SIEM (InsightIDR) REST API

Here, you can view the APIs that are available in SIEM (InsightIDR), along with their capabilities. For all other Rapid7 APIs, view the Insight Platform API overview .

Accounts & Users

The Accounts and Users API allows you to search for and find SIEM (InsightIDR) accounts. A user is a container with all the associated account information from SIEM (InsightIDR). An account is what that user logs into, such as Active Directory or an Office 365 user token.

Capabilities

• Search Account
  
• Get Account by RRN
  
• Search Local Accounts
  
• Get Local Account by RRN
  
• Search Users
  
• Get User by RRN

Alerts

If you’re a Managed Detection and Response customer with access to the Alerts experience, the Alerts API allows you to search, view, and modify existing alerts. Read more about alerts.

Capabilities:

• Search alerts
  
• Retrieve a single alert
  
• Update a single alert
  
• Retrieve multiple alerts
  
• Retrieve evidence for a single alert
  
• Retrieve an alert’s actors
  
• Retrieve assignees for a single alert
  
• Retrieve assignees for multiple alerts
  
• Retrieve a single alert field
  
• Retrieve values for a single alert field
  
• Retrieve all alert fields
  
• Update multiple alerts
  
• Create an investigation with alerts
  
• Create a report for alerts
  
• Retrieve alert actions (alert jobs)
  
• Retrieve alert action (alert job) result
  
• Retrieve alert action (alert job) tasks
  
• Retrieve a single process tree
  
• Retrieve all process trees for an alert
  

Assets

The Assets API allows you to find and search SIEM (InsightIDR) assets. An asset is a single device that is connected to your network or under your management, such as a server, laptop, or virtual machine. When you feed data to SIEM (InsightIDR), you are able to see a variety of metrics about your assets, such as data collection issues, the number of assets monitored with the Insight Agent, restricted assets, and unique processes that are happening on assets.

Capabilities

• Search Assets
  
• Get Asset by RRN

Attachments

The Attachments API allows you to upload, list, download, and delete attachments.

Capabilities

• List attachments
  
• Upload attachment
  
• Download attachment
  
• Delete an attachment
  
• Get attachment information

Audit

The Audit API allows you to track and record activity for investigative purposes.

• Audit List All Endpoints 
• Audit Poll a Query In Progress 
• Audit Query Individual Logs Using LEQL 
• Audit Retrieve All Export Jobs 
• Audit Retrieve An Export Job By ID 
• Query Multiple Logs Using LEQL 

Comments

The Comments APIs allows you to create, list, and delete comments.

Capabilities

• Update comment visibility
  
• List comments
  
• Create comment
  
• Get comment by RRN
  
• Delete a comment

Community Threats

These threat APIs allow you to add or replace indicators for Community Threats.

Capabilities

• Create a Community Threat
  
• Delete a Community Threat
  
• Add indicators to a Community Threat
  
• Replace indicators for a Community Threat

Detection Rules

The Detection Rules REST API allows you to programmatically perform the actions available in the SIEM (InsightIDR) Detection Rules UI. Read more about Detection Rules.

• Detection Rules API 

Investigations

The Investigations APIs allows you to view any existing investigations, modify or close investigations, and set the investigation status.

With Version 1 of the API, you can pull data from SIEM (InsightIDR) investigations into your preferred security and case tracking tools. The API can be used to:

• Retrieve a list of investigations
• Close investigations in bulk
• Assign a user to an investigation
• Set the status of an investigation

In addition to all of the tasks you can perform with Version 1 of the API, Version 2 can be used to:

• Create investigations
• Search investigations
• List alerts associated with the specified investigation
• Update an investigation
• Set the disposition
• Set the status or set the priority
• Get a list of Rapid7 product alerts associated with the specified investigation

Version 2

Capabilities

• List investigation
  
• Create investigation
  
• Search for investigations
  
• Close investigations in bulk
  
• List alerts associated with the specified investigation
  
• Get a list of Rapid7 product alerts associated with the specified investigation
  
• Get investigation
  
• Update investigation
  
• Assign user to investigation
  
• Set the disposition of an investigation
  
• Set the priority of an investigation
  
• Set the status of an investigation

Version 1

Capabilities

• List investigation
  
• Close investigations in bulk
  
• Assign user to investigation
  
• Set the status of an investigation

Log Search

The Log Search REST API allows you to perform the majority of the actions available through the IDR Log Search UI, and has some additional functionality that is not available through the UI. You may use this API to automate common tasks (for example, via shell scripts), and to generally interact with Log Management (InsightOps) programmatically.

• Query Log Data 
• Saved Queries 
• Pre-Computed Queries 
• Manage Logs 
• Manage Logsets 
• Manage Basic Detection Rules 
• Manage Basic Detection Rules Notification Settings 
• Manage Basic Detection Rules Notification Targets 
• Basic Detection Rule Labels 
• Manage LEQL Variables 
• Download Log Data 
• Export Log Data To CSV 
• Explore The Size of Your Log Data 
• Backup Your Log Data To S3 
• Retrieve The Most Common Keys Within Your Log Data