Send a DELETE request to /api/sessions to wipe log data from one or more SIEM indexes. ThreatLab clears the data from each target SIEM and automatically re-fires any noise jobs configured to repopulate the SIEM after a wipe.

Method: DELETE
Path: /api/sessions
Auth: Session cookie with manage_exercises capability

This permanently deletes data from your SIEM indexes. Use carefully in production environments — wiped data cannot be recovered through ThreatLab.

Query Parameters

siem (string, required)
The SIEM name to wipe, exactly as configured in Admin > Resources. Repeat the parameter to wipe multiple SIEMs simultaneously: ?siem=Splunk&siem=Elastic

Wipe Behavior per Driver

ThreatLab handles each driver type differently during a wipe:
Driver: Wipe Mechanism
splunk_hec: Runs search index=<name> | delete via the Splunk management API
elastic_bulk: Runs _delete_by_query against the configured index
syslog_tcp: Skipped; no wipe mechanism exists for raw TCP destinations
SIEMs that are skipped appear in the skipped array of the response rather than the wiped array.

Noise Job Re-fire

After wiping, ThreatLab automatically re-fires any noise jobs that have propagate_on_wipe = true and target one or more of the wiped SIEMs. This repopulates background noise data so the SIEM is not left empty after the wipe. Re-fired job IDs are returned per SIEM in the re_fired array.

Response Fields

ok (boolean)
true on success.

wiped (array)
List of SIEM names that were successfully wiped.

skipped (array)
List of SIEM names that were skipped, for example syslog_tcp destinations, which have no wipe mechanism.

re_fired (array)
Array of objects describing noise jobs re-fired after the wipe.

re_fire_errors (array)
Array of error messages for any noise jobs that failed to re-fire. An empty array means all re-fires succeeded.

Example

curl -X DELETE 'https://threatlab.your-org.com/api/sessions?siem=Splunk&siem=Elastic' \
  -H 'Cookie: sb-access-token=YOUR_TOKEN'
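A small Python client for the same call, added here as an example and not ThreatLab's own code: it builds the URL with the repeated siem parameter, sends the DELETE with the session cookie, and reconciles the wiped, skipped and re_fire_errors fields against the SIEMs that were requested so that an unprocessed SIEM or a failed re-fire is not silently missed. The SIEM names and the sample response are constructed, and the shape of each re_fired object is assumed (only its count is used).

```python
import json
import urllib.parse
import urllib.request

def build_wipe_url(base_url, siems):
    """Build the DELETE /api/sessions URL, repeating ?siem= once per target SIEM."""
    if not siems:
        raise ValueError("at least one siem is required")
    query = urllib.parse.urlencode([("siem", name) for name in siems])
    return f"{base_url.rstrip('/')}/api/sessions?{query}"

def wipe_siems(base_url, token, siems, send=urllib.request.urlopen):
    """Send the wipe with the session cookie; `send` is injectable for offline tests."""
    req = urllib.request.Request(
        build_wipe_url(base_url, siems),
        method="DELETE",
        headers={"Cookie": f"sb-access-token={token}"},
    )
    with send(req) as resp:
        return json.loads(resp.read().decode("utf-8"))

def summarize_wipe(requested, response):
    """Reconcile requested SIEMs against wiped/skipped and surface re-fire failures."""
    wiped = [s for s in response.get("wiped", []) if s in requested]
    skipped = [s for s in response.get("skipped", []) if s in requested]
    # A SIEM in neither array was not processed at all and needs a follow-up.
    unaccounted = [s for s in requested if s not in wiped and s not in skipped]
    # Any re-fire error means a wiped SIEM may have been left without noise data.
    errors = list(response.get("re_fire_errors", []))
    return {
        "wiped": wiped,
        "skipped": skipped,
        "unaccounted": unaccounted,
        "re_fired_count": len(response.get("re_fired", [])),
        "re_fire_errors": errors,
        "healthy": bool(response.get("ok")) and not unaccounted and not errors,
    }

# Constructed sample response (re_fired object shape is assumed; only its length is used).
SAMPLE_RESPONSE = {
    "ok": True,
    "wiped": ["Splunk", "Elastic"],
    "skipped": ["SyslogRelay"],
    "re_fired": [{"siem": "Splunk"}, {"siem": "Elastic"}],
    "re_fire_errors": [],
}
```

Call `summarize_wipe(["Splunk", "Elastic", "SyslogRelay"], wipe_siems(base, token, [...]))` and treat `healthy == False` as a condition to investigate before the exercise continues.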