Splunk® Enterprise Security

REST API Reference



Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

The Splunk Enterprise Security API

Splunk Enterprise Security offers a set of REST API endpoints that you can use to interact with the Splunk Enterprise Security frameworks programmatically or from a Splunk search. These endpoints are intended for Splunk Enterprise Security administrators and for developers building integrations with Splunk Enterprise Security.

The Splunk Enterprise Security REST API provides methods for accessing selected features in the Enterprise Security framework. The API follows the principles of Representational State Transfer (REST).

There are REST API access and usage differences between Splunk Cloud Platform and Splunk Enterprise. If you are using Splunk Cloud Platform, see Using the REST API with Splunk Cloud Platform in REST API Tutorials.

Navigate to a specific endpoint to review the REST operations it supports (GET, PUT, POST, DELETE).

Threat Intelligence endpoints

  /data/threat_intel/upload
    Upload a threat intelligence file in STIX, IOC, or CSV format.

  /services/data/threat_intel/item/{threat_intel_collection}
    Create or list rows in a threat intelligence collection.

  /services/data/threat_intel/item/{threat_intel_collection}/{item_key}
    List, update, or delete a row in a threat intelligence collection.

Notable Event endpoints

  /services/notable_update
    Modify notable events.

Analytic Story endpoints

  /services/analyticstories/configs/{stanza_type}
    Acts as a proxy to configs/conf-analyticstories, with validation.

  /services/analyticstories/configs/{stanza_type}/{name}
    Acts as a proxy to configs/conf-analyticstories/{stanza_name}.

  /services/analyticstories/configs/{stanza_type}/{name}/acl
    Returns ACL information.

  /services/analyticstories/configs/{stanza_type}/{name}/move
    Moves stanzas to other apps.

  /services/analyticstories/configs/_reload
    Reloads data for the endpoint.

  /services/analyticstories/schemas/{version}
    Reloads data for the endpoint.

  /services/analyticstories/batch
    Takes a JSON array conforming to the analytic story JSON schema and saves it in the proper format into analyticstories.conf.
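The following is an added example of how a client would address the threat intelligence item endpoints listed above; it is not Splunk's own code or part of this reference. It assumes a splunkd management interface at https://localhost:8089, a Splunk authentication token sent as a Bearer header, and JSON request bodies for the item endpoints; the collection name used in the usage lines is also assumed. The point it demonstrates is path confinement: every caller-supplied value ({threat_intel_collection} and {item_key}) is encoded as a single URL path segment, so a key containing "/" cannot walk out of the collection or land on a different endpoint.

```python
"""Client helpers for the Splunk Enterprise Security REST endpoints listed above.

Added example, not Splunk's own code. Assumptions not stated on this page:
  - splunkd's management interface listens on https://<host>:8089
  - authentication uses a Splunk token sent as "Authorization: Bearer <token>"
  - the threat_intel item endpoints exchange JSON bodies
"""
import json
import ssl
import urllib.parse
import urllib.request

SPLUNKD = "https://localhost:8089"                      # assumed management URL
THREAT_INTEL_ITEM = "/services/data/threat_intel/item"  # from the table above
NOTABLE_UPDATE = "/services/notable_update"             # from the table above


def item_path(collection, item_key=None):
    """Build /services/data/threat_intel/item/{collection}[/{item_key}].

    Each caller-supplied value becomes exactly one path segment: quote()
    with safe="" encodes "/" as %2F, so a key such as "../../notable_update"
    cannot escape the collection or address a different endpoint.
    """
    path = THREAT_INTEL_ITEM + "/" + urllib.parse.quote(collection, safe="")
    if item_key is not None:
        path += "/" + urllib.parse.quote(item_key, safe="")
    return path


def build_request(method, path, token, json_body=None, form=None, base_url=SPLUNKD):
    """Return a urllib Request carrying bearer auth and an optional body.

    json_body -> application/json (threat_intel item endpoints);
    form      -> application/x-www-form-urlencoded (classic splunkd style).
    output_mode=json asks splunkd for JSON instead of Atom XML.
    """
    url = base_url + path + "?output_mode=json"
    data = None
    headers = {"Authorization": "Bearer " + token}
    if json_body is not None:
        data = json.dumps(json_body).encode()
        headers["Content-Type"] = "application/json"
    elif form is not None:
        data = urllib.parse.urlencode(form, doseq=True).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def send(req, ca_bundle=None):
    """Send the request over TLS with certificate verification enabled.

    Pass ca_bundle=<path> for a self-signed splunkd certificate rather than
    disabling verification: the bearer token travels in the request header.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tok = "REPLACE_WITH_TOKEN"
    # List rows in a collection ("local_ip_intel" is an assumed collection name).
    print(build_request("GET", item_path("local_ip_intel"), tok).full_url)
    # Delete one row; the key is confined to a single path segment.
    print(build_request("DELETE", item_path("local_ip_intel", "10.0.0.1/24"), tok).full_url)
```

The same helpers serve /services/notable_update by passing NOTABLE_UPDATE as the path with a form body; the field names that endpoint accepts are documented on its own reference page and are not assumed here.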
Last modified on 22 November, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

