@cyvest/cyvest-js 4.3.0 → 4.4.0

package/dist/index.d.mts

@@ -13,15 +13,15 @@ type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 type Whitelists = InvestigationWhitelist[];
+/**
+ * Append-only investigation audit log. Null when serialization disabled audit.
+ */
+type AuditLog = AuditEvent[] | null;
 type Actor = string | null;
 type Reason = string | null;
 type Tool = string | null;
 type ObjectType = string | null;
 type ObjectKey = string | null;
-/**
- * Append-only investigation audit log.
- */
-type EventLog = AuditEvent[];
 type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -63,10 +63,6 @@ interface CyvestInvestigation {
      */
     investigation_id: string;
     investigation_name?: InvestigationName;
-    /**
-     * Investigation start time (UTC).
-     */
-    started_at: string;
     /**
      * Global investigation score.
      */
@@ -77,7 +73,7 @@ interface CyvestInvestigation {
      */
     whitelisted: boolean;
     whitelists: Whitelists;
-    event_log?: EventLog;
+    audit_log?: AuditLog;
     observables: Observables;
     checks: Checks;
     threat_intels: ThreatIntels1;
@@ -842,6 +838,23 @@ interface InvestigationCounts {
  * @returns Object with counts for each entity type
  */
 declare function getCounts(inv: CyvestInvestigation): InvestigationCounts;
+/**
+ * Get the investigation start time from the event log.
+ *
+ * Looks for the INVESTIGATION_STARTED event and returns its timestamp.
+ *
+ * @param inv - The investigation
+ * @returns The start timestamp string or undefined if not found
+ *
+ * @example
+ * ```ts
+ * const startedAt = getStartedAt(investigation);
+ * if (startedAt) {
+ *   console.log(`Started: ${startedAt}`);
+ * }
+ * ```
+ */
+declare function getStartedAt(inv: CyvestInvestigation): string | undefined;
 
 /**
  * Finder utilities for querying and filtering Cyvest Investigation data.
@@ -1355,4 +1368,4 @@ declare function getRelationshipsForObservable(inv: CyvestInvestigation, observa
     }>;
 };
 
-export { type Actor, type AuditEvent, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type EventLog, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };
+export { type Actor, type AuditEvent, type AuditLog, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStartedAt, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };

package/dist/index.d.ts

@@ -13,15 +13,15 @@ type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 type Whitelists = InvestigationWhitelist[];
+/**
+ * Append-only investigation audit log. Null when serialization disabled audit.
+ */
+type AuditLog = AuditEvent[] | null;
 type Actor = string | null;
 type Reason = string | null;
 type Tool = string | null;
 type ObjectType = string | null;
 type ObjectKey = string | null;
-/**
- * Append-only investigation audit log.
- */
-type EventLog = AuditEvent[];
 type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -63,10 +63,6 @@ interface CyvestInvestigation {
      */
     investigation_id: string;
     investigation_name?: InvestigationName;
-    /**
-     * Investigation start time (UTC).
-     */
-    started_at: string;
     /**
      * Global investigation score.
      */
@@ -77,7 +73,7 @@ interface CyvestInvestigation {
      */
     whitelisted: boolean;
     whitelists: Whitelists;
-    event_log?: EventLog;
+    audit_log?: AuditLog;
     observables: Observables;
     checks: Checks;
     threat_intels: ThreatIntels1;
@@ -842,6 +838,23 @@ interface InvestigationCounts {
  * @returns Object with counts for each entity type
  */
 declare function getCounts(inv: CyvestInvestigation): InvestigationCounts;
+/**
+ * Get the investigation start time from the event log.
+ *
+ * Looks for the INVESTIGATION_STARTED event and returns its timestamp.
+ *
+ * @param inv - The investigation
+ * @returns The start timestamp string or undefined if not found
+ *
+ * @example
+ * ```ts
+ * const startedAt = getStartedAt(investigation);
+ * if (startedAt) {
+ *   console.log(`Started: ${startedAt}`);
+ * }
+ * ```
+ */
+declare function getStartedAt(inv: CyvestInvestigation): string | undefined;
 
 /**
  * Finder utilities for querying and filtering Cyvest Investigation data.
@@ -1355,4 +1368,4 @@ declare function getRelationshipsForObservable(inv: CyvestInvestigation, observa
     }>;
 };
 
-export { type Actor, type AuditEvent, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type EventLog, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };
+export { type Actor, type AuditEvent, type AuditLog, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStartedAt, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };

package/dist/index.js

@@ -102,6 +102,7 @@ __export(index_exports, {
   getRelatedObservablesByDirection: () => getRelatedObservablesByDirection,
   getRelatedObservablesByType: () => getRelatedObservablesByType,
   getRelationshipsForObservable: () => getRelationshipsForObservable,
+  getStartedAt: () => getStartedAt,
   getStats: () => getStats,
   getSuspiciousChecks: () => getSuspiciousChecks,
   getSuspiciousObservables: () => getSuspiciousObservables,
@@ -840,12 +841,6 @@ var cyvest_schema_default = {
       description: "Optional human-readable investigation name.",
       title: "Investigation Name"
     },
-    started_at: {
-      description: "Investigation start time (UTC).",
-      format: "date-time",
-      title: "Started At",
-      type: "string"
-    },
     score: {
       description: "Global investigation score.",
       title: "Score",
@@ -868,13 +863,20 @@ var cyvest_schema_default = {
       title: "Whitelists",
       type: "array"
     },
-    event_log: {
-      description: "Append-only investigation audit log.",
-      items: {
-        $ref: "#/$defs/AuditEvent"
-      },
-      title: "Event Log",
-      type: "array"
+    audit_log: {
+      anyOf: [
+        {
+          items: {
+            $ref: "#/$defs/AuditEvent"
+          },
+          type: "array"
+        },
+        {
+          type: "null"
+        }
+      ],
+      description: "Append-only investigation audit log. Null when serialization disabled audit.",
+      title: "Audit Log"
     },
     observables: {
       additionalProperties: {
@@ -936,7 +938,6 @@ var cyvest_schema_default = {
   },
   required: [
     "investigation_id",
-    "started_at",
     "score",
     "level",
     "whitelisted",
@@ -1332,6 +1333,12 @@ function getCounts(inv) {
     whitelists: inv.whitelists.length
   };
 }
+function getStartedAt(inv) {
+  const event = inv.audit_log?.find(
+    (e) => e.event_type === "INVESTIGATION_STARTED"
+  );
+  return event?.timestamp;
+}
 
 // src/finders.ts
 function findObservablesByType(inv, type) {
@@ -1942,6 +1949,7 @@ function getRelationshipsForObservable(inv, observableKey) {
   getRelatedObservablesByDirection,
   getRelatedObservablesByType,
   getRelationshipsForObservable,
+  getStartedAt,
   getStats,
   getSuspiciousChecks,
   getSuspiciousObservables,

package/dist/index.mjs

@@ -707,12 +707,6 @@ var cyvest_schema_default = {
       description: "Optional human-readable investigation name.",
       title: "Investigation Name"
     },
-    started_at: {
-      description: "Investigation start time (UTC).",
-      format: "date-time",
-      title: "Started At",
-      type: "string"
-    },
     score: {
       description: "Global investigation score.",
       title: "Score",
@@ -735,13 +729,20 @@ var cyvest_schema_default = {
       title: "Whitelists",
       type: "array"
     },
-    event_log: {
-      description: "Append-only investigation audit log.",
-      items: {
-        $ref: "#/$defs/AuditEvent"
-      },
-      title: "Event Log",
-      type: "array"
+    audit_log: {
+      anyOf: [
+        {
+          items: {
+            $ref: "#/$defs/AuditEvent"
+          },
+          type: "array"
+        },
+        {
+          type: "null"
+        }
+      ],
+      description: "Append-only investigation audit log. Null when serialization disabled audit.",
+      title: "Audit Log"
     },
     observables: {
       additionalProperties: {
@@ -803,7 +804,6 @@ var cyvest_schema_default = {
   },
   required: [
     "investigation_id",
-    "started_at",
     "score",
     "level",
     "whitelisted",
@@ -1199,6 +1199,12 @@ function getCounts(inv) {
     whitelists: inv.whitelists.length
   };
 }
+function getStartedAt(inv) {
+  const event = inv.audit_log?.find(
+    (e) => e.event_type === "INVESTIGATION_STARTED"
+  );
+  return event?.timestamp;
+}
 
 // src/finders.ts
 function findObservablesByType(inv, type) {
@@ -1808,6 +1814,7 @@ export {
   getRelatedObservablesByDirection,
   getRelatedObservablesByType,
   getRelationshipsForObservable,
+  getStartedAt,
   getStats,
   getSuspiciousChecks,
   getSuspiciousObservables,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyvest/cyvest-js",
-  "version": "4.3.0",
+  "version": "4.4.0",
   "main": "dist/index.cjs",
   "module": "dist/index.mjs",
   "types": "dist/index.d.ts",

package/src/getters.ts

@@ -397,3 +397,26 @@ export function getCounts(inv: CyvestInvestigation): InvestigationCounts {
     whitelists: inv.whitelists.length,
   };
 }
+
+/**
+ * Get the investigation start time from the event log.
+ *
+ * Looks for the INVESTIGATION_STARTED event and returns its timestamp.
+ *
+ * @param inv - The investigation
+ * @returns The start timestamp string or undefined if not found
+ *
+ * @example
+ * ```ts
+ * const startedAt = getStartedAt(investigation);
+ * if (startedAt) {
+ *   console.log(`Started: ${startedAt}`);
+ * }
+ * ```
+ */
+export function getStartedAt(inv: CyvestInvestigation): string | undefined {
+  const event = inv.audit_log?.find(
+    (e) => e.event_type === "INVESTIGATION_STARTED"
+  );
+  return event?.timestamp;
+}

package/src/types.generated.ts

@@ -15,15 +15,15 @@ export type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 export type Whitelists = InvestigationWhitelist[];
+/**
+ * Append-only investigation audit log. Null when serialization disabled audit.
+ */
+export type AuditLog = AuditEvent[] | null;
 export type Actor = string | null;
 export type Reason = string | null;
 export type Tool = string | null;
 export type ObjectType = string | null;
 export type ObjectKey = string | null;
-/**
- * Append-only investigation audit log.
- */
-export type EventLog = AuditEvent[];
 export type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -66,10 +66,6 @@ export interface CyvestInvestigation {
    */
   investigation_id: string;
   investigation_name?: InvestigationName;
-  /**
-   * Investigation start time (UTC).
-   */
-  started_at: string;
   /**
    * Global investigation score.
    */
@@ -80,7 +76,7 @@ export interface CyvestInvestigation {
    */
   whitelisted: boolean;
   whitelists: Whitelists;
-  event_log?: EventLog;
+  audit_log?: AuditLog;
   observables: Observables;
   checks: Checks;
   threat_intels: ThreatIntels1;

package/tests/getters-finders.test.ts

@@ -18,6 +18,7 @@ import {
   getAllContainers,
   getAllObservables,
   getCounts,
+  getStartedAt,
   // Finders
   findObservablesByType,
   findObservablesByLevel,
@@ -43,11 +44,19 @@ function createTestInvestigation(): CyvestInvestigation {
   return {
     investigation_id: "01HXYZTESTINVESTIGATION",
     investigation_name: "Test Investigation",
-    started_at: "2024-01-01T00:00:00Z",
     score: 7.5,
     score_display: "7.50",
     level: "MALICIOUS",
     whitelisted: false,
+    audit_log: [
+      {
+        event_id: "01HXYZTESTEVENT001",
+        timestamp: "2024-01-01T00:00:00Z",
+        event_type: "INVESTIGATION_STARTED",
+        object_type: "investigation",
+        object_key: "01HXYZTESTINVESTIGATION",
+      },
+    ],
     whitelists: [
       {
         identifier: "wl-1",
@@ -340,6 +349,25 @@ describe("Getters", () => {
       expect(counts.whitelists).toBe(1);
     });
   });
+
+  describe("getStartedAt", () => {
+    it("returns timestamp from INVESTIGATION_STARTED event", () => {
+      const startedAt = getStartedAt(inv);
+      expect(startedAt).toBe("2024-01-01T00:00:00Z");
+    });
+
+    it("returns undefined when no audit_log", () => {
+      const invWithoutAuditLog = { ...inv, audit_log: undefined };
+      const startedAt = getStartedAt(invWithoutAuditLog);
+      expect(startedAt).toBeUndefined();
+    });
+
+    it("returns undefined when no INVESTIGATION_STARTED event", () => {
+      const invWithEmptyLog = { ...inv, audit_log: [] };
+      const startedAt = getStartedAt(invWithEmptyLog);
+      expect(startedAt).toBeUndefined();
+    });
+  });
 });
 
 describe("Finders", () => {

package/tests/graph.test.ts

@@ -22,11 +22,19 @@ function createGraphTestInvestigation(): CyvestInvestigation {
   return {
     investigation_id: "01HXYZGRAPHINVESTIGATION",
     investigation_name: "Graph Test Investigation",
-    started_at: "2024-01-01T00:00:00Z",
     score: 5,
     score_display: "5.00",
     level: "MALICIOUS",
     whitelisted: false,
+    audit_log: [
+      {
+        event_id: "01HXYZTESTEVENT001",
+        timestamp: "2024-01-01T00:00:00Z",
+        event_type: "INVESTIGATION_STARTED",
+        object_type: "investigation",
+        object_key: "01HXYZGRAPHINVESTIGATION",
+      },
+    ],
     whitelists: [],
     observables: {
       "obs:email-message:msg1": {