---
title: Get entity context
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > API Reference > Security Monitoring
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Get entity context{% #get-entity-context %}
Copy pageCopied
{% tab title="v2" %}
**Note**: This endpoint is in Preview and is subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
| Datadog site      | API endpoint                                                                |
| ----------------- | --------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/entity_context |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/entity_context |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/entity_context      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/entity_context      |
| us2.ddog-gov.com  | GET https://api.us2.ddog-gov.com/api/v2/security_monitoring/entity_context  |
| uk1.datadoghq.com | GET https://api.uk1.datadoghq.com/api/v2/security_monitoring/entity_context |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/entity_context     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/entity_context |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/entity_context |

### Overview

Search the Cloud SIEM entity context store for entities that match a query, and return the historical revisions of each entity in the requested time range. The endpoint can either return revisions across an interval (`from` / `to`) or the snapshot of each entity at a single point in time (`as_of`); the two modes are mutually exclusive. This endpoint requires the `siem_entities_read` permission.

OAuth apps require the `siem_entities_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name       | Type    | Description                                                                                                                                                                                                                                             |
| ---------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| query      | string  | A free-text query (for example, an email address or principal ID) used to filter the entities returned.                                                                                                                                                 |
| from       | string  | The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now-7d`). Defaults to `now-7d`. Ignored when `as_of` is set.                                                                                            |
| to         | string  | The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now`). Defaults to `now`. Ignored when `as_of` is set.                                                                                                    |
| as_of      | string  | A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp (in seconds), or a relative time (for example, `now-1d`). When set, `from` and `to` are ignored. Cannot be combined with custom `from` / `to` values. |
| limit      | integer | The maximum number of entities to return.                                                                                                                                                                                                               |
| page_token | string  | An opaque token used to fetch the next page of results, as returned in `meta.page.next_token` of a previous response.                                                                                                                                   |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response from the entity context endpoint, containing the matching entities and pagination metadata.

| Parent field | Field                           | Type      | Description                                                                                                                                                                                    |
| ------------ | ------------------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]          | [object]  | The list of entities matching the query.                                                                                                                                                       |
| data         | attributes [*required*]    | object    | The attributes of an entity context entry, grouping all the historical revisions of the entity.                                                                                                |
| attributes   | revisions [*required*]     | [object]  | The historical revisions of the entity, ordered chronologically.                                                                                                                               |
| revisions    | attributes [*required*]    | object    | The set of attributes recorded for the entity at this revision. The keys depend on the kind of entity.                                                                                         |
| revisions    | first_seen_at [*required*] | date-time | The first time the entity was observed at this revision.                                                                                                                                       |
| revisions    | last_seen_at [*required*]  | date-time | The last time the entity was observed at this revision.                                                                                                                                        |
| data         | id [*required*]            | string    | The unique identifier of the entity.                                                                                                                                                           |
| data         | type [*required*]          | string    | The type of the entity. Reflects the underlying entity kind from the entity context store (for example, `siem_entity_identity` for identities). Defaults to `entity` when the kind is unknown. |
|              | meta [*required*]          | object    | Metadata returned alongside the entity context response.                                                                                                                                       |
| meta         | page [*required*]          | object    | Pagination metadata for the entity context response.                                                                                                                                           |
| page         | next_token [*required*]    | string    | An opaque token to pass as `page_token` in a subsequent request to retrieve the next page of results. Empty when there are no more results.                                                    |
| meta         | total_count [*required*]   | int32     | The total number of entities matching the query, irrespective of pagination.                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "revisions": [
          {
            "attributes": {
              "accounts": [
                "linked-account-123"
              ],
              "display_name": "Test User",
              "email": "user@example.com",
              "principal_id": "user@example.com"
            },
            "first_seen_at": "2026-04-01T00:00:00Z",
            "last_seen_at": "2026-05-01T00:00:00Z"
          }
        ]
      },
      "id": "user@example.com",
      "type": "siem_entity_identity"
    }
  ],
  "meta": {
    "page": {
      "next_token": ""
    },
    "total_count": 1
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### 
                  \# Curl command curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/entity_context" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" 
                
##### 

```python
"""
Get entity context returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_entity_context"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_entity_context()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
##### 

```ruby
# Get entity context returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_entity_context".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_entity_context()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
##### 

```go
// Get entity context returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetEntityContext", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetEntityContext(ctx, *datadogV2.NewGetEntityContextOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetEntityContext`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetEntityContext`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
##### 

```java
// Get entity context returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.EntityContextResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getEntityContext", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      EntityContextResponse result = apiInstance.getEntityContext();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getEntityContext");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
##### 

```rust
// Get entity context returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetEntityContextOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetEntityContext", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_entity_context(GetEntityContextOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
##### 

```typescript
/**
 * Get entity context returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getEntityContext"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .getEntityContext()
  .then((data: v2.EntityContextResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}
