Intro to Helix API

In this installment of the Tips and Insights series, Bryon Wolcott introduces you to the Helix API, which allows you to quickly and systematically pull data out of Helix into other applications.

Hi, my name’s Bryon Wolcott. I’m a Senior Security Analyst at FireEye. Today I’m going to introduce you to the Helix API. First we’ll discuss how to generate the API key, then how to explore the available API endpoints. Using the API will allow you to quickly and systematically pull data out of Helix into other applications.

In order to get started with the API you’re going to generate an API key. So from the profile menu you’re going to go down to Identity Access Management, and this is where you’re going to be able to generate an API key. So here you can see any API keys that have previously been created. In this case we’re going to create a new one. I’m going to provide a name for this API key. Call it test. You can set how long it expires in. You can do an indefinite one with a quantity of zero, or any other value. I’m going to hit next. And here you can choose from any of the entitlements to provide to your API key. So this allows you to be very granular with your permissions. So you can allow some users to read only, some users to edit other people’s permissions. In this case I’m going to do grant all for the demo and I’m going to hit create API key. So we can see this API key was added successfully, and in order to retrieve it we have two options. We can copy it to our clipboard or download it as a text file. If you are going to download this you should be very careful where you save it to, because this will allow you to bypass using a password or any two-factor authentication. So this is much more sensitive than a password itself. So what I would usually do is copy this to the clipboard and save it directly to my password manager.

After we generate the key we can go and look at the API documentation. This is going to bring up our Swagger UI, which is something that allows us to describe all the API endpoints and allows you to test them out as well. So here we can see all the different API endpoints that are available to you to use with Helix. There is an extremely large amount, which is amazing because it allows you to write your own applications against Helix and get all the data out if you need to. So in this example we will look at the alerts namespace.

And you can see this is going to show you all the different parameters that are available to submit your query against the alerts API. So if you want to return just the last 10 alerts you can type in 10 for limit. And here we will just do try it out.

And when you hit that, that’s going to generate a curl command that you can use to run the same exact query on your own workstation or server. So we can see the output from this API shows us that it returned 10 alerts, and it’s all in JSON format. So you’re able to use this. You could take any of these alerts and send them to another ticketing system if you want, or maybe you just want to run some analytics against all the different types of alerts that you’ve seen in your instance. Another interesting API namespace would be the sensors. So this is going to show you any input sensor that you have connected to your Helix instance. It’s the same thing as with the alerts. We’re just going to run try it out and it will generate the curl command for us. And in this case it’s going to show us that we have 4 input sensors connected to our Helix instance. It’s a really interesting piece of information because you could now track the health of all your sensors and be able to determine that everything’s healthy. That gives you an overview of how you can leverage the API to interface Helix with other applications. Stay tuned for more FireEye tips and insights.
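The two queries shown in the video (the last 10 alerts, and the list of input sensors as a health check), as a small Python client added here as an example; it is not code from the video or from FireEye. The base URL, the `x-fireeye-api-key` header name, the `alerts`/`sensors` paths, the sensors response shape and the sensor field names are assumptions to be confirmed against your own instance's Swagger UI; the sensor data is constructed.

```python
"""Pull recent alerts and flag stale sensors via the Helix API (added example)."""
import json
import os
import urllib.parse
import urllib.request

# Placeholders, not from the video: confirm the base URL, header name, endpoint
# paths, response shape and sensor field names in your instance's Swagger UI.
BASE_URL = "https://helix.example.invalid/api/v3"
API_KEY_HEADER = "x-fireeye-api-key"

# Constructed sample, not real data: four input sensors as in the video.
CONSTRUCTED_SENSORS = [
    {"name": "sensor-hq-1", "last_seen_seconds_ago": 30},
    {"name": "sensor-hq-2", "last_seen_seconds_ago": 120},
    {"name": "sensor-dmz", "last_seen_seconds_ago": 7200},
    {"name": "sensor-cloud", "last_seen_seconds_ago": 45},
]


def build_request(endpoint, api_key, params=None):
    """GET request with the key in a header, so it never lands in URLs or logs."""
    url = f"{BASE_URL}/{endpoint.strip('/')}/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {API_KEY_HEADER: api_key, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def fetch_json(request, opener=urllib.request.urlopen):
    """Send the request and decode the JSON body (opener is injectable for tests)."""
    with opener(request) as resp:
        return json.load(resp)


def last_alerts(api_key, limit=10):
    """Same query as 'try it out' with limit=10 in the alerts namespace."""
    return fetch_json(build_request("alerts", api_key, {"limit": limit}))


def stale_sensors(sensors, max_idle_seconds=900):
    """Names of sensors that have not reported within max_idle_seconds."""
    return sorted(s["name"] for s in sensors
                  if s.get("last_seen_seconds_ago", float("inf")) > max_idle_seconds)


if __name__ == "__main__":
    # Export the key from your password manager into the environment first;
    # the key bypasses password and two-factor auth, so keep it off disk.
    key = os.environ["HELIX_API_KEY"]
    print(json.dumps(last_alerts(key), indent=2)[:2000])
    print("stale sensors:", stale_sensors(fetch_json(build_request("sensors", key))))
```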
