Get risk score history for an entity

GET /api/risk_score/history

Spaces method and path for this operation:

GET /s/{space_id}/api/risk_score/history

Refer to Spaces for more information.

Returns time-ordered historical risk score entries from the risk score time-series index for a given entity.

Query parameters

  • entity_type string Required

    The type of entity to retrieve history for.

    Values are host, user, service, or generic.

  • entity_id string Required

    The identifier of the entity to retrieve history for.

    Maximum length is 1000.

  • from string

    Start of the time range, in date-math syntax. Defaults to 90 days ago.

    Maximum length is 100. Default value is now-90d.

  • to string

    End of the time range, in date-math syntax. Defaults to now.

    Maximum length is 100. Default value is now.

  • score_type string

    Filter entries by the type of score recorded.

    Values are base, propagated, or resolution.

  • page_size integer

    Maximum number of history entries to return per request.

    Minimum value is 1, maximum value is 1000. Default value is 100.

Responses

  • 200 application/json

    Successful response

    • entity_id string Required

      Maximum length is 1000.

    • entity_type string Required

      Values are host, user, service, or generic.

    • entries array[object] Required
      • @timestamp string(date-time) Required

        Maximum length is 33.

      • calculated_level string Required

        Values are Unknown, Low, Moderate, High, or Critical.

      • calculated_score number(double)
      • calculated_score_norm number(double) Required

        Minimum value is 0, maximum value is 100.

      • category_1_count integer
      • category_1_score number(double)
      • score_type string

        Values are base, propagated, or resolution.

  • 400

    Invalid request

GET /api/risk_score/history
curl \
 --request GET 'https://localhost:5601/api/risk_score/history?entity_type=host&entity_id=string' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "entity_id": "alice",
  "entity_type": "user",
  "entries": [
    {
      "@timestamp": "2026-05-20T12:00:00.000Z",
      "calculated_level": "High",
      "calculated_score": 145.2,
      "calculated_score_norm": 72.4,
      "category_1_count": 18,
      "category_1_score": 102,
      "score_type": "base"
    }
  ]
}
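
An added example, not part of the original reference: a client-side helper that rejects query parameters outside the limits documented above before building the request URL, and then scans a response for rises in calculated_level. The function names and the sample response are constructed for illustration, and the severity ordering of the level values is an assumption.

```python
from datetime import datetime
from urllib.parse import quote, urlencode

ENTITY_TYPES = {"host", "user", "service", "generic"}
SCORE_TYPES = {"base", "propagated", "resolution"}
# Assumption: the documented level values are listed in ascending severity.
LEVELS = ["Unknown", "Low", "Moderate", "High", "Critical"]

def build_history_url(base_url, entity_type, entity_id, space_id=None,
                      date_from="now-90d", date_to="now",
                      score_type=None, page_size=100):
    """Reject values outside the documented limits, then build the request URL."""
    if entity_type not in ENTITY_TYPES:
        raise ValueError("entity_type must be host, user, service, or generic")
    if not 1 <= len(entity_id) <= 1000:
        raise ValueError("entity_id is required; maximum length is 1000")
    if len(date_from) > 100 or len(date_to) > 100:
        raise ValueError("from/to maximum length is 100")
    if score_type is not None and score_type not in SCORE_TYPES:
        raise ValueError("score_type must be base, propagated, or resolution")
    if not 1 <= page_size <= 1000:
        raise ValueError("page_size must be between 1 and 1000")
    params = {"entity_type": entity_type, "entity_id": entity_id,
              "from": date_from, "to": date_to, "page_size": page_size}
    if score_type:
        params["score_type"] = score_type
    prefix = f"/s/{quote(space_id, safe='')}" if space_id else ""
    return f"{base_url.rstrip('/')}{prefix}/api/risk_score/history?{urlencode(params)}"

def _ts(entry):
    return datetime.fromisoformat(entry["@timestamp"].replace("Z", "+00:00"))

def level_escalations(response):
    """Return (timestamp, previous_level, new_level) for each rise in level."""
    entries = sorted(response["entries"], key=_ts)  # do not rely on returned order
    rises = []
    for prev, cur in zip(entries, entries[1:]):
        before, after = prev["calculated_level"], cur["calculated_level"]
        if LEVELS.index(after) > LEVELS.index(before):
            rises.append((cur["@timestamp"], before, after))
    return rises

# Constructed sample response (not real data), using the required entry fields.
SAMPLE = {"entity_id": "alice", "entity_type": "user", "entries": [
    {"@timestamp": "2026-05-20T12:00:00.000Z", "calculated_level": "High", "calculated_score_norm": 72.4},
    {"@timestamp": "2026-05-18T12:00:00.000Z", "calculated_level": "Low", "calculated_score_norm": 21.0},
    {"@timestamp": "2026-05-21T12:00:00.000Z", "calculated_level": "Moderate", "calculated_score_norm": 48.3}]}

if __name__ == "__main__":
    print(level_escalations(SAMPLE))
```
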