Bulk update entities

PUT /api/security/entity_store/entities/bulk

Spaces method and path for this operation:

put /s/{space_id}/api/security/entity_store/entities/bulk

Refer to Spaces for more information.

Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

force string | boolean

When true, allows updating protected fields.

Values are true or false. Default value is false.

application/json

Body

entities array[object] Required

The entities to update.
Hide entities attributes Show entities attributes object
- doc object Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  entity object
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
  
  id string
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  schema_version string
  
  source array[string]
  
  sub_type string
  
  type string
  
  url string
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  labels object
  
  Additional properties are allowed.
  
  tags array[string]
  
  user object
  
  Additional properties are NOT allowed.
  
  Hide user attributes Show user attributes object
  
  domain array[string]
  
  email array[string]
  
  full_name array[string]
  
  hash array[string]
  
  id array[string]
  
  name string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  roles array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  entity object
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
  
  id string
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  schema_version string
  
  source array[string]
  
  sub_type string
  
  type string
  
  url string
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  host object
  
  Additional properties are NOT allowed.
  
  Hide host attributes Show host attributes object
  
  architecture array[string]
  
  domain array[string]
  
  hostname array[string]
  
  id array[string]
  
  ip array[string]
  
  mac array[string]
  
  name string
  
  os object
  
  Additional properties are NOT allowed.
  
  Hide os attributes Show os attributes object
  
  family string
  
  full string
  
  kernel string
  
  name string | array[string]
  
  Any of:
  string-1 string array-2 array[string]
  
  platform string
  
  type string | array[string]
  
  Any of:
  string-1 string array-2 array[string]
  
  version string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  type array[string]
  
  labels object
  
  Additional properties are allowed.
  
  tags array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  entity object
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
  
  id string
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  schema_version string
  
  source array[string]
  
  sub_type string
  
  type string
  
  url string
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  labels object
  
  Additional properties are allowed.
  
  service object
  
  Additional properties are NOT allowed.
  
  Hide service attributes Show service attributes object
  
  address string
  
  environment string
  
  ephemeral_id string
  
  id string
  
  name string
  
  node object
  
  Additional properties are NOT allowed.
  
  Hide node attributes Show node attributes object
  
  name string
  
  role string
  
  roles array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  state string
  
  type string
  
  version string
  
  tags array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  cloud object
  
  Additional properties are NOT allowed.
  
  Hide cloud attributes Show cloud attributes object
  
  account object
  
  Additional properties are NOT allowed.
  
  Hide account attributes Show account attributes object
  
  id string
  
  name string
  
  availability_zone string
  
  instance object
  
  Additional properties are NOT allowed.
  
  Hide instance attributes Show instance attributes object
  
  id string
  
  name string
  
  machine object
  
  Additional properties are NOT allowed.
  
  Hide machine attribute Show machine attribute object
  
  type string
  
  project object
  
  Additional properties are NOT allowed.
  
  Hide project attributes Show project attributes object
  
  id string
  
  name string
  
  provider string
  
  region string
  
  service object
  
  Additional properties are NOT allowed.
  
  Hide service attribute Show service attribute object
  
  name string
  
  entity object
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
  
  id string
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  schema_version string
  
  source array[string]
  
  sub_type string
  
  type string
  
  url string
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  labels object
  
  Additional properties are allowed.
  
  orchestrator object
  
  Additional properties are NOT allowed.
  
  Hide orchestrator attributes Show orchestrator attributes object
  
  api_version string
  
  cluster object
  
  Additional properties are NOT allowed.
  
  Hide cluster attributes Show cluster attributes object
  
  id string
  
  name string
  
  url string
  
  version string
  
  namespace string
  
  organization string
  
  resource object
  
  Additional properties are NOT allowed.
  
  Hide resource attributes Show resource attributes object
  
  annotation string
  
  id string
  
  ip string
  
  label string
  
  name string
  
  parent object
  
  Additional properties are NOT allowed.
  
  Hide parent attribute Show parent attribute object
  
  type string
  
  type string
  
  type string
  
  tags array[string]
- type string Required
  
  The entity type of this record.
  
  Values are user, host, service, or generic.

Responses

200 application/json

Indicates a successful response.
400 application/json

Bad request.

PUT /api/security/entity_store/entities/bulk

curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \
  "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true"

PUT kbn://api/security/entity_store/entities/bulk?force=true
{
  "entities": [
    {
      "type": "host",
      "doc": {
        "entity": {
          "id": "host:web-server-prod-01",
          "name": "web-server-prod-01",
          "type": "host",
          "attributes": { "asset": true }
        },
        "host": { "name": "web-server-prod-01" }
      }
    }
  ]
}

Request example

Update a host entity and a user entity in a single request.

{
  "entities": [
    {
      "doc": {
        "entity": {
          "attributes": {
            "asset": true
          },
          "id": "host:web-server-prod-01",
          "name": "web-server-prod-01",
          "type": "host"
        },
        "host": {
          "name": "web-server-prod-01"
        }
      },
      "type": "host"
    },
    {
      "doc": {
        "entity": {
          "attributes": {
            "managed": true
          },
          "id": "user:jane.doe@example.com",
          "name": "jane.doe",
          "type": "user"
        },
        "user": {
          "name": "jane.doe"
        }
      },
      "type": "user"
    }
  ]
}

Response examples (200)

Some entities were updated but others encountered Elasticsearch-level errors.

{
  "errors": [
    {
      "_id": "5de9f93a68a72532e736bf5a6184b06300b9cabf",
      "reason": "[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing",
      "status": 404,
      "type": "document_missing_exception"
    }
  ],
  "ok": true
}

All entities were successfully updated with no errors.

{
  "errors": [],
  "ok": true
}

Response examples (400)

The request attempts to update protected fields without the force query parameter.

{
  "error": "Bad Request",
  "message": "Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type",
  "statusCode": 400
}