The users_above_threshold API endpoint gathers the users whose risk score is above the
risk threshold. It returns the current risk threshold (`risk_threshold`) and the users whose
risk is above that threshold. The user data returned has the fields shown in the sample below,
taken from the UBA database.
cURL command
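# Query the users_above_threshold endpoint of the UBA app proxy on the QRadar console.
# Placeholders: QR_IP_ADDRESS = console host, UBA_APP_ID = installed UBA application ID,
# SEC_TOKEN = authorized-service (SEC) token; treat the token as a credential and avoid
# leaving it in shell history (e.g. read it from an environment variable).
# NOTE: -k disables TLS certificate verification, so the request is exposed to MITM;
# drop it (or use --cacert with the console's CA certificate) wherever possible.
# Every -H argument must be followed by a space before the URL, otherwise the URL is
# concatenated onto the SEC header and curl has nothing to connect to.
curl -k \
  -H 'Content-Type:application/json' \
  -H 'Accept:application/json' \
  -H 'SEC:SEC_TOKEN' \
  https://QR_IP_ADDRESS/console/plugins/UBA_APP_ID/app_proxy/api/users_above_threshold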
Sample return
{"risk_threshold":305.0,"users":[{"alert":"Test","aliases":["john.doe"],"city":null,"country":null,"custom_group":null,"dept":null,"display_name":"john.doe","email":null,"full_name":null,"id":4,"id1":"john.doe","id2":null,"id3":null,"id4":null,"in_custom_grp_peer_group_watchlist":false,"in_dept_peer_group_watchlist":false,"in_job_title_peer_group_watchlist":false,"in_ml_abridged_watch_list":true,"in_ml_watch_list":true,"in_peer_group_watchlist":false,"investigation_expires":1626364130,"investigation_started":1626277730,"investigation_user":"admin","job_title":null,"last_offense_time":1626275154,"latest_risk":90.0,"linked_import_ids":null,"manager":null,"member_of":null,"ml_id":"john.doe","ml_watched":false,"prolonged_risk":21380.0,"risk":1618.95,"risk_1":1620.49,"risk_2":1606.45,"risk_3":1628.62,"risk_poll_count":230,"risk_scale_max":1.0,"source":"ariel","state":null,"trending":-1,"trusted_user":false,"updated_this_run":0,"username":"john.doe","watched":1,"watchlist_memberships":[{"addition_date":1626267571,"from_ref_set":false,"from_regex":true,"name":"Watch ML Users with data","ref_set":null,"regex":"ibm_sense","regex_field":"username","risk_scale":1.0,"source":"automatic","watchlist_id":2}],"watson_search_date":0,"watson_search_id":null}]}