Upsert an entity in Entity Store

PUT /api/entity_store/entities/{entityType}

Update or create an entity in Entity Store. If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated:

  • entity.attributes.*
  • entity.lifecycle.*
  • entity.behavior.*

To update other fields, set the force query parameter to true.

> info
> Some fields always retain the first observed value. Updates to these fields will not appear in the final index.
> Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values.
> Due to technical limitations, create is an async operation. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.

Path parameters

  • entityType string Required

    Values are user, host, service, or generic.

Query parameters

  • force boolean

    Default value is false.

application/json

Body object Required

Schema for updating a single entity

One of:

Responses

  • 200 application/json

    Entity updated or created

    One of:
  • 403

    Operation on a restricted field

  • 409

    Conflict. The entity was updated while another update was happening in Elasticsearch

  • 503

    Operation on an uninitialized Engine or in a cluster without CRUD API Enabled

PUT /api/entity_store/entities/{entityType}
curl \
 --request PUT 'https://<KIBANA_URL>/api/entity_store/entities/{entityType}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"@timestamp":"2025-05-04T09:42:00Z","asset":{"business_unit":"string","criticality":"low_impact","environment":"string","id":"string","model":"string","name":"string","owner":"string","serial_number":"string","vendor":"string"},"entity":{"attributes":{"asset":true,"managed":true,"mfa_enabled":true,"privileged":true},"behaviors":{"brute_force_victim":true,"new_country_login":true,"used_usb_device":true},"EngineMetadata":{"Type":"string"},"id":"string","lifecycle":{"first_seen":"2025-05-04T09:42:00Z","last_activity":"2025-05-04T09:42:00Z"},"name":"string","relationships":{"accessed_frequently_by":["string"],"accesses_frequently":["string"],"communicates_with":["string"],"dependent_of":["string"],"depends_on":["string"],"owned_by":["string"],"owns":["string"],"supervised_by":["string"],"supervises":["string"]},"risk":{"calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0},"source":"string","sub_type":"string","type":"string"},"event":{"ingested":"2025-05-04T09:42:00Z"},"user":{"domain":["string"],"email":["string"],"full_name":["string"],"hash":["string"],"id":["string"],"name":"string","risk":{"@timestamp":"2017-07-21T17:32:28Z","calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0,"category_1_count":42,"category_1_score":42.0,"category_2_count":42,"category_2_score":42.0,"criticality_level":"low_impact","criticality_modifier":42.0,"id_field":"host.name","id_value":"example.host","inputs":[{"category":"category_1","contribution_score":42.0,"description":"Generated from Detection Engine Rule: Malware Prevention Alert","id":"91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c","index":".internal.alerts-security.alerts-default-000001","risk_score":42.0,"timestamp":"2017-07-21T17:32:28Z"}],"notes":["string"]},"roles":["string"]}}'
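The following Python sketch is an added example, not part of the original reference or of Kibana's code. It checks a request body against the default-updatable field prefixes listed above and adds `force=true` only when the caller explicitly allows it, so restricted fields are not overwritten by accident. The helper names, the `kibana.example` host, the sample bodies, and the treatment of `entity.id` as an identifier rather than an update are assumptions.

```python
import json
import urllib.parse
import urllib.request

ENTITY_TYPES = ("user", "host", "service", "generic")
# Field prefixes the page lists as updatable without force=true.
DEFAULT_UPDATABLE = ("entity.attributes.", "entity.lifecycle.", "entity.behavior.")
# Documented non-200 responses mapped to a client action (the actions are this example's choice).
ON_ERROR = {403: "restricted field: review the body or pass force",
            409: "concurrent update: retry with backoff",
            503: "engine uninitialized or CRUD API disabled: do not retry"}

def leaf_paths(obj, prefix=""):
    """Yield the dotted path of every leaf value in a nested JSON object."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from leaf_paths(value, f"{prefix}{key}.")
        else:
            yield f"{prefix}{key}"

def fields_needing_force(body, identity_fields=("entity.id",)):
    """Return body fields outside the default-updatable set.
    identity_fields is an assumption: fields that only name the entity."""
    return sorted(p for p in leaf_paths(body)
                  if p not in identity_fields and not p.startswith(DEFAULT_UPDATABLE))

def build_upsert(kibana_url, entity_type, body, authorization, allow_force=False):
    """Build (not send) the PUT request; force=true is added only when needed and allowed."""
    if entity_type not in ENTITY_TYPES:
        raise ValueError(f"entityType must be one of {ENTITY_TYPES}")
    restricted = fields_needing_force(body)
    if restricted and not allow_force:
        raise PermissionError(f"force=true required for: {restricted}")
    url = f"{kibana_url.rstrip('/')}/api/entity_store/entities/{entity_type}"
    if restricted:
        url += "?" + urllib.parse.urlencode({"force": "true"})
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": authorization, "Content-Type": "application/json"})

# Constructed sample bodies (not real data).
SAFE = {"entity": {"id": "host-01", "attributes": {"privileged": True, "mfa_enabled": False}}}
RISKY = {"entity": {"id": "host-01", "attributes": {"managed": True}},
         "asset": {"criticality": "low_impact"}}

if __name__ == "__main__":
    print(build_upsert("https://kibana.example", "host", SAFE, "placeholder").full_url)
    print(fields_needing_force(RISKY))
```

Because create is asynchronous, a caller that reads the entity back should expect a delay of more than a minute before the document appears in the final index.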