List Entity Store Entities

GET /api/entity_store/entities/list

Api key auth

List entities records, paging, sorting and filtering as needed.

Query parameters

sort_field string
sort_order string

Values are asc or desc.
page integer

Minimum value is 1.
per_page integer

Minimum value is 1, maximum value is 10000.
filterQuery string

An ES query to filter by.
entity_types array[string] Required

Values are user, host, service, or generic.

Responses

200 application/json

Entities returned successfully
Hide response attributes Show response attributes object
- inspect object
  
  Hide inspect attributes Show inspect attributes object
  
  dsl array[string] Required
  
  response array[string] Required
- page integer Required
  
  Minimum value is 1.
- per_page integer Required
  
  Minimum value is 1, maximum value is 1000.
- records array[object] Required
  
  One of:
  Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object Security_Entity_Analytics_API_GenericEntity object
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Hide asset attribute Show asset attribute object
  
  criticality string Required
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  entity object Required
  
  Hide entity attributes Show entity attributes object
  
  EngineMetadata object
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  name string Required
  
  source string Required
  
  type string Required
  
  event object
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  user object Required
  
  Hide user attributes Show user attributes object
  
  domain array[string]
  
  email array[string]
  
  full_name array[string]
  
  hash array[string]
  
  id array[string]
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Lexical description of the entity's risk.
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count number(integer) Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count number(integer)
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  notes array[string] Required
  
  roles array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Hide asset attribute Show asset attribute object
  
  criticality string Required
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  entity object Required
  
  Hide entity attributes Show entity attributes object
  
  EngineMetadata object
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  name string Required
  
  source string Required
  
  type string Required
  
  event object
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  host object Required
  
  Hide host attributes Show host attributes object
  
  architecture array[string]
  
  domain array[string]
  
  hostname array[string]
  
  id array[string]
  
  ip array[string]
  
  mac array[string]
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Lexical description of the entity's risk.
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count number(integer) Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count number(integer)
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  notes array[string] Required
  
  type array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Hide asset attribute Show asset attribute object
  
  criticality string Required
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  entity object Required
  
  Hide entity attributes Show entity attributes object
  
  EngineMetadata object
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  name string Required
  
  source string Required
  
  type string Required
  
  event object
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  service object Required
  
  Hide service attributes Show service attributes object
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Lexical description of the entity's risk.
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count number(integer) Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count number(integer)
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  notes array[string] Required
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Hide asset attribute Show asset attribute object
  
  criticality string Required
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  entity object Required
  
  Hide entity attributes Show entity attributes object
  
  category string
  
  EngineMetadata object
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  id string Required
  
  name string Required
  
  source string
  
  type string Required
- total integer Required
  
  Minimum value is 0.

GET /api/entity_store/entities/list

curl \
 --request GET 'https://<KIBANA_URL>/api/entity_store/entities/list?entity_types=user' \
 --header "Authorization: $API_KEY"