FireEye Endpoint Security API

FireEye Endpoint Security API is a RESTful API that enables automation of endpoint security operations and integration with security information and event management (SIEM) solutions. The API provides programmatic access to endpoint data, acquisitions, alerts, conditions, indicators, and containment capabilities. The API supports multiple acquisition types for host investigation including file acquisitions (password-protected zip files), triage acquisitions (lookback cache and forensic audit data), bulk acquisitions (audit scripts against host sets), and live acquisitions (volatile and non-volatile forensic data from running systems). Users can manage alerts generated from indicator condition matches, create and manage conditions to test for specific activity, and control host containment to restrict compromised system communications. The API implements role-based access control (RBAC) with two primary roles: api_admin (full access including agent configuration, containment approval, and host set management) and api_analyst (view and analysis capabilities without administrative functions). Authentication is token-based for session management. Additional capabilities include host information retrieval, custom configuration channel management for agent settings, enterprise search execution, and audit log access. The API allows users to create host lists and host sets, manage indicators, and perform forensic data collection operations on endpoints.