PUT /api/entity_store/entities/{entityType}
Api key auth

Spaces method and path for this operation:

put /s/{space_id}/api/entity_store/entities/{entityType}

Refer to Spaces for more information.

Update or create an entity in Entity Store. If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * entity.attributes.* * entity.lifecycle.* * entity.behavior.* To update other fields, set the force query parameter to true. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index.

Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute.

Path parameters

  • entityType string Required

    The type of entity.

    Values are user, host, service, or generic.

Query parameters

  • force boolean

    When true, allows updating protected fields.

    Default value is false.

application/json

Body object Required

An entity record from the Entity Store. The entity namespace is a root-level field in the latest index, unlike source logs where it is nested under host, user, or service.

One of:
Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object Security_Entity_Analytics_API_GenericEntity object

Responses

  • 200 application/json

    Entity updated or created

    An entity record from the Entity Store. The entity namespace is a root-level field in the latest index, unlike source logs where it is nested under host, user, or service.

    One of:
    Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object Security_Entity_Analytics_API_GenericEntity object
  • 403

    Operation on a restricted field

  • 409

    Conflict. The entity was updated while another update was happening in ElasticSearch

  • 503

    Operation on an uninitialized Engine or in a cluster without CRUD API Enabled

PUT /api/entity_store/entities/{entityType} 
curl \
 --request PUT 'https://<KIBANA_URL>/api/entity_store/entities/user' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"@timestamp":"2026-05-04T09:42:00Z","asset":{"business_unit":"string","criticality":"low_impact","environment":"string","id":"string","model":"string","name":"string","owner":"string","serial_number":"string","vendor":"string"},"entity":{"attributes":{"asset":true,"managed":true,"mfa_enabled":true,"privileged":true},"behaviors":{"brute_force_victim":true,"new_country_login":true,"used_usb_device":true},"EngineMetadata":{"Type":"string"},"id":"arn:aws:iam::123456789012:user/jane.doe","lifecycle":{"first_seen":"2026-05-04T09:42:00Z","last_activity":"2026-05-04T09:42:00Z","last_seen":"2026-05-04T09:42:00Z"},"name":"jane.doe","relationships":{"accessed_frequently_by":["string"],"accesses_frequently":["string"],"accesses_infrequently":["string"],"communicates_with":["string"],"dependent_of":["string"],"depends_on":["string"],"owned_by":["string"],"owns":["string"],"supervised_by":["string"],"supervises":["string"]},"risk":{"calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0},"source":"string","sub_type":"string","type":"user"},"event":{"ingested":"2026-05-04T09:42:00Z"},"user":{"domain":["string"],"email":["string"],"full_name":["string"],"hash":["string"],"id":["string"],"name":"string","risk":{"@timestamp":"2017-07-21T17:32:28Z","calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0,"calculation_run_id":"string","category_1_count":42,"category_1_score":42.0,"category_2_count":42,"category_2_score":42.0,"criticality_level":"low_impact","criticality_modifier":42.0,"id_field":"host.name","id_value":"example.host","inputs":[{"category":"category_1","contribution_score":42.0,"description":"Generated from Detection Engine Rule: Malware Prevention Alert","entity_id":"string","id":"91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c","index":".internal.alerts-security.alerts-default-000001","risk_score":42.0,"timestamp":"2017-07-21T17:32:28Z"}],"modifiers":[{"contribution":42.0,"metadata":{},"modifier_value":42.0,"subtype":"string","type":"string"}],"notes":["string"],"related_entities":[{"entity_id":"string","relationship_type":"string"}],"score_type":"base"},"roles":["string"]}}'