From 36f46f12e46722f12d594da79885f2cb349b8569 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Kuba=20Sobo=C5=84?= Date: Tue, 21 Apr 2026 13:41:12 +0200 Subject: [PATCH] [Zod Helper][OAS Docs] Fix OAS docs generation for routes using buildRouteValidationWithZod (#263354) ## Summary While working on this, we discovered that both path and query parameters were missing from the generated OAS docs, despite being defined in the route itself. I have tracked the issue down to the `buildRouteValidationWithZod` function obscuring the Zod schema. This PR aims to fix this issue by attaching the original source schema to the output of `buildRouteValidationWithZod` and adding code to try to unwrap it in the `kbn-router-to-openapispec` code. This has no influence on existing code, other than correctly handling the routes that use `buildRouteValidationWithZod`. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. 
--------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit f50036c6f1821d5dcf42158e30b3ec611ce94135) --- oas_docs/output/kibana.serverless.yaml | 7466 ++++++++++++++++- oas_docs/output/kibana.yaml | 7464 +++++++++++++++- .../src/oas_converter/index.test.ts | 61 + .../src/oas_converter/index.ts | 22 +- .../v4/build_route_validation_with_zod.ts | 5 +- .../saved_objects/global_state/constants.ts | 4 +- .../server/routes/apis/crud/create.ts | 8 +- .../server/routes/apis/crud/get.ts | 2 +- .../server/routes/apis/crud/update.ts | 8 +- .../apis/force_ccs_extract_to_updates.ts | 2 +- .../entity_store/server/routes/constants.ts | 4 +- 11 files changed, 14706 insertions(+), 340 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 2ad2f041d5676..b6072251b96b2 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -61748,7 +61748,43 @@ paths: fieldHistoryLength: 15 frequency: 10m lookbackPeriod: 6h - schema: {} + schema: + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + type: string + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + required: + - logExtraction responses: '200': content: @@ -61818,7 +61854,93 @@ paths: List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. operationId: get-security-entity-store-entities - parameters: [] + parameters: + - description: A Kibana Query Language (KQL) filter for the search-after mode. + in: query + name: filter + required: false + schema: + type: string + - description: Number of entities to return in search-after mode. + in: query + name: size + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. + in: query + name: searchAfter + required: false + schema: + type: string + - description: Fields to include in the response source. + in: query + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order in page mode. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed) in page mode. + in: query + name: page + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: Number of entities per page in page mode. + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An Elasticsearch query string to filter entities in page mode. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: false + schema: + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: 
@@ -61956,7 +62078,15 @@ paths: summary: Delete an entity by identifier value: entityId: host:web-server-prod-01 - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityId: + description: The identifier of the entity to delete. + type: string + required: + - entityId responses: '200': content: @@ -62018,6 +62148,17 @@ paths: schema: example: 'true' type: string + - description: The entity type to create. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string requestBody: content: application/json: 
@@ -62045,154 +62186,4699 @@ paths: ip: - 10.0.1.42 name: web-server-prod-01 - schema: {} - responses: - '200': - content: - application/json: - examples: - createSuccessExample: - description: The entity record was successfully created in the Entity Store. - summary: Entity created - value: - ok: true - description: Indicates the entity was successfully created. - '400': - content: - application/json: - examples: - euidMismatchExample: - description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. - summary: Entity identifier mismatch - value: - error: Bad Request - message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' - statusCode: 400 - description: Bad request. - '409': - content: - application/json: - examples: - conflictExample: - description: An entity with the specified identifier already exists. - summary: Entity already exists - value: - error: Conflict - message: Entity ID 'host:web-server-prod-01' already exists - statusCode: 409 - description: Conflict. 
- summary: Create an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ - "${KIBANA_URL}/api/security/entity_store/entities/host" - - lang: Console - source: | - POST kbn://api/security/entity_store/entities/host - { - "entity": { - "id": "host:web-server-prod-01", - "name": "web-server-prod-01", - "type": "host", - "source": ["manual"], - "attributes": { "asset": true } - }, - "host": { - "name": "web-server-prod-01", - "ip": ["10.0.1.42"] - } - } - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-entities-entitytype - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - updateEntityAttributesExample: - description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. - summary: Update entity attributes - value: - entity: - attributes: - managed: true - mfa_enabled: true - id: user:jane.doe@example.com - lifecycle: - last_activity: '2026-04-10T14:30:00.000Z' - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - roles: - - admin - - analyst - schema: {} - responses: - '200': - content: - application/json: - examples: - updateSuccessExample: - description: The entity record was successfully updated. - summary: Entity updated - value: - ok: true - description: Indicates the entity was successfully updated. - '400': - content: - application/json: - examples: - protectedFieldsExample: - description: The request attempts to update protected fields without the force query parameter. - summary: Protected fields without force - value: - error: Bad Request - message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' - statusCode: 400 - description: Bad request. - '404': - content: - application/json: - examples: - notFoundExample: - description: No entity with the specified identifier exists. - summary: Entity not found - value: - error: Not Found - message: Entity ID 'user:jane.doe@example.com' not found - statusCode: 404 - description: Entity not found. 
- summary: Update an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + responses: + '200': + content: + application/json: + examples: + createSuccessExample: + description: The entity record was successfully created in the Entity Store. + summary: Entity created + value: + ok: true + description: Indicates the entity was successfully created. + '400': + content: + application/json: + examples: + euidMismatchExample: + description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. + summary: Entity identifier mismatch + value: + error: Bad Request + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' + statusCode: 400 + description: Bad request. + '409': + content: + application/json: + examples: + conflictExample: + description: An entity with the specified identifier already exists. + summary: Entity already exists + value: + error: Conflict + message: Entity ID 'host:web-server-prod-01' already exists + statusCode: 409 + description: Conflict. 
+ summary: Create an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to update. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + requestBody: + content: + application/json: + examples: + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes + value: + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: 
string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + 
type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + 
additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: 
+ items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object 
+ properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: 
array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: 
+ enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: 
object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + responses: + '200': + content: + application/json: + examples: + updateSuccessExample: + description: The entity record was successfully updated. + summary: Entity updated + value: + ok: true + description: Indicates the entity was successfully updated. + '400': + content: + application/json: + examples: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force + value: + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. + '404': + content: + application/json: + examples: + notFoundExample: + description: No entity with the specified identifier exists. 
+ summary: Entity not found + value: + error: Not Found + message: Entity ID 'user:jane.doe@example.com' not found + statusCode: 404 + description: Entity not found. + summary: Update an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl source: | curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ @@ -62232,6 +66918,18 @@ paths: schema: example: 'true' type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: 
@@ -62261,7 +66959,2291 @@ paths: user: name: jane.doe type: user - schema: {} + schema: + additionalProperties: false + type: object + properties: + entities: + description: The entities to update. + items: + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. + enum: + - user + - host + - service + - generic + type: string + required: + - type + - doc + type: array + required: + - entities responses: '200': content: @@ -62373,7 +69355,71 @@ paths: filter: 'host.os.type: linux' frequency: 5m lookbackPeriod: 12h - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false + type: object + properties: + frequency: + default: 24h + pattern: '[smdh]$' + type: string + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + default: [] + items: + type: string + type: array + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + default: '' + type: string + frequency: + default: 30s + pattern: '[smdh]$' + type: string + lookbackPeriod: + default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 40000 + maximum: 9007199254740991 + minimum: 1 + type: integer responses: '200': content: @@ -62438,7 +69484,13 @@ paths: Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. operationId: get-security-entity-store-resolution-group - parameters: [] + parameters: + - description: The entity identifier to look up the resolution group for. + in: query + name: entity_id + required: true + schema: + type: string responses: '200': content: @@ -62540,7 +69592,23 @@ paths: - user:jdoe@example.com - user:j.doe@example.com target_id: user:jane.doe@example.com - schema: {} + schema: + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. + type: string + required: + - target_id + - entity_ids responses: '200': content: @@ -62637,7 +69705,19 @@ paths: entity_ids: - user:jdoe@example.com - user:j.doe@example.com - schema: {} + schema: + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - entity_ids responses: '200': content: @@ -62721,7 +69801,25 @@ paths: value: entityTypes: - host - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: @@ -62763,7 +69861,19 @@ paths: Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. operationId: get-security-entity-store-status - parameters: [] + parameters: + - description: If true, returns a detailed status of each engine including all its components. + in: query + name: include_components + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false responses: '200': content: @@ -62856,7 +69966,25 @@ paths: - host - service - generic - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: @@ -62925,7 +70053,25 @@ paths: value: entityTypes: - host - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 5d6b53950032a..8c37677bcf661 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -65586,7 +65586,43 @@ paths: fieldHistoryLength: 15 frequency: 10m lookbackPeriod: 6h - schema: {} + schema: + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + type: string + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + required: + - logExtraction responses: '200': content: @@ -65656,7 +65692,93 @@ paths: List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. operationId: get-security-entity-store-entities - parameters: [] + parameters: + - description: A Kibana Query Language (KQL) filter for the search-after mode. + in: query + name: filter + required: false + schema: + type: string + - description: Number of entities to return in search-after mode. + in: query + name: size + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. + in: query + name: searchAfter + required: false + schema: + type: string + - description: Fields to include in the response source. + in: query + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order in page mode. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed) in page mode. + in: query + name: page + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: Number of entities per page in page mode. + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An Elasticsearch query string to filter entities in page mode. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: false + schema: + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: 
@@ -65794,7 +65916,15 @@ paths: summary: Delete an entity by identifier value: entityId: host:web-server-prod-01 - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityId: + description: The identifier of the entity to delete. + type: string + required: + - entityId responses: '200': content: @@ -65856,6 +65986,17 @@ paths: schema: example: 'true' type: string + - description: The entity type to create. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string requestBody: content: application/json: 
@@ -65883,153 +66024,4698 @@ paths: ip: - 10.0.1.42 name: web-server-prod-01 - schema: {} - responses: - '200': - content: - application/json: - examples: - createSuccessExample: - description: The entity record was successfully created in the Entity Store. - summary: Entity created - value: - ok: true - description: Indicates the entity was successfully created. - '400': - content: - application/json: - examples: - euidMismatchExample: - description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. - summary: Entity identifier mismatch - value: - error: Bad Request - message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' - statusCode: 400 - description: Bad request. - '409': - content: - application/json: - examples: - conflictExample: - description: An entity with the specified identifier already exists. - summary: Entity already exists - value: - error: Conflict - message: Entity ID 'host:web-server-prod-01' already exists - statusCode: 409 - description: Conflict. 
- summary: Create an entity - tags: - - Security entity store - x-codeSamples: - - lang: curl - source: | - curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ - -H "Content-Type: application/json" \ - -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ - "${KIBANA_URL}/api/security/entity_store/entities/host" - - lang: Console - source: | - POST kbn://api/security/entity_store/entities/host - { - "entity": { - "id": "host:web-server-prod-01", - "name": "web-server-prod-01", - "type": "host", - "source": ["manual"], - "attributes": { "asset": true } - }, - "host": { - "name": "web-server-prod-01", - "ip": ["10.0.1.42"] - } - } - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/security/entity_store/entities/{entityType}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. - operationId: put-security-entity-store-entities-entitytype - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - updateEntityAttributesExample: - description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. - summary: Update entity attributes - value: - entity: - attributes: - managed: true - mfa_enabled: true - id: user:jane.doe@example.com - lifecycle: - last_activity: '2026-04-10T14:30:00.000Z' - name: jane.doe - type: user - user: - email: - - jane.doe@example.com - name: jane.doe - roles: - - admin - - analyst - schema: {} - responses: - '200': - content: - application/json: - examples: - updateSuccessExample: - description: The entity record was successfully updated. - summary: Entity updated - value: - ok: true - description: Indicates the entity was successfully updated. - '400': - content: - application/json: - examples: - protectedFieldsExample: - description: The request attempts to update protected fields without the force query parameter. - summary: Protected fields without force - value: - error: Bad Request - message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' - statusCode: 400 - description: Bad request. - '404': - content: - application/json: - examples: - notFoundExample: - description: No entity with the specified identifier exists. - summary: Entity not found - value: - error: Not Found - message: Entity ID 'user:jane.doe@example.com' not found - statusCode: 404 - description: Entity not found. 
- summary: Update an entity - tags: - - Security entity store - x-codeSamples: + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + responses: + '200': + content: + application/json: + examples: + createSuccessExample: + description: The entity record was successfully created in the Entity Store. + summary: Entity created + value: + ok: true + description: Indicates the entity was successfully created. + '400': + content: + application/json: + examples: + euidMismatchExample: + description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. + summary: Entity identifier mismatch + value: + error: Bad Request + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' + statusCode: 400 + description: Bad request. + '409': + content: + application/json: + examples: + conflictExample: + description: An entity with the specified identifier already exists. + summary: Entity already exists + value: + error: Conflict + message: Entity ID 'host:web-server-prod-01' already exists + statusCode: 409 + description: Conflict. 
+ summary: Create an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to update. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + requestBody: + content: + application/json: + examples: + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes + value: + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: 
string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + 
type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + 
additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: 
+ items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object 
+ properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: 
array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: 
+ enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: 
object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + responses: + '200': + content: + application/json: + examples: + updateSuccessExample: + description: The entity record was successfully updated. + summary: Entity updated + value: + ok: true + description: Indicates the entity was successfully updated. + '400': + content: + application/json: + examples: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force + value: + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. + '404': + content: + application/json: + examples: + notFoundExample: + description: No entity with the specified identifier exists. 
+ summary: Entity not found + value: + error: Not Found + message: Entity ID 'user:jane.doe@example.com' not found + statusCode: 404 + description: Entity not found. + summary: Update an entity + tags: + - Security entity store + x-codeSamples: - lang: curl source: | curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ @@ -66070,6 +70756,18 @@ paths: schema: example: 'true' type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: 
@@ -66099,7 +70797,2291 @@ paths: user: name: jane.doe type: user - schema: {} + schema: + additionalProperties: false + type: object + properties: + entities: + description: The entities to update. + items: + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. + enum: + - user + - host + - service + - generic + type: string + required: + - type + - doc + type: array + required: + - entities responses: '200': content: @@ -66211,7 +73193,71 @@ paths: filter: 'host.os.type: linux' frequency: 5m lookbackPeriod: 12h - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false + type: object + properties: + frequency: + default: 24h + pattern: '[smdh]$' + type: string + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + default: [] + items: + type: string + type: array + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + filter: + default: '' + type: string + frequency: + default: 30s + pattern: '[smdh]$' + type: string + lookbackPeriod: + default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 40000 + maximum: 9007199254740991 + minimum: 1 + type: integer responses: '200': content: @@ -66276,7 +73322,13 @@ paths: Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. operationId: get-security-entity-store-resolution-group - parameters: [] + parameters: + - description: The entity identifier to look up the resolution group for. + in: query + name: entity_id + required: true + schema: + type: string responses: '200': content: @@ -66378,7 +73430,23 @@ paths: - user:jdoe@example.com - user:j.doe@example.com target_id: user:jane.doe@example.com - schema: {} + schema: + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. + type: string + required: + - target_id + - entity_ids responses: '200': content: @@ -66475,7 +73543,19 @@ paths: entity_ids: - user:jdoe@example.com - user:j.doe@example.com - schema: {} + schema: + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - entity_ids responses: '200': content: @@ -66559,7 +73639,25 @@ paths: value: entityTypes: - host - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: @@ -66601,7 +73699,19 @@ paths: Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. operationId: get-security-entity-store-status - parameters: [] + parameters: + - description: If true, returns a detailed status of each engine including all its components. + in: query + name: include_components + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false responses: '200': content: @@ -66694,7 +73804,25 @@ paths: - host - service - generic - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: @@ -66763,7 +73891,25 @@ paths: value: entityTypes: - host - schema: {} + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts index 716006d452558..fd16a8320b792 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.test.ts @@ -9,6 +9,8 @@ import { OasConverter } from '.'; import { schema } from '@kbn/config-schema'; +import { z } from '@kbn/zod/v4'; +import { buildRouteValidationWithZod } from '@kbn/zod-helpers/v4'; describe('OasConverter', () => { it('converts schemas with refs', () => { 
@@ -88,4 +90,63 @@ describe('OasConverter', () => { required: ['foo'], }); }); + + describe('unwraps Zod schemas from buildRouteValidationWithZod', () => { + it('converts query parameters from a wrapped Zod schema', () => { + const converter = new OasConverter(); + const querySchema = z.object({ + include_components: z.boolean().optional().describe('Return component-level details'), + page: z.number().int().optional().describe('Page number'), + }); + const wrapped = buildRouteValidationWithZod(querySchema); + + const result = converter.convertQuery(wrapped); + expect(result.length).toBe(2); + expect(result.map((p) => p.name).sort()).toEqual(['include_components', 'page']); + expect(result.find((p) => p.name === 'include_components')).toMatchObject({ + in: 'query', + required: false, + schema: { type: 'boolean' }, + description: 'Return component-level details', + }); + }); + + it('converts path parameters from a wrapped Zod schema', () => { + const converter = new OasConverter(); + const paramsSchema = z.object({ + entityType: z.enum(['user', 'host']).describe('The entity type'), + }); + const wrapped = buildRouteValidationWithZod(paramsSchema); + + const result = converter.convertPathParameters(wrapped, { + entityType: { optional: false }, + }); + expect(result.length).toBe(1); + expect(result[0]).toMatchObject({ + name: 'entityType', + in: 'path', + required: true, + description: 'The entity type', + }); + }); + + it('converts body schema from a wrapped Zod schema', () => { + const converter = new OasConverter(); + const bodySchema = z.object({ + name: z.string().describe('Entity name'), + tags: z.array(z.string()).optional().describe('Tags'), + }); + const wrapped = buildRouteValidationWithZod(bodySchema); + + const result = converter.convert(wrapped); + expect(result).toMatchObject({ + type: 'object', + properties: { + name: { type: 'string', description: 'Entity name' }, + tags: { type: 'array', items: { type: 'string' }, description: 'Tags' }, + }, + 
required: ['name'], + }); + }); + }); }); diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts index 9e28714d1961e..d4fd37b2466c9 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/oas_converter/index.ts @@ -28,6 +28,17 @@ export class OasConverter { this.#env = env; } + /** + * Unwrap a RouteValidationFunction produced by buildRouteValidationWithZod + * so the original Zod schema is visible to the converter chain. + */ + #unwrapSchema(schema: unknown): unknown { + if (typeof schema === 'function' && '_sourceSchema' in schema && schema._sourceSchema != null) { + return schema._sourceSchema; + } + return schema; + } + #getConverter(schema: unknown) { return this.#converters.find((c) => c.is(schema))!; } @@ -43,7 +54,8 @@ export class OasConverter { } public convert(schema: unknown) { - const { schema: oasSchema, shared } = this.#getConverter(schema)!.convert(schema, { + const unwrapped = this.#unwrapSchema(schema); + const { schema: oasSchema, shared } = this.#getConverter(unwrapped)!.convert(unwrapped, { env: this.#env, sharedSchemas: this.#sharedSchemas, }); @@ -52,8 +64,9 @@ export class OasConverter { } public convertPathParameters(schema: unknown, pathParameters: KnownParameters) { - const { params, shared } = this.#getConverter(schema).convertPathParameters( - schema, + const unwrapped = this.#unwrapSchema(schema); + const { params, shared } = this.#getConverter(unwrapped).convertPathParameters( + unwrapped, pathParameters ); this.#addComponents(shared); 
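Review bot: The new `converts body schema from a wrapped Zod schema` test only spot-checks a few properties with `toMatchObject`, so it would not catch the wrapper producing a looser document than the bare schema does (a dropped `additionalProperties: false`, a missing `required` entry). The equivalence this PR relies on is pinned by one line, `expect(converter.convert(wrapped)).toEqual(new OasConverter().convert(bodySchema));`, and the same shape fits the query and path cases. There is also no case for a validation function that carries no `_sourceSchema`, which should still take whatever path the converter took before this change; the new `describe` block is complete within the hunk.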
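Review bot: `#unwrapSchema` keys on the literal `'_sourceSchema'`, which is spelled out independently here and in `buildRouteValidationWithZod`; nothing ties the two together, so a rename on either side would silently bring back the empty `schema: {}` this PR fixes rather than fail the build. Assuming this package may depend on `@kbn/zod-helpers` as its test already does, exporting the contract from there — `export const ROUTE_VALIDATION_SOURCE_SCHEMA = '_sourceSchema' as const;` plus a guard `hasSourceSchema(fn: unknown): fn is { _sourceSchema: unknown }` — and importing the guard here lets the compiler enforce it. Note also that any function object carrying that property is unwrapped, so the generated document describes `_sourceSchema` while the request is validated by the closure; that is only safe while the two are the same object, which `buildRouteValidationWithZod` guarantees but a hand-built validator does not, and a comment above the `typeof schema === 'function'` check saying so would help the next reader.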
@@ -61,7 +74,8 @@ export class OasConverter { } public convertQuery(schema: unknown) { - const { query, shared } = this.#getConverter(schema).convertQuery(schema); + const unwrapped = this.#unwrapSchema(schema); + const { query, shared } = this.#getConverter(unwrapped).convertQuery(unwrapped); this.#addComponents(shared); return query; } diff --git a/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts b/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts index 809b9e0e3d3c9..7e0361d6c29d8 100644 --- a/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts +++ b/src/platform/packages/shared/kbn-zod-helpers/v4/build_route_validation_with_zod.ts @@ -44,11 +44,14 @@ interface ZodSafeParseable { export function buildRouteValidationWithZod( schema: ZodSafeParseable ): RouteValidationFunction { - return (inputValue: unknown, validationResult: RouteValidationResultFactory) => { + const fn = (inputValue: unknown, validationResult: RouteValidationResultFactory) => { const decoded = schema.safeParse(inputValue); return decoded.success ? validationResult.ok(decoded.data) : validationResult.badRequest(stringifyZodError(decoded.error as any)); }; + // Expose the original Zod schema so the OAS generator can detect and convert it. + (fn as RouteValidationFunction & { _sourceSchema: unknown })._sourceSchema = schema; + return fn; } diff --git a/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts b/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts index a0cc9e892f497..4aca25051bb78 100644 --- a/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts +++ b/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts 
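Review bot: `_sourceSchema` is attached as an ordinary writable, enumerable property through a type assertion, so anything holding the validator can reassign it after the fact and make the published OAS document diverge from the schema the closure actually enforces. Defining it read-only removes that possibility and the cast: `Object.defineProperty(fn, '_sourceSchema', { value: schema, writable: false, enumerable: false });`. Since `ZodSafeParseable` only promises `safeParse`, the attached value is not necessarily something the OAS converter recognises; a one-line comment stating that the property is a best-effort hint consumed by `kbn-router-to-openapispec`, not part of the validation contract, would set expectations for callers.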
@@ -31,8 +31,8 @@ export const LogExtractionConfig = z.object({ .string() .regex(/[smdh]$/) .default(LOG_EXTRACTION_DELAY_DEFAULT), - docsLimit: z.number().int().positive().default(LOG_EXTRACTION_DOCS_LIMIT_DEFAULT), - maxLogsPerPage: z.number().int().positive().default(LOG_EXTRACTION_MAX_LOGS_PER_PAGE_DEFAULT), + docsLimit: z.number().int().min(1).default(LOG_EXTRACTION_DOCS_LIMIT_DEFAULT), + maxLogsPerPage: z.number().int().min(1).default(LOG_EXTRACTION_MAX_LOGS_PER_PAGE_DEFAULT), timeout: z .string() .regex(/[smdh]$/) diff --git a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/create.ts b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/create.ts index 2f45928ec79d7..bc0a431aa5823 100644 --- a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/create.ts +++ b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/create.ts @@ -21,11 +21,9 @@ import { } from '../../../domain/errors'; import { Entity } from '../../../../common/domain/definitions/entity.gen'; -const paramsSchema = z - .object({ - entityType: z.enum(ALL_ENTITY_TYPES).describe('The entity type to create.'), - }) - .required(); +const paramsSchema = z.object({ + entityType: z.enum(ALL_ENTITY_TYPES).describe('The entity type to create.'), +}); export function registerCRUDCreate(router: EntityStorePluginRouter) { router.versioned diff --git a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/get.ts b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/get.ts index f8b5e49a95018..8c0a0cc94701e 100644 --- a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/get.ts +++ b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/get.ts @@ -29,7 +29,7 @@ const querySchema = z size: z.coerce .number() .int() - .positive() + .min(1) .optional() .describe('Number of entities to return in search-after mode.'), searchAfter: z 
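Review bot: The duration fields around the changed lines are validated with `.regex(/[smdh]$/)`, which anchors only the last character, so strings such as `"foo m"` or `"-5h"` pass as long as they end in a unit letter; the hunk tightens `docsLimit`/`maxLogsPerPage` but leaves this untouched. If these values are parsed as durations downstream (the consumer is not visible from here), a fully anchored pattern such as `.regex(/^\d+[smdh]$/)` would reject malformed input at the API boundary instead of wherever it is later parsed. The `LogExtractionConfig` object starts before the hunk and its remaining fields continue after it.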
diff --git a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/update.ts b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/update.ts index 5113609702314..3f5c37b04fee5 100644 --- a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/update.ts +++ b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/crud/update.ts @@ -21,11 +21,9 @@ import { } from '../../../domain/errors'; import { Entity } from '../../../../common/domain/definitions/entity.gen'; -const paramsSchema = z - .object({ - entityType: z.enum(ALL_ENTITY_TYPES).describe('The entity type to update.'), - }) - .required(); +const paramsSchema = z.object({ + entityType: z.enum(ALL_ENTITY_TYPES).describe('The entity type to update.'), +}); const querySchema = z.object({ force: BooleanFromString.optional() diff --git a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/force_ccs_extract_to_updates.ts b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/force_ccs_extract_to_updates.ts index fcda39059024b..8f659e5936bfa 100644 --- a/x-pack/solutions/security/plugins/entity_store/server/routes/apis/force_ccs_extract_to_updates.ts +++ b/x-pack/solutions/security/plugins/entity_store/server/routes/apis/force_ccs_extract_to_updates.ts @@ -25,7 +25,7 @@ const bodySchema = z.object({ indexPatterns: z.array(z.string()).min(1), fromDateISO: z.string().datetime(), toDateISO: z.string().datetime(), - docsLimit: z.number().int().positive().optional(), + docsLimit: z.number().int().min(1).optional(), }); export function registerForceCcsExtractToUpdates(router: EntityStorePluginRouter) { diff --git a/x-pack/solutions/security/plugins/entity_store/server/routes/constants.ts b/x-pack/solutions/security/plugins/entity_store/server/routes/constants.ts index 70e72566087bb..bd03e6dd4b6a2 100644 --- a/x-pack/solutions/security/plugins/entity_store/server/routes/constants.ts 
+++ b/x-pack/solutions/security/plugins/entity_store/server/routes/constants.ts @@ -49,8 +49,8 @@ export const LogExtractionUpdateParams = z.object({ .string() .regex(/[smdh]$/) .optional(), - docsLimit: z.number().int().positive().optional(), - maxLogsPerPage: z.number().int().positive().optional(), + docsLimit: z.number().int().min(1).optional(), + maxLogsPerPage: z.number().int().min(1).optional(), }); export type LogExtractionBodyParams = LogExtractionInstallParams | LogExtractionUpdateParams;
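Review bot: `docsLimit` and `maxLogsPerPage` in `LogExtractionUpdateParams` now have a floor of 1 via `.min(1)` but still no ceiling, so an API caller can submit values up to `Number.MAX_SAFE_INTEGER` in the request body. If these drive the page size and total document count of the extraction task (the consumer is not visible from here), an explicit upper bound such as `maxLogsPerPage: z.number().int().min(1).max(LOG_EXTRACTION_MAX_LOGS_PER_PAGE_LIMIT).optional(),` with whatever limit the task can actually handle keeps a single update request from configuring an unbounded fetch. The same applies to `docsLimit`; the object literal starts before the hunk.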