API Overview
OpenSOAR exposes a FastAPI-based API for alerts, playbooks, runs, integrations, incidents, authentication, and supporting workflows.
Local API Docs
When the stack is running locally:
Relevant Playbook Endpoints
Examples:
GET /api/v1/playbooks
GET /api/v1/playbooks/{playbook_id}
PATCH /api/v1/playbooks/{playbook_id}
POST /api/v1/playbooks/{playbook_id}/run
Important Limitation
These endpoints operate on discovered playbook definitions. They do not replace the code-on-disk workflow for authoring and loading playbooks.
In other words:
- you can list playbooks through the API
- you can toggle enablement through the API
- you can inspect the persisted execution_order used for multi-playbook sequencing
- you can trigger a discovered playbook through the API
- you cannot upload a new Python playbook through the API today
For the operational loading model, read Loading and Syncing Playbooks.
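The following is an added example, not code from the OpenSOAR project: a minimal client for the four playbook endpoints above that lists discovered playbooks, keeps only the enabled ones, and triggers them in their persisted execution_order. The base URL, bearer-token auth, the PATCH field name "enabled", and the record fields "id", "enabled" and "execution_order" are assumptions.

```python
"""Minimal client for the OpenSOAR playbook endpoints (added example; field names assumed)."""
import json
import urllib.request
from typing import Any, Optional

BASE_URL = "http://localhost:8000"   # assumption: where the local stack listens
API = "/api/v1/playbooks"            # endpoint prefix from the docs


def _call(method: str, path: str, token: str, body: Optional[dict] = None) -> Any:
    """Send one JSON request; bearer-token auth is an assumption, not documented here."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def list_playbooks(token: str) -> list:
    return _call("GET", API, token)                      # GET /api/v1/playbooks


def set_enabled(token: str, playbook_id: str, enabled: bool) -> dict:
    # assumption: enablement is toggled with a body field named "enabled"
    return _call("PATCH", f"{API}/{playbook_id}", token, {"enabled": enabled})


def run_playbook(token: str, playbook_id: str) -> dict:
    return _call("POST", f"{API}/{playbook_id}/run", token)


def sequence(playbooks: list) -> list:
    """Ids of enabled playbooks sorted by persisted execution_order.

    Records without an execution_order run last, ordered by id so the result is stable."""
    enabled = [p for p in playbooks if p.get("enabled")]
    enabled.sort(key=lambda p: (p.get("execution_order") is None,
                                p.get("execution_order") or 0, p["id"]))
    return [p["id"] for p in enabled]


def run_sequence(token: str) -> list:
    """Trigger every enabled discovered playbook in sequence order; returns the ids run."""
    order = sequence(list_playbooks(token))
    for pid in order:
        run_playbook(token, pid)
    return order


# Constructed sample of a GET /api/v1/playbooks response (record shape is assumed).
SAMPLE = [
    {"id": "enrich-ip", "enabled": True, "execution_order": 2},
    {"id": "triage", "enabled": True, "execution_order": 1},
    {"id": "legacy", "enabled": False, "execution_order": 0},
    {"id": "notify", "enabled": True, "execution_order": None},
]
```

Because new playbooks cannot be uploaded through the API, `run_sequence` only ever touches playbooks already discovered from disk; a disabled record such as "legacy" is skipped rather than run.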
Relevant Incident Endpoints
Examples:
GET /api/v1/incidents
POST /api/v1/incidents
PATCH /api/v1/incidents/{incident_id}
GET /api/v1/incidents/{incident_id}/activities
POST /api/v1/incidents/{incident_id}/comments
PATCH /api/v1/incidents/{incident_id}/comments/{comment_id}
GET /api/v1/incidents/{incident_id}/alerts
POST /api/v1/incidents/{incident_id}/alerts
DELETE /api/v1/incidents/{incident_id}/alerts/{alert_id}
GET /api/v1/incidents/{incident_id}/observables
POST /api/v1/incidents/{incident_id}/observables
GET /api/v1/incidents/suggestions
For the operator workflow around those endpoints, read Incident Workflow.
Webhook Ingestion
OpenSOAR can ingest alerts through webhook endpoints under /api/v1/webhooks/..., then normalize and route them into playbook execution.