List Entity Store Entities

View as Markdown

GET /api/entity_store/entities/list

Api key auth Basic auth

Spaces method and path for this operation:

get /s/{space_id}/api/entity_store/entities/list

Refer to Spaces for more information.

List entities records, paging, sorting and filtering as needed.

Query parameters

sort_field string
sort_order string

Values are asc or desc.
page integer

Minimum value is 1.
per_page integer

Minimum value is 1, maximum value is 10000.
filterQuery string

An ES query to filter by.
entity_types array[string] Required

Values are user, host, or service.

Responses

200 application/json

Entities returned successfully
Hide response attributes Show response attributes object
- inspect object
  
  Hide inspect attributes Show inspect attributes object
  
  dsl array[string] Required
  
  response array[string] Required
- page integer Required
  
  Minimum value is 1.
- per_page integer Required
  
  Minimum value is 1, maximum value is 1000.
- records array[object] Required
  
  One of:
  Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Hide asset attribute Show asset attribute object
  
  criticality string Required
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  entity object Required
  
  Hide entity attributes Show entity attributes object
  
  name string Required
  
  source string Required
  
  event object
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  user object Required
  
  Hide user attributes Show user attributes object
  
  domain array[string]
  
  email array[string]
  
  full_name array[string]
  
  hash array[string]
  
  id array[string]
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  notes array[string] Required
  
  roles array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Hide asset attribute Show asset attribute object
  
  criticality string Required
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  entity object Required
  
  Hide entity attributes Show entity attributes object
  
  name string Required
  
  source string Required
  
  event object
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  host object Required
  
  Hide host attributes Show host attributes object
  
  architecture array[string]
  
  domain array[string]
  
  hostname array[string]
  
  id array[string]
  
  ip array[string]
  
  mac array[string]
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  notes array[string] Required
  
  type array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Hide asset attribute Show asset attribute object
  
  criticality string Required
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  entity object Required
  
  Hide entity attributes Show entity attributes object
  
  name string Required
  
  source string Required
  
  event object
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  service object Required
  
  Hide service attributes Show service attributes object
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  notes array[string] Required
- total integer Required
  
  Minimum value is 0.

GET /api/entity_store/entities/list

curl \
 --request GET 'https://localhost:5601/api/entity_store/entities/list?entity_types=user' \
 --header "Authorization: $API_KEY"