--- title: Get Entity Risk Score description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Entity Risk Scores --- # Get Entity Risk Score{% #get-entity-risk-score %} Copy pageCopied {% tab title="v2" %} **Note**: This endpoint is in public beta and it's subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/). | Datadog site | API endpoint | | ----------------- | ---------------------------------------------------------------------------------- | | ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id} | | ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id} | | app.datadoghq.eu | GET https://api.datadoghq.eu/api/v2/security-entities/risk-scores/{entity_id} | | app.ddog-gov.com | GET https://api.ddog-gov.com/api/v2/security-entities/risk-scores/{entity_id} | | us2.ddog-gov.com | GET https://api.us2.ddog-gov.com/api/v2/security-entities/risk-scores/{entity_id} | | app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id} | | us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id} | | us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security-entities/risk-scores/{entity_id} | ### Overview Get the risk score for a specific entity by its ID. Returns security risk assessment including risk score, severity, detected signals, misconfigurations, and identity risks. ### Arguments #### Path Parameters | Name | Type | Description | | --------------------------- | ------ | ------------------------------------------------- | | entity_id [*required*] | string | The URL-encoded unique identifier for the entity. | ### Response {% tab title="200" %} OK {% tab title="Model" %} Response containing a single entity risk score | Parent field | Field | Type | Description | | -------------- | -------------------------------------- | -------- | --------------------------------------------------------------------------------------- | | | data [*required*] | object | An entity risk score containing security risk assessment information | | data | attributes [*required*] | object | Attributes of an entity risk score. | | attributes | accountIds [*required*] | [string] | Cloud account IDs associated with the entity. | | attributes | configRisks [*required*] | object | Configuration risks associated with the entity | | configRisks | hasIdentityRisk [*required*] | boolean | Whether the entity has identity risks | | configRisks | hasMisconfiguration [*required*] | boolean | Whether the entity has misconfigurations | | configRisks | hasPrivilegedRole [*required*] | boolean | Whether the entity has privileged roles | | configRisks | isPrivileged [*required*] | boolean | Whether the entity has privileged access | | configRisks | isProduction [*required*] | boolean | Whether the entity is in a production environment | | configRisks | isPubliclyAccessible [*required*] | boolean | Whether the entity is publicly accessible | | attributes | entityMetadata [*required*] | object | Metadata about the entity from cloud providers | | entityMetadata | accountID | string | Cloud account ID (AWS) | | entityMetadata | environments [*required*] | [string] | Environment tags associated with the entity | | entityMetadata | mitreTactics [*required*] | [string] | MITRE ATT&CK tactics detected | | entityMetadata | mitreTechniques [*required*] | [string] | MITRE ATT&CK techniques detected | | entityMetadata | projectID | string | Cloud project ID (GCP) | | entityMetadata | services [*required*] | [string] | Services associated with the entity | | entityMetadata | sources [*required*] | [string] | Data sources that detected this entity | | entityMetadata | subscriptionID | string | Cloud subscription ID (Azure) | | attributes | entityName | string | Human-readable name of the entity. | | attributes | entityProviders [*required*] | [string] | Cloud providers associated with the entity. | | attributes | entityRoles | [string] | Roles associated with the entity. | | attributes | entitySubTypes [*required*] | [string] | Sub-types associated with the entity. | | attributes | entityType | string | Type of the entity (for example, aws_iam_user, aws_ec2_instance). | | attributes | entityTypes | [string] | All types associated with the entity. | | attributes | firstDetected [*required*] | int64 | Timestamp when the entity was first detected (Unix milliseconds). | | attributes | lastActivityTitle [*required*] | string | Title of the most recent signal detected for this entity. | | attributes | lastDetected [*required*] | int64 | Timestamp when the entity was last detected (Unix milliseconds). | | attributes | riskScore [*required*] | int64 | Current risk score for the entity. | | attributes | riskScoreEvolution [*required*] | int64 | Change in risk score compared to previous period. | | attributes | severity [*required*] | enum | Severity level based on risk score Allowed enum values: `critical,high,medium,low,info` | | attributes | signalsDetected [*required*] | int64 | Number of security signals detected for this entity. | | data | id [*required*] | string | Unique identifier for the entity | | data | type [*required*] | enum | Resource type. Allowed enum values: `SecurityEntityRiskScore` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "accountIds": [ "222233334444", "3333333555555" ], "configRisks": { "hasIdentityRisk": false, "hasMisconfiguration": true, "hasPrivilegedRole": true, "isPrivileged": false, "isProduction": true, "isPubliclyAccessible": true }, "entityMetadata": { "accountID": "123456789012", "environments": [ "production", "us-east-1" ], "mitreTactics": [ "Credential Access", "Privilege Escalation" ], "mitreTechniques": [ "T1078", "T1098" ], "projectID": "my-gcp-project", "services": [ "api-gateway", "lambda" ], "sources": [ "cloudtrail", "cloud-security-posture-management" ], "subscriptionID": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" }, "entityName": "john.doe", "entityProviders": [ "AWS" ], "entityRoles": [ [] ], "entitySubTypes": [ "Root" ], "entityType": "aws_iam_user", "entityTypes": [ "Root", "User Name" ], "firstDetected": 1778876604661, "lastActivityTitle": "Suspicious API call detected", "lastDetected": 1780064607093, "riskScore": 85, "riskScoreEvolution": 12, "severity": "critical", "signalsDetected": 15 }, "id": "arn:aws:iam::123456789012:user/john.doe", "type": "SecurityEntityRiskScore" } } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Parent field | Field | Type | Description | | ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- | | | errors [*required*] | [object] | A list of errors. | | errors | detail | string | A human-readable explanation specific to this occurrence of the error. | | errors | meta | object | Non-standard meta-information about the error | | errors | source | object | References to the source of the error. | | source | header | string | A string indicating the name of a single request header which caused the error. | | source | parameter | string | A string indicating which URI query parameter caused the error. | | source | pointer | string | A JSON pointer to the value in the request document that caused the error. | | errors | status | string | Status code of the response. | | errors | title | string | Short human-readable summary of the error. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ { "detail": "Missing required attribute in body", "meta": {}, "source": { "header": "Authorization", "parameter": "limit", "pointer": "/data/attributes/title" }, "status": "400", "title": "Bad Request" } ] } ``` {% /tab %} {% /tab %} {% tab title="401" %} Unauthorized {% tab title="Model" %} API error response. | Parent field | Field | Type | Description | | ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- | | | errors [*required*] | [object] | A list of errors. | | errors | detail | string | A human-readable explanation specific to this occurrence of the error. | | errors | meta | object | Non-standard meta-information about the error | | errors | source | object | References to the source of the error. | | source | header | string | A string indicating the name of a single request header which caused the error. | | source | parameter | string | A string indicating which URI query parameter caused the error. | | source | pointer | string | A JSON pointer to the value in the request document that caused the error. | | errors | status | string | Status code of the response. | | errors | title | string | Short human-readable summary of the error. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ { "detail": "Missing required attribute in body", "meta": {}, "source": { "header": "Authorization", "parameter": "limit", "pointer": "/data/attributes/title" }, "status": "400", "title": "Bad Request" } ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Forbidden {% tab title="Model" %} API error response. | Parent field | Field | Type | Description | | ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- | | | errors [*required*] | [object] | A list of errors. | | errors | detail | string | A human-readable explanation specific to this occurrence of the error. | | errors | meta | object | Non-standard meta-information about the error | | errors | source | object | References to the source of the error. | | source | header | string | A string indicating the name of a single request header which caused the error. | | source | parameter | string | A string indicating which URI query parameter caused the error. | | source | pointer | string | A JSON pointer to the value in the request document that caused the error. | | errors | status | string | Status code of the response. | | errors | title | string | Short human-readable summary of the error. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ { "detail": "Missing required attribute in body", "meta": {}, "source": { "header": "Authorization", "parameter": "limit", "pointer": "/data/attributes/title" }, "status": "400", "title": "Bad Request" } ] } ``` {% /tab %} {% /tab %} {% tab title="404" %} Not Found {% tab title="Model" %} API error response. | Parent field | Field | Type | Description | | ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- | | | errors [*required*] | [object] | A list of errors. | | errors | detail | string | A human-readable explanation specific to this occurrence of the error. | | errors | meta | object | Non-standard meta-information about the error | | errors | source | object | References to the source of the error. | | source | header | string | A string indicating the name of a single request header which caused the error. | | source | parameter | string | A string indicating which URI query parameter caused the error. | | source | pointer | string | A JSON pointer to the value in the request document that caused the error. | | errors | status | string | Status code of the response. | | errors | title | string | Short human-readable summary of the error. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ { "detail": "Missing required attribute in body", "meta": {}, "source": { "header": "Authorization", "parameter": "limit", "pointer": "/data/attributes/title" }, "status": "400", "title": "Bad Request" } ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \# Path parameters export entity_id="arn:aws:iam::123456789012:user/john.doe" \# Curl command curl -X GET "https://api.datadoghq.com/api/v2/security-entities/risk-scores/${entity_id}" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" {% /tab %}