POST /api/entity_analytics/monitoring/users
Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/entity_analytics/monitoring/users

Refer to Spaces for more information.

Creates a new privileged user to be monitored by the Privilege Monitoring Engine.

application/json

Body Required

  • entity_analytics_monitoring object

    Entity analytics monitoring configuration for the user

    Hide entity_analytics_monitoring attribute Show entity_analytics_monitoring attribute object
    • labels array[object]

      Array of labels associated with the user

      Hide labels attributes Show labels attributes object
      • field string

        The field name for the label

      • source string

        The source where this label was created (api, csv, or index_sync)

        Values are api, csv, or index_sync.

      • value string

        The value of the label

  • user object
    Hide user attribute Show user attribute object
    • name string

      The name of the user.

Responses

  • 200 application/json

    User created successfully

    Hide response attributes Show response attributes object
    • entity_analytics_monitoring object
      Hide entity_analytics_monitoring attribute Show entity_analytics_monitoring attribute object
      • labels array[object]
        Hide labels attributes Show labels attributes object
        • field string Required
        • source string Required
        • value string Required
    • id string
    • labels object
      Hide labels attributes Show labels attributes object
      • source_ids array[string]
      • source_integrations array[string]
      • sources array

        Values are csv, index_sync, or api.

    • user object
      Hide user attributes Show user attributes object
      • is_privileged boolean

        Indicates if the user is privileged.

      • name string
      • entity object
        Hide entity attribute Show entity attribute object
        • attributes object
          Hide attributes attribute Show attributes attribute object
          • Privileged boolean

            Indicates if the user is privileged.

    • @timestamp string(date-time)
    • event object
      Hide event attributes Show event attributes object
      • @timestamp string(date-time)
      • ingested string(date-time)
POST /api/entity_analytics/monitoring/users 
curl \
 --request POST 'https://<KIBANA_URL>/api/entity_analytics/monitoring/users' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"entity_analytics_monitoring":{"labels":[{"field":"department","source":"api","value":"IT"}]},"user":{"name":"john.doe"}}'
Request example 
{
  "entity_analytics_monitoring": {
    "labels": [
      {
        "field": "department",
        "source": "api",
        "value": "IT"
      }
    ]
  },
  "user": {
    "name": "john.doe"
  }
}
Response examples (200) 
{
  "@timestamp": "2026-01-28T12:00:00.000Z",
  "entity_analytics_monitoring": {
    "labels": [
      {
        "field": "department",
        "source": "api",
        "value": "IT"
      }
    ]
  },
  "event": {
    "ingested": "2026-01-28T12:00:00.000Z"
  },
  "id": "user-abc-123",
  "user": {
    "is_privileged": true,
    "name": "john.doe"
  }
}