Back to Blogs

How to Take Advantage of the New Observations API

Posted on July 24, 2023


Replacing the Enriched Events API, the new Observations API lets you search through all Observations, which are noteworthy activity reported by your organization’s sensors, to find one or more specific Observations that match the search criteria. You can:

  • See tactics, techniques and procedures (TTPs) and the MITRE CVEs associated with potentially malicious activity
  • Get visibility into the cyber kill chain stage at which attacks were stopped
  • Identify the family and name of malware observed and stopped on your organization’s endpoints
  • Utilize new data types included with XDR
  • Richer search, easy aggregation, and faster filtering to isolate type and distribution of classes of detections, such as Intrusion Detection System
  • Deeper unpacking of network traffic to catch malicious activity masquerading as “benign” protocols
  • For developers, the Observations API adds aggregation tooling to quickly evaluate the blast radius of suspicious activity without having to first ingest all Observations into your own data lake or SIEM


  • Endpoint Standard or Enterprise EDR product
  • All API calls require an API key with appropriate permissions, see Authentication for details

How to Migrate

Read the Observations API Migration Guide to migrate your integrations and automation to take advantage of the new API and be ready to extend when new features are added.

Deactivation timeline

The Enriched Events Search API will be deactivated on July 31, 2024. (Updated September 2023.)


Have questions or feedback?

  • Stay up to date with the latest news by subscribing to the Developer Network Newsletter.