InsightIDR REST API
Available InsightIDR APIs
Below are the available InsightIDR APIs and the capabilities of each. To learn more about Authentication and basic concepts, see Insight Platform API.
Only the APIs listed below will work for InsightIDR.
The Investigations resource allows you to list, create, search, close and update investigations, assign a user to an investigation, and set an investigation's disposition, priority and status.
- List investigations
- Create investigation
- Search for investigations
- Close investigations in bulk
- List alerts associated with the specified investigation
- Get investigation
- Update investigation
- Assign user to investigation
- Set the disposition of an investigation
- Set the priority of an investigation
- Set the status of an investigation
The Threats resource allows you to add or replace threat indicators.
Log Search API
Use the Core Log Search API to perform LEQL queries on any collection of logs or log sets, either by providing a query, or by using a saved query.
- List All Query API Endpoints
- Query Individual Logs
- Query Multiple Logs
- Query Individual Log Sets
- Query Multiple Log Sets
- Use a Saved Query (logs specified)
- Use a Saved Query (logs not specified)
- Poll a Query in Progress
The Saved Queries API allows you to view, modify, create, and delete the saved queries for your account.
A Saved Query consists of 3 parts:
- a LEQL statement
- a Time Range (optional)
- the Logs for the Query (optional)
If the time range or the logs for a saved query are unspecified, they must be specified when the saved query is used.
- Create A Saved Query
- Replace A Saved Query
- Modify A Saved Query
- Delete A Saved Query
- List All Your Saved Queries
- View An Individual Saved Query
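The following is an added example, not Rapid7's own code, covering two things the Log Search and Saved Queries sections describe: running a LEQL query against a single log and polling while the query is still in progress, and refusing to run a saved query whose time range or logs were left unspecified and not supplied at run time. The region host, the `/log_search/query/logs/{log_id}` path with `query` and `time_range` parameters, the `X-Api-Key` header, and the shape of the 202 response (a `links` array with a `Self` entry to poll) are assumptions to verify against the Insight Platform API reference; the transport is an offline fake, and the saved query and events are constructed.

```python
"""Added example: a minimal Log Search client that also honours saved-query rules.

Everything here is illustrative and constructed for this page: the region host,
endpoint path, parameter names and 202 polling shape are assumptions to verify
against the Insight Platform API reference; the HTTP transport is an offline fake.
"""
import os
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Assumption: US region host. Use the host for your own Insight Platform region.
BASE_URL = "https://us.api.insight.rapid7.com"

Response = Tuple[int, Dict]                                 # (HTTP status, JSON body)
Transport = Callable[[str, str, Dict[str, str]], Response]  # (method, url, headers)


def missing_parts(saved: Dict, time_range: Optional[str] = None,
                  log_ids: Optional[List[str]] = None) -> List[str]:
    """Return which optional parts of a saved query are still unspecified after
    applying run-time overrides (unspecified parts must be supplied when used)."""
    during = saved.get("leql", {}).get("during", {})
    missing = []
    if not (time_range or during.get("time_range")):
        missing.append("time_range")
    if not (log_ids or saved.get("logs")):
        missing.append("logs")
    return missing


def resolve_saved_query(saved: Dict, time_range: Optional[str] = None,
                        log_ids: Optional[List[str]] = None) -> Dict:
    """Merge overrides into the saved query; refuse to run an unbounded query."""
    missing = missing_parts(saved, time_range, log_ids)
    if missing:
        raise ValueError(f"saved query needs {missing} specified at run time")
    leql = saved["leql"]
    return {
        "statement": leql["statement"],
        "time_range": time_range or leql["during"]["time_range"],
        "logs": log_ids or saved["logs"],
    }


def build_query_url(log_id: str, statement: str, time_range: str) -> str:
    """Query a single log by log key. Path and parameter names are assumptions."""
    params = urlencode({"query": statement, "time_range": time_range})
    return f"{BASE_URL}/log_search/query/logs/{log_id}?{params}"


def run_query(transport: Transport, api_key: str, url: str,
              max_polls: int = 20, poll_delay: float = 0.0) -> Dict:
    """GET the query URL and follow 202 'Self' links until a 200 arrives.
    Anything other than 200/202 is surfaced as an error rather than retried."""
    headers = {"X-Api-Key": api_key, "Accept": "application/json"}
    for _ in range(max_polls):
        status, body = transport("GET", url, headers)
        if status == 200:
            return body
        if status != 202:
            raise RuntimeError(f"HTTP {status}: {body}")
        # Assumption: the 202 body carries a links[] array with rel == "Self".
        url = next(l["href"] for l in body.get("links", []) if l.get("rel") == "Self")
        time.sleep(poll_delay)
    raise TimeoutError(f"query still running after {max_polls} polls")


def fake_transport(pending_polls: int):
    """Offline stand-in for HTTP: answers 202 `pending_polls` times, then 200 with
    constructed events. Records every URL called so the behaviour can be checked."""
    calls: List[str] = []

    def transport(method: str, url: str, headers: Dict[str, str]) -> Response:
        calls.append(url)
        if not headers.get("X-Api-Key"):
            return 401, {"message": "Unauthorized"}        # keyless calls are rejected
        if len(calls) <= pending_polls:
            poll_url = f"{BASE_URL}/log_search/query/q-0001"  # constructed query id
            return 202, {"links": [{"rel": "Self", "href": poll_url}]}
        return 200, {"events": [{"message": "action=LOGIN_FAILED user=alice"}]}  # constructed

    return transport, calls


def demo() -> Dict:
    """End to end: saved query without a time range -> override -> URL -> poll."""
    saved = {  # constructed saved query; it names its logs but no time range
        "leql": {"statement": "where(action=LOGIN_FAILED) calculate(count)"},
        "logs": ["log-1"],
    }
    resolved = resolve_saved_query(saved, time_range="Last 24 Hours")
    url = build_query_url(resolved["logs"][0], resolved["statement"], resolved["time_range"])
    transport, calls = fake_transport(pending_polls=2)
    # Keep the key out of source: it grants access to every resource on this page.
    api_key = os.environ.get("INSIGHT_API_KEY", "demo-key-not-real")
    result = run_query(transport, api_key, url)
    return {"url": url, "polls": len(calls), "events": result["events"]}


if __name__ == "__main__":
    print(demo())
```

To run it against the real service, replace `fake_transport` with a function that performs the HTTPS request and returns `(status, body)`; keep `max_polls` bounded so a stuck query cannot turn a scheduled job into an endless loop, and treat the API key as a credential (environment variable or secret store, never a query parameter or log line).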
Use the Context API to retrieve the log entries immediately before and after some log entry.
Reserved Queries API
You can use the Reserved Queries API to perform LEQL queries on a log in a reserved log set (also known as an "audit log", or a "reserved log"). For example, you can use the Reserved Queries API to perform a query on logs in the Internal Logs log set common to every account. It has the same functionality as a subset of the Core Query API; however, logs are queried by name instead of by log key. You can use either the Reserved Queries API or the Core Query API to query reserved logs.
Log Derived Metrics
Use the Log Derived Metrics Query API to view Log Derived Metrics as time series data. Log Derived Metrics are customer-defined LEQL calculations applied to logs in real time; they are created via the management/metrics/ endpoints.
Logs and Logsets Management API
Use the Logs and Logsets Management API to view, modify, create and delete log and log set metadata.