Users above threshold

The users_above_threshold API endpoint returns the users whose risk score is currently above the risk threshold. The response contains the system's current risk threshold (`risk_threshold`) and a `users` array; each user record has the fields shown in the sample below, taken from the UBA database. Because these records include identity fields such as email, full name, manager, job title and location, treat the response as sensitive data and protect the SEC token used to call this endpoint accordingly.

cURL command

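# Fetch the users whose risk score is above the threshold from the UBA app proxy.
# Replace QR_IP_ADDRESS with the QRadar console host, UBA_APP_ID with the UBA app ID,
# and SEC_TOKEN with an authorized service token (keep the token out of shell history/logs).
# -k disables TLS certificate verification: use it only against a console with a
# self-signed certificate; prefer --cacert <console-ca.pem> where a trusted CA is available.
# A space is required between the last -H value and the URL, otherwise the shell merges
# them into one header argument and curl reports "no URL specified".
curl -k \
  -H 'Content-Type:application/json' \
  -H 'Accept:application/json' \
  -H 'SEC:SEC_TOKEN' \
  https://QR_IP_ADDRESS/console/plugins/UBA_APP_ID/app_proxy/api/users_above_threshold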

Sample return

{"risk_threshold":305.0,"users":[{"alert":"Test","aliases":["john.doe"],"city":null,"country":null,"custom_group":null,"dept":null,"display_name":"john.doe","email":null,"full_name":null,"id":4,"id1":"john.doe","id2":null,"id3":null,"id4":null,"in_custom_grp_peer_group_watchlist":false,"in_dept_peer_group_watchlist":false,"in_job_title_peer_group_watchlist":false,"in_ml_abridged_watch_list":true,"in_ml_watch_list":true,"in_peer_group_watchlist":false,"investigation_expires":1626364130,"investigation_started":1626277730,"investigation_user":"admin","job_title":null,"last_offense_time":1626275154,"latest_risk":90.0,"linked_import_ids":null,"manager":null,"member_of":null,"ml_id":"john.doe","ml_watched":false,"prolonged_risk":21380.0,"risk":1618.95,"risk_1":1620.49,"risk_2":1606.45,"risk_3":1628.62,"risk_poll_count":230,"risk_scale_max":1.0,"source":"ariel","state":null,"trending":-1,"trusted_user":false,"updated_this_run":0,"username":"john.doe","watched":1,"watchlist_memberships":[{"addition_date":1626267571,"from_ref_set":false,"from_regex":true,"name":"Watch ML Users with data","ref_set":null,"regex":"ibm_sense","regex_field":"username","risk_scale":1.0,"source":"automatic","watchlist_id":2}],"watson_search_date":0,"watson_search_id":null}]}