diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index af98c99391754..a2f3a66e0dc63 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -63889,7 +63889,43 @@ paths:
fieldHistoryLength: 15
frequency: 10m
lookbackPeriod: 6h
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ logExtraction:
+ additionalProperties: false
+ type: object
+ properties:
+ additionalIndexPatterns:
+ items:
+ type: string
+ type: array
+ delay:
+ pattern: '[smdh]$'
+ type: string
+ docsLimit:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ fieldHistoryLength:
+ maximum: 9007199254740991
+ minimum: -9007199254740991
+ type: integer
+ filter:
+ type: string
+ frequency:
+ pattern: '[smdh]$'
+ type: string
+ lookbackPeriod:
+ pattern: '[smdh]$'
+ type: string
+ maxLogsPerPage:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ required:
+ - logExtraction
responses:
'200':
content:
@@ -63959,7 +63995,93 @@ paths:
List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.
[Required authorization] Route required privileges: securitySolution.
operationId: get-security-entity-store-entities
- parameters: []
+ parameters:
+ - description: A Kibana Query Language (KQL) filter for the search-after mode.
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Number of entities to return in search-after mode.
+ in: query
+ name: size
+ required: false
+ schema:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ - description: JSON-encoded search_after value for cursor-based pagination.
+ in: query
+ name: searchAfter
+ required: false
+ schema:
+ type: string
+ - description: Fields to include in the response source.
+ in: query
+ name: source
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Fields to include in the response.
+ in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Field to sort results by in page mode.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ type: string
+ - description: Sort order in page mode.
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: Page number to return (1-indexed) in page mode.
+ in: query
+ name: page
+ required: false
+ schema:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ - description: Number of entities per page in page mode.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ maximum: 10000
+ minimum: 1
+ type: integer
+ - description: An Elasticsearch query string to filter entities in page mode.
+ in: query
+ name: filterQuery
+ required: false
+ schema:
+ type: string
+ - description: Entity types to include in the results.
+ in: query
+ name: entity_types
+ required: false
+ schema:
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
@@ -64097,7 +64219,15 @@ paths:
summary: Delete an entity by identifier
value:
entityId: host:web-server-prod-01
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityId:
+ description: The identifier of the entity to delete.
+ type: string
+ required:
+ - entityId
responses:
'200':
content:
@@ -64159,6 +64289,17 @@ paths:
schema:
example: 'true'
type: string
+ - description: The entity type to create.
+ in: path
+ name: entityType
+ required: true
+ schema:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
requestBody:
content:
application/json:
@@ -64186,154 +64327,4699 @@ paths:
ip:
- 10.0.1.42
name: web-server-prod-01
- schema: {}
- responses:
- '200':
- content:
- application/json:
- examples:
- createSuccessExample:
- description: The entity record was successfully created in the Entity Store.
- summary: Entity created
- value:
- ok: true
- description: Indicates the entity was successfully created.
- '400':
- content:
- application/json:
- examples:
- euidMismatchExample:
- description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields.
- summary: Entity identifier mismatch
- value:
- error: Bad Request
- message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01'
- statusCode: 400
- description: Bad request.
- '409':
- content:
- application/json:
- examples:
- conflictExample:
- description: An entity with the specified identifier already exists.
- summary: Entity already exists
- value:
- error: Conflict
- message: Entity ID 'host:web-server-prod-01' already exists
- statusCode: 409
- description: Conflict.
- summary: Create an entity
- tags:
- - Security entity store
- x-codeSamples:
- - lang: curl
- source: |
- curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
- -H "Content-Type: application/json" \
- -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \
- "${KIBANA_URL}/api/security/entity_store/entities/host"
- - lang: Console
- source: |
- POST kbn://api/security/entity_store/entities/host
- {
- "entity": {
- "id": "host:web-server-prod-01",
- "name": "web-server-prod-01",
- "type": "host",
- "source": ["manual"],
- "attributes": { "asset": true }
- },
- "host": {
- "name": "web-server-prod-01",
- "ip": ["10.0.1.42"]
- }
- }
- x-metaTags:
- - content: Kibana, Elastic Cloud Serverless
- name: product_name
- put:
- description: |-
- **Spaces method and path for this operation:**
-
-
put /s/{space_id}/api/security/entity_store/entities/{entityType}
-
- Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
-
- Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.
[Required authorization] Route required privileges: securitySolution.
- operationId: put-security-entity-store-entities-entitytype
- parameters:
- - description: A required header to protect against CSRF attacks
- in: header
- name: kbn-xsrf
- required: true
- schema:
- example: 'true'
- type: string
- requestBody:
- content:
- application/json:
- examples:
- updateEntityAttributesExample:
- description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter.
- summary: Update entity attributes
- value:
- entity:
- attributes:
- managed: true
- mfa_enabled: true
- id: user:jane.doe@example.com
- lifecycle:
- last_activity: '2026-04-10T14:30:00.000Z'
- name: jane.doe
- type: user
- user:
- email:
- - jane.doe@example.com
- name: jane.doe
- roles:
- - admin
- - analyst
- schema: {}
- responses:
- '200':
- content:
- application/json:
- examples:
- updateSuccessExample:
- description: The entity record was successfully updated.
- summary: Entity updated
- value:
- ok: true
- description: Indicates the entity was successfully updated.
- '400':
- content:
- application/json:
- examples:
- protectedFieldsExample:
- description: The request attempts to update protected fields without the force query parameter.
- summary: Protected fields without force
- value:
- error: Bad Request
- message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type'
- statusCode: 400
- description: Bad request.
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- description: No entity with the specified identifier exists.
- summary: Entity not found
- value:
- error: Not Found
- message: Entity ID 'user:jane.doe@example.com' not found
- statusCode: 404
- description: Entity not found.
- summary: Update an entity
- tags:
- - Security entity store
- x-codeSamples:
- - lang: curl
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ user:
+ additionalProperties: false
+ type: object
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ roles:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ host:
+ additionalProperties: false
+ type: object
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ os:
+ additionalProperties: false
+ type: object
+ properties:
+ family:
+ type: string
+ full:
+ type: string
+ kernel:
+ type: string
+ name:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ platform:
+ type: string
+ type:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ version:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ type:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ address:
+ type: string
+ environment:
+ type: string
+ ephemeral_id:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ node:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ role:
+ type: string
+ roles:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ state:
+ type: string
+ type:
+ type: string
+ version:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ cloud:
+ additionalProperties: false
+ type: object
+ properties:
+ account:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ availability_zone:
+ type: string
+ instance:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ machine:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ project:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ provider:
+ type: string
+ region:
+ type: string
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ orchestrator:
+ additionalProperties: false
+ type: object
+ properties:
+ api_version:
+ type: string
+ cluster:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ url:
+ type: string
+ version:
+ type: string
+ namespace:
+ type: string
+ organization:
+ type: string
+ resource:
+ additionalProperties: false
+ type: object
+ properties:
+ annotation:
+ type: string
+ id:
+ type: string
+ ip:
+ type: string
+ label:
+ type: string
+ name:
+ type: string
+ parent:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ type:
+ type: string
+ type:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ createSuccessExample:
+ description: The entity record was successfully created in the Entity Store.
+ summary: Entity created
+ value:
+ ok: true
+ description: Indicates the entity was successfully created.
+ '400':
+ content:
+ application/json:
+ examples:
+ euidMismatchExample:
+ description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields.
+ summary: Entity identifier mismatch
+ value:
+ error: Bad Request
+ message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01'
+ statusCode: 400
+ description: Bad request.
+ '409':
+ content:
+ application/json:
+ examples:
+ conflictExample:
+ description: An entity with the specified identifier already exists.
+ summary: Entity already exists
+ value:
+ error: Conflict
+ message: Entity ID 'host:web-server-prod-01' already exists
+ statusCode: 409
+ description: Conflict.
+ summary: Create an entity
+ tags:
+ - Security entity store
+ x-codeSamples:
+ - lang: curl
+ source: |
+ curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
+ -H "Content-Type: application/json" \
+ -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \
+ "${KIBANA_URL}/api/security/entity_store/entities/host"
+ - lang: Console
+ source: |
+ POST kbn://api/security/entity_store/entities/host
+ {
+ "entity": {
+ "id": "host:web-server-prod-01",
+ "name": "web-server-prod-01",
+ "type": "host",
+ "source": ["manual"],
+ "attributes": { "asset": true }
+ },
+ "host": {
+ "name": "web-server-prod-01",
+ "ip": ["10.0.1.42"]
+ }
+ }
+ x-metaTags:
+ - content: Kibana, Elastic Cloud Serverless
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/security/entity_store/entities/{entityType}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.
[Required authorization] Route required privileges: securitySolution.
+ operationId: put-security-entity-store-entities-entitytype
+ parameters:
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The entity type to update.
+ in: path
+ name: entityType
+ required: true
+ schema:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ - description: When true, allows updating protected fields.
+ in: query
+ name: force
+ required: false
+ schema:
+ anyOf:
+ - enum:
+ - 'true'
+ - 'false'
+ type: string
+ - type: boolean
+ default: false
+ requestBody:
+ content:
+ application/json:
+ examples:
+ updateEntityAttributesExample:
+ description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter.
+ summary: Update entity attributes
+ value:
+ entity:
+ attributes:
+ managed: true
+ mfa_enabled: true
+ id: user:jane.doe@example.com
+ lifecycle:
+ last_activity: '2026-04-10T14:30:00.000Z'
+ name: jane.doe
+ type: user
+ user:
+ email:
+ - jane.doe@example.com
+ name: jane.doe
+ roles:
+ - admin
+ - analyst
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ user:
+ additionalProperties: false
+ type: object
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ roles:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ host:
+ additionalProperties: false
+ type: object
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ os:
+ additionalProperties: false
+ type: object
+ properties:
+ family:
+ type: string
+ full:
+ type: string
+ kernel:
+ type: string
+ name:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ platform:
+ type: string
+ type:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ version:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ type:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ address:
+ type: string
+ environment:
+ type: string
+ ephemeral_id:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ node:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ role:
+ type: string
+ roles:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ state:
+ type: string
+ type:
+ type: string
+ version:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ cloud:
+ additionalProperties: false
+ type: object
+ properties:
+ account:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ availability_zone:
+ type: string
+ instance:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ machine:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ project:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ provider:
+ type: string
+ region:
+ type: string
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ orchestrator:
+ additionalProperties: false
+ type: object
+ properties:
+ api_version:
+ type: string
+ cluster:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ url:
+ type: string
+ version:
+ type: string
+ namespace:
+ type: string
+ organization:
+ type: string
+ resource:
+ additionalProperties: false
+ type: object
+ properties:
+ annotation:
+ type: string
+ id:
+ type: string
+ ip:
+ type: string
+ label:
+ type: string
+ name:
+ type: string
+ parent:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ type:
+ type: string
+ type:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ updateSuccessExample:
+ description: The entity record was successfully updated.
+ summary: Entity updated
+ value:
+ ok: true
+ description: Indicates the entity was successfully updated.
+ '400':
+ content:
+ application/json:
+ examples:
+ protectedFieldsExample:
+ description: The request attempts to update protected fields without the force query parameter.
+ summary: Protected fields without force
+ value:
+ error: Bad Request
+ message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type'
+ statusCode: 400
+ description: Bad request.
+ '404':
+ content:
+ application/json:
+ examples:
+ notFoundExample:
+ description: No entity with the specified identifier exists.
+ summary: Entity not found
+ value:
+ error: Not Found
+ message: Entity ID 'user:jane.doe@example.com' not found
+ statusCode: 404
+ description: Entity not found.
+ summary: Update an entity
+ tags:
+ - Security entity store
+ x-codeSamples:
+ - lang: curl
source: |
curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
@@ -64373,6 +69059,18 @@ paths:
schema:
example: 'true'
type: string
+ - description: When true, allows updating protected fields.
+ in: query
+ name: force
+ required: false
+ schema:
+ anyOf:
+ - enum:
+ - 'true'
+ - 'false'
+ type: string
+ - type: boolean
+ default: false
requestBody:
content:
application/json:
@@ -64402,7 +69100,2291 @@ paths:
user:
name: jane.doe
type: user
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entities:
+ description: The entities to update.
+ items:
+ type: object
+ properties:
+ doc:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ user:
+ additionalProperties: false
+ type: object
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ roles:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ host:
+ additionalProperties: false
+ type: object
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ os:
+ additionalProperties: false
+ type: object
+ properties:
+ family:
+ type: string
+ full:
+ type: string
+ kernel:
+ type: string
+ name:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ platform:
+ type: string
+ type:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ version:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ type:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ address:
+ type: string
+ environment:
+ type: string
+ ephemeral_id:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ node:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ role:
+ type: string
+ roles:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ state:
+ type: string
+ type:
+ type: string
+ version:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ cloud:
+ additionalProperties: false
+ type: object
+ properties:
+ account:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ availability_zone:
+ type: string
+ instance:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ machine:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ project:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ provider:
+ type: string
+ region:
+ type: string
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ orchestrator:
+ additionalProperties: false
+ type: object
+ properties:
+ api_version:
+ type: string
+ cluster:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ url:
+ type: string
+ version:
+ type: string
+ namespace:
+ type: string
+ organization:
+ type: string
+ resource:
+ additionalProperties: false
+ type: object
+ properties:
+ annotation:
+ type: string
+ id:
+ type: string
+ ip:
+ type: string
+ label:
+ type: string
+ name:
+ type: string
+ parent:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ type:
+ type: string
+ type:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ description: The entity type of this record.
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ required:
+ - type
+ - doc
+ type: array
+ required:
+ - entities
responses:
'200':
content:
@@ -64514,7 +71496,71 @@ paths:
filter: 'host.os.type: linux'
frequency: 5m
lookbackPeriod: 12h
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
+ historySnapshot:
+ additionalProperties: false
+ type: object
+ properties:
+ frequency:
+ default: 24h
+ pattern: '[smdh]$'
+ type: string
+ logExtraction:
+ additionalProperties: false
+ type: object
+ properties:
+ additionalIndexPatterns:
+ default: []
+ items:
+ type: string
+ type: array
+ delay:
+ default: 1m
+ pattern: '[smdh]$'
+ type: string
+ docsLimit:
+ default: 10000
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ fieldHistoryLength:
+ default: 10
+ maximum: 9007199254740991
+ minimum: -9007199254740991
+ type: integer
+ filter:
+ default: ''
+ type: string
+ frequency:
+ default: 30s
+ pattern: '[smdh]$'
+ type: string
+ lookbackPeriod:
+ default: 3h
+ pattern: '[smdh]$'
+ type: string
+ maxLogsPerPage:
+ default: 40000
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
responses:
'200':
content:
@@ -64579,7 +71625,13 @@ paths:
Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.
[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
operationId: get-security-entity-store-resolution-group
- parameters: []
+ parameters:
+ - description: The entity identifier to look up the resolution group for.
+ in: query
+ name: entity_id
+ required: true
+ schema:
+ type: string
responses:
'200':
content:
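Review bot: `entity_id` is marked `required: true` but its schema is a bare `type: string`, so an empty value satisfies the published contract even though the description calls it an identifier to look up. If the handler rejects empty identifiers, the schema should say so with `minLength: 1` under `schema:`; otherwise the description should state what an empty lookup returns. The `target_id` body property in the next hunk has the same gap and the same fix, while `entity_ids` there already bounds its items with `minItems`/`maxItems` but not the item strings themselves.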
@@ -64681,7 +71733,23 @@ paths:
- user:jdoe@example.com
- user:j.doe@example.com
target_id: user:jane.doe@example.com
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entity_ids:
+ description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000.
+ items:
+ type: string
+ maxItems: 1000
+ minItems: 1
+ type: array
+ target_id:
+ description: The entity identifier to resolve the linked entities to.
+ type: string
+ required:
+ - target_id
+ - entity_ids
responses:
'200':
content:
@@ -64778,7 +71846,19 @@ paths:
entity_ids:
- user:jdoe@example.com
- user:j.doe@example.com
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entity_ids:
+ description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000.
+ items:
+ type: string
+ maxItems: 1000
+ minItems: 1
+ type: array
+ required:
+ - entity_ids
responses:
'200':
content:
@@ -64862,7 +71942,25 @@ paths:
value:
entityTypes:
- host
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ description: Entity types to start. Defaults to all installed types.
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
@@ -64904,7 +72002,19 @@ paths:
Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.
[Required authorization] Route required privileges: securitySolution.
operationId: get-security-entity-store-status
- parameters: []
+ parameters:
+ - description: If true, returns a detailed status of each engine including all its components.
+ in: query
+ name: include_components
+ required: false
+ schema:
+ anyOf:
+ - enum:
+ - 'true'
+ - 'false'
+ type: string
+ - type: boolean
+ default: false
responses:
'200':
content:
@@ -64997,7 +72107,25 @@ paths:
- host
- service
- generic
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ description: Entity types to stop. Defaults to all running types.
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
@@ -65066,7 +72194,25 @@ paths:
value:
entityTypes:
- host
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ description: Entity types to uninstall. Defaults to all installed types.
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
index ce4a49c3ffa51..ec38cecdc5e45 100644
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -67733,7 +67733,43 @@ paths:
fieldHistoryLength: 15
frequency: 10m
lookbackPeriod: 6h
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ logExtraction:
+ additionalProperties: false
+ type: object
+ properties:
+ additionalIndexPatterns:
+ items:
+ type: string
+ type: array
+ delay:
+ pattern: '[smdh]$'
+ type: string
+ docsLimit:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ fieldHistoryLength:
+ maximum: 9007199254740991
+ minimum: -9007199254740991
+ type: integer
+ filter:
+ type: string
+ frequency:
+ pattern: '[smdh]$'
+ type: string
+ lookbackPeriod:
+ pattern: '[smdh]$'
+ type: string
+ maxLogsPerPage:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ required:
+ - logExtraction
responses:
'200':
content:
@@ -67803,7 +67839,93 @@ paths:
List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.
[Required authorization] Route required privileges: securitySolution.
operationId: get-security-entity-store-entities
- parameters: []
+ parameters:
+ - description: A Kibana Query Language (KQL) filter for the search-after mode.
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Number of entities to return in search-after mode.
+ in: query
+ name: size
+ required: false
+ schema:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ - description: JSON-encoded search_after value for cursor-based pagination.
+ in: query
+ name: searchAfter
+ required: false
+ schema:
+ type: string
+ - description: Fields to include in the response source.
+ in: query
+ name: source
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Fields to include in the response.
+ in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Field to sort results by in page mode.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ type: string
+ - description: Sort order in page mode.
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: Page number to return (1-indexed) in page mode.
+ in: query
+ name: page
+ required: false
+ schema:
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ - description: Number of entities per page in page mode.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ maximum: 10000
+ minimum: 1
+ type: integer
+ - description: An Elasticsearch query string to filter entities in page mode.
+ in: query
+ name: filterQuery
+ required: false
+ schema:
+ type: string
+ - description: Entity types to include in the results.
+ in: query
+ name: entity_types
+ required: false
+ schema:
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
@@ -67941,7 +68063,15 @@ paths:
summary: Delete an entity by identifier
value:
entityId: host:web-server-prod-01
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityId:
+ description: The identifier of the entity to delete.
+ type: string
+ required:
+ - entityId
responses:
'200':
content:
@@ -68003,6 +68133,17 @@ paths:
schema:
example: 'true'
type: string
+ - description: The entity type to create.
+ in: path
+ name: entityType
+ required: true
+ schema:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
requestBody:
content:
application/json:
@@ -68030,153 +68171,4698 @@ paths:
ip:
- 10.0.1.42
name: web-server-prod-01
- schema: {}
- responses:
- '200':
- content:
- application/json:
- examples:
- createSuccessExample:
- description: The entity record was successfully created in the Entity Store.
- summary: Entity created
- value:
- ok: true
- description: Indicates the entity was successfully created.
- '400':
- content:
- application/json:
- examples:
- euidMismatchExample:
- description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields.
- summary: Entity identifier mismatch
- value:
- error: Bad Request
- message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01'
- statusCode: 400
- description: Bad request.
- '409':
- content:
- application/json:
- examples:
- conflictExample:
- description: An entity with the specified identifier already exists.
- summary: Entity already exists
- value:
- error: Conflict
- message: Entity ID 'host:web-server-prod-01' already exists
- statusCode: 409
- description: Conflict.
- summary: Create an entity
- tags:
- - Security entity store
- x-codeSamples:
- - lang: curl
- source: |
- curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
- -H "Content-Type: application/json" \
- -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \
- "${KIBANA_URL}/api/security/entity_store/entities/host"
- - lang: Console
- source: |
- POST kbn://api/security/entity_store/entities/host
- {
- "entity": {
- "id": "host:web-server-prod-01",
- "name": "web-server-prod-01",
- "type": "host",
- "source": ["manual"],
- "attributes": { "asset": true }
- },
- "host": {
- "name": "web-server-prod-01",
- "ip": ["10.0.1.42"]
- }
- }
- x-metaTags:
- - content: Kibana
- name: product_name
- put:
- description: |-
- **Spaces method and path for this operation:**
-
- put /s/{space_id}/api/security/entity_store/entities/{entityType}
-
- Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
-
- Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.
[Required authorization] Route required privileges: securitySolution.
- operationId: put-security-entity-store-entities-entitytype
- parameters:
- - description: A required header to protect against CSRF attacks
- in: header
- name: kbn-xsrf
- required: true
- schema:
- example: 'true'
- type: string
- requestBody:
- content:
- application/json:
- examples:
- updateEntityAttributesExample:
- description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter.
- summary: Update entity attributes
- value:
- entity:
- attributes:
- managed: true
- mfa_enabled: true
- id: user:jane.doe@example.com
- lifecycle:
- last_activity: '2026-04-10T14:30:00.000Z'
- name: jane.doe
- type: user
- user:
- email:
- - jane.doe@example.com
- name: jane.doe
- roles:
- - admin
- - analyst
- schema: {}
- responses:
- '200':
- content:
- application/json:
- examples:
- updateSuccessExample:
- description: The entity record was successfully updated.
- summary: Entity updated
- value:
- ok: true
- description: Indicates the entity was successfully updated.
- '400':
- content:
- application/json:
- examples:
- protectedFieldsExample:
- description: The request attempts to update protected fields without the force query parameter.
- summary: Protected fields without force
- value:
- error: Bad Request
- message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type'
- statusCode: 400
- description: Bad request.
- '404':
- content:
- application/json:
- examples:
- notFoundExample:
- description: No entity with the specified identifier exists.
- summary: Entity not found
- value:
- error: Not Found
- message: Entity ID 'user:jane.doe@example.com' not found
- statusCode: 404
- description: Entity not found.
- summary: Update an entity
- tags:
- - Security entity store
- x-codeSamples:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ user:
+ additionalProperties: false
+ type: object
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ roles:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ host:
+ additionalProperties: false
+ type: object
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ os:
+ additionalProperties: false
+ type: object
+ properties:
+ family:
+ type: string
+ full:
+ type: string
+ kernel:
+ type: string
+ name:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ platform:
+ type: string
+ type:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ version:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ type:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ address:
+ type: string
+ environment:
+ type: string
+ ephemeral_id:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ node:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ role:
+ type: string
+ roles:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ state:
+ type: string
+ type:
+ type: string
+ version:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ cloud:
+ additionalProperties: false
+ type: object
+ properties:
+ account:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ availability_zone:
+ type: string
+ instance:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ machine:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ project:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ provider:
+ type: string
+ region:
+ type: string
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ orchestrator:
+ additionalProperties: false
+ type: object
+ properties:
+ api_version:
+ type: string
+ cluster:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ url:
+ type: string
+ version:
+ type: string
+ namespace:
+ type: string
+ organization:
+ type: string
+ resource:
+ additionalProperties: false
+ type: object
+ properties:
+ annotation:
+ type: string
+ id:
+ type: string
+ ip:
+ type: string
+ label:
+ type: string
+ name:
+ type: string
+ parent:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ type:
+ type: string
+ type:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ createSuccessExample:
+ description: The entity record was successfully created in the Entity Store.
+ summary: Entity created
+ value:
+ ok: true
+ description: Indicates the entity was successfully created.
+ '400':
+ content:
+ application/json:
+ examples:
+ euidMismatchExample:
+ description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields.
+ summary: Entity identifier mismatch
+ value:
+ error: Bad Request
+ message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01'
+ statusCode: 400
+ description: Bad request.
+ '409':
+ content:
+ application/json:
+ examples:
+ conflictExample:
+ description: An entity with the specified identifier already exists.
+ summary: Entity already exists
+ value:
+ error: Conflict
+ message: Entity ID 'host:web-server-prod-01' already exists
+ statusCode: 409
+ description: Conflict.
+ summary: Create an entity
+ tags:
+ - Security entity store
+ x-codeSamples:
+ - lang: curl
+ source: |
+ curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
+ -H "Content-Type: application/json" \
+ -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \
+ "${KIBANA_URL}/api/security/entity_store/entities/host"
+ - lang: Console
+ source: |
+ POST kbn://api/security/entity_store/entities/host
+ {
+ "entity": {
+ "id": "host:web-server-prod-01",
+ "name": "web-server-prod-01",
+ "type": "host",
+ "source": ["manual"],
+ "attributes": { "asset": true }
+ },
+ "host": {
+ "name": "web-server-prod-01",
+ "ip": ["10.0.1.42"]
+ }
+ }
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/security/entity_store/entities/{entityType}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.
[Required authorization] Route required privileges: securitySolution.
+ operationId: put-security-entity-store-entities-entitytype
+ parameters:
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The entity type to update.
+ in: path
+ name: entityType
+ required: true
+ schema:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ - description: When true, allows updating protected fields.
+ in: query
+ name: force
+ required: false
+ schema:
+ anyOf:
+ - enum:
+ - 'true'
+ - 'false'
+ type: string
+ - type: boolean
+ default: false
+ requestBody:
+ content:
+ application/json:
+ examples:
+ updateEntityAttributesExample:
+ description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter.
+ summary: Update entity attributes
+ value:
+ entity:
+ attributes:
+ managed: true
+ mfa_enabled: true
+ id: user:jane.doe@example.com
+ lifecycle:
+ last_activity: '2026-04-10T14:30:00.000Z'
+ name: jane.doe
+ type: user
+ user:
+ email:
+ - jane.doe@example.com
+ name: jane.doe
+ roles:
+ - admin
+ - analyst
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ user:
+ additionalProperties: false
+ type: object
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ roles:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ host:
+ additionalProperties: false
+ type: object
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ os:
+ additionalProperties: false
+ type: object
+ properties:
+ family:
+ type: string
+ full:
+ type: string
+ kernel:
+ type: string
+ name:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ platform:
+ type: string
+ type:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ version:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ type:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ address:
+ type: string
+ environment:
+ type: string
+ ephemeral_id:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ node:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ role:
+ type: string
+ roles:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ state:
+ type: string
+ type:
+ type: string
+ version:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ cloud:
+ additionalProperties: false
+ type: object
+ properties:
+ account:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ availability_zone:
+ type: string
+ instance:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ machine:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ project:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ provider:
+ type: string
+ region:
+ type: string
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ orchestrator:
+ additionalProperties: false
+ type: object
+ properties:
+ api_version:
+ type: string
+ cluster:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ url:
+ type: string
+ version:
+ type: string
+ namespace:
+ type: string
+ organization:
+ type: string
+ resource:
+ additionalProperties: false
+ type: object
+ properties:
+ annotation:
+ type: string
+ id:
+ type: string
+ ip:
+ type: string
+ label:
+ type: string
+ name:
+ type: string
+ parent:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ type:
+ type: string
+ type:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ responses:
+ '200':
+ content:
+ application/json:
+ examples:
+ updateSuccessExample:
+ description: The entity record was successfully updated.
+ summary: Entity updated
+ value:
+ ok: true
+ description: Indicates the entity was successfully updated.
+ '400':
+ content:
+ application/json:
+ examples:
+ protectedFieldsExample:
+ description: The request attempts to update protected fields without the force query parameter.
+ summary: Protected fields without force
+ value:
+ error: Bad Request
+ message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type'
+ statusCode: 400
+ description: Bad request.
+ '404':
+ content:
+ application/json:
+ examples:
+ notFoundExample:
+ description: No entity with the specified identifier exists.
+ summary: Entity not found
+ value:
+ error: Not Found
+ message: Entity ID 'user:jane.doe@example.com' not found
+ statusCode: 404
+ description: Entity not found.
+ summary: Update an entity
+ tags:
+ - Security entity store
+ x-codeSamples:
- lang: curl
source: |
curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
@@ -68217,6 +72903,18 @@ paths:
schema:
example: 'true'
type: string
+ - description: When true, allows updating protected fields.
+ in: query
+ name: force
+ required: false
+ schema:
+ anyOf:
+ - enum:
+ - 'true'
+ - 'false'
+ type: string
+ - type: boolean
+ default: false
requestBody:
content:
application/json:
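Review bot: The description of the new `force` query parameter does not say which fields are protected or what the caller is overriding, so the only hint a reader gets is the `?force=true` 400 example on the single-entity update operation earlier in this diff. If the same rule applies to this operation (inferred from the shared error message, not visible here), I would extend the line to `description: When true, allows updating protected fields (for example entity.name and entity.type), which are otherwise rejected with a 400 response.` The `anyOf` schema accepting the strings `'true'`/`'false'` alongside a boolean, with `default: false`, matches the neighbouring parameter's `example: 'true'`, so that part reads consistently; the enclosing parameter list and operation continue outside the hunk.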
@@ -68246,7 +72944,2291 @@ paths:
user:
name: jane.doe
type: user
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entities:
+ description: The entities to update.
+ items:
+ type: object
+ properties:
+ doc:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ user:
+ additionalProperties: false
+ type: object
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ roles:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ host:
+ additionalProperties: false
+ type: object
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ os:
+ additionalProperties: false
+ type: object
+ properties:
+ family:
+ type: string
+ full:
+ type: string
+ kernel:
+ type: string
+ name:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ platform:
+ type: string
+ type:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ version:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ type:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ address:
+ type: string
+ environment:
+ type: string
+ ephemeral_id:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ node:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ role:
+ type: string
+ roles:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ state:
+ type: string
+ type:
+ type: string
+ version:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ asset:
+ additionalProperties: false
+ type: object
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ anyOf:
+ - enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ - nullable: true
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ cloud:
+ additionalProperties: false
+ type: object
+ properties:
+ account:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ availability_zone:
+ type: string
+ instance:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ machine:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ project:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ provider:
+ type: string
+ region:
+ type: string
+ service:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ entity:
+ additionalProperties: false
+ type: object
+ properties:
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ asset:
+ type: boolean
+ known_redirects:
+ items:
+ type: string
+ type: array
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ oauth_consent_restriction:
+ type: string
+ permissions:
+ items:
+ type: string
+ type: array
+ storage_class:
+ type: string
+ watchlists:
+ items:
+ type: string
+ type: array
+ behaviors:
+ additionalProperties: false
+ type: object
+ properties:
+ anomaly_job_ids:
+ items:
+ type: string
+ type: array
+ rule_names:
+ items:
+ type: string
+ type: array
+ EngineMetadata:
+ additionalProperties: false
+ type: object
+ properties:
+ Type:
+ type: string
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ type: object
+ properties:
+ first_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_activity:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ last_seen:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ type: object
+ properties:
+ accesses_frequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ accesses_infrequently:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ administers:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ depends_on:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ owns_inferred:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ resolution:
+ additionalProperties: false
+ type: object
+ properties:
+ resolved_to:
+ type: string
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ supervises:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ type: array
+ raw_identifiers:
+ additionalProperties: false
+ type: object
+ properties:
+ entity.id:
+ items:
+ type: string
+ type: array
+ host.id:
+ items:
+ type: string
+ type: array
+ host.name:
+ items:
+ type: string
+ type: array
+ service.name:
+ items:
+ type: string
+ type: array
+ user.email:
+ items:
+ type: string
+ type: array
+ user.id:
+ items:
+ type: string
+ type: array
+ user.name:
+ items:
+ type: string
+ type: array
+ risk:
+ additionalProperties: false
+ type: object
+ properties:
+ calculated_level:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ calculated_score:
+ type: number
+ calculated_score_norm:
+ maximum: 100
+ minimum: 0
+ type: number
+ schema_version:
+ type: string
+ source:
+ items:
+ type: string
+ type: array
+ sub_type:
+ type: string
+ type:
+ type: string
+ url:
+ type: string
+ event:
+ additionalProperties: false
+ type: object
+ properties:
+ ingested:
+ format: date-time
+ pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
+ type: string
+ labels:
+ additionalProperties: {}
+ type: object
+ properties: {}
+ orchestrator:
+ additionalProperties: false
+ type: object
+ properties:
+ api_version:
+ type: string
+ cluster:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ url:
+ type: string
+ version:
+ type: string
+ namespace:
+ type: string
+ organization:
+ type: string
+ resource:
+ additionalProperties: false
+ type: object
+ properties:
+ annotation:
+ type: string
+ id:
+ type: string
+ ip:
+ type: string
+ label:
+ type: string
+ name:
+ type: string
+ parent:
+ additionalProperties: false
+ type: object
+ properties:
+ type:
+ type: string
+ type:
+ type: string
+ type:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ description: The entity type of this record.
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ required:
+ - type
+ - doc
+ type: array
+ required:
+ - entities
responses:
'200':
content:
@@ -68358,7 +75340,71 @@ paths:
filter: 'host.os.type: linux'
frequency: 5m
lookbackPeriod: 12h
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
+ historySnapshot:
+ additionalProperties: false
+ type: object
+ properties:
+ frequency:
+ default: 24h
+ pattern: '[smdh]$'
+ type: string
+ logExtraction:
+ additionalProperties: false
+ type: object
+ properties:
+ additionalIndexPatterns:
+ default: []
+ items:
+ type: string
+ type: array
+ delay:
+ default: 1m
+ pattern: '[smdh]$'
+ type: string
+ docsLimit:
+ default: 10000
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
+ fieldHistoryLength:
+ default: 10
+ maximum: 9007199254740991
+ minimum: -9007199254740991
+ type: integer
+ filter:
+ default: ''
+ type: string
+ frequency:
+ default: 30s
+ pattern: '[smdh]$'
+ type: string
+ lookbackPeriod:
+ default: 3h
+ pattern: '[smdh]$'
+ type: string
+ maxLogsPerPage:
+ default: 40000
+ maximum: 9007199254740991
+ minimum: 1
+ type: integer
responses:
'200':
content:
@@ -68423,7 +75469,13 @@ paths:
Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.
[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
operationId: get-security-entity-store-resolution-group
- parameters: []
+ parameters:
+ - description: The entity identifier to look up the resolution group for.
+ in: query
+ name: entity_id
+ required: true
+ schema:
+ type: string
responses:
'200':
content:
@@ -68525,7 +75577,23 @@ paths:
- user:jdoe@example.com
- user:j.doe@example.com
target_id: user:jane.doe@example.com
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entity_ids:
+ description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000.
+ items:
+ type: string
+ maxItems: 1000
+ minItems: 1
+ type: array
+ target_id:
+ description: The entity identifier to resolve the linked entities to.
+ type: string
+ required:
+ - target_id
+ - entity_ids
responses:
'200':
content:
@@ -68622,7 +75690,19 @@ paths:
entity_ids:
- user:jdoe@example.com
- user:j.doe@example.com
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entity_ids:
+ description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000.
+ items:
+ type: string
+ maxItems: 1000
+ minItems: 1
+ type: array
+ required:
+ - entity_ids
responses:
'200':
content:
@@ -68706,7 +75786,25 @@ paths:
value:
entityTypes:
- host
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ description: Entity types to start. Defaults to all installed types.
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
@@ -68748,7 +75846,19 @@ paths:
Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.
[Required authorization] Route required privileges: securitySolution.
operationId: get-security-entity-store-status
- parameters: []
+ parameters:
+ - description: If true, returns a detailed status of each engine including all its components.
+ in: query
+ name: include_components
+ required: false
+ schema:
+ anyOf:
+ - enum:
+ - 'true'
+ - 'false'
+ type: string
+ - type: boolean
+ default: false
responses:
'200':
content:
@@ -68841,7 +75951,25 @@ paths:
- host
- service
- generic
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ description: Entity types to stop. Defaults to all running types.
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
@@ -68910,7 +76038,25 @@ paths:
value:
entityTypes:
- host
- schema: {}
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ entityTypes:
+ default:
+ - user
+ - host
+ - service
+ - generic
+ description: Entity types to uninstall. Defaults to all installed types.
+ items:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ type: array
responses:
'200':
content:
diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts
index 716006d452558..fd16a8320b792 100644
--- a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts
+++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts
@@ -9,6 +9,8 @@
import { OasConverter } from '.';
import { schema } from '@kbn/config-schema';
+import { z } from '@kbn/zod/v4';
+import { buildRouteValidationWithZod } from '@kbn/zod-helpers/v4';
describe('OasConverter', () => {
it('converts schemas with refs', () => {
@@ -88,4 +90,63 @@ describe('OasConverter', () => {
required: ['foo'],
});
});
+
+ describe('unwraps Zod schemas from buildRouteValidationWithZod', () => {
+ it('converts query parameters from a wrapped Zod schema', () => {
+ const converter = new OasConverter();
+ const querySchema = z.object({
+ include_components: z.boolean().optional().describe('Return component-level details'),
+ page: z.number().int().optional().describe('Page number'),
+ });
+ const wrapped = buildRouteValidationWithZod(querySchema);
+
+ const result = converter.convertQuery(wrapped);
+ expect(result.length).toBe(2);
+ expect(result.map((p) => p.name).sort()).toEqual(['include_components', 'page']);
+ expect(result.find((p) => p.name === 'include_components')).toMatchObject({
+ in: 'query',
+ required: false,
+ schema: { type: 'boolean' },
+ description: 'Return component-level details',
+ });
+ });
+
+ it('converts path parameters from a wrapped Zod schema', () => {
+ const converter = new OasConverter();
+ const paramsSchema = z.object({
+ entityType: z.enum(['user', 'host']).describe('The entity type'),
+ });
+ const wrapped = buildRouteValidationWithZod(paramsSchema);
+
+ const result = converter.convertPathParameters(wrapped, {
+ entityType: { optional: false },
+ });
+ expect(result.length).toBe(1);
+ expect(result[0]).toMatchObject({
+ name: 'entityType',
+ in: 'path',
+ required: true,
+ description: 'The entity type',
+ });
+ });
+
+ it('converts body schema from a wrapped Zod schema', () => {
+ const converter = new OasConverter();
+ const bodySchema = z.object({
+ name: z.string().describe('Entity name'),
+ tags: z.array(z.string()).optional().describe('Tags'),
+ });
+ const wrapped = buildRouteValidationWithZod(bodySchema);
+
+ const result = converter.convert(wrapped);
+ expect(result).toMatchObject({
+ type: 'object',
+ properties: {
+ name: { type: 'string', description: 'Entity name' },
+ tags: { type: 'array', items: { type: 'string' }, description: 'Tags' },
+ },
+ required: ['name'],
+ });
+ });
+ });
});
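Review bot: The three new cases assert individual fields of the converted output but never check that a wrapped schema produces exactly the same result as passing the underlying Zod schema directly, which is the whole contract of `#unwrapSchema`; a regression where the unwrap is skipped or applied twice could still pass these `toMatchObject` checks. One equality test per entry point pins that, and a plain function without `_sourceSchema` should also be shown to fall through unchanged, since that is the branch the unwrap leaves alone. The enclosing `describe('OasConverter')` block starts outside the hunk.
```typescript
  describe('unwraps Zod schemas from buildRouteValidationWithZod', () => {
    // … unchanged: existing wrapped-schema cases …

    it('produces the same output for the wrapped and the plain Zod schema', () => {
      const converter = new OasConverter();
      const bodySchema = z.object({ name: z.string(), tags: z.array(z.string()).optional() });
      expect(converter.convert(buildRouteValidationWithZod(bodySchema))).toEqual(
        converter.convert(bodySchema)
      );
      expect(converter.convertQuery(buildRouteValidationWithZod(bodySchema))).toEqual(
        converter.convertQuery(bodySchema)
      );
    });
  });
```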
diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts
index 9e28714d1961e..d4fd37b2466c9 100644
--- a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts
+++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts
@@ -28,6 +28,17 @@ export class OasConverter {
this.#env = env;
}
+ /**
+ * Unwrap a RouteValidationFunction produced by buildRouteValidationWithZod
+ * so the original Zod schema is visible to the converter chain.
+ */
+ #unwrapSchema(schema: unknown): unknown {
+ if (typeof schema === 'function' && '_sourceSchema' in schema && schema._sourceSchema != null) {
+ return schema._sourceSchema;
+ }
+ return schema;
+ }
+
#getConverter(schema: unknown) {
return this.#converters.find((c) => c.is(schema))!;
}
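Review bot: `#unwrapSchema` hands back whatever `_sourceSchema` holds without checking that any registered converter recognises it, so a wrapper carrying an unexpected value reaches the non-null assertion in `#getConverter` and fails with an undefined-property TypeError instead of a message naming the problem; the `convert`, `convertPathParameters` and `convertQuery` hunks below all take this path. Because the assertion lives in `#getConverter`, one guard there covers all three callers: `const converter = this.#converters.find((c) => c.is(schema)); if (!converter) throw new Error('OasConverter: no converter registered for the supplied schema'); return converter;`. The `_sourceSchema` property name is an unenforced contract with `buildRouteValidationWithZod` in kbn-zod-helpers, so the JSDoc should say so, e.g. `* Relies on buildRouteValidationWithZod attaching the original schema as \`_sourceSchema\`; keep both sides in sync.` The enclosing `OasConverter` class starts outside the hunk.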
@@ -43,7 +54,8 @@ export class OasConverter {
}
public convert(schema: unknown) {
- const { schema: oasSchema, shared } = this.#getConverter(schema)!.convert(schema, {
+ const unwrapped = this.#unwrapSchema(schema);
+ const { schema: oasSchema, shared } = this.#getConverter(unwrapped)!.convert(unwrapped, {
env: this.#env,
sharedSchemas: this.#sharedSchemas,
});
@@ -52,8 +64,9 @@ export class OasConverter {
}
public convertPathParameters(schema: unknown, pathParameters: KnownParameters) {
- const { params, shared } = this.#getConverter(schema).convertPathParameters(
- schema,
+ const unwrapped = this.#unwrapSchema(schema);
+ const { params, shared } = this.#getConverter(unwrapped).convertPathParameters(
+ unwrapped,
pathParameters
);
this.#addComponents(shared);
@@ -61,7 +74,8 @@ export class OasConverter {
}
public convertQuery(schema: unknown) {
- const { query, shared } = this.#getConverter(schema).convertQuery(schema);
+ const unwrapped = this.#unwrapSchema(schema);
+ const { query, shared } = this.#getConverter(unwrapped).convertQuery(unwrapped);
this.#addComponents(shared);
return query;
}
diff --git a/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts b/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts
index 809b9e0e3d3c9..7e0361d6c29d8 100644
--- a/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts
+++ b/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts
@@ -44,11 +44,14 @@ interface ZodSafeParseable