POST /api/entity_analytics/watchlists
Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/entity_analytics/watchlists

Refer to Spaces for more information.

Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities.

application/json

Body Required

  • description string

    Description of the watchlist

  • entitySources array[object]

    Optional entity sources to create and link to the watchlist

    Hide entitySources attributes Show entitySources attributes object
    • enabled boolean
    • filter object
      Hide filter attribute Show filter attribute object
    • identifierField string

      Field used to query the entity store for index-type sources

    • indexPattern string
    • integrationName string

      Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad.

    • matchers array[object]
      Hide matchers attributes Show matchers attributes object
      • fields array[string] Required

      • values array[string] | array[boolean] Required

        Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability.

        One of:
        array-1 array[string] array-2 array[boolean]
    • name string Required
    • queryRule string

      KQL query used to filter data from the provided index patterns

    • range object

      Defines the lookback period for filtering source data by timestamp.

      Hide range attributes Show range attributes object
      • end string Required

        End of the lookback period (date math or ISO string, e.g. "now")

      • start string Required

        Start of the lookback period (date math or ISO string, e.g. "now-10d")

    • type string Required

      Values are index, entity_analytics_integration, or store.

  • managed boolean

    Indicates if the watchlist is managed by the system

  • name string Required

    Unique name for the watchlist

  • riskModifier number Required

    Risk score modifier associated with the watchlist

    Minimum value is 0, maximum value is 2.

Responses

  • 200 application/json

    Watchlist created successfully

    Hide response attributes Show response attributes object
    • createdAt string(date-time)

      Timestamp indicating when the watchlist was created

    • description string

      Description of the watchlist

    • entityCount number

      Number of entities in the watchlist

    • entitySourceIds array[string]

      List of entity source IDs associated with the watchlist

    • id string

      The unique ID of the watchlist

    • managed boolean Required

      Indicates if the watchlist is managed by the system

    • name string Required

      The name of the watchlist

    • riskModifier number Required

      Risk score modifier associated with the watchlist

    • updatedAt string(date-time)

      Timestamp indicating when the watchlist was last updated

    • entitySources array[object]
      Hide entitySources attributes Show entitySources attributes object
      • enabled boolean
      • filter object
        Hide filter attribute Show filter attribute object
      • identifierField string

        Field used to query the entity store for index-type sources

      • indexPattern string
      • integrationName string
      • integrations object
        Hide integrations attributes Show integrations attributes object
        • syncData object

          integrations latest full sync and update syncData

          Hide syncData attributes Show syncData attributes object
          • lastFullSync string(date-time)

            Timestamp of the last full sync from integrations

          • lastUpdateProcessed string(date-time)

            Timestamp of the last update processed from integrations

        • syncMarkerIndex string

          Index to read latest sync markers from

      • matchers array[object]
        Hide matchers attributes Show matchers attributes object
        • fields array[string] Required

        • values array[string] | array[boolean] Required

          Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability.

          One of:
          array-1 array[string] array-2 array[boolean]
      • name string
      • queryRule string

        KQL query used to filter data from the provided index patterns

      • range object

        Defines the lookback period for filtering source data by timestamp.

        Hide range attributes Show range attributes object
        • end string Required

          End of the lookback period (date math or ISO string, e.g. "now")

        • start string Required

          Start of the lookback period (date math or ISO string, e.g. "now-10d")

      • type string

        Values are index, entity_analytics_integration, or store.

      • managed boolean
      • id string Required
POST /api/entity_analytics/watchlists 
curl \
 --request POST 'https://<KIBANA_URL>/api/entity_analytics/watchlists' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"High risk vendor watchlist","managed":false,"name":"High Risk Vendors","riskModifier":1.5}'
Request examples 
{
  "description": "High risk vendor watchlist",
  "managed": false,
  "name": "High Risk Vendors",
  "riskModifier": 1.5
}
{
  "description": "High risk vendor watchlist",
  "entitySources": [
    {
      "enabled": true,
      "identifierField": "user.name",
      "indexPattern": "my-sync-index",
      "name": "My User Index Source",
      "type": "index"
    }
  ],
  "managed": false,
  "name": "High Risk Vendors",
  "riskModifier": 1.5
}
Response examples (200) 
{
  "createdAt": "2026-01-28T12:00:00.000Z",
  "description": "High risk vendor watchlist",
  "id": "watchlist-123",
  "managed": false,
  "name": "High Risk Vendors",
  "riskModifier": 1.5,
  "updatedAt": "2026-01-28T12:00:00.000Z"
}