--- title: Get entity context description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Security Monitoring --- # Get entity context{% #get-entity-context %} Copy pageCopied {% tab title="v2" %} **Note**: This endpoint is in Preview and is subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/). | Datadog site | API endpoint | | ----------------- | --------------------------------------------------------------------------- | | ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/entity_context | | ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/entity_context | | app.datadoghq.eu | GET https://api.datadoghq.eu/api/v2/security_monitoring/entity_context | | app.ddog-gov.com | GET https://api.ddog-gov.com/api/v2/security_monitoring/entity_context | | us2.ddog-gov.com | GET https://api.us2.ddog-gov.com/api/v2/security_monitoring/entity_context | | app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/entity_context | | us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/entity_context | | us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/entity_context | ### Overview Search the Cloud SIEM entity context store for entities that match a query, and return the historical revisions of each entity in the requested time range. The endpoint can either return revisions across an interval (`from` / `to`) or the snapshot of each entity at a single point in time (`as_of`); the two modes are mutually exclusive. This endpoint requires the `siem_entities_read` permission. OAuth apps require the `siem_entities_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint. ### Arguments #### Query Strings | Name | Type | Description | | ---------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | query | string | A free-text query (for example, an email address or principal ID) used to filter the entities returned. | | from | string | The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now-7d`). Defaults to `now-7d`. Ignored when `as_of` is set. | | to | string | The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now`). Defaults to `now`. Ignored when `as_of` is set. | | as_of | string | A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp (in seconds), or a relative time (for example, `now-1d`). When set, `from` and `to` are ignored. Cannot be combined with custom `from` / `to` values. | | limit | integer | The maximum number of entities to return. | | page_token | string | An opaque token used to fetch the next page of results, as returned in `meta.page.next_token` of a previous response. | ### Response {% tab title="200" %} OK {% tab title="Model" %} Response from the entity context endpoint, containing the matching entities and pagination metadata. | Parent field | Field | Type | Description | | ------------ | ------------------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | data [*required*] | [object] | The list of entities matching the query. | | data | attributes [*required*] | object | The attributes of an entity context entry, grouping all the historical revisions of the entity. | | attributes | revisions [*required*] | [object] | The historical revisions of the entity, ordered chronologically. | | revisions | attributes [*required*] | object | The set of attributes recorded for the entity at this revision. The keys depend on the kind of entity. | | revisions | first_seen_at [*required*] | date-time | The first time the entity was observed at this revision. | | revisions | last_seen_at [*required*] | date-time | The last time the entity was observed at this revision. | | data | id [*required*] | string | The unique identifier of the entity. | | data | type [*required*] | string | The type of the entity. Reflects the underlying entity kind from the entity context store (for example, `siem_entity_identity` for identities). Defaults to `entity` when the kind is unknown. | | | meta [*required*] | object | Metadata returned alongside the entity context response. | | meta | page [*required*] | object | Pagination metadata for the entity context response. | | page | next_token [*required*] | string | An opaque token to pass as `page_token` in a subsequent request to retrieve the next page of results. Empty when there are no more results. | | meta | total_count [*required*] | int32 | The total number of entities matching the query, irrespective of pagination. | {% /tab %} {% tab title="Example" %} ```json { "data": [ { "attributes": { "revisions": [ { "attributes": { "accounts": [ "linked-account-123" ], "display_name": "Test User", "email": "user@example.com", "principal_id": "user@example.com" }, "first_seen_at": "2026-04-01T00:00:00Z", "last_seen_at": "2026-05-01T00:00:00Z" } ] }, "id": "user@example.com", "type": "siem_entity_identity" } ], "meta": { "page": { "next_token": "" }, "total_count": 1 } } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Not Authorized {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \# Curl command curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/entity_context" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" {% /tab %}