Update an entity

PUT /api/security/entity_store/entities/{entityType}

Spaces method and path for this operation:

put /s/{space_id}/api/security/entity_store/entities/{entityType}

Refer to Spaces for more information.

Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the force query parameter to true to update protected fields.

[Required authorization] Route required privileges: securitySolution.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

entityType string Required

The entity type to update.

Values are user, host, service, or generic.

Query parameters

force string | boolean

When true, allows updating protected fields.

Values are true or false. Default value is false.

application/json

Body object

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
labels object

Additional properties are allowed.
tags array[string]
user object

Additional properties are NOT allowed.
Hide user attributes Show user attributes object
- domain array[string]
- email array[string]
- full_name array[string]
- hash array[string]
- id array[string]
- name string
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- roles array[string]

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
host object

Additional properties are NOT allowed.
Hide host attributes Show host attributes object
- architecture array[string]
- domain array[string]
- hostname array[string]
- id array[string]
- ip array[string]
- mac array[string]
- name string
- os object
  
  Additional properties are NOT allowed.
  Hide os attributes Show os attributes object
  
  family string
  
  full string
  
  kernel string
  
  name string | array[string]
  
  Any of:
  string-1 string array-2 array[string]
  
  platform string
  
  type string | array[string]
  
  Any of:
  string-1 string array-2 array[string]
  
  version string
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- type array[string]
labels object

Additional properties are allowed.
tags array[string]

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
labels object

Additional properties are allowed.
service object

Additional properties are NOT allowed.
Hide service attributes Show service attributes object
- address string
- environment string
- ephemeral_id string
- id string
- name string
- node object
  
  Additional properties are NOT allowed.
  Hide node attributes Show node attributes object
  
  name string
  
  role string
  
  roles array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- state string
- type string
- version string
tags array[string]

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
cloud object

Additional properties are NOT allowed.
Hide cloud attributes Show cloud attributes object
- account object
  
  Additional properties are NOT allowed.
  Hide account attributes Show account attributes object
  
  id string
  
  name string
- availability_zone string
- instance object
  
  Additional properties are NOT allowed.
  Hide instance attributes Show instance attributes object
  
  id string
  
  name string
- machine object
  
  Additional properties are NOT allowed.
  Hide machine attribute Show machine attribute object
  
  type string
- project object
  
  Additional properties are NOT allowed.
  Hide project attributes Show project attributes object
  
  id string
  
  name string
- provider string
- region string
- service object
  
  Additional properties are NOT allowed.
  Hide service attribute Show service attribute object
  
  name string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
labels object

Additional properties are allowed.
orchestrator object

Additional properties are NOT allowed.
Hide orchestrator attributes Show orchestrator attributes object
- api_version string
- cluster object
  
  Additional properties are NOT allowed.
  Hide cluster attributes Show cluster attributes object
  
  id string
  
  name string
  
  url string
  
  version string
- namespace string
- organization string
- resource object
  
  Additional properties are NOT allowed.
  Hide resource attributes Show resource attributes object
  
  annotation string
  
  id string
  
  ip string
  
  label string
  
  name string
  
  parent object
  
  Additional properties are NOT allowed.
  
  Hide parent attribute Show parent attribute object
  
  type string
  
  type string
- type string
tags array[string]

Responses

200 application/json

Indicates the entity was successfully updated.
400 application/json

Bad request.
404 application/json

Entity not found.

PUT /api/security/entity_store/entities/{entityType}

curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \
  "${KIBANA_URL}/api/security/entity_store/entities/user?force=true"

PUT kbn://api/security/entity_store/entities/user?force=true
{
  "entity": {
    "id": "user:jane.doe@example.com",
    "name": "jane.doe",
    "type": "user",
    "attributes": { "managed": true, "mfa_enabled": true }
  },
  "user": { "name": "jane.doe" }
}

Request example

Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter.

{
  "entity": {
    "attributes": {
      "managed": true,
      "mfa_enabled": true
    },
    "id": "user:jane.doe@example.com",
    "lifecycle": {
      "last_activity": "2026-04-10T14:30:00.000Z"
    },
    "name": "jane.doe",
    "type": "user"
  },
  "user": {
    "email": [
      "jane.doe@example.com"
    ],
    "name": "jane.doe",
    "roles": [
      "admin",
      "analyst"
    ]
  }
}

Response examples (200)

The entity record was successfully updated.

{
  "ok": true
}

Response examples (400)

The request attempts to update protected fields without the force query parameter.

{
  "error": "Bad Request",
  "message": "Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type",
  "statusCode": 400
}

Response examples (404)

No entity with the specified identifier exists.

{
  "error": "Not Found",
  "message": "Entity ID 'user:jane.doe@example.com' not found",
  "statusCode": 404
}