Investigated Entity List API

The Investigated Entity List API returns entities that have been marked as investigated. The API supports pagination, allowing consumers to retrieve and navigate through large sets of investigated entities.

Overview

The Offenses API returns the most recent offenses from QRadar. Results can be filtered by offense type or restricted to User and Entity Behavior Analytics (UEBA) offenses.

Endpoint

GET /api/investigated_entity_list

Query parameters

Parameter Type Default Description
limit integer 50

Maximum number of investigated entities returned in a single request.

offset integer 0

Number of entities to skip before returning results. Used for pagination.

Pagination

  • limit: Controls the number of records returned per request.
  • offset: Specifies the starting position within the result set.
Note: Use both parameters together to navigate through large result sets.

Response

The API returns a list of offenses containing information such as:

  • A list of investigated entitites
  • Entity identifiers and associated user information
  • Investigation-related details, such as status and investigation date
  • Pagination metadata, including total_count, limit, and offset

Response example

{
  "investigated": [
    {
      "entity_id": 12345,
      "username": "john.doe",
      "investigation_date": "2026-06-15T10:15:00Z",
      "investigation_status": "Closed",
      "notes": "Investigation completed"
    }
  ],
  "total_count": 150,
  "limit": 50,
  "offset": 0
}

Error handling

HTTP Status Description
500 Internal Server Error An unexpected error occurred while retrieving investigated entity list.