Manually unassign entities from a watchlist Technical Preview; added in 9.4.0

POST /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
Api key auth Basic auth

Spaces method and path for this operation:

post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign

Refer to Spaces for more information.

Unassigns the provided entities from the specified watchlist. This only removes the "manual" assignment. If the entity is also assigned via other sources (for example, index or integration), it will remain on the watchlist.

Path parameters

  • watchlist_id string Required

    The ID of the watchlist to remove entities from

application/json

Body Required

  • euids array[string] Required

    The EUIDs of the entities to unassign

Responses

  • 200 application/json

    Unassignment successful

    Hide response attributes Show response attributes object
    • failed integer Required

      Number of entities that failed to process

    • items array[object] Required
      Hide items attributes Show items attributes object
      • error string

        Error message if the entity failed to process

      • euid string Required

        The EUID of the entity

      • status string Required

        Values are success, failure, or not_found.

    • not_found integer Required

      Number of entities not found in the manual watchlist assignment

    • successful integer Required

      Number of entities successfully unassigned

    • total integer Required

      Total number of entities processed
POST /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign 
curl \
 --request POST 'https://localhost:5601/api/entity_analytics/watchlists/high-risk-vendors/entities/unassign' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"euids":["user:john.doe","host:web-01"]}'
Request example 
{
  "euids": [
    "user:john.doe",
    "host:web-01"
  ]
}
Response examples (200) 
{
  "failed": 0,
  "items": [
    {
      "euid": "user:john.doe",
      "status": "success"
    },
    {
      "euid": "host:web-01",
      "status": "not_found"
    }
  ],
  "not_found": 1,
  "successful": 1,
  "total": 2
}