InsightIDR REST API

Available InsightIDR APIs

Below are the available InsightIDR APIs and the capabilities of each. To learn more about Authentication and basic concepts, see Insight Platform API.

Investigations

The Investigations resource allows you to see any existing investigations, close investigations, and set the investigation status.

Version 2

• List investigations
• Create investigation
• Search for investigations
• Close investigations in bulk
• List alerts associated with the specified investigation
• Get a list of Rapid7 product alerts associated with the specified investigation
• Get investigation
• Update investigation
• Assign user to investigation
• Set the disposition of an investigation
• Set the priority of an investigation
• Set the status of an investigation

Version 1

• List Investigation
• Close Investigations in Bulk
• Set the Status of an Investigation
• Assign User to Investigation

Threats

The Threats resource allows you to add or replace threat indicators.

• Add Indicators to a Threat
• Create a Threat
• Replace Indicators for a Threat

Log Search API

Core API

Use the Core Log Search API to perform LEQL queries on any collection of logs or log sets, either by providing a query, or by using a saved query.

• List All Query API Endpoints
• Query Individual Logs
• Query Multiple Logs
• Query Individual Log Sets
• Query Multiple Log Sets
• Use a Saved Query (logs specified)
• Use a Saved Query (logs not specified)
• Poll a Query in Progress

Saved Queries

The Saved Queries API allows you to view, modify, create, and delete the saved queries for your account.

A Saved Query consists of 3 parts:

• a LEQL statement
• a Time Range (optional)
• the Logs for the Query (optional)

If the time range, or the logs for a saved query are unspecified, then they must be specified when the saved query is used.

• Create A Saved Query
• Replace A Saved Query
• Modify A Saved Query
• Delete A Saved Query
• List All Your Saved Queries
• View An Individual Saved Query

Context API

Use the Context API to retrieve the log entries immediately before and after some log entry.

• Retrieve Contextual Log Entries

Reserved Queries API

You can use the Reserved Queries API to perform LEQL queries on a log in a reserved log set (also known as an "audit log", or a "reserved log"). For example, you can use the Reserved Queries API to perform a query on logs in the Internal Logs log set common to every account. It has the same functionality as a subset of the Core Query API, however logs are queried by name instead of by log key. You can use either the Reserved Queries API or the Core Query API to query reserved logs.

• Query Reserved Logs (via GET or POST)

Log Derived Metrics

Use the Log Derived Metrics Query API to view Log Derived Metrics as time series data. (Log Derived Metrics are customer defined LEQL calculations applied to logs in real time, created via the management/metrics/ endpoints.)

• Retrieve Log Derived Metrics

Logs and Logsets Management API

Use the Logs and Logsets Management API to view, modify, create and delete logs or log sets metadata.

Logs management

• Retrieve log event sources

Logsets management

• List All Logsets
• View an Individual Logset

Archiving API

Use the Archiving API to configure S3 archiving for Logs.

• Create an S3 Archiving Setup
• Retrieve an S3 Archiving Setup
• Replace an S3 Archiving Setup
• Modify an S3 Archiving Setup
• Delete an S3 Archiving Setup

Download Logs

Use the Download Logs resource to retrieve Log Events for specific Logs.

• Retrieve Logs Events For Log Ids

Export To CSV

Use the Export To CSV resource to view or delete export jobs.

• Retrieve All Export Jobs
• Retrieve An Export Job By Id
• Delete An Export Job By Id