InsightIDR REST API

Available InsightIDR APIs

Below are the available InsightIDR APIs and the capabilities of each. To learn more about Authentication and basic concepts, see Insight Platform API.

InsightIDR APIs

Only the APIs listed below will work for InsightIDR.

Investigations

The Investigations resource allows you to see any existing investigations, close investigations, and set the investigation status.

Threats

The Threats resource allows you to add or replace threat indicators.

Log Search API

Core API

Use the Core Log Search API to perform LEQL queries on any collection of logs or log sets, either by providing a query directly or by using a saved query.

Saved Queries

The Saved Queries API allows you to view, modify, create, and delete the saved queries for your account.

A Saved Query consists of 3 parts:

  • a LEQL statement
  • a Time Range (optional)
  • the Logs for the Query (optional)

If the time range or the logs for a saved query are left unspecified, they must be supplied when the saved query is used.

Context API

Use the Context API to retrieve the log entries immediately before and after a given log entry.

Reserved Queries API

You can use the Reserved Queries API to perform LEQL queries on a log in a reserved log set (also known as an "audit log" or a "reserved log"). For example, you can use the Reserved Queries API to perform a query on logs in the Internal Logs log set common to every account. It offers the same functionality as a subset of the Core Query API; however, logs are queried by name instead of by log key. You can use either the Reserved Queries API or the Core Query API to query reserved logs.

  • Query Reserved Logs (via GET or POST)

Log Derived Metrics

Use the Log Derived Metrics Query API to view Log Derived Metrics as time series data. (Log Derived Metrics are customer-defined LEQL calculations applied to logs in real time, created via the management/metrics/ endpoints.)