PUT /api/security/entity_store

Spaces method and path for this operation:

put /s/{space_id}/api/security/entity_store

Refer to Spaces for more information.

Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks.

application/json

Body

  • logExtraction object Required

    Additional properties are NOT allowed.

    • additionalIndexPatterns array[string]
    • delay string

      Format should match the following pattern: [smdh]$.

    • docsLimit integer

      Minimum value is 1, maximum value is 9007199254740991.

    • fieldHistoryLength integer

      Minimum value is -9007199254740991, maximum value is 9007199254740991.

    • filter string
    • frequency string

      Format should match the following pattern: [smdh]$.

    • lookbackPeriod string

      Format should match the following pattern: [smdh]$.

    • maxLogsPerPage integer

      Minimum value is 1, maximum value is 9007199254740991.

Responses

  • 200 application/json

    Indicates a successful response.

  • 400 application/json

    Bad request.

  • 404 application/json

    Entity Store not found.

curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \
  "${KIBANA_URL}/api/security/entity_store"

PUT kbn://api/security/entity_store
{
  "logExtraction": {
    "lookbackPeriod": "6h",
    "frequency": "10m",
    "fieldHistoryLength": 15
  }
}

Request example

Update the log extraction configuration with a new lookback period and frequency.

{
  "logExtraction": {
    "fieldHistoryLength": 15,
    "frequency": "10m",
    "lookbackPeriod": "6h"
  }
}

Response examples (200)

The Entity Store configuration was successfully updated.

{
  "ok": true
}

Response examples (400)

A log extraction parameter has an invalid duration format.

{
  "error": "Bad Request",
  "message": "[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)",
  "statusCode": 400
}

Response examples (404)

The Entity Store has not been installed yet.

{
  "error": "Not Found",
  "message": "Entity store is not installed",
  "statusCode": 404
}
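
A client-side pre-flight check for the request body, added here as an example and not taken from Kibana: it mirrors the documented logExtraction constraints so a malformed update is caught before the PUT is sent. The `validate_body` name, the `<digits><unit>` duration shape, and applying the 30-second minimum (quoted in the 400 example) only to `frequency` are assumptions.

```python
import re

MAX_SAFE_INT = 9007199254740991  # integer bound stated in the body schema
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DURATION_FIELDS = ("delay", "frequency", "lookbackPeriod")
INT_BOUNDS = {
    "docsLimit": (1, MAX_SAFE_INT),
    "maxLogsPerPage": (1, MAX_SAFE_INT),
    "fieldHistoryLength": (-MAX_SAFE_INT, MAX_SAFE_INT),
}
ALLOWED = set(DURATION_FIELDS) | set(INT_BOUNDS) | {"filter", "additionalIndexPatterns"}
# Assumption: a duration is "<digits><unit>"; the page documents only the unit suffix [smdh]$.
DURATION_RE = re.compile(r"([0-9]+)([smdh])")
MIN_FREQUENCY_SECONDS = 30  # taken from the message in the 400 response example


def validate_body(body):
    """Return a list of problems; an empty list means the body fits the documented schema."""
    cfg = body.get("logExtraction") if isinstance(body, dict) else None
    if not isinstance(cfg, dict):
        return ["logExtraction: required object is missing"]
    errors = [f"logExtraction.{k}: additional properties are not allowed"
              for k in sorted(set(cfg) - ALLOWED)]
    for key in DURATION_FIELDS:
        if key not in cfg:
            continue
        match = DURATION_RE.fullmatch(cfg[key]) if isinstance(cfg[key], str) else None
        if match is None:
            errors.append(f"logExtraction.{key}: expected a duration such as 10m or 6h")
        elif (key == "frequency"
              and int(match[1]) * UNIT_SECONDS[match[2]] < MIN_FREQUENCY_SECONDS):
            errors.append("logExtraction.frequency: must be at least 30 seconds")
    for key, (low, high) in INT_BOUNDS.items():
        value = cfg.get(key, low)
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            errors.append(f"logExtraction.{key}: expected an integer in [{low}, {high}]")
    if not isinstance(cfg.get("filter", ""), str):
        errors.append("logExtraction.filter: expected a string")
    patterns = cfg.get("additionalIndexPatterns", [])
    if not isinstance(patterns, list) or not all(isinstance(p, str) for p in patterns):
        errors.append("logExtraction.additionalIndexPatterns: expected an array of strings")
    return errors


if __name__ == "__main__":
    # Constructed payload: frequency is too short and "interval" is not a documented key.
    for problem in validate_body({"logExtraction": {"frequency": "10s", "interval": "5m"}}):
        print(problem)
```

The server remains the authority on what it accepts; this check only shortens the feedback loop for automation that pushes Entity Store configuration.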