Top 10 anomalous users

The top_ten_users_anomalies API endpoint returns the 10 users with the most anomalies (rules fired).

cURL command

curl -k -H 'Content-Type:application/json' -H 'Accept:application/json' -H 'SEC:SEC_TOKEN' https://QR_IP_ADDRESS/console/plugins/UBA_APP_ID/app_proxy/api/top_ten_users_anomalies

Sample return

Note: The following sample shows an example return of one user.
{"users":[{"alert":"Test","aliases":["john.doe"],"city":null,"color_severity":4,"country":null,"custom_group":null,"dept":null,"display_name":"john.doe","email":null,"full_name":null,"id":4,"id1":"john.doe","id2":null,"id3":null,"id4":null,"in_custom_grp_peer_group_watchlist":false,"in_dept_peer_group_watchlist":false,"in_job_title_peer_group_watchlist":false,"in_ml_abridged_watch_list":true,"in_ml_watch_list":true,"in_peer_group_watchlist":false,"investigation_expires":1626364130,"investigation_started":1626277730,"investigation_user":"admin","job_title":null,"last_offense_time":1626278817,"latest_risk":80.0,"linked_import_ids":null,"manager":null,"member_of":null,"ml_id":"john.doe","ml_watched":false,"prolonged_risk":22830.0,"risk":1652.54,"risk_1":1666.13,"risk_2":1660.97,"risk_3":1659.96,"risk_poll_count":245,"risk_scale_max":1.0,"source":"ariel","state":null,"total_anomalies":28,"trending":-1,"trusted_user":false,"updated_this_run":0,"user_id":4,"username":"john.doe","watched":1,"watchlist_memberships":[{"addition_date":1626267571,"from_ref_set":false,"from_regex":true,"name":"Watch ML Users with data","ref_set":null,"regex":"ibm_sense","regex_field":"username","risk_scale":1.0,"source":"automatic","watchlist_id":2}],"watson_search_date":0,"watson_search_id":null}]}
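
The following added example, which is not part of the original documentation, turns this response into a triage list: it sorts users by total_anomalies, converts the timestamp fields to UTC, and marks users whose investigation is still open. The second user in SAMPLE, the fetch() helper and its ca_file parameter are constructed here; reading the time fields as epoch seconds and investigation_expires as the end of the investigation is an assumption based on the sample values.

```python
import json, ssl, time, urllib.request
from datetime import datetime, timezone

# Constructed sample: john.doe is trimmed from the sample return, jane.roe is invented.
SAMPLE = """{"users":[
 {"username":"john.doe","total_anomalies":28,"risk":1652.54,"investigation_user":"admin",
  "investigation_expires":1626364130,"last_offense_time":1626278817,
  "watchlist_memberships":[{"name":"Watch ML Users with data","watchlist_id":2}]},
 {"username":"jane.roe","total_anomalies":31,"risk":410.0,"investigation_user":null,
  "investigation_expires":null,"last_offense_time":null,"watchlist_memberships":[]}
]}"""

def fetch(host, app_id, sec_token, ca_file):
    """Same request as the cURL command, but the console certificate is checked
    against ca_file (hypothetical parameter) instead of being skipped as with -k."""
    url = f"https://{host}/console/plugins/{app_id}/app_proxy/api/top_ten_users_anomalies"
    req = urllib.request.Request(url, headers={"Accept": "application/json", "SEC": sec_token})
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")

def utc(epoch):
    """Epoch seconds (assumed unit) -> ISO 8601 UTC string; null fields stay None."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat() if epoch else None

def summarize(body, now=None):
    """Return one triage row per user, highest total_anomalies first."""
    now = time.time() if now is None else now
    rows = []
    for u in json.loads(body).get("users", []):
        expires = u.get("investigation_expires")
        rows.append({
            "username": u.get("username"),
            "total_anomalies": u.get("total_anomalies") or 0,
            "risk": u.get("risk"),
            # Assumption: an investigation is open until investigation_expires passes.
            "under_investigation": bool(expires and expires > now),
            "investigation_user": u.get("investigation_user"),
            "investigation_expires_utc": utc(expires),
            "last_offense_utc": utc(u.get("last_offense_time")),
            "watchlists": [w["name"] for w in u.get("watchlist_memberships") or []],
        })
    return sorted(rows, key=lambda r: r["total_anomalies"], reverse=True)

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch(...) for a live console.
    for row in summarize(SAMPLE, now=1626300000):
        print(row)
```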