Splunk® Enterprise Security

REST API Reference

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

The Splunk Enterprise Security API

Splunk Enterprise Security offers a set of REST API endpoints that you can use to interact with the Splunk Enterprise Security frameworks programmatically or from Splunk search. These API endpoints are for Splunk Enterprise Security admins and for developers who are building integration applications for use with Splunk Enterprise Security.

The Splunk Enterprise Security REST API provides methods for accessing selected features in the Enterprise Security framework. The API follows the principles of Representational State Transfer (REST).

There are REST API access and usage differences between Splunk Cloud Platform and Splunk Enterprise. If you are using Splunk Cloud Platform, see Using the REST API with Splunk Cloud Platform in REST API Tutorials.

Navigate to specific endpoints and review available REST operations.

URI
Summary GET PUT POST DEL
Threat Intelligence endpoints
/data/threat_intel/upload Upload a threat intelligence file in STIX, IOC, or CSV format.
/services/data/threat_intel/item/{threat_intel_collection} Create or list rows in a threat intelligence collection.
/services/data/threat_intel/item/{threat_intel_collection} /{item_key} List, update, or delete a row in a threat intelligence collection.
Notable Event endpoints
/services/notable_update Modify notable events.
Analytic Story endpoints
/services/analyticstories/configs/{stanza_type} Acts as a proxy to configs/conf-analyticstories, with validation.
/services/analyticstories/configs/{stanza_type}/{name} Acts as a proxy to configs/conf-analyticstories/{stanza_name}.
/services/analyticstories/configs/{stanza_type}/{name}/acl Returns ACL information.
/services/analyticstories/configs/{stanza_type}/{name}/move Moves stanzas to other apps.
/services/analyticstories/configs/_reload Reloads data for the endpoint.
/services/analyticstories/schemas/{version} Reloads data for the endpoint.
/services/analyticstories/batch Takes a JSON array conforming to the analytic story JSON schema and saves it in proper format into analyticstories.conf.
Last modified on 19 January, 2022
  Threat Intelligence API reference

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters