Spaces method and path for this operation:
Refer to Spaces for more information.
List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.
[Required authorization] Route required privileges: securitySolution.
Query parameters
- A Kibana Query Language (KQL) filter for the search-after mode.
- Number of entities to return in search-after mode. Minimum value is 1, maximum value is 9007199254740991.
- JSON-encoded search_after value for cursor-based pagination.
- Fields to include in the response source.
- Fields to include in the response.
- Field to sort results by in page mode.
- Sort order in page mode. Values are asc or desc.
- Page number to return (1-indexed) in page mode. Minimum value is 1, maximum value is 9007199254740991.
- Number of entities per page in page mode. Minimum value is 1, maximum value is 10000.
- An Elasticsearch query string to filter entities in page mode.
- Entity types to include in the results. Values are user, host, service, or generic.
curl -X GET -H "Authorization: ApiKey ${API_KEY}" \
  "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc"

GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc

{
  "page": 1,
  "per_page": 10,
  "records": [],
  "total": 0
}

{
  "inspect": {
    "dsl": [
      "{\"index\":[\"entities-latest-default\"],\"body\":{\"terms\":{\"entity.EngineMetadata.Type\":[\"host\"]}}}"
    ],
    "response": [
      "{\"took\":1,\"timed_out\":false,\"hits\":{\"total\":{\"value\":1,\"relation\":\"eq\"}}}"
    ]
  },
  "page": 1,
  "per_page": 10,
  "records": [
    {
      "@timestamp": "2026-04-10T08:30:00.000Z",
      "asset": {
        "criticality": "high_impact",
        "environment": "production"
      },
      "entity": {
        "attributes": {
          "asset": true,
          "managed": true
        },
        "id": "host:web-server-prod-01",
        "lifecycle": {
          "first_seen": "2026-01-15T10:00:00.000Z",
          "last_activity": "2026-04-10T08:30:00.000Z"
        },
        "name": "web-server-prod-01",
        "risk": {
          "calculated_level": "Moderate",
          "calculated_score": 47.5,
          "calculated_score_norm": 47.5
        },
        "source": [
          "logs"
        ],
        "type": "host"
      },
      "host": {
        "hostname": [
          "web-server-prod-01.example.com"
        ],
        "ip": [
          "10.0.1.42"
        ],
        "name": "web-server-prod-01",
        "os": {
          "name": "Ubuntu",
          "type": "linux"
        }
      }
    }
  ],
  "total": 1
}

{
  "entities": [
    {
      "@timestamp": "2026-04-10T08:30:00.000Z",
      "entity": {
        "id": "user:jane.doe@example.com",
        "name": "jane.doe",
        "type": "user"
      },
      "user": {
        "email": [
          "jane.doe@example.com"
        ],
        "name": "jane.doe"
      }
    }
  ],
  "nextSearchAfter": [
    1712736600000,
    1
  ]
}

{
  "error": "Bad Request",
  "message": "Invalid filter: Expected \"(\", \"{\", value, whitespace but \":\" found.\ninvalid :: query\n---------^",
  "statusCode": 400
}

{
  "error": "Bad Request",
  "message": "[request query]: Cannot combine page/per_page with searchAfter",
  "statusCode": 400
}
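
An added example, not taken from the Kibana documentation: a Python client for page mode that applies the documented limits before sending, walks pages until `total` is reached, and lists assets whose criticality is `high_impact`. `SAMPLE`, `fake_fetch`, the `kibana.example` host and the `low_impact` value are constructed for illustration; in live use `fetch` would issue the GET with the `Authorization: ApiKey` header from the curl example.

```python
import urllib.parse

ENDPOINT = "/api/security/entity_store/entities"  # path from the curl example above
ENTITY_TYPES = ("user", "host", "service", "generic")

def build_page_url(base_url, entity_type, page=1, per_page=10,
                   sort_field="@timestamp", sort_order="desc", search_after=None):
    """Build a page-mode URL, applying the documented limits before any request is sent."""
    if search_after is not None:
        raise ValueError("Cannot combine page/per_page with searchAfter")
    if entity_type not in ENTITY_TYPES or sort_order not in ("asc", "desc"):
        raise ValueError("unsupported entity type or sort order")
    if page < 1 or not 1 <= per_page <= 10000:
        raise ValueError("page must be >= 1 and per_page within 1..10000")
    query = urllib.parse.urlencode({"entity_types": entity_type, "page": page,
        "per_page": per_page, "sort_field": sort_field, "sort_order": sort_order})
    return f"{base_url.rstrip('/')}{ENDPOINT}?{query}"

def iter_entities(base_url, entity_type, fetch, per_page=10):
    """Yield each record once; `fetch` is any callable mapping a URL to parsed JSON."""
    page, returned, seen_ids = 1, 0, set()
    while True:
        body = fetch(build_page_url(base_url, entity_type, page, per_page))
        records = body.get("records", [])
        returned += len(records)
        for rec in records:
            if rec["entity"]["id"] not in seen_ids:  # a record can shift pages mid-walk
                seen_ids.add(rec["entity"]["id"])
                yield rec
        if not records or returned >= body.get("total", 0):
            return
        page += 1

def high_impact(records):
    """Map high_impact assets to (entity id, risk level, normalised risk score)."""
    return [(r["entity"]["id"], r["entity"].get("risk", {}).get("calculated_level"),
             r["entity"].get("risk", {}).get("calculated_score_norm"))
            for r in records if r.get("asset", {}).get("criticality") == "high_impact"]

# Constructed sample data: three host records, two of them marked high_impact.
SAMPLE = [{"entity": {"id": f"host:h{i}", "risk": {"calculated_level": "Moderate",
           "calculated_score_norm": 47.5}}, "asset": {"criticality": c}}
          for i, c in enumerate(["high_impact", "low_impact", "high_impact"])]

def fake_fetch(url):
    """Offline stand-in for the HTTP GET: serves SAMPLE the way page mode would."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    page, per_page = int(q["page"][0]), int(q["per_page"][0])
    return {"page": page, "per_page": per_page, "total": len(SAMPLE),
            "records": SAMPLE[(page - 1) * per_page: page * per_page]}
```

Calling `high_impact(iter_entities("https://kibana.example", "host", fake_fetch, per_page=2))` walks two pages of the sample and returns the two high-impact hosts.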