# ListIndicators
<a name="API_ListIndicators"></a>

Gets the indicators from an investigation. You can use the information from the indicators to determine if an IAM user and/or IAM role is involved in an unusual activity that could indicate malicious behavior and its impact.

## Request Syntax
<a name="API_ListIndicators_RequestSyntax"></a>

```
POST /investigations/listIndicators HTTP/1.1
Content-type: application/json

{
   "GraphArn": "string",
   "IndicatorType": "string",
   "InvestigationId": "string",
   "MaxResults": number,
   "NextToken": "string"
}
```

## URI Request Parameters
<a name="API_ListIndicators_RequestParameters"></a>

The request does not use any URI parameters.

## Request Body
<a name="API_ListIndicators_RequestBody"></a>

The request accepts the following data in JSON format.

 ** [GraphArn](#API_ListIndicators_RequestSyntax) **   <a name="detective-ListIndicators-request-GraphArn"></a>
The Amazon Resource Name (ARN) of the behavior graph.  
Type: String  
Pattern: `^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$`   
Required: Yes

 ** [IndicatorType](#API_ListIndicators_RequestSyntax) **   <a name="detective-ListIndicators-request-IndicatorType"></a>
For the list of indicators of compromise that are generated by Detective investigations, see [Detective investigations](https://docs.aws.amazon.com/detective/latest/userguide/detective-investigation-about.html).  
Type: String  
Valid Values: `TTP_OBSERVED | IMPOSSIBLE_TRAVEL | FLAGGED_IP_ADDRESS | NEW_GEOLOCATION | NEW_ASO | NEW_USER_AGENT | RELATED_FINDING | RELATED_FINDING_GROUP`   
Required: No

 ** [InvestigationId](#API_ListIndicators_RequestSyntax) **   <a name="detective-ListIndicators-request-InvestigationId"></a>
The investigation ID of the investigation report.  
Type: String  
Length Constraints: Fixed length of 21.  
Pattern: `^[0-9]+$`   
Required: Yes

 ** [MaxResults](#API_ListIndicators_RequestSyntax) **   <a name="detective-ListIndicators-request-MaxResults"></a>
Lists the maximum number of indicators in a page.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 100.  
Required: No

 ** [NextToken](#API_ListIndicators_RequestSyntax) **   <a name="detective-ListIndicators-request-NextToken"></a>
Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.  
Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No

## Response Syntax
<a name="API_ListIndicators_ResponseSyntax"></a>

```
HTTP/1.1 200
Content-type: application/json

{
   "GraphArn": "string",
   "Indicators": [ 
      { 
         "IndicatorDetail": { 
            "FlaggedIpAddressDetail": { 
               "IpAddress": "string",
               "Reason": "string"
            },
            "ImpossibleTravelDetail": { 
               "EndingIpAddress": "string",
               "EndingLocation": "string",
               "HourlyTimeDelta": number,
               "StartingIpAddress": "string",
               "StartingLocation": "string"
            },
            "NewAsoDetail": { 
               "Aso": "string",
               "IsNewForEntireAccount": boolean
            },
            "NewGeolocationDetail": { 
               "IpAddress": "string",
               "IsNewForEntireAccount": boolean,
               "Location": "string"
            },
            "NewUserAgentDetail": { 
               "IsNewForEntireAccount": boolean,
               "UserAgent": "string"
            },
            "RelatedFindingDetail": { 
               "Arn": "string",
               "IpAddress": "string",
               "Type": "string"
            },
            "RelatedFindingGroupDetail": { 
               "Id": "string"
            },
            "TTPsObservedDetail": { 
               "APIFailureCount": number,
               "APIName": "string",
               "APISuccessCount": number,
               "IpAddress": "string",
               "Procedure": "string",
               "Tactic": "string",
               "Technique": "string"
            }
         },
         "IndicatorType": "string"
      }
   ],
   "InvestigationId": "string",
   "NextToken": "string"
}
```

## Response Elements
<a name="API_ListIndicators_ResponseElements"></a>

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [GraphArn](#API_ListIndicators_ResponseSyntax) **   <a name="detective-ListIndicators-response-GraphArn"></a>
The Amazon Resource Name (ARN) of the behavior graph.  
Type: String  
Pattern: `^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$` 

 ** [Indicators](#API_ListIndicators_ResponseSyntax) **   <a name="detective-ListIndicators-response-Indicators"></a>
Lists the indicators of compromise.  
Type: Array of [Indicator](API_Indicator.md) objects

 ** [InvestigationId](#API_ListIndicators_ResponseSyntax) **   <a name="detective-ListIndicators-response-InvestigationId"></a>
The investigation ID of the investigation report.  
Type: String  
Length Constraints: Fixed length of 21.  
Pattern: `^[0-9]+$` 

 ** [NextToken](#API_ListIndicators_ResponseSyntax) **   <a name="detective-ListIndicators-response-NextToken"></a>
Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.  
Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.

## Errors
<a name="API_ListIndicators_Errors"></a>

For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AccessDeniedException **   
The request issuer does not have permission to access this resource or perform this operation.    
 ** ErrorCode **   
The SDK default error code associated with the access denied exception.  
 ** ErrorCodeReason **   
The SDK default explanation of why access was denied.  
 ** SubErrorCode **   
The error code associated with the access denied exception.  
 ** SubErrorCodeReason **   
 An explanation of why access was denied.
HTTP Status Code: 403

 ** InternalServerException **   
The request was valid but failed because of a problem with the service.  
HTTP Status Code: 500

 ** ResourceNotFoundException **   
The request refers to a nonexistent resource.  
HTTP Status Code: 404

 ** TooManyRequestsException **   
The request cannot be completed because too many other requests are occurring at the same time.  
HTTP Status Code: 429

 ** ValidationException **   
The request parameters are invalid.    
 ** ErrorCode **   
The error code associated with the validation failure.  
 ** ErrorCodeReason **   
 An explanation of why validation failed.
HTTP Status Code: 400

## See Also
<a name="API_ListIndicators_SeeAlso"></a>

For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/detective-2018-10-26/ListIndicators) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/detective-2018-10-26/ListIndicators)