Kibana APIs — Security Entity Analytics API

Kibana APIs — Security Entity Analytics API. 42 operations. Lead operation: Delete an asset criticality record. Self-contained Naftiko capability covering one Kibana business surface.

What You Can Do

DELETE
Deleteassetcriticalityrecord — Delete an asset criticality record
/v1/api/asset-criticality
GET
Getassetcriticalityrecord — Get an asset criticality record
/v1/api/asset-criticality
POST
Createassetcriticalityrecord — Upsert an asset criticality record
/v1/api/asset-criticality
POST
Bulkupsertassetcriticalityrecords — Bulk upsert asset criticality records
/v1/api/asset-criticality/bulk
GET
Findassetcriticalityrecords — List asset criticality records
/v1/api/asset-criticality/list
DELETE
Deletemonitoringengine — Delete the Privilege Monitoring Engine
/v1/api/entity-analytics/monitoring/engine/delete
POST
Disablemonitoringengine — Disable the Privilege Monitoring Engine
/v1/api/entity-analytics/monitoring/engine/disable
POST
Initmonitoringengine — Initialize the Privilege Monitoring Engine
/v1/api/entity-analytics/monitoring/engine/init
POST
Schedulemonitoringengine — Schedule the Privilege Monitoring Engine
/v1/api/entity-analytics/monitoring/engine/schedule-now
GET
Privmonhealth — Health check on Privilege Monitoring
/v1/api/entity-analytics/monitoring/privileges/health
GET
Privmonprivileges — Run a privileges check on Privilege Monitoring
/v1/api/entity-analytics/monitoring/privileges/privileges
POST
Createprivmonuser — Create a new monitored user
/v1/api/entity-analytics/monitoring/users
POST
Privmonbulkuploaduserscsv — Upsert multiple monitored users via CSV upload
/v1/api/entity-analytics/monitoring/users/csv
GET
Listprivmonusers — List all monitored users
/v1/api/entity-analytics/monitoring/users/list
DELETE
Deleteprivmonuser — Delete a monitored user
/v1/api/entity-analytics/monitoring/users/{id}
PUT
Updateprivmonuser — Update a monitored user
/v1/api/entity-analytics/monitoring/users/{id}
POST
Installprivilegedaccessdetectionpackage — Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience
/v1/api/entity-analytics/privileged-user-monitoring/pad/install
GET
Getprivilegedaccessdetectionpackagestatus — Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience
/v1/api/entity-analytics/privileged-user-monitoring/pad/status
POST
Createwatchlist — Create a new watchlist
/v1/api/entity-analytics/watchlists
GET
Listwatchlists — List all watchlists
/v1/api/entity-analytics/watchlists/list
GET
Getwatchlist — Get a watchlist by ID
/v1/api/entity-analytics/watchlists/{id}
PUT
Updatewatchlist — Update an existing watchlist
/v1/api/entity-analytics/watchlists/{id}
POST
Uploadwatchlistcsv — Upload a CSV file to add entities to a watchlist
/v1/api/entity-analytics/watchlists/{watchlist-id}/csv-upload
POST
Assignwatchlistentities — Manually assign entities to a watchlist
/v1/api/entity-analytics/watchlists/{watchlist-id}/entities/assign
POST
Unassignwatchlistentities — Manually unassign entities from a watchlist
/v1/api/entity-analytics/watchlists/{watchlist-id}/entities/unassign
POST
Initentitystore — Initialize the Entity Store
/v1/api/entity-store/enable
DELETE
Deleteentityengines — Delete Entity Engines
/v1/api/entity-store/engines
GET
Listentityengines — List the Entity Engines
/v1/api/entity-store/engines
POST
Applyentityenginedataviewindices — Apply DataView indices to all installed engines
/v1/api/entity-store/engines/apply-dataview-indices
DELETE
Deleteentityengine — Delete the Entity Engine
/v1/api/entity-store/engines/{entitytype}
GET
Getentityengine — Get an Entity Engine
/v1/api/entity-store/engines/{entitytype}
POST
Initentityengine — Initialize an Entity Engine
/v1/api/entity-store/engines/{entitytype}/init
POST
Startentityengine — Start an Entity Engine
/v1/api/entity-store/engines/{entitytype}/start
POST
Stopentityengine — Stop an Entity Engine
/v1/api/entity-store/engines/{entitytype}/stop
PUT
Upsertentitiesbulk — Upsert many entities in Entity Store
/v1/api/entity-store/entities/bulk
GET
Listentities — List Entity Store Entities
/v1/api/entity-store/entities/list
DELETE
Deletesingleentity — Delete an entity in Entity Store
/v1/api/entity-store/entities/{entitytype}
PUT
Upsertentity — Upsert an entity in Entity Store
/v1/api/entity-store/entities/{entitytype}
GET
Getentitystorestatus — Get the status of the Entity Store
/v1/api/entity-store/status
DELETE
Cleanupriskengine — Cleanup the Risk Engine
/v1/api/risk-score/engine/dangerously-delete-data
PATCH
Configureriskenginesavedobject — Configure the Risk Engine Saved Object
/v1/api/risk-score/engine/saved-object/configure
POST
Scheduleriskenginenow — Run the risk scoring engine
/v1/api/risk-score/engine/schedule-now

MCP Tools

delete-asset-criticality-record
Delete an asset criticality record
idempotent

get-asset-criticality-record
Get an asset criticality record
read-only idempotent

upsert-asset-criticality-record
Upsert an asset criticality record

bulk-upsert-asset-criticality-records
Bulk upsert asset criticality records

list-asset-criticality-records
List asset criticality records
read-only idempotent

delete-privilege-monitoring-engine
Delete the Privilege Monitoring Engine
idempotent

disable-privilege-monitoring-engine
Disable the Privilege Monitoring Engine

initialize-privilege-monitoring-engine
Initialize the Privilege Monitoring Engine

schedule-privilege-monitoring-engine
Schedule the Privilege Monitoring Engine

health-check-privilege-monitoring
Health check on Privilege Monitoring
read-only idempotent

run-privileges-check-privilege-monitoring
Run a privileges check on Privilege Monitoring
read-only idempotent

create-new-monitored-user
Create a new monitored user

upsert-multiple-monitored-users-csv
Upsert multiple monitored users via CSV upload

list-all-monitored-users
List all monitored users
read-only idempotent

delete-monitored-user
Delete a monitored user
idempotent

update-monitored-user
Update a monitored user
idempotent

installs-privileged-access-detection-package
Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience

gets-status-privileged-access-detection
Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience
read-only idempotent

create-new-watchlist
Create a new watchlist

list-all-watchlists
List all watchlists
read-only idempotent

get-watchlist-id
Get a watchlist by ID
read-only idempotent

update-existing-watchlist
Update an existing watchlist
idempotent

upload-csv-file-add-entities
Upload a CSV file to add entities to a watchlist

manually-assign-entities-watchlist
Manually assign entities to a watchlist

manually-unassign-entities-watchlist
Manually unassign entities from a watchlist

initialize-entity-store
Initialize the Entity Store

delete-entity-engines
Delete Entity Engines
idempotent

list-entity-engines
List the Entity Engines
read-only idempotent

apply-dataview-indices-all-installed
Apply DataView indices to all installed engines

delete-entity-engine
Delete the Entity Engine
idempotent

get-entity-engine
Get an Entity Engine
read-only idempotent

initialize-entity-engine
Initialize an Entity Engine

start-entity-engine
Start an Entity Engine

stop-entity-engine
Stop an Entity Engine

upsert-many-entities-entity-store
Upsert many entities in Entity Store
idempotent

list-entity-store-entities
List Entity Store Entities
read-only idempotent

delete-entity-entity-store
Delete an entity in Entity Store
idempotent

upsert-entity-entity-store
Upsert an entity in Entity Store
idempotent

get-status-entity-store
Get the status of the Entity Store
read-only idempotent

cleanup-risk-engine
Cleanup the Risk Engine
idempotent

configure-risk-engine-saved-object
Configure the Risk Engine Saved Object
idempotent

run-risk-scoring-engine
Run the risk scoring engine

Capability Spec

kibana-security-entity-analytics-api.yaml
naftiko: 1.0.0-alpha2
info:
  label: Kibana APIs — Security Entity Analytics API
  description: 'Kibana APIs — Security Entity Analytics API. 42 operations. Lead operation: Delete an asset criticality record.
    Self-contained Naftiko capability covering one Kibana business surface.'
  tags:
  - Kibana
  - Security Entity Analytics API
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    KIBANA_API_KEY: KIBANA_API_KEY
capability:
  consumes:
  - type: http
    namespace: kibana-security-entity-analytics-api
    baseUri: https://{kibana_url}
    description: Kibana APIs — Security Entity Analytics API business capability. Self-contained, no shared references.
    resources:
    - name: api-asset_criticality
      path: /api/asset_criticality
      operations:
      - name: deleteassetcriticalityrecord
        method: DELETE
        description: Delete an asset criticality record
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id_value
          in: query
          type: string
          description: The ID value of the asset.
          required: true
        - name: id_field
          in: query
          type: string
          description: The field representing the ID.
          required: true
        - name: refresh
          in: query
          type: string
          description: If 'wait_for' the request will wait for the index refresh.
      - name: getassetcriticalityrecord
        method: GET
        description: Get an asset criticality record
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id_value
          in: query
          type: string
          description: The ID value of the asset.
          required: true
        - name: id_field
          in: query
          type: string
          description: The field representing the ID.
          required: true
      - name: createassetcriticalityrecord
        method: POST
        description: Upsert an asset criticality record
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-asset_criticality-bulk
      path: /api/asset_criticality/bulk
      operations:
      - name: bulkupsertassetcriticalityrecords
        method: POST
        description: Bulk upsert asset criticality records
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: api-asset_criticality-list
      path: /api/asset_criticality/list
      operations:
      - name: findassetcriticalityrecords
        method: GET
        description: List asset criticality records
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: sort_field
          in: query
          type: string
          description: The field to sort by.
        - name: sort_direction
          in: query
          type: string
          description: The order to sort by.
        - name: page
          in: query
          type: integer
          description: The page number to return.
        - name: per_page
          in: query
          type: integer
          description: The number of records to return per page.
        - name: kuery
          in: query
          type: string
          description: The kuery to filter by.
    - name: api-entity_analytics-monitoring-engine-delete
      path: /api/entity_analytics/monitoring/engine/delete
      operations:
      - name: deletemonitoringengine
        method: DELETE
        description: Delete the Privilege Monitoring Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: data
          in: query
          type: boolean
          description: Whether to delete all the privileged user data
    - name: api-entity_analytics-monitoring-engine-disable
      path: /api/entity_analytics/monitoring/engine/disable
      operations:
      - name: disablemonitoringengine
        method: POST
        description: Disable the Privilege Monitoring Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-monitoring-engine-init
      path: /api/entity_analytics/monitoring/engine/init
      operations:
      - name: initmonitoringengine
        method: POST
        description: Initialize the Privilege Monitoring Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-monitoring-engine-schedule_now
      path: /api/entity_analytics/monitoring/engine/schedule_now
      operations:
      - name: schedulemonitoringengine
        method: POST
        description: Schedule the Privilege Monitoring Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-monitoring-privileges-health
      path: /api/entity_analytics/monitoring/privileges/health
      operations:
      - name: privmonhealth
        method: GET
        description: Health check on Privilege Monitoring
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-monitoring-privileges-privileges
      path: /api/entity_analytics/monitoring/privileges/privileges
      operations:
      - name: privmonprivileges
        method: GET
        description: Run a privileges check on Privilege Monitoring
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-monitoring-users
      path: /api/entity_analytics/monitoring/users
      operations:
      - name: createprivmonuser
        method: POST
        description: Create a new monitored user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_analytics-monitoring-users-_csv
      path: /api/entity_analytics/monitoring/users/_csv
      operations:
      - name: privmonbulkuploaduserscsv
        method: POST
        description: Upsert multiple monitored users via CSV upload
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: api-entity_analytics-monitoring-users-list
      path: /api/entity_analytics/monitoring/users/list
      operations:
      - name: listprivmonusers
        method: GET
        description: List all monitored users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: kql
          in: query
          type: string
          description: KQL query to filter the list of monitored users
    - name: api-entity_analytics-monitoring-users-id
      path: /api/entity_analytics/monitoring/users/{id}
      operations:
      - name: deleteprivmonuser
        method: DELETE
        description: Delete a monitored user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The document ID of the monitored user to delete
          required: true
      - name: updateprivmonuser
        method: PUT
        description: Update a monitored user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The document ID of the monitored user to update
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_analytics-privileged_user_monitoring-pad-install
      path: /api/entity_analytics/privileged_user_monitoring/pad/install
      operations:
      - name: installprivilegedaccessdetectionpackage
        method: POST
        description: Installs the privileged access detection package for the Entity Analytics privileged user monitoring
          experience
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-privileged_user_monitoring-pad-status
      path: /api/entity_analytics/privileged_user_monitoring/pad/status
      operations:
      - name: getprivilegedaccessdetectionpackagestatus
        method: GET
        description: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring
          experience
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-watchlists
      path: /api/entity_analytics/watchlists
      operations:
      - name: createwatchlist
        method: POST
        description: Create a new watchlist
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_analytics-watchlists-list
      path: /api/entity_analytics/watchlists/list
      operations:
      - name: listwatchlists
        method: GET
        description: List all watchlists
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_analytics-watchlists-id
      path: /api/entity_analytics/watchlists/{id}
      operations:
      - name: getwatchlist
        method: GET
        description: Get a watchlist by ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: Unique ID of the watchlist
          required: true
      - name: updatewatchlist
        method: PUT
        description: Update an existing watchlist
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The ID of the watchlist to update
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_analytics-watchlists-watchlist_id-csv_upload
      path: /api/entity_analytics/watchlists/{watchlist_id}/csv_upload
      operations:
      - name: uploadwatchlistcsv
        method: POST
        description: Upload a CSV file to add entities to a watchlist
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: watchlist_id
          in: path
          type: string
          description: The ID of the watchlist to add entities to
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_analytics-watchlists-watchlist_id-entities-assign
      path: /api/entity_analytics/watchlists/{watchlist_id}/entities/assign
      operations:
      - name: assignwatchlistentities
        method: POST
        description: Manually assign entities to a watchlist
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: watchlist_id
          in: path
          type: string
          description: The ID of the watchlist to add entities to
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_analytics-watchlists-watchlist_id-entities-unassign
      path: /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
      operations:
      - name: unassignwatchlistentities
        method: POST
        description: Manually unassign entities from a watchlist
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: watchlist_id
          in: path
          type: string
          description: The ID of the watchlist to remove entities from
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_store-enable
      path: /api/entity_store/enable
      operations:
      - name: initentitystore
        method: POST
        description: Initialize the Entity Store
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_store-engines
      path: /api/entity_store/engines
      operations:
      - name: deleteentityengines
        method: DELETE
        description: Delete Entity Engines
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityTypes
          in: query
          type: array
          description: The entity type of the engine ('user', 'host', 'service', 'generic').
        - name: delete_data
          in: query
          type: boolean
          description: Control flag to also delete the entity data.
      - name: listentityengines
        method: GET
        description: List the Entity Engines
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_store-engines-apply_dataview_indices
      path: /api/entity_store/engines/apply_dataview_indices
      operations:
      - name: applyentityenginedataviewindices
        method: POST
        description: Apply DataView indices to all installed engines
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-entity_store-engines-entityType
      path: /api/entity_store/engines/{entityType}
      operations:
      - name: deleteentityengine
        method: DELETE
        description: Delete the Entity Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityType
          in: path
          type: string
          description: The entity type of the engine (either 'user' or 'host').
          required: true
        - name: delete_data
          in: query
          type: boolean
          description: Control flag to also delete the entity data.
        - name: data
          in: query
          type: boolean
          description: Control flag to also delete the entity data.
      - name: getentityengine
        method: GET
        description: Get an Entity Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityType
          in: path
          type: string
          description: The entity type of the engine.
          required: true
    - name: api-entity_store-engines-entityType-init
      path: /api/entity_store/engines/{entityType}/init
      operations:
      - name: initentityengine
        method: POST
        description: Initialize an Entity Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityType
          in: path
          type: string
          description: The entity type of the engine.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_store-engines-entityType-start
      path: /api/entity_store/engines/{entityType}/start
      operations:
      - name: startentityengine
        method: POST
        description: Start an Entity Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityType
          in: path
          type: string
          description: The entity type of the engine to start.
          required: true
    - name: api-entity_store-engines-entityType-stop
      path: /api/entity_store/engines/{entityType}/stop
      operations:
      - name: stopentityengine
        method: POST
        description: Stop an Entity Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityType
          in: path
          type: string
          description: The entity type of the engine to stop.
          required: true
    - name: api-entity_store-entities-bulk
      path: /api/entity_store/entities/bulk
      operations:
      - name: upsertentitiesbulk
        method: PUT
        description: Upsert many entities in Entity Store
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: force
          in: query
          type: boolean
          description: When true, allows updating protected fields.
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_store-entities-list
      path: /api/entity_store/entities/list
      operations:
      - name: listentities
        method: GET
        description: List Entity Store Entities
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: sort_field
          in: query
          type: string
          description: Field to sort results by.
        - name: sort_order
          in: query
          type: string
          description: Sort order.
        - name: page
          in: query
          type: integer
          description: Page number to return (1-indexed).
        - name: per_page
          in: query
          type: integer
          description: Number of entities per page.
        - name: filterQuery
          in: query
          type: string
          description: An ES query to filter by.
        - name: entity_types
          in: query
          type: array
          description: Entity types to include in the results.
          required: true
    - name: api-entity_store-entities-entityType
      path: /api/entity_store/entities/{entityType}
      operations:
      - name: deletesingleentity
        method: DELETE
        description: Delete an entity in Entity Store
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityType
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: upsertentity
        method: PUT
        description: Upsert an entity in Entity Store
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: entityType
          in: path
          type: string
          required: true
        - name: force
          in: query
          type: boolean
          description: When true, allows updating protected fields.
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-entity_store-status
      path: /api/entity_store/status
      operations:
      - name: getentitystorestatus
        method: GET
        description: Get the status of the Entity Store
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: include_components
          in: query
          type: boolean
          description: If true, returns a detailed status of each engine including all its components.
    - name: api-risk_score-engine-dangerously_delete_data
      path: /api/risk_score/engine/dangerously_delete_data
      operations:
      - name: cleanupriskengine
        method: DELETE
        description: Cleanup the Risk Engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-risk_score-engine-saved_object-configure
      path: /api/risk_score/engine/saved_object/configure
      operations:
      - name: configureriskenginesavedobject
        method: PATCH
        description: Configure the Risk Engine Saved Object
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-risk_score-engine-schedule_now
      path: /api/risk_score/engine/schedule_now
      operations:
      - name: scheduleriskenginenow
        method: POST
        description: Run the risk scoring engine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    authentication:
      type: apikey
      key: Authorization
      value: '{{env.KIBANA_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: kibana-security-entity-analytics-api-rest
    port: 8080
    description: REST adapter for Kibana APIs — Security Entity Analytics API. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/api/asset-criticality
      name: api-asset-criticality
      description: REST surface for api-asset_criticality.
      operations:
      - method: DELETE
        name: deleteassetcriticalityrecord
        description: Delete an asset criticality record
        call: kibana-security-entity-analytics-api.deleteassetcriticalityrecord
        with:
          id_value: rest.id_value
          id_field: rest.id_field
          refresh: rest.refresh
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: getassetcriticalityrecord
        description: Get an asset criticality record
        call: kibana-security-entity-analytics-api.getassetcriticalityrecord
        with:
          id_value: rest.id_value
          id_field: rest.id_field
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createassetcriticalityrecord
        description: Upsert an asset criticality record
        call: kibana-security-entity-analytics-api.createassetcriticalityrecord
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/asset-criticality/bulk
      name: api-asset-criticality-bulk
      description: REST surface for api-asset_criticality-bulk.
      operations:
      - method: POST
        name: bulkupsertassetcriticalityrecords
        description: Bulk upsert asset criticality records
        call: kibana-security-entity-analytics-api.bulkupsertassetcriticalityrecords
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/asset-criticality/list
      name: api-asset-criticality-list
      description: REST surface for api-asset_criticality-list.
      operations:
      - method: GET
        name: findassetcriticalityrecords
        description: List asset criticality records
        call: kibana-security-entity-analytics-api.findassetcriticalityrecords
        with:
          sort_field: rest.sort_field
          sort_direction: rest.sort_direction
          page: rest.page
          per_page: rest.per_page
          kuery: rest.kuery
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/engine/delete
      name: api-entity-analytics-monitoring-engine-delete
      description: REST surface for api-entity_analytics-monitoring-engine-delete.
      operations:
      - method: DELETE
        name: deletemonitoringengine
        description: Delete the Privilege Monitoring Engine
        call: kibana-security-entity-analytics-api.deletemonitoringengine
        with:
          data: rest.data
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/engine/disable
      name: api-entity-analytics-monitoring-engine-disable
      description: REST surface for api-entity_analytics-monitoring-engine-disable.
      operations:
      - method: POST
        name: disablemonitoringengine
        description: Disable the Privilege Monitoring Engine
        call: kibana-security-entity-analytics-api.disablemonitoringengine
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/engine/init
      name: api-entity-analytics-monitoring-engine-init
      description: REST surface for api-entity_analytics-monitoring-engine-init.
      operations:
      - method: POST
        name: initmonitoringengine
        description: Initialize the Privilege Monitoring Engine
        call: kibana-security-entity-analytics-api.initmonitoringengine
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/engine/schedule-now
      name: api-entity-analytics-monitoring-engine-schedule-now
      description: REST surface for api-entity_analytics-monitoring-engine-schedule_now.
      operations:
      - method: POST
        name: schedulemonitoringengine
        description: Schedule the Privilege Monitoring Engine
        call: kibana-security-entity-analytics-api.schedulemonitoringengine
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/privileges/health
      name: api-entity-analytics-monitoring-privileges-health
      description: REST surface for api-entity_analytics-monitoring-privileges-health.
      operations:
      - method: GET
        name: privmonhealth
        description: Health check on Privilege Monitoring
        call: kibana-security-entity-analytics-api.privmonhealth
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/privileges/privileges
      name: api-entity-analytics-monitoring-privileges-privileges
      description: REST surface for api-entity_analytics-monitoring-privileges-privileges.
      operations:
      - method: GET
        name: privmonprivileges
        description: Run a privileges check on Privilege Monitoring
        call: kibana-security-entity-analytics-api.privmonprivileges
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/users
      name: api-entity-analytics-monitoring-users
      description: REST surface for api-entity_analytics-monitoring-users.
      operations:
      - method: POST
        name: createprivmonuser
        description: Create a new monitored user
        call: kibana-security-entity-analytics-api.createprivmonuser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/users/csv
      name: api-entity-analytics-monitoring-users-csv
      description: REST surface for api-entity_analytics-monitoring-users-_csv.
      operations:
      - method: POST
        name: privmonbulkuploaduserscsv
        description: Upsert multiple monitored users via CSV upload
        call: kibana-security-entity-analytics-api.privmonbulkuploaduserscsv
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/users/list
      name: api-entity-analytics-monitoring-users-list
      description: REST surface for api-entity_analytics-monitoring-users-list.
      operations:
      - method: GET
        name: listprivmonusers
        description: List all monitored users
        call: kibana-security-entity-analytics-api.listprivmonusers
        with:
          kql: rest.kql
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/monitoring/users/{id}
      name: api-entity-analytics-monitoring-users-id
      description: REST surface for api-entity_analytics-monitoring-users-id.
      operations:
      - method: DELETE
        name: deleteprivmonuser
        description: Delete a monitored user
        call: kibana-security-entity-analytics-api.deleteprivmonuser
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: updateprivmonuser
        description: Update a monitored user
        call: kibana-security-entity-analytics-api.updateprivmonuser
        with:
          id: rest.id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/privileged-user-monitoring/pad/install
      name: api-entity-analytics-privileged-user-monitoring-pad-install
      description: REST surface for api-entity_analytics-privileged_user_monitoring-pad-install.
      operations:
      - method: POST
        name: installprivilegedaccessdetectionpackage
        description: Installs the privileged access detection package for the Entity Analytics privileged user monitoring
          experience
        call: kibana-security-entity-analytics-api.installprivilegedaccessdetectionpackage
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/entity-analytics/privileged-user-monitoring/pad/status
      name: api-entity-analytics-privileged-user-monitoring-pad-status
      description: REST surface for api-entity_analytics-privileged_user_monitoring-pad-status.
      operations:
      - method: GET
        name: getprivilegedaccessdetectionpackagestatus
        description: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring
          experience
        call: kibana-security-entity-analytics-api.getprivilegedaccessdetectionpackagestatus
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api

# --- truncated at 32 KB (58 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/kibana/refs/heads/main/capabilities/kibana-security-entity-analytics-api.yaml