# SIEM Accessed Provider Endpoints

## CrowdStrike Falcon® Next-Gen SIEM

| Operation | Provider Endpoints |
| --- | --- |
| Post Events | POST /services/collector |
| Query Alerts | GET /incidents/queries/incidents/v1 |
| Query Events | GET /humio/api/v1/repositories/search-all/queryjobs/{jobId}<br>POST /humio/api/v1/repositories/investigate_view/queryjobs<br>POST /humio/api/v1/repositories/search-all/queryjobs |

## Elastic SIEM

| Operation | Provider Endpoints |
| --- | --- |
| Post Events | POST /{index}/_bulk |
| Query Alerts | POST /api/detection_engine/signals/search |
| Query Events | POST /{index}/_async_search |
| Query Log Providers | GET /{index} |

## OpenSearch SIEM

| Operation | Provider Endpoints |
| --- | --- |
| Post Events | POST /{index}/_bulk |
| Query Events | POST /{index}/_plugins/_asynchronous_search |
| Query Log Providers | GET /{index} |

## IBM QRadar SIEM

| Operation | Provider Endpoints |
| --- | --- |
| Get Investigation | GET /api/siem/offenses/{id} |
| Post Events | POST |
| Query Events | GET /api/ariel/searches/{searchId}<br>GET /api/ariel/searches/{searchId}/results<br>POST /api/ariel/searches |
| Query Investigations | GET /api/siem/offenses |
| Query Log Providers | GET /api/config/event_sources/log_source_management/log_sources |

## Rapid7 InsightIDR

| Operation | Provider Endpoints |
| --- | --- |
| Get Evidence | GET /idr/v1/restricted/investigations/{id}/evidence |
| Get Investigation | GET /idr/v2/investigations/{id} |
| Patch Investigation | GET /idr/v2/investigations/{id}<br>PATCH /idr/v2/investigations/{id} |
| Query Events | GET /log_search/query/logs/{logId}<br>GET /log_search/query/{logId}<br>GET /management/logsets<br>GET /query/logsets |
| Query Investigations | POST /idr/v2/investigations/_search |
| Query Log Providers | GET /management/logsets |

## Microsoft Sentinel

| Operation | Provider Endpoints |
| --- | --- |
| Get Investigation | GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{id} |
| Patch Investigation | GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{id}<br>PUT /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{id} |
| Post Events | POST /dataCollectionRules/{ruleId}/streams/{streamName} |
| Query Alerts | GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules |
| Query Events | POST /v1/workspaces/{workspaceId}/query |
| Query Investigations | GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents |
| Query Log Providers | GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/tables |

## Splunk Enterprise Security

| Operation | Provider Endpoints |
| --- | --- |
| Post Events | POST<br>POST /services/collector/event |
| Query Alerts | GET /servicesNS/-/-/saved/searches |
| Query Events | GET /services/search/jobs/{jobId}<br>GET /services/search/jobs/{jobId}/results<br>POST /services/search/jobs |
| Query Log Providers | GET /services/search/jobs/{jobId}<br>GET /services/search/jobs/{jobId}/results<br>POST /services/search/jobs |

## Sumo Logic Cloud SIEM

| Operation | Provider Endpoints |
| --- | --- |
| Get Evidence | GET /api/sec/v1/insights/{id} |
| Get Investigation | GET /api/sec/v1/insights/{id} |
| Post Events | POST /receiver/v1/http/{httpCollectorCode} |
| Query Events | GET /api/v1/search/jobs/{jobId}<br>GET /api/v1/search/jobs/{jobId}/messages<br>GET /api/v1/search/jobs/{jobId}/records<br>POST /api/v1/search/jobs |
| Query Investigations | GET /api/sec/v1/insights |
| Query Log Providers | GET /api/v1/search/jobs/{jobId}<br>GET /api/v1/search/jobs/{jobId}/records<br>POST /api/v1/search/jobs |