Get entity context

Note: This endpoint is in Preview and is subject to change. If you have any feedback, contact Datadog support.

GET

https://api.ap1.datadoghq.com/api/v2/security_monitoring/entity_context
https://api.ap2.datadoghq.com/api/v2/security_monitoring/entity_context
https://api.datadoghq.eu/api/v2/security_monitoring/entity_context
https://api.ddog-gov.com/api/v2/security_monitoring/entity_context
https://api.us2.ddog-gov.com/api/v2/security_monitoring/entity_context
https://api.datadoghq.com/api/v2/security_monitoring/entity_context
https://api.us3.datadoghq.com/api/v2/security_monitoring/entity_context
https://api.us5.datadoghq.com/api/v2/security_monitoring/entity_context

Overview

Search the Cloud SIEM entity context store for entities that match a query, and return the historical revisions of each entity in the requested time range. The endpoint can either return revisions across an interval (from / to) or the snapshot of each entity at a single point in time (as_of); the two modes are mutually exclusive. This endpoint requires the siem_entities_read permission.

OAuth apps require the siem_entities_read authorization scope to access this endpoint.

Arguments

Query Strings

Name (Type): Description

query (string): A free-text query (for example, an email address or principal ID) used to filter the entities returned.

from (string): The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, now-7d). Defaults to now-7d. Ignored when as_of is set.

to (string): The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, now). Defaults to now. Ignored when as_of is set.

as_of (string): A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp (in seconds), or a relative time (for example, now-1d). When set, from and to are ignored. Cannot be combined with custom from / to values.

limit (integer): The maximum number of entities to return.

page_token (string): An opaque token used to fetch the next page of results, as returned in meta.page.next_token of a previous response.

Response

OK

Response from the entity context endpoint, containing the matching entities and pagination metadata.


Field (Type): Description

data [required] ([object]): The list of entities matching the query.
  attributes [required] (object): The attributes of an entity context entry, grouping all the historical revisions of the entity.
    revisions [required] ([object]): The historical revisions of the entity, ordered chronologically.
      attributes [required] (object): The set of attributes recorded for the entity at this revision. The keys depend on the kind of entity.
      first_seen_at [required] (date-time): The first time the entity was observed at this revision.
      last_seen_at [required] (date-time): The last time the entity was observed at this revision.
  id [required] (string): The unique identifier of the entity.
  type [required] (string, default: entity): The type of the entity. Reflects the underlying entity kind from the entity context store (for example, siem_entity_identity for identities). Defaults to entity when the kind is unknown.
meta [required] (object): Metadata returned alongside the entity context response.
  page [required] (object): Pagination metadata for the entity context response.
    next_token [required] (string): An opaque token to pass as page_token in a subsequent request to retrieve the next page of results. Empty when there are no more results.
  total_count [required] (int32): The total number of entities matching the query, irrespective of pagination.

{
  "data": [
    {
      "attributes": {
        "revisions": [
          {
            "attributes": {
              "accounts": [
                "linked-account-123"
              ],
              "display_name": "Test User",
              "email": "user@example.com",
              "principal_id": "user@example.com"
            },
            "first_seen_at": "2026-04-01T00:00:00Z",
            "last_seen_at": "2026-05-01T00:00:00Z"
          }
        ]
      },
      "id": "user@example.com",
      "type": "siem_entity_identity"
    }
  ],
  "meta": {
    "page": {
      "next_token": ""
    },
    "total_count": 1
  }
}

Bad Request

API error response.


Field (Type): Description

errors [required] ([string]): A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.


Field (Type): Description

errors [required] ([string]): A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.


Field (Type): Description

errors [required] ([string]): A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (one of the hosts listed at the top of this page).
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/entity_context" \
  -H "Accept: application/json" \
  -H "DD-API-KEY: ${DD_API_KEY}" \
  -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
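
The following Python example is added here and is not Datadog's own client code. It rejects as_of combined with custom from / to before sending, follows meta.page.next_token until it is empty, and diffs consecutive revisions of an entity to show which attributes changed and when. The function names, the frm keyword (from is reserved in Python) and the max_pages guard are assumptions of this example.

```python
import json
import os
import urllib.parse
import urllib.request

# Host is one of the site hosts listed on this page; swap in the one for your site.
BASE = "https://api.datadoghq.com/api/v2/security_monitoring/entity_context"

def build_params(query, frm=None, to=None, as_of=None, limit=None, page_token=None):
    """Build the query string; as_of and custom from/to are mutually exclusive."""
    if as_of is not None and (frm is not None or to is not None):
        raise ValueError("as_of cannot be combined with custom from/to")
    params = {"query": query, "from": frm, "to": to, "as_of": as_of,
              "limit": limit, "page_token": page_token}
    return {k: v for k, v in params.items() if v is not None}

def http_fetch(params):
    """Default transport: GET with the key headers from the curl example."""
    req = urllib.request.Request(
        BASE + "?" + urllib.parse.urlencode(params),
        headers={"Accept": "application/json",
                 "DD-API-KEY": os.environ["DD_API_KEY"],
                 "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_entities(query, fetch=http_fetch, max_pages=100, **window):
    """Yield each entity, following meta.page.next_token until it is empty."""
    token = None
    for _ in range(max_pages):
        body = fetch(build_params(query, page_token=token, **window))
        yield from body["data"]
        token = body["meta"]["page"]["next_token"]
        if not token:
            return
    raise RuntimeError("next_token never emptied; stopping (max_pages guard)")

def attribute_changes(entity):
    """Diff consecutive revisions -> [(first_seen_at, key, old, new), ...]."""
    revs = entity["attributes"]["revisions"]  # ordered chronologically
    changes = []
    for prev, cur in zip(revs, revs[1:]):
        old, new = prev["attributes"], cur["attributes"]
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append((cur["first_seen_at"], key, old.get(key), new.get(key)))
    return changes
```

Passing a stub as fetch exercises the pagination and diff logic offline against responses shaped like the sample above.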