        type: jsonpath
  - stepId: listIndicators
    description: >-
      Retrieve the indicators of compromise surfaced by the completed
      investigation, optionally narrowed by indicator type.
    operationId: listIndicators
    requestBody:
      contentType: application/json
      payload:
        GraphArn: $inputs.graphArn
        InvestigationId: $steps.startInvestigation.outputs.investigationId
        IndicatorType: $inputs.indicatorType
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      indicators: $response.body#/Indicators
  outputs:
    investigationId: $steps.startInvestigation.outputs.investigationId
    status: $steps.pollInvestigation.outputs.status
    severity: $steps.pollInvestigation.outputs.severity
    indicators: $steps.listIndicators.outputs.indicators
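The following is an added reference runner for the run-investigation workflow, not code from this catalog page or from Amazon Detective's own tooling. It walks the three steps (startInvestigation, the getInvestigation poll loop, listIndicators) against a constructed in-memory stand-in for the Detective API, using the request and response field names the workflow spells out (GraphArn, EntityArn, ScopeStartTime, ScopeEndTime, InvestigationId, Status, Severity, State, IndicatorType, Indicators). It also makes explicit two things the Arazzo `goto` loop leaves to the runner: a bounded number of poll attempts with a delay between them, and NextToken pagination when collecting indicators (the real ListIndicators operation returns pages). The `FakeDetective` class, the `inv-0001` identifier, the sample indicators and the ARNs are all constructed for the example.

```python
"""Reference runner for the run-investigation Arazzo workflow (added example)."""
import time
from dataclasses import dataclass
from typing import Optional

TERMINAL_STATUSES = {"SUCCESSFUL", "FAILED"}

# Constructed sample indicator pages, shaped like ListIndicators output.
SAMPLE_PAGES = [
    [
        {"IndicatorType": "TTP_OBSERVED", "IndicatorDetail": {"Tactic": "Persistence"}},
        {"IndicatorType": "IMPOSSIBLE_TRAVEL", "IndicatorDetail": {"StartingLocation": "us-east-1"}},
    ],
    [
        {"IndicatorType": "TTP_OBSERVED", "IndicatorDetail": {"Tactic": "Exfiltration"}},
    ],
]


class FakeDetective:
    """Constructed stand-in for the three Detective operations the workflow calls.

    Reports RUNNING for `running_polls` GetInvestigation calls, then `final_status`.
    Indicators are served one page per call, chained with a NextToken (assumed here
    to be the index of the next page; the real token is opaque).
    """

    def __init__(self, running_polls, final_status, pages, severity="HIGH"):
        self.running_polls, self.final_status = running_polls, final_status
        self.pages, self.severity = pages, severity
        self.poll_calls = self.list_calls = 0
        self.requests = []  # (operationId, request body) for inspection

    def start_investigation(self, body):
        self.requests.append(("startInvestigation", body))
        return {"InvestigationId": "inv-0001"}  # constructed id

    def get_investigation(self, body):
        self.requests.append(("getInvestigation", body))
        self.poll_calls += 1
        resp = {"InvestigationId": body["InvestigationId"], "State": "ACTIVE"}
        if self.poll_calls <= self.running_polls:
            return {**resp, "Status": "RUNNING"}
        return {**resp, "Status": self.final_status, "Severity": self.severity}

    def list_indicators(self, body):
        self.requests.append(("listIndicators", body))
        self.list_calls += 1
        index = int(body.get("NextToken") or 0)
        wanted = body.get("IndicatorType")
        page = [i for i in self.pages[index] if wanted is None or i["IndicatorType"] == wanted]
        resp = {"InvestigationId": body["InvestigationId"], "Indicators": page}
        if index + 1 < len(self.pages):
            resp["NextToken"] = str(index + 1)
        return resp


@dataclass
class WorkflowResult:
    """Mirrors the workflow's declared outputs."""
    investigation_id: str
    status: str
    severity: Optional[str]
    indicators: list


def run_investigation(api, graph_arn, entity_arn, scope_start, scope_end,
                      indicator_type=None, max_polls=20, delay_seconds=5.0,
                      sleep=time.sleep):
    # Step 1: startInvestigation -> capture InvestigationId.
    investigation_id = api.start_investigation({
        "GraphArn": graph_arn, "EntityArn": entity_arn,
        "ScopeStartTime": scope_start, "ScopeEndTime": scope_end,
    })["InvestigationId"]

    # Step 2: pollInvestigation. The Arazzo goto loop has no cap or delay;
    # a runner should bound attempts and wait between polls.
    poll_body = {"GraphArn": graph_arn, "InvestigationId": investigation_id}
    for _ in range(max_polls):
        resp = api.get_investigation(poll_body)
        status = resp["Status"]
        if status == "RUNNING":          # criteria: stillRunning
            sleep(delay_seconds)
            continue
        if status in TERMINAL_STATUSES:  # criteria: succeeded / failed
            break
        raise RuntimeError(f"unexpected investigation Status {status!r}")
    else:
        raise TimeoutError(f"{investigation_id} still RUNNING after {max_polls} polls")

    severity = resp.get("Severity")
    if status == "FAILED":               # action 'failed': end, no indicators
        return WorkflowResult(investigation_id, status, severity, [])

    # Step 3: listIndicators, following NextToken until the last page.
    body = {"GraphArn": graph_arn, "InvestigationId": investigation_id}
    if indicator_type:                   # only send the optional filter when given
        body["IndicatorType"] = indicator_type
    indicators, next_token = [], None
    while True:
        page = api.list_indicators({**body, **({"NextToken": next_token} if next_token else {})})
        indicators.extend(page.get("Indicators", []))
        next_token = page.get("NextToken")
        if not next_token:
            break
    return WorkflowResult(investigation_id, status, severity, indicators)


if __name__ == "__main__":
    api = FakeDetective(running_polls=2, final_status="SUCCESSFUL", pages=SAMPLE_PAGES)
    result = run_investigation(api, "arn:aws:detective:us-east-1:111122223333:graph:example",
                               "arn:aws:iam::111122223333:role/example", "2024-01-01T00:00:00Z",
                               "2024-01-02T00:00:00Z", delay_seconds=0)
    print(result.status, result.severity, len(result.indicators), "indicators")
```

The `delay_seconds` and `max_polls` defaults are arbitrary choices for the example; a production runner would pick them from observed investigation durations and surface the timeout as a distinct outcome rather than an exception.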