Alert Logic released the IRIS API in 2018 in conjunction with the Incident Console. On March 1, 2022, the Public Incident API used by some Cloud Defender / Legacy customers will no longer be available. Customers still using the Public Incident API must begin using the IRIS API before the end of February, or they will lose visibility into incidents in environments supported by the Public Incident API.
Move Integrations from Public Incident API to IRIS API
To move integrations from the Public Incident API to the IRIS API, refer to the documentation for each of the following integrations that you use:
- Cloud Insight - Cloud Insight API Documentation
- Auth Token - AIMS Authentication and Authorization Resources
- Incidents - Get incidents by time
Access Token Requirement
Any interaction with the IRIS API requires an access token, which grants the READ and/or WRITE permissions needed by the account making the API request. To obtain a token, run the following commands on the command line:
export AL_USERNAME='<username>'
export AL_PASSWORD='<password>'
# Quote the credentials so that spaces or special characters in the password are passed intact.
auth=$(curl -X POST -s -u "$AL_USERNAME:$AL_PASSWORD" https://api.global-services.global.alertlogic.com/aims/v1/authenticate)
# AL_ERROR is empty when authentication succeeded.
export AL_ERROR=$(echo "$auth" | jq -r '.error // ""')
export AL_ACCOUNT_ID=$(echo "$auth" | jq -r '.authentication.account.id')
export AL_USER_ID=$(echo "$auth" | jq -r '.authentication.user.id')
export AL_TOKEN=$(echo "$auth" | jq -r '.authentication.token')
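A stricter variant of the token step for unattended integrations, given here as an added example rather than Alert Logic's own code (the function names are hypothetical): it prompts for the password instead of exporting it, hands the credentials to curl on stdin so they stay out of shell history and curl's argument list, and refuses to export the literal string "null" that jq -r prints when a field is missing.

```bash
#!/usr/bin/env bash
# Added example, not Alert Logic's code. Function names are hypothetical.
AIMS_URL='https://api.global-services.global.alertlogic.com/aims/v1/authenticate'

# Print a curl config line holding the credentials. Backslashes and double
# quotes are escaped because curl interprets both inside a quoted value.
al_curl_user_config() {
  local escaped
  escaped=$(printf '%s' "$1:$2" | sed 's/[\\"]/\\&/g')
  printf 'user = "%s"\n' "$escaped"
}

# Fail when a field is empty or the literal "null", which is what
# jq -r prints when the field is missing from the response.
al_require() {
  if [ -z "$2" ] || [ "$2" = "null" ]; then
    echo "AIMS response has no usable $1" >&2
    return 1
  fi
}

# Prompt for the password, authenticate, and export AL_ACCOUNT_ID, AL_USER_ID
# and AL_TOKEN only if every check passes.
al_authenticate() {
  local password auth err account user token
  read -r -s -p "Password for $AL_USERNAME: " password || return 1
  echo >&2
  # Credentials reach curl on stdin (--config -), not on its command line.
  auth=$(al_curl_user_config "$AL_USERNAME" "$password" |
    curl -s -X POST --config - "$AIMS_URL") || return 1
  err=$(printf '%s' "$auth" | jq -r '.error // ""') || return 1
  if [ -n "$err" ]; then
    echo "AIMS authentication failed: $err" >&2
    return 1
  fi
  account=$(printf '%s' "$auth" | jq -r '.authentication.account.id')
  user=$(printf '%s' "$auth" | jq -r '.authentication.user.id')
  token=$(printf '%s' "$auth" | jq -r '.authentication.token')
  al_require account.id "$account" || return 1
  al_require user.id "$user" || return 1
  al_require token "$token" || return 1
  export AL_ACCOUNT_ID="$account" AL_USER_ID="$user" AL_TOKEN="$token"
}
```

Source the file, set AL_USERNAME, and call al_authenticate; the later curl commands can then use $AL_TOKEN and $AL_ACCOUNT_ID as shown.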
Obtain a List of Incidents from IRIS
Requesting a list of incidents from the IRIS API requires an access token with READ permission. Refer to the Get incidents by time documentation and run the following command on the command line:
curl -s -X POST -H "x-aims-auth-token: $AL_TOKEN" "https://api.cloudinsight.alertlogic.com/iris/v3/partner_api/2021-01-01T12:00/2021-01-01T16:00"
To return only the incidents for a specific account, use the Get incidents by time for account documentation.
Obtain a Specific Incident by ID
Requesting a specific incident by ID requires an access token with READ permission. Refer to the Get incident documentation and run the following commands on the command line:
export AL_INCIDENT_ID="1ab29e36-394e-11e9-a004-720004270420"
curl -H "x-aims-auth-token: $AL_TOKEN" -X GET \
"https://api.cloudinsight.alertlogic.com/iris/v3/${AL_ACCOUNT_ID}/${AL_INCIDENT_ID}"
Close or Complete an Incident by ID
Closing or completing an incident by ID requires an access token with WRITE permission. Refer to the Complete incident documentation and run the following command on the command line:
curl -H "x-aims-auth-token: $AL_TOKEN" -X POST \
"https://api.cloudinsight.alertlogic.com/iris/v3/$AL_ACCOUNT_ID/$AL_INCIDENT_ID/complete" \
-d '{"reason_code": "further_action", "notes": "This incident is closed because of y"}'
Additional Resources
Contact your Customer Success Manager directly to schedule a technical support call if you have questions about the move from the Public Incident API to the IRIS API.