REST API Reference
The KYRA MDR REST API provides programmatic access to alerts, incidents, collectors, compliance, and other platform resources. Use it to integrate KYRA MDR with your existing tools, automate workflows, or build custom dashboards.
Base URL: https://console.kyramdr.com/api/v1
Authentication
All API requests require a Bearer token in the Authorization header.
Generate an API Key
- Open the KYRA MDR Console
- Go to Settings > API Keys
- Click Create API Key
- Give the key a name (e.g., “SIEM Integration”)
- Select the permission scope (read-only or read-write)
- Copy the key — it will not be shown again
Using the API Key
Include the key in every request:
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://console.kyramdr.com/api/v1/alerts
```
Authentication Errors
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing or invalid API key |
| 403 Forbidden | API key lacks required permissions |
| 429 Too Many Requests | Rate limit exceeded (see below) |
Rate Limits
| Plan | Rate Limit |
|---|---|
| FREE | 60 requests/minute |
| MDR | 300 requests/minute |
| PRO | 1,000 requests/minute |
| CUSTOM | Custom |
Rate limit headers are included in every response:
```
X-RateLimit-Limit: 300
X-RateLimit-Remaining: 297
X-RateLimit-Reset: 1700000060
```
Common Parameters
| Parameter | Type | Description |
|---|---|---|
| page | integer | Page number (default: 0) |
| size | integer | Items per page (default: 20, max: 100) |
| sort | string | Sort field (e.g., createdAt) |
| direction | string | Sort order: asc or desc |
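Added example (not KYRA MDR code): walking every page of `/alerts` with the `page` and `size` parameters while honouring the rate-limit headers and the 429 status described above. It relies on the `content`/`totalPages` envelope shown in the List Alerts response; the `fetch` hook, the demo backend and the reading of `X-RateLimit-Reset` as Unix seconds are assumptions.

```python
import time

def reset_delay(headers, now, floor=1.0):
    """Seconds until the rate-limit window resets (never less than `floor`).
    Assumption: X-RateLimit-Reset is a Unix timestamp in seconds."""
    try:
        return max(float(headers["X-RateLimit-Reset"]) - now, floor)
    except (KeyError, ValueError):
        return floor  # header missing or malformed: fixed pause

def iter_alerts(fetch, filters, size=100, max_retries=3,
                sleep=time.sleep, clock=time.time):
    """Yield every alert matching `filters`, page by page.
    `fetch(params) -> (status, headers, body)` is a hypothetical transport
    hook; in real use it would wrap requests.get(BASE_URL + "/alerts")."""
    page = retries = 0
    while True:
        status, headers, body = fetch({**filters, "page": page, "size": size})
        if status == 429:                        # rate limit exceeded
            retries += 1
            if retries > max_retries:
                raise RuntimeError("still rate limited after retries")
            sleep(reset_delay(headers, clock()))
            continue                             # retry the same page
        if status != 200:                        # 401/403/5xx: do not retry
            raise RuntimeError(f"HTTP {status}: {body.get('message')}")
        retries = 0
        yield from body["content"]
        page += 1
        if page >= body["totalPages"]:
            return
        if headers.get("X-RateLimit-Remaining") == "0":
            sleep(reset_delay(headers, clock()))  # pause before a 429 happens

def demo():
    """Constructed three-page backend: page 0 drains the window, page 1 gets one 429."""
    pages = [[{"id": "a1"}, {"id": "a2"}], [{"id": "a3"}], [{"id": "a4"}]]
    throttle_once, naps = {1}, []
    def fetch(params):
        p, hdrs = params["page"], {"X-RateLimit-Reset": "1700000060"}
        if p in throttle_once:
            throttle_once.discard(p)
            return 429, hdrs, {"status": 429}
        hdrs["X-RateLimit-Remaining"] = "0" if p == 0 else "5"
        return 200, hdrs, {"content": pages[p], "totalPages": len(pages)}
    alerts = iter_alerts(fetch, {"status": "OPEN"}, size=2,
                         sleep=naps.append, clock=lambda: 1700000030.0)
    return [a["id"] for a in alerts], naps
```

Injecting `sleep` and `clock` keeps the loop testable offline; a failed page is retried rather than skipped, so a throttled export does not silently lose alerts.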
Alerts
List Alerts
```
GET /api/v1/alerts
```
Query parameters:
| Parameter | Type | Description |
|---|---|---|
| severity | string | Filter by severity: critical, high, medium, low, info |
| status | string | Filter by status: OPEN, IN_PROGRESS, RESOLVED, FALSE_POSITIVE |
| search | string | Search in title, description |
Example:
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://console.kyramdr.com/api/v1/alerts?severity=critical&status=OPEN&size=5"
```
Response:
```json
{
  "content": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "title": "Brute Force Authentication Attempt",
      "severity": "high",
      "status": "OPEN",
      "source": "sshd",
      "mitreTactic": "credential-access",
      "mitreTechnique": "T1110",
      "createdAt": "2026-04-22T08:15:30Z",
      "description": "47 failed logon attempts from 10.0.1.55 targeting root account"
    }
  ],
  "totalElements": 232695,
  "totalPages": 11635,
  "number": 0,
  "size": 20
}
```
Get Alert Detail
```
GET /api/v1/alerts/{id}
```
Get Alert Stats
```
GET /api/v1/alerts/stats
```
Returns aggregated alert statistics:
```json
{
  "total_alerts": 232695,
  "open_alerts": 232685,
  "critical_alerts": 60,
  "high_alerts": 2359,
  "alerts_today": 33,
  "alerts_this_week": 586,
  "resolved_alerts": 2,
  "false_positive_alerts": 3
}
```
Incidents
List Incidents
```
GET /api/v1/incidents
```
| Parameter | Type | Description |
|---|---|---|
| severity | string | Filter by severity |
| status | string | OPEN, CONTAINED, ERADICATED, RECOVERED, CLOSED |
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://console.kyramdr.com/api/v1/incidents?status=OPEN"
```
Response:
```json
{
  "content": [
    {
      "id": "7c9e6679-a1f4-4b3c-80ba-e44f95541174",
      "title": "[Auto] TCP SYN Scan Detection",
      "severity": "high",
      "status": "OPEN",
      "alertCount": 5,
      "createdAt": "2026-04-22T07:00:00Z",
      "assignedTo": null,
      "mitreTactic": "discovery",
      "mitreTechnique": "T1046"
    }
  ],
  "totalElements": 127,
  "totalPages": 7
}
```
Get Incident Detail
```
GET /api/v1/incidents/{id}
```
Add Incident Comment
```
POST /api/v1/incidents/{id}/comments
```
```bash
curl -X POST \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content": "Isolated host from network. Investigating root cause."}' \
  https://console.kyramdr.com/api/v1/incidents/7c9e6679-a1f4/comments
```
Log Search
Search Events
```
POST /api/v1/siem/search
```
```bash
curl -X POST \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "program:sshd AND user:root",
    "fromTime": "2026-04-24T00:00:00Z",
    "toTime": "2026-04-25T00:00:00Z",
    "limit": 50
  }' \
  https://console.kyramdr.com/api/v1/siem/search
```
Response:
```json
{
  "events": [
    {
      "timestamp": "2026-04-24T14:22:10Z",
      "source": "sshd",
      "host": "10.0.1.55",
      "severity": "high",
      "message": "Failed password for root from 192.168.1.100 port 22 ssh2"
    }
  ],
  "total": 342,
  "histogram": [
    {
      "time": "2026-04-24T00:00:00Z",
      "count": 28,
      "breakdown": {"high": 5, "medium": 23}
    }
  ],
  "queryTime": 684
}
```
Detection Rules
List Rules
```
GET /api/v1/siem/rules
```
| Parameter | Type | Description |
|---|---|---|
| search | string | Search in name, description, MITRE tactic/technique |
| severity | string | Filter by severity |
| status | string | ACTIVE, INACTIVE, DRAFT |
| mitre | string | Filter by MITRE tactic or technique ID |
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://console.kyramdr.com/api/v1/siem/rules?mitre=T1110&size=5"
```
Collectors
List Collectors
```
GET /api/v1/collectors
```
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://console.kyramdr.com/api/v1/collectors
```
Response:
```json
[
  {
    "id": "d353abff-db8b-483b-9b77-67638402544b",
    "hostname": "collector-01",
    "status": "online",
    "version": "0.1.0",
    "osFamily": "linux",
    "lastHeartbeat": "2026-04-25T09:00:15Z",
    "eventsIngested": 1261953
  }
]
```
Compliance
List Frameworks
```
GET /api/v1/compliance/frameworks
```
Returns all 9 compliance frameworks: ISMS-P, ISO 27001, SOC 2, PCI-DSS, TISAX, CMMC, GDPR, CCPA, NIST CSF.
Get Controls with Status
```
GET /api/v1/compliance/{framework}/controls
```
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://console.kyramdr.com/api/v1/compliance/ISMSP/controls"
```
Get Framework Coverage
```
GET /api/v1/compliance/{framework}/coverage
```
```json
{
  "framework": "ISMSP",
  "totalControls": 31,
  "compliant": 24,
  "partial": 0,
  "nonCompliant": 0,
  "notAssessed": 7,
  "score": 77.42
}
```
Auto-Collect Evidence
```
POST /api/v1/compliance/evidence/collect
```
Export PDF Report
```
GET /api/v1/compliance/{framework}/report
```
Returns a PDF binary with Content-Type application/pdf.
Assets
List Assets
```
GET /api/v1/assets
```
| Parameter | Type | Description |
|---|---|---|
| search | string | Search by IP, hostname |
| type | string | Filter by asset type |
| sort | string | Sort field |
| direction | string | asc or desc |
Export
Export Data as CSV/JSON
```
GET /api/v1/export/{resource}?format={csv|json}
```
Available resources: alerts, incidents, detection-rules, assets, audit-logs, identities, compliance-controls, connectors, playbooks, notifications, subdomains, threat-intel-iocs, risk-intelligence, dsr.
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://console.kyramdr.com/api/v1/export/alerts?format=csv" \
  -o alerts.csv
```
Webhooks
Create Webhook
```
POST /api/v1/webhooks
```
```bash
curl -X POST \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Slack Critical Alerts",
    "url": "https://hooks.slack.com/services/T00/B00/xxx",
    "events": ["alert.created"],
    "filters": {
      "severity": ["critical", "high"]
    }
  }' \
  https://console.kyramdr.com/api/v1/webhooks
```
Webhook Events
| Event | Description |
|---|---|
| alert.created | New alert detected |
| alert.updated | Alert status changed |
| incident.created | New incident created |
| incident.updated | Incident status changed |
| collector.disconnected | Collector went offline |
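Added example (not part of the KYRA MDR documentation): a receiver-side check for deliveries of the events listed above, using the fields shown under Webhook Payload. This page documents no signature or secret header, so the check is structural only; treating `data.id` as a UUID and pinning `data.url` to the console host are assumptions.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit
from uuid import UUID

EVENTS = {"alert.created", "alert.updated", "incident.created",
          "incident.updated", "collector.disconnected"}  # events table above
SEVERITIES = {"critical", "high", "medium", "low", "info"}
CONSOLE_HOST = "console.kyramdr.com"

def parse_delivery(raw: bytes, max_bytes: int = 65536) -> dict:
    """Return the vetted fields of one delivery, or raise ValueError."""
    if len(raw) > max_bytes:
        raise ValueError("body too large")
    try:
        msg = json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and invalid UTF-8
        raise ValueError("body is not JSON") from exc
    data = msg.get("data") if isinstance(msg, dict) else None
    if not isinstance(data, dict):
        raise ValueError("missing data object")
    event = msg.get("event")
    if not isinstance(event, str) or event not in EVENTS:
        raise ValueError("unknown event type")
    try:
        datetime.strptime(msg.get("timestamp"), "%Y-%m-%dT%H:%M:%SZ")
        item_id = str(UUID(data.get("id")))  # assumption: ids are UUIDs
    except (TypeError, ValueError, AttributeError) as exc:
        raise ValueError("bad timestamp or id") from exc
    severity = data.get("severity")
    if severity is not None and (not isinstance(severity, str)
                                 or severity not in SEVERITIES):
        raise ValueError("bad severity")
    url = data.get("url")
    if url is not None:
        # Only forward links that stay on the console (assumed policy).
        parts = urlsplit(url) if isinstance(url, str) else None
        if not parts or parts.scheme != "https" or parts.hostname != CONSOLE_HOST:
            raise ValueError("link does not point at the console")
    return {"event": event, "id": item_id, "severity": severity, "url": url}

# SAMPLE mirrors the page's Webhook Payload; TAMPERED is a constructed variant.
SAMPLE = json.dumps({"event": "alert.created", "timestamp": "2026-04-22T08:15:30Z",
    "data": {"id": "550e8400-e29b-41d4-a716-446655440000",
             "title": "Brute Force Authentication Attempt", "severity": "high",
             "url": "https://console.kyramdr.com/alerts/550e8400-e29b"}}).encode()
TAMPERED = SAMPLE.replace(b"console.kyramdr.com/", b"console.kyramdr.com.example.net/")
```

The `title` field is deliberately not returned: it is free text and should be escaped by whatever chat or ticketing system finally renders it.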
Webhook Payload
```json
{
  "event": "alert.created",
  "timestamp": "2026-04-22T08:15:30Z",
  "data": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "title": "Brute Force Authentication Attempt",
    "severity": "high",
    "url": "https://console.kyramdr.com/alerts/550e8400-e29b"
  }
}
```
Error Responses
All errors follow a consistent format:
```json
{
  "error": "Invalid severity value",
  "message": "Allowed: critical, high, medium, low, info",
  "status": 400
}
```
| HTTP Status | Description |
|---|---|
| 400 | Invalid request parameter |
| 401 | Missing or invalid API key |
| 403 | Insufficient permissions |
| 404 | Resource not found |
| 409 | Conflict (duplicate resource) |
| 429 | Rate limit exceeded |
| 500 | Server error — contact support |
SDKs and Libraries
The REST API works with any HTTP client. Below are examples in common languages:
```python
# Python example
import requests

API_KEY = "your-api-key"
BASE_URL = "https://console.kyramdr.com/api/v1"

headers = {"Authorization": f"Bearer {API_KEY}"}

# Get open critical alerts
response = requests.get(
    f"{BASE_URL}/alerts",
    headers=headers,
    params={"severity": "critical", "status": "OPEN"},
    timeout=30,  # fail instead of hanging on a stalled connection
)
response.raise_for_status()  # surface 401/403/429 instead of a KeyError below

for alert in response.json()["content"]:
    print(f"[{alert['severity']}] {alert['title']}")
```
Need Help?
- API Issues: kyra@seekerslab.com
- Documentation: docs.kyramdr.com
- Console: console.kyramdr.com