InsightIDR REST API
Available InsightIDR APIs
Below are the available InsightIDR APIs and the capabilities of each. To learn more about Authentication and basic concepts, see Insight Platform API.
InsightIDR APIs
Only the APIs listed below will work for InsightIDR.
Investigations
The Investigations resource allows you to see any existing investigations, close investigations, and set the investigation status.
Version 2
- List investigations
- Create investigation
- Search for investigations
- Close investigations in bulk
- List alerts associated with the specified investigation
- Get a list of Rapid7 product alerts associated with the specified investigation
- Get investigation
- Update investigation
- Assign user to investigation
- Set the disposition of an investigation
- Set the priority of an investigation
- Set the status of an investigation
Version 1
- List Investigation
- Close Investigations in Bulk
- Set the Status of an Investigation
- Assign User to Investigation
Threats
The Threats resource allows you to add or replace threat indicators.
Log Search API
Core API
Use the Core Log Search API to perform LEQL queries on any collection of logs or log sets, either by providing a query, or by using a saved query.
- List All Query API Endpoints
- Query Individual Logs
- Query Multiple Logs
- Query Individual Log Sets
- Query Multiple Log Sets
- Use a Saved Query (logs specified)
- Use a Saved Query (logs not specified)
- Poll a Query in Progress
Saved Queries
The Saved Queries API allows you to view, modify, create, and delete the saved queries for your account.
A Saved Query consists of 3 parts:
- a LEQL statement
- a Time Range (optional)
- the Logs for the Query (optional)
If the time range or the logs for a saved query are unspecified, they must be specified when the saved query is used.
- Create A Saved Query
- Replace A Saved Query
- Modify A Saved Query
- Delete A Saved Query
- List All Your Saved Queries
- View An Individual Saved Query
Context API
Use the Context API to retrieve the log entries immediately before and after some log entry.
Reserved Queries API
You can use the Reserved Queries API to perform LEQL queries on a log in a reserved log set (also known as an "audit log" or a "reserved log"). For example, you can use the Reserved Queries API to perform a query on logs in the Internal Logs log set common to every account.
It has the same functionality as a subset of the Core Query API; however, logs are queried by name instead of by log key.
You can use either the Reserved Queries API or the Core Query API to query reserved logs.
Log Derived Metrics
Use the Log Derived Metrics Query API to view Log Derived Metrics as time series data. (Log Derived Metrics are customer-defined LEQL calculations applied to logs in real time, created via the management/metrics/ endpoints.)
Logs and Logsets Management API
Use the Logs and Logsets Management API to view, modify, create and delete log or log set metadata.
Logs management
Logsets management
Archiving API
Use the Archiving API to configure S3 archiving for Logs.
- Create an S3 Archiving Setup
- Retrieve an S3 Archiving Setup
- Replace an S3 Archiving Setup
- Modify an S3 Archiving Setup
- Delete an S3 Archiving Setup
Download Logs
Use the Download Logs resource to retrieve Log Events for specific Logs.
Export To CSV
Use the Export To CSV resource to view or delete export jobs.