Get Entity Risk Score

Note: This endpoint is in public beta and is subject to change. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id}
GET https://api.ap2.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id}
GET https://api.datadoghq.eu/api/v2/security-entities/risk-scores/{entity_id}
GET https://api.ddog-gov.com/api/v2/security-entities/risk-scores/{entity_id}
GET https://api.us2.ddog-gov.com/api/v2/security-entities/risk-scores/{entity_id}
GET https://api.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id}
GET https://api.us3.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id}
GET https://api.us5.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id}

Overview

Get the risk score for a specific entity by its ID. Returns security risk assessment including risk score, severity, detected signals, misconfigurations, and identity risks.

Arguments

Path Parameters

Name | Type | Description
entity_id [required] | string | The URL-encoded unique identifier for the entity.

Response

OK

Response containing a single entity risk score

Field | Type | Description
data [required] | object | An entity risk score containing security risk assessment information
  attributes [required] | object | Attributes of an entity risk score.
    accountIds [required] | [string] | Cloud account IDs associated with the entity.
    configRisks [required] | object | Configuration risks associated with the entity
      hasIdentityRisk [required] | boolean | Whether the entity has identity risks
      hasMisconfiguration [required] | boolean | Whether the entity has misconfigurations
      hasPrivilegedRole [required] | boolean | Whether the entity has privileged roles
      isPrivileged [required] | boolean | Whether the entity has privileged access
      isProduction [required] | boolean | Whether the entity is in a production environment
      isPubliclyAccessible [required] | boolean | Whether the entity is publicly accessible
    entityMetadata [required] | object | Metadata about the entity from cloud providers
      accountID | string | Cloud account ID (AWS)
      environments [required] | [string] | Environment tags associated with the entity
      mitreTactics [required] | [string] | MITRE ATT&CK tactics detected
      mitreTechniques [required] | [string] | MITRE ATT&CK techniques detected
      projectID | string | Cloud project ID (GCP)
      services [required] | [string] | Services associated with the entity
      sources [required] | [string] | Data sources that detected this entity
      subscriptionID | string | Cloud subscription ID (Azure)
    entityName | string | Human-readable name of the entity.
    entityProviders [required] | [string] | Cloud providers associated with the entity.
    entityRoles | [string] | Roles associated with the entity.
    entitySubTypes [required] | [string] | Sub-types associated with the entity.
    entityType | string | Type of the entity (for example, aws_iam_user, aws_ec2_instance).
    entityTypes | [string] | All types associated with the entity.
    firstDetected [required] | int64 | Timestamp when the entity was first detected (Unix milliseconds).
    lastActivityTitle [required] | string | Title of the most recent signal detected for this entity.
    lastDetected [required] | int64 | Timestamp when the entity was last detected (Unix milliseconds).
    riskScore [required] | int64 | Current risk score for the entity.
    riskScoreEvolution [required] | int64 | Change in risk score compared to previous period.
    severity [required] | enum | Severity level based on risk score. Allowed enum values: critical, high, medium, low, info
    signalsDetected [required] | int64 | Number of security signals detected for this entity.
  id [required] | string | Unique identifier for the entity
  type [required] | enum | Resource type. Allowed enum values: SecurityEntityRiskScore

{
  "data": {
    "attributes": {
      "accountIds": [
        "222233334444",
        "3333333555555"
      ],
      "configRisks": {
        "hasIdentityRisk": false,
        "hasMisconfiguration": true,
        "hasPrivilegedRole": true,
        "isPrivileged": false,
        "isProduction": true,
        "isPubliclyAccessible": true
      },
      "entityMetadata": {
        "accountID": "123456789012",
        "environments": [
          "production",
          "us-east-1"
        ],
        "mitreTactics": [
          "Credential Access",
          "Privilege Escalation"
        ],
        "mitreTechniques": [
          "T1078",
          "T1098"
        ],
        "projectID": "my-gcp-project",
        "services": [
          "api-gateway",
          "lambda"
        ],
        "sources": [
          "cloudtrail",
          "cloud-security-posture-management"
        ],
        "subscriptionID": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
      },
      "entityName": "john.doe",
      "entityProviders": [
        "AWS"
      ],
      "entityRoles": [
        []
      ],
      "entitySubTypes": [
        "Root"
      ],
      "entityType": "aws_iam_user",
      "entityTypes": [
        "Root",
        "User Name"
      ],
      "firstDetected": 1778876604661,
      "lastActivityTitle": "Suspicious API call detected",
      "lastDetected": 1780064607093,
      "riskScore": 85,
      "riskScoreEvolution": 12,
      "severity": "critical",
      "signalsDetected": 15
    },
    "id": "arn:aws:iam::123456789012:user/john.doe",
    "type": "SecurityEntityRiskScore"
  }
}

Bad Request

API error response.

Field | Type | Description
errors [required] | [object] | A list of errors.
  detail | string | A human-readable explanation specific to this occurrence of the error.
  meta | object | Non-standard meta-information about the error
  source | object | References to the source of the error.
    header | string | A string indicating the name of a single request header which caused the error.
    parameter | string | A string indicating which URI query parameter caused the error.
    pointer | string | A JSON pointer to the value in the request document that caused the error.
  status | string | Status code of the response.
  title | string | Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Unauthorized

API error response.

Field | Type | Description
errors [required] | [object] | A list of errors.
  detail | string | A human-readable explanation specific to this occurrence of the error.
  meta | object | Non-standard meta-information about the error
  source | object | References to the source of the error.
    header | string | A string indicating the name of a single request header which caused the error.
    parameter | string | A string indicating which URI query parameter caused the error.
    pointer | string | A JSON pointer to the value in the request document that caused the error.
  status | string | Status code of the response.
  title | string | Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden

API error response.

Field | Type | Description
errors [required] | [object] | A list of errors.
  detail | string | A human-readable explanation specific to this occurrence of the error.
  meta | object | Non-standard meta-information about the error
  source | object | References to the source of the error.
    header | string | A string indicating the name of a single request header which caused the error.
    parameter | string | A string indicating which URI query parameter caused the error.
    pointer | string | A JSON pointer to the value in the request document that caused the error.
  status | string | Status code of the response.
  title | string | Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found

API error response.

Field | Type | Description
errors [required] | [object] | A list of errors.
  detail | string | A human-readable explanation specific to this occurrence of the error.
  meta | object | Non-standard meta-information about the error
  source | object | References to the source of the error.
    header | string | A string indicating the name of a single request header which caused the error.
    parameter | string | A string indicating which URI query parameter caused the error.
    pointer | string | A JSON pointer to the value in the request document that caused the error.
  status | string | Status code of the response.
  title | string | Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests

API error response.

Field | Type | Description
errors [required] | [string] | A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Path parameters (URL-encoded form of arn:aws:iam::123456789012:user/john.doe)
export entity_id="arn%3Aaws%3Aiam%3A%3A123456789012%3Auser%2Fjohn.doe"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X GET "https://api.datadoghq.com/api/v2/security-entities/risk-scores/${entity_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
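
An added example (not Datadog's code) of consuming this endpoint from Python: it percent-encodes the entity ID for the path, checks the enum and boolean fields the response schema marks as required, and reduces the response to a triage record. The function names, the `escalate` rule and the trimmed sample response are assumptions made for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import quote

BASE = "https://api.datadoghq.com/api/v2/security-entities/risk-scores/"
SEVERITIES = {"critical", "high", "medium", "low", "info"}  # enum values from this page
RISK_FLAGS = ("hasIdentityRisk", "hasMisconfiguration", "hasPrivilegedRole",
              "isPrivileged", "isProduction", "isPubliclyAccessible")

def risk_score_url(entity_id):
    """Build the request URL; safe="" makes quote() encode '/' and ':' too."""
    return BASE + quote(entity_id, safe="")

def utc_iso(ms):
    """Convert Unix milliseconds to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).isoformat()

def summarize(doc):
    """Validate a response body and reduce it to a triage record."""
    data = doc["data"]
    if data["type"] != "SecurityEntityRiskScore":
        raise ValueError(f"unexpected resource type {data['type']!r}")
    attrs = data["attributes"]
    if attrs["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {attrs['severity']!r}")
    risks = attrs["configRisks"]
    bad = [k for k in RISK_FLAGS if not isinstance(risks.get(k), bool)]
    if bad:
        raise ValueError(f"configRisks fields missing or not boolean: {bad}")
    # Hypothetical triage rule: exposed production entity that holds privilege.
    escalate = (risks["isPubliclyAccessible"] and risks["isProduction"]
                and (risks["isPrivileged"] or risks["hasPrivilegedRole"]))
    return {
        "id": data["id"], "severity": attrs["severity"],
        "risk_score": attrs["riskScore"],
        "active_risks": [k for k in RISK_FLAGS if risks[k]],
        "last_detected": utc_iso(attrs["lastDetected"]),
        "escalate": escalate,
    }

# Constructed sample: a trimmed copy of the example response on this page.
SAMPLE = {"data": {"id": "arn:aws:iam::123456789012:user/john.doe",
    "type": "SecurityEntityRiskScore",
    "attributes": {"severity": "critical", "riskScore": 85,
        "lastDetected": 1780064607093,
        "configRisks": {"hasIdentityRisk": False, "hasMisconfiguration": True,
            "hasPrivilegedRole": True, "isPrivileged": False,
            "isProduction": True, "isPubliclyAccessible": True}}}}

if __name__ == "__main__":
    print(risk_score_url(SAMPLE["data"]["id"]), summarize(SAMPLE), sep="\n")
```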