--- title: Get Investigation object API description: Use this API to create calls related to get Investigation object keywords: apis, graph api, supported apis, Investigation object search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article --- # Get Investigation API **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Retrieves specific [Investigation](investigation.md) by its ID.
ID can be the investigation ID or the investigation triggering alert ID. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- Application | Alert.Read.All | 'Read all alerts' Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` GET https://api.securitycenter.windows.com/api/investigations/{id} ``` ## Request headers Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. ## Request body Empty ## Response If successful, this method returns 200, Ok response code with a [Investigations](investigation.md) entity.