Create an entity

POST /api/security/entity_store/entities/{entityType}

Spaces method and path for this operation:

post /s/{space_id}/api/security/entity_store/entities/{entityType}

Refer to Spaces for more information.

Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

entityType string Required

The entity type to create.

Values are user, host, service, or generic.

application/json

Body object

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
labels object

Additional properties are allowed.
tags array[string]
user object

Additional properties are NOT allowed.
Hide user attributes Show user attributes object
- domain array[string]
- email array[string]
- full_name array[string]
- hash array[string]
- id array[string]
- name string
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- roles array[string]

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
host object

Additional properties are NOT allowed.
Hide host attributes Show host attributes object
- architecture array[string]
- domain array[string]
- hostname array[string]
- id array[string]
- ip array[string]
- mac array[string]
- name string
- os object
  
  Additional properties are NOT allowed.
  Hide os attributes Show os attributes object
  
  family string
  
  full string
  
  kernel string
  
  name string | array[string]
  
  Any of:
  string-1 string array-2 array[string]
  
  platform string
  
  type string | array[string]
  
  Any of:
  string-1 string array-2 array[string]
  
  version string
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- type array[string]
labels object

Additional properties are allowed.
tags array[string]

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
labels object

Additional properties are allowed.
service object

Additional properties are NOT allowed.
Hide service attributes Show service attributes object
- address string
- environment string
- ephemeral_id string
- id string
- name string
- node object
  
  Additional properties are NOT allowed.
  Hide node attributes Show node attributes object
  
  name string
  
  role string
  
  roles array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- state string
- type string
- version string
tags array[string]

@timestamp string(date-time)

Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
asset object

Additional properties are NOT allowed.
Hide asset attributes Show asset attributes object
- business_unit string
- criticality string
  
  Any of:
  string-1 string 2
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
- environment string
- id string
- model string
- name string
- owner string
- serial_number string
- vendor string
cloud object

Additional properties are NOT allowed.
Hide cloud attributes Show cloud attributes object
- account object
  
  Additional properties are NOT allowed.
  Hide account attributes Show account attributes object
  
  id string
  
  name string
- availability_zone string
- instance object
  
  Additional properties are NOT allowed.
  Hide instance attributes Show instance attributes object
  
  id string
  
  name string
- machine object
  
  Additional properties are NOT allowed.
  Hide machine attribute Show machine attribute object
  
  type string
- project object
  
  Additional properties are NOT allowed.
  Hide project attributes Show project attributes object
  
  id string
  
  name string
- provider string
- region string
- service object
  
  Additional properties are NOT allowed.
  Hide service attribute Show service attribute object
  
  name string
entity object

Additional properties are NOT allowed.
Hide entity attributes Show entity attributes object
- attributes object
  
  Additional properties are NOT allowed.
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  known_redirects array[string]
  
  managed boolean
  
  mfa_enabled boolean
  
  oauth_consent_restriction string
  
  permissions array[string]
  
  storage_class string
  
  watchlists array[string]
- behaviors object
  
  Additional properties are NOT allowed.
  Hide behaviors attributes Show behaviors attributes object
  
  anomaly_job_ids array[string]
  
  rule_names array[string]
- EngineMetadata object
  
  Additional properties are NOT allowed.
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string
- id string
- lifecycle object
  
  Additional properties are NOT allowed.
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_activity string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
  
  last_seen string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
- name string
- relationships object
  
  Additional properties are NOT allowed.
  Hide relationships attributes Show relationships attributes object
  
  accesses_frequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_frequently attributes Show accesses_frequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  accesses_infrequently object
  
  Additional properties are NOT allowed.
  
  Hide accesses_infrequently attributes Show accesses_infrequently attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  administers object
  
  Additional properties are NOT allowed.
  
  Hide administers attributes Show administers attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  communicates_with object
  
  Additional properties are NOT allowed.
  
  Hide communicates_with attributes Show communicates_with attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  depends_on object
  
  Additional properties are NOT allowed.
  
  Hide depends_on attributes Show depends_on attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns object
  
  Additional properties are NOT allowed.
  
  Hide owns attributes Show owns attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  owns_inferred object
  
  Additional properties are NOT allowed.
  
  Hide owns_inferred attributes Show owns_inferred attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
  
  resolution object
  
  Additional properties are NOT allowed.
  
  Hide resolution attributes Show resolution attributes object
  
  resolved_to string
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
  
  supervises object
  
  Additional properties are NOT allowed.
  
  Hide supervises attributes Show supervises attributes object
  
  ids array[string]
  
  raw_identifiers object
  
  Additional properties are NOT allowed.
  
  Hide raw_identifiers attributes Show raw_identifiers attributes object
  
  entity.id array[string]
  
  host.id array[string]
  
  host.name array[string]
  
  service.name array[string]
  
  user.email array[string]
  
  user.id array[string]
  
  user.name array[string]
- risk object
  
  Additional properties are NOT allowed.
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number
  
  calculated_score_norm number
  
  Minimum value is 0, maximum value is 100.
- schema_version string
- source array[string]
- sub_type string
- type string
- url string
event object

Additional properties are NOT allowed.
Hide event attribute Show event attribute object
- ingested string(date-time)
  
  Format should match the following pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$.
labels object

Additional properties are allowed.
orchestrator object

Additional properties are NOT allowed.
Hide orchestrator attributes Show orchestrator attributes object
- api_version string
- cluster object
  
  Additional properties are NOT allowed.
  Hide cluster attributes Show cluster attributes object
  
  id string
  
  name string
  
  url string
  
  version string
- namespace string
- organization string
- resource object
  
  Additional properties are NOT allowed.
  Hide resource attributes Show resource attributes object
  
  annotation string
  
  id string
  
  ip string
  
  label string
  
  name string
  
  parent object
  
  Additional properties are NOT allowed.
  
  Hide parent attribute Show parent attribute object
  
  type string
  
  type string
- type string
tags array[string]

Responses

200 application/json

Indicates the entity was successfully created.
400 application/json

Bad request.
409 application/json

Conflict.

POST /api/security/entity_store/entities/{entityType}

curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \
  "${KIBANA_URL}/api/security/entity_store/entities/host"

POST kbn://api/security/entity_store/entities/host
{
  "entity": {
    "id": "host:web-server-prod-01",
    "name": "web-server-prod-01",
    "type": "host",
    "source": ["manual"],
    "attributes": { "asset": true }
  },
  "host": {
    "name": "web-server-prod-01",
    "ip": ["10.0.1.42"]
  }
}

Request example

Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type.

{
  "asset": {
    "business_unit": "Engineering",
    "criticality": "high_impact",
    "environment": "production"
  },
  "entity": {
    "attributes": {
      "asset": true,
      "managed": true
    },
    "id": "host:web-server-prod-01",
    "name": "web-server-prod-01",
    "source": [
      "manual"
    ],
    "type": "host"
  },
  "host": {
    "hostname": [
      "web-server-prod-01.example.com"
    ],
    "ip": [
      "10.0.1.42"
    ],
    "name": "web-server-prod-01"
  }
}

Response examples (200)

The entity record was successfully created in the Entity Store.

{
  "ok": true
}

Response examples (400)

The supplied entity identifier does not match the auto-generated identifier derived from the entity fields.

{
  "error": "Bad Request",
  "message": "Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01",
  "statusCode": 400
}

Response examples (409)

An entity with the specified identifier already exists.

{
  "error": "Conflict",
  "message": "Entity ID 'host:web-server-prod-01' already exists",
  "statusCode": 409
}

Create an entity

Headers

Path parameters

Body object

name string | array[string]

type string | array[string]

Responses