GET /api/entity_analytics/monitoring/users/list
Api key auth

Spaces method and path for this operation:

get /s/{space_id}/api/entity_analytics/monitoring/users/list

Refer to Spaces for more information.

Returns a list of all privileged users currently being monitored. Supports optional KQL filtering.

Query parameters

  • kql string

    KQL query to filter the list of monitored users

Responses

  • 200 application/json

    List of monitored users

    Hide response attributes Show response attributes object
    • entity_analytics_monitoring object
      Hide entity_analytics_monitoring attribute Show entity_analytics_monitoring attribute object
      • labels array[object]
        Hide labels attributes Show labels attributes object
        • field string Required
        • source string Required
        • value string Required
    • id string
    • labels object
      Hide labels attributes Show labels attributes object
      • source_ids array[string]
      • source_integrations array[string]
      • sources array

        Values are csv, index_sync, or api.

    • user object
      Hide user attributes Show user attributes object
      • is_privileged boolean

        Indicates if the user is privileged.

      • name string
      • entity object
        Hide entity attribute Show entity attribute object
        • attributes object
          Hide attributes attribute Show attributes attribute object
          • Privileged boolean

            Indicates if the user is privileged.

    • @timestamp string(date-time)
    • event object
      Hide event attributes Show event attributes object
      • @timestamp string(date-time)
      • ingested string(date-time)
GET /api/entity_analytics/monitoring/users/list 
curl \
 --request GET 'https://<KIBANA_URL>/api/entity_analytics/monitoring/users/list' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "@timestamp": "2026-01-28T12:00:00.000Z",
    "entity_analytics_monitoring": {
      "labels": [
        {
          "field": "department",
          "source": "api",
          "value": "IT"
        }
      ]
    },
    "event": {
      "ingested": "2026-01-28T12:00:00.000Z"
    },
    "id": "user-abc-123",
    "user": {
      "is_privileged": true,
      "name": "john.doe"
    }
  },
  {
    "@timestamp": "2026-01-15T09:00:00.000Z",
    "entity_analytics_monitoring": {
      "labels": [
        {
          "field": "department",
          "source": "csv",
          "value": "Security"
        }
      ]
    },
    "event": {
      "ingested": "2026-01-15T09:00:00.000Z"
    },
    "id": "user-def-456",
    "user": {
      "is_privileged": true,
      "name": "jane.smith"
    }
  }
]