List Entity Store Entities

GET /api/entity_store/entities/list

Api key auth

Spaces method and path for this operation:

get /s/{space_id}/api/entity_store/entities/list

Refer to Spaces for more information.

List entities records, paging, sorting and filtering as needed.

Query parameters

sort_field string

Field to sort results by.
sort_order string

Sort order.

Values are asc or desc.
page integer

Page number to return (1-indexed).

Minimum value is 1.
per_page integer

Number of entities per page.

Minimum value is 1, maximum value is 10000.
filterQuery string

An ES query to filter by.
entity_types array[string] Required

Entity types to include in the results.

Values are user, host, service, or generic.

Responses

200 application/json

Entities returned successfully
Hide response attributes Show response attributes object
- inspect object
  
  Debug information about the Elasticsearch query executed.
  
  Hide inspect attributes Show inspect attributes object
  
  dsl array[string] Required
  
  Elasticsearch query DSL that was executed.
  
  response array[string] Required
  
  Raw Elasticsearch responses.
- page integer Required
  
  Current page number.
  
  Minimum value is 1.
- per_page integer Required
  
  Number of entities per page.
  
  Minimum value is 1, maximum value is 1000.
- records array[object] Required
  
  The entity records for this page.
  
  An entity record from the Entity Store. The entity namespace is a root-level field in the latest index, unlike source logs where it is nested under host, user, or service.
  
  One of:
  Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object Security_Entity_Analytics_API_GenericEntity object
  
  An entity record representing a user, stored in the Entity Store latest index.
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  The time the entity record was last updated.
  
  asset object
  
  Asset metadata associated with the entity.
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  Business unit the asset belongs to.
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  Deployment environment (for example, production, staging).
  
  id string
  
  Unique identifier for the asset.
  
  model string
  
  Model name or number.
  
  name string
  
  Human-readable asset name.
  
  owner string
  
  The owner of the asset.
  
  serial_number string
  
  Serial number of the asset.
  
  vendor string
  
  Vendor or manufacturer.
  
  entity object Required
  
  Core entity fields shared across all entity types. The entity namespace is a root-level field in the Entity Store latest index.
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Boolean flags describing characteristics of the entity.
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  Whether the entity is classified as an asset.
  
  managed boolean
  
  Whether the entity is managed (for example, via a directory service).
  
  mfa_enabled boolean
  
  Whether multi-factor authentication is enabled for the entity.
  
  privileged boolean
  
  Whether the entity has elevated privileges.
  
  behaviors object
  
  Boolean flags indicating observed behavioral signals.
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  Whether the entity has been targeted by brute-force attacks.
  
  new_country_login boolean
  
  Whether the entity has logged in from a new country.
  
  used_usb_device boolean
  
  Whether the entity has used a USB device.
  
  EngineMetadata object
  
  Internal metadata attached to an entity by the engine that produced it.
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  The engine type that produced this entity record.
  
  id string Required
  
  Unique identifier for this entity.
  
  lifecycle object
  
  Timestamps tracking the entity lifecycle.
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  When the entity was first observed.
  
  last_activity string(date-time)
  
  When the entity last generated activity.
  
  last_seen string(date-time)
  
  When the entity was last observed.
  
  name string
  
  Human-readable name of the entity.
  
  relationships object
  
  Connections between this entity and other entities.
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  Entity IDs that frequently access this entity.
  
  accesses_frequently array[string]
  
  Entity IDs this entity accesses frequently.
  
  accesses_infrequently array[string]
  
  Entity IDs this entity accesses infrequently.
  
  communicates_with array[string]
  
  Entity IDs this entity communicates with.
  
  dependent_of array[string]
  
  Entity IDs that depend on this entity.
  
  depends_on array[string]
  
  Entity IDs this entity depends on.
  
  owned_by array[string]
  
  Entity IDs that own this entity.
  
  owns array[string]
  
  Entity IDs owned by this entity.
  
  supervised_by array[string]
  
  Entity IDs that supervise this entity.
  
  supervises array[string]
  
  Entity IDs supervised by this entity.
  
  risk object
  
  Risk scoring information for the entity.
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  The source that produced this entity record.
  
  sub_type string
  
  Optional sub-type classification for the entity.
  
  type string
  
  The entity type.
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  When the event was ingested into Elasticsearch.
  
  user object
  
  Elastic Common Schema (ECS) user fields collected on the entity.
  
  Additional properties are NOT allowed.
  
  Hide user attributes Show user attributes object
  
  domain array[string]
  
  Observed user domains.
  
  email array[string]
  
  Observed email addresses.
  
  full_name array[string]
  
  Observed full names of the user.
  
  hash array[string]
  
  Observed user hashes.
  
  id array[string]
  
  Observed user IDs.
  
  name string Required
  
  Primary user name.
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  calculation_run_id string
  
  Unique identifier for the scoring run that produced this document.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  Hide inputs attributes Show inputs attributes object
  
  A generic representation of a document contributing to a Risk Score.
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  entity_id string
  
  The EUID of the entity within the graph that generated this alert.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  modifiers array[object]
  
  A list of modifiers that were applied to the risk score calculation.
  
  Hide modifiers attributes Show modifiers attributes object
  
  contribution number(double) Required
  
  metadata object
  
  Additional properties are allowed.
  
  modifier_value number(double)
  
  subtype string
  
  type string Required
  
  notes array[string] Required
  
  related_entities array[object]
  
  Hide related_entities attributes Show related_entities attributes object
  
  entity_id string
  
  relationship_type string
  
  score_type string
  
  Distinguishes base, propagated, and resolution scores.
  
  Values are base, propagated, or resolution.
  
  roles array[string]
  
  Observed roles assigned to the user.
  
  An entity record representing a host, stored in the Entity Store latest index.
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  The time the entity record was last updated.
  
  asset object
  
  Asset metadata associated with the entity.
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  Business unit the asset belongs to.
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  Deployment environment (for example, production, staging).
  
  id string
  
  Unique identifier for the asset.
  
  model string
  
  Model name or number.
  
  name string
  
  Human-readable asset name.
  
  owner string
  
  The owner of the asset.
  
  serial_number string
  
  Serial number of the asset.
  
  vendor string
  
  Vendor or manufacturer.
  
  entity object Required
  
  Core entity fields shared across all entity types. The entity namespace is a root-level field in the Entity Store latest index.
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Boolean flags describing characteristics of the entity.
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  Whether the entity is classified as an asset.
  
  managed boolean
  
  Whether the entity is managed (for example, via a directory service).
  
  mfa_enabled boolean
  
  Whether multi-factor authentication is enabled for the entity.
  
  privileged boolean
  
  Whether the entity has elevated privileges.
  
  behaviors object
  
  Boolean flags indicating observed behavioral signals.
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  Whether the entity has been targeted by brute-force attacks.
  
  new_country_login boolean
  
  Whether the entity has logged in from a new country.
  
  used_usb_device boolean
  
  Whether the entity has used a USB device.
  
  EngineMetadata object
  
  Internal metadata attached to an entity by the engine that produced it.
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  The engine type that produced this entity record.
  
  id string Required
  
  Unique identifier for this entity.
  
  lifecycle object
  
  Timestamps tracking the entity lifecycle.
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  When the entity was first observed.
  
  last_activity string(date-time)
  
  When the entity last generated activity.
  
  last_seen string(date-time)
  
  When the entity was last observed.
  
  name string
  
  Human-readable name of the entity.
  
  relationships object
  
  Connections between this entity and other entities.
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  Entity IDs that frequently access this entity.
  
  accesses_frequently array[string]
  
  Entity IDs this entity accesses frequently.
  
  accesses_infrequently array[string]
  
  Entity IDs this entity accesses infrequently.
  
  communicates_with array[string]
  
  Entity IDs this entity communicates with.
  
  dependent_of array[string]
  
  Entity IDs that depend on this entity.
  
  depends_on array[string]
  
  Entity IDs this entity depends on.
  
  owned_by array[string]
  
  Entity IDs that own this entity.
  
  owns array[string]
  
  Entity IDs owned by this entity.
  
  supervised_by array[string]
  
  Entity IDs that supervise this entity.
  
  supervises array[string]
  
  Entity IDs supervised by this entity.
  
  risk object
  
  Risk scoring information for the entity.
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  The source that produced this entity record.
  
  sub_type string
  
  Optional sub-type classification for the entity.
  
  type string
  
  The entity type.
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  When the event was ingested into Elasticsearch.
  
  host object
  
  Elastic Common Schema (ECS) host fields collected on the entity.
  
  Additional properties are NOT allowed.
  
  Hide host attributes Show host attributes object
  
  architecture array[string]
  
  Observed CPU architectures.
  
  domain array[string]
  
  Observed host domains.
  
  entity object
  
  Core entity fields shared across all entity types. The entity namespace is a root-level field in the Entity Store latest index.
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Boolean flags describing characteristics of the entity.
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  Whether the entity is classified as an asset.
  
  managed boolean
  
  Whether the entity is managed (for example, via a directory service).
  
  mfa_enabled boolean
  
  Whether multi-factor authentication is enabled for the entity.
  
  privileged boolean
  
  Whether the entity has elevated privileges.
  
  behaviors object
  
  Boolean flags indicating observed behavioral signals.
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  Whether the entity has been targeted by brute-force attacks.
  
  new_country_login boolean
  
  Whether the entity has logged in from a new country.
  
  used_usb_device boolean
  
  Whether the entity has used a USB device.
  
  EngineMetadata object
  
  Internal metadata attached to an entity by the engine that produced it.
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  The engine type that produced this entity record.
  
  id string Required
  
  Unique identifier for this entity.
  
  lifecycle object
  
  Timestamps tracking the entity lifecycle.
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  When the entity was first observed.
  
  last_activity string(date-time)
  
  When the entity last generated activity.
  
  last_seen string(date-time)
  
  When the entity was last observed.
  
  name string
  
  Human-readable name of the entity.
  
  relationships object
  
  Connections between this entity and other entities.
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  Entity IDs that frequently access this entity.
  
  accesses_frequently array[string]
  
  Entity IDs this entity accesses frequently.
  
  accesses_infrequently array[string]
  
  Entity IDs this entity accesses infrequently.
  
  communicates_with array[string]
  
  Entity IDs this entity communicates with.
  
  dependent_of array[string]
  
  Entity IDs that depend on this entity.
  
  depends_on array[string]
  
  Entity IDs this entity depends on.
  
  owned_by array[string]
  
  Entity IDs that own this entity.
  
  owns array[string]
  
  Entity IDs owned by this entity.
  
  supervised_by array[string]
  
  Entity IDs that supervise this entity.
  
  supervises array[string]
  
  Entity IDs supervised by this entity.
  
  risk object
  
  Risk scoring information for the entity.
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  The source that produced this entity record.
  
  sub_type string
  
  Optional sub-type classification for the entity.
  
  type string
  
  The entity type.
  
  hostname array[string]
  
  Observed hostnames.
  
  id array[string]
  
  Observed host IDs.
  
  ip array[string]
  
  Observed IP addresses.
  
  mac array[string]
  
  Observed MAC addresses.
  
  name string Required
  
  Primary host name.
  
  os object
  
  Elastic Common Schema (ECS) host.os fields collected on the entity latest index.
  
  Additional properties are NOT allowed.
  
  Hide os attributes Show os attributes object
  
  family string
  
  full string
  
  kernel string
  
  name string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  platform string
  
  type string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  version string
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  calculation_run_id string
  
  Unique identifier for the scoring run that produced this document.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  Hide inputs attributes Show inputs attributes object
  
  A generic representation of a document contributing to a Risk Score.
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  entity_id string
  
  The EUID of the entity within the graph that generated this alert.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  modifiers array[object]
  
  A list of modifiers that were applied to the risk score calculation.
  
  Hide modifiers attributes Show modifiers attributes object
  
  contribution number(double) Required
  
  metadata object
  
  Additional properties are allowed.
  
  modifier_value number(double)
  
  subtype string
  
  type string Required
  
  notes array[string] Required
  
  related_entities array[object]
  
  Hide related_entities attributes Show related_entities attributes object
  
  entity_id string
  
  relationship_type string
  
  score_type string
  
  Distinguishes base, propagated, and resolution scores.
  
  Values are base, propagated, or resolution.
  
  type array[string]
  
  Observed host types.
  
  An entity record representing a service, stored in the Entity Store latest index.
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  The time the entity record was last updated.
  
  asset object
  
  Asset metadata associated with the entity.
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  Business unit the asset belongs to.
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  Deployment environment (for example, production, staging).
  
  id string
  
  Unique identifier for the asset.
  
  model string
  
  Model name or number.
  
  name string
  
  Human-readable asset name.
  
  owner string
  
  The owner of the asset.
  
  serial_number string
  
  Serial number of the asset.
  
  vendor string
  
  Vendor or manufacturer.
  
  entity object Required
  
  Core entity fields shared across all entity types. The entity namespace is a root-level field in the Entity Store latest index.
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Boolean flags describing characteristics of the entity.
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  Whether the entity is classified as an asset.
  
  managed boolean
  
  Whether the entity is managed (for example, via a directory service).
  
  mfa_enabled boolean
  
  Whether multi-factor authentication is enabled for the entity.
  
  privileged boolean
  
  Whether the entity has elevated privileges.
  
  behaviors object
  
  Boolean flags indicating observed behavioral signals.
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  Whether the entity has been targeted by brute-force attacks.
  
  new_country_login boolean
  
  Whether the entity has logged in from a new country.
  
  used_usb_device boolean
  
  Whether the entity has used a USB device.
  
  EngineMetadata object
  
  Internal metadata attached to an entity by the engine that produced it.
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  The engine type that produced this entity record.
  
  id string Required
  
  Unique identifier for this entity.
  
  lifecycle object
  
  Timestamps tracking the entity lifecycle.
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  When the entity was first observed.
  
  last_activity string(date-time)
  
  When the entity last generated activity.
  
  last_seen string(date-time)
  
  When the entity was last observed.
  
  name string
  
  Human-readable name of the entity.
  
  relationships object
  
  Connections between this entity and other entities.
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  Entity IDs that frequently access this entity.
  
  accesses_frequently array[string]
  
  Entity IDs this entity accesses frequently.
  
  accesses_infrequently array[string]
  
  Entity IDs this entity accesses infrequently.
  
  communicates_with array[string]
  
  Entity IDs this entity communicates with.
  
  dependent_of array[string]
  
  Entity IDs that depend on this entity.
  
  depends_on array[string]
  
  Entity IDs this entity depends on.
  
  owned_by array[string]
  
  Entity IDs that own this entity.
  
  owns array[string]
  
  Entity IDs owned by this entity.
  
  supervised_by array[string]
  
  Entity IDs that supervise this entity.
  
  supervises array[string]
  
  Entity IDs supervised by this entity.
  
  risk object
  
  Risk scoring information for the entity.
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  The source that produced this entity record.
  
  sub_type string
  
  Optional sub-type classification for the entity.
  
  type string
  
  The entity type.
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  When the event was ingested into Elasticsearch.
  
  service object
  
  Elastic Common Schema (ECS) service fields collected on the entity.
  
  Additional properties are NOT allowed.
  
  Hide service attributes Show service attributes object
  
  entity object
  
  Core entity fields shared across all entity types. The entity namespace is a root-level field in the Entity Store latest index.
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Boolean flags describing characteristics of the entity.
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  Whether the entity is classified as an asset.
  
  managed boolean
  
  Whether the entity is managed (for example, via a directory service).
  
  mfa_enabled boolean
  
  Whether multi-factor authentication is enabled for the entity.
  
  privileged boolean
  
  Whether the entity has elevated privileges.
  
  behaviors object
  
  Boolean flags indicating observed behavioral signals.
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  Whether the entity has been targeted by brute-force attacks.
  
  new_country_login boolean
  
  Whether the entity has logged in from a new country.
  
  used_usb_device boolean
  
  Whether the entity has used a USB device.
  
  EngineMetadata object
  
  Internal metadata attached to an entity by the engine that produced it.
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  The engine type that produced this entity record.
  
  id string Required
  
  Unique identifier for this entity.
  
  lifecycle object
  
  Timestamps tracking the entity lifecycle.
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  When the entity was first observed.
  
  last_activity string(date-time)
  
  When the entity last generated activity.
  
  last_seen string(date-time)
  
  When the entity was last observed.
  
  name string
  
  Human-readable name of the entity.
  
  relationships object
  
  Connections between this entity and other entities.
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  Entity IDs that frequently access this entity.
  
  accesses_frequently array[string]
  
  Entity IDs this entity accesses frequently.
  
  accesses_infrequently array[string]
  
  Entity IDs this entity accesses infrequently.
  
  communicates_with array[string]
  
  Entity IDs this entity communicates with.
  
  dependent_of array[string]
  
  Entity IDs that depend on this entity.
  
  depends_on array[string]
  
  Entity IDs this entity depends on.
  
  owned_by array[string]
  
  Entity IDs that own this entity.
  
  owns array[string]
  
  Entity IDs owned by this entity.
  
  supervised_by array[string]
  
  Entity IDs that supervise this entity.
  
  supervises array[string]
  
  Entity IDs supervised by this entity.
  
  risk object
  
  Risk scoring information for the entity.
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  The source that produced this entity record.
  
  sub_type string
  
  Optional sub-type classification for the entity.
  
  type string
  
  The entity type.
  
  name string Required
  
  Primary service name.
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  calculation_run_id string
  
  Unique identifier for the scoring run that produced this document.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  Hide inputs attributes Show inputs attributes object
  
  A generic representation of a document contributing to a Risk Score.
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  entity_id string
  
  The EUID of the entity within the graph that generated this alert.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  modifiers array[object]
  
  A list of modifiers that were applied to the risk score calculation.
  
  Hide modifiers attributes Show modifiers attributes object
  
  contribution number(double) Required
  
  metadata object
  
  Additional properties are allowed.
  
  modifier_value number(double)
  
  subtype string
  
  type string Required
  
  notes array[string] Required
  
  related_entities array[object]
  
  Hide related_entities attributes Show related_entities attributes object
  
  entity_id string
  
  relationship_type string
  
  score_type string
  
  Distinguishes base, propagated, and resolution scores.
  
  Values are base, propagated, or resolution.
  
  A generic entity record. Maps only the entity and asset namespaces. Add additional field mappings here as needed.
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  The time the entity record was last updated.
  
  asset object
  
  Asset metadata associated with the entity.
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  Business unit the asset belongs to.
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  Deployment environment (for example, production, staging).
  
  id string
  
  Unique identifier for the asset.
  
  model string
  
  Model name or number.
  
  name string
  
  Human-readable asset name.
  
  owner string
  
  The owner of the asset.
  
  serial_number string
  
  Serial number of the asset.
  
  vendor string
  
  Vendor or manufacturer.
  
  entity object Required
  
  Core entity fields shared across all entity types. The entity namespace is a root-level field in the Entity Store latest index.
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Boolean flags describing characteristics of the entity.
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  Whether the entity is classified as an asset.
  
  managed boolean
  
  Whether the entity is managed (for example, via a directory service).
  
  mfa_enabled boolean
  
  Whether multi-factor authentication is enabled for the entity.
  
  privileged boolean
  
  Whether the entity has elevated privileges.
  
  behaviors object
  
  Boolean flags indicating observed behavioral signals.
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  Whether the entity has been targeted by brute-force attacks.
  
  new_country_login boolean
  
  Whether the entity has logged in from a new country.
  
  used_usb_device boolean
  
  Whether the entity has used a USB device.
  
  EngineMetadata object
  
  Internal metadata attached to an entity by the engine that produced it.
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  The engine type that produced this entity record.
  
  id string Required
  
  Unique identifier for this entity.
  
  lifecycle object
  
  Timestamps tracking the entity lifecycle.
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  When the entity was first observed.
  
  last_activity string(date-time)
  
  When the entity last generated activity.
  
  last_seen string(date-time)
  
  When the entity was last observed.
  
  name string
  
  Human-readable name of the entity.
  
  relationships object
  
  Connections between this entity and other entities.
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  Entity IDs that frequently access this entity.
  
  accesses_frequently array[string]
  
  Entity IDs this entity accesses frequently.
  
  accesses_infrequently array[string]
  
  Entity IDs this entity accesses infrequently.
  
  communicates_with array[string]
  
  Entity IDs this entity communicates with.
  
  dependent_of array[string]
  
  Entity IDs that depend on this entity.
  
  depends_on array[string]
  
  Entity IDs this entity depends on.
  
  owned_by array[string]
  
  Entity IDs that own this entity.
  
  owns array[string]
  
  Entity IDs owned by this entity.
  
  supervised_by array[string]
  
  Entity IDs that supervise this entity.
  
  supervises array[string]
  
  Entity IDs supervised by this entity.
  
  risk object
  
  Risk scoring information for the entity.
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  The source that produced this entity record.
  
  sub_type string
  
  Optional sub-type classification for the entity.
  
  type string
  
  The entity type.
- total integer Required
  
  Total number of entities matching the query.
  
  Minimum value is 0.

GET /api/entity_store/entities/list

curl \
 --request GET 'https://<KIBANA_URL>/api/entity_store/entities/list?entity_types=user' \
 --header "Authorization: $API_KEY"

List Entity Store Entities

Query parameters

Responses

name string | array[string]

type string | array[string]