POST /api/security/entity_store/install

Spaces method and path for this operation:

post /s/{space_id}/api/security/entity_store/install

Refer to Spaces for more information.

Install the Entity Store, creating engines for the specified entity types and configuring log extraction.

[Required authorization] Route required privileges: securitySolution.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks.

application/json

Body

  • entityTypes array[string]

    Values are user, host, service, or generic. Default value is ["user", "host", "service", "generic"].

  • historySnapshot object

    Additional properties are NOT allowed.

    • frequency string

      Format should match the following pattern: [smdh]$. Default value is 24h.

  • logExtraction object

    Additional properties are NOT allowed.

    • additionalIndexPatterns array[string]

      Default value is [] (empty).

    • delay string

      Format should match the following pattern: [smdh]$. Default value is 1m.

    • docsLimit integer

      Minimum value is 1, maximum value is 9007199254740991. Default value is 10000.

    • fieldHistoryLength integer

      Minimum value is -9007199254740991, maximum value is 9007199254740991. Default value is 10.

    • filter string

      Default value is empty.

    • frequency string

      Format should match the following pattern: [smdh]$. Default value is 30s.

    • lookbackPeriod string

      Format should match the following pattern: [smdh]$. Default value is 3h.

    • maxLogsPerPage integer

      Minimum value is 1, maximum value is 9007199254740991. Default value is 40000.

Responses

  • 200 application/json

    Indicates all requested entity types are already installed.

  • 201 application/json

    Indicates the Entity Store was successfully installed.

  • 403 application/json

    Insufficient privileges.
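As an added example that is not part of the reference page or of Kibana itself, the script below builds an install request from the constraints listed above (allowed entity types, the `[smdh]$` duration suffix, the integer ranges, and the rule that no additional properties are allowed in `historySnapshot` and `logExtraction`), rejects a body locally before it is sent, and then maps the 200/201/403 responses to their documented meaning. The requirement that a duration also start with an integer (for example `30s` or `12h`) is an assumption made here; the page only states the unit-suffix pattern. `KIBANA_URL`, `API_KEY` and the injectable `opener` parameter are this example's own conventions.

```python
import json
import re
import urllib.error
import urllib.request

# Constraints copied from the endpoint reference.
ENTITY_TYPES = ("user", "host", "service", "generic")
INT_MAX = 9007199254740991
# The reference only states the pattern [smdh]$ for durations; requiring a
# leading integer before the unit is an assumption made by this example.
DURATION_RE = re.compile(r"^\d+[smdh]$")

# name -> (kind, minimum, maximum) for every property the reference allows.
LOG_EXTRACTION_SCHEMA = {
    "additionalIndexPatterns": ("list", None, None),
    "delay": ("duration", None, None),
    "docsLimit": ("int", 1, INT_MAX),
    "fieldHistoryLength": ("int", -INT_MAX, INT_MAX),
    "filter": ("str", None, None),
    "frequency": ("duration", None, None),
    "lookbackPeriod": ("duration", None, None),
    "maxLogsPerPage": ("int", 1, INT_MAX),
}
HISTORY_SNAPSHOT_SCHEMA = {"frequency": ("duration", None, None)}


def _check_object(obj, schema, prefix, errors):
    """Validate a nested object against its schema; additional properties are rejected."""
    if not isinstance(obj, dict):
        errors.append(f"{prefix}: must be an object")
        return
    for key, value in obj.items():
        if key not in schema:
            errors.append(f"{prefix}.{key}: additional properties are not allowed")
            continue
        kind, lo, hi = schema[key]
        if kind == "int":
            # bool is a subclass of int in Python, so reject it explicitly.
            if isinstance(value, bool) or not isinstance(value, int):
                errors.append(f"{prefix}.{key}: must be an integer")
            elif not lo <= value <= hi:
                errors.append(f"{prefix}.{key}: must be between {lo} and {hi}")
        elif kind == "duration":
            if not isinstance(value, str) or not DURATION_RE.match(value):
                errors.append(f"{prefix}.{key}: must be a duration such as 30s, 5m, 12h or 1d")
        elif kind == "list":
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                errors.append(f"{prefix}.{key}: must be an array of strings")
        elif kind == "str" and not isinstance(value, str):
            errors.append(f"{prefix}.{key}: must be a string")


def validate_install_body(body):
    """Return a list of problems with an install request body; empty means acceptable."""
    errors = []
    for key in body:
        if key not in ("entityTypes", "historySnapshot", "logExtraction"):
            errors.append(f"{key}: unknown top-level property")
    types = body.get("entityTypes", list(ENTITY_TYPES))
    if not isinstance(types, list):
        errors.append("entityTypes: must be an array")
    else:
        for t in types:
            if t not in ENTITY_TYPES:
                errors.append(f"entityTypes: unsupported value {t!r}")
    if "historySnapshot" in body:
        _check_object(body["historySnapshot"], HISTORY_SNAPSHOT_SCHEMA, "historySnapshot", errors)
    if "logExtraction" in body:
        _check_object(body["logExtraction"], LOG_EXTRACTION_SCHEMA, "logExtraction", errors)
    return errors


def install_path(space_id=None):
    """Return the endpoint path, using the Spaces form when a space id is given."""
    path = "/api/security/entity_store/install"
    return f"/s/{space_id}{path}" if space_id else path


def describe_outcome(status, payload):
    """Translate the documented status codes into the meaning the reference gives them."""
    if status == 200:
        return "already installed: all requested entity types were present"
    if status == 201:
        return "installed: engines are being created"
    if status == 403:
        return "forbidden: " + payload.get("message", "insufficient privileges")
    return f"unexpected status {status}"


def install_entity_store(kibana_url, api_key, body, space_id=None, opener=urllib.request.urlopen):
    """Validate the body locally, POST it, and return (status, parsed JSON).

    `opener` defaults to urllib's urlopen and can be replaced for offline testing.
    """
    problems = validate_install_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        kibana_url.rstrip("/") + install_path(space_id),
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "kbn-xsrf": "true",  # required CSRF-protection header
            "Authorization": f"ApiKey {api_key}",
            "Content-Type": "application/json",
        },
    )
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        # 403 and other error statuses arrive here; surface the JSON body for the caller.
        return e.code, json.loads(e.read() or b"{}")


if __name__ == "__main__":
    import os
    body = {"entityTypes": ["host"], "logExtraction": {"lookbackPeriod": "12h", "fieldHistoryLength": 20}}
    status, payload = install_entity_store(os.environ["KIBANA_URL"], os.environ["API_KEY"], body)
    print(status, describe_outcome(status, payload))
```

Because the server rejects additional properties and out-of-range values with an error rather than ignoring them, validating the body before sending keeps the failure local and readable; the `opener` parameter is there so the request path can be exercised without a live Kibana.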

POST /api/security/entity_store/install

curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \
  "${KIBANA_URL}/api/security/entity_store/install"

POST kbn://api/security/entity_store/install
{
  "entityTypes": ["user", "host", "service", "generic"],
  "logExtraction": {}
}

Request examples

Install the Entity Store for all entity types with default log extraction settings.

{
  "entityTypes": [
    "user",
    "host",
    "service",
    "generic"
  ],
  "logExtraction": {}
}

Install the Entity Store for host entities only with a custom lookback period and field history length.

{
  "entityTypes": [
    "host"
  ],
  "logExtraction": {
    "delay": "2m",
    "fieldHistoryLength": 20,
    "filter": "host.os.type: linux",
    "frequency": "5m",
    "lookbackPeriod": "12h"
  }
}

Response examples (200)

All requested entity types were already installed.

{
  "ok": true
}

Response examples (201)

The Entity Store was installed and engines are being created.

{
  "ok": true
}

Response examples (403)

The user does not have the required Elasticsearch privileges.

{
  "error": "Forbidden",
  "message": "User 'analyst' has insufficient privileges",
  "statusCode": 403
}