
UEBA

These are the API endpoints for retrieving Rule-Based Anomalies, Recent Anomalies, and the Risk Profile for their respective entities. All three are read-only (GET) and require an OAuth token carrying the logs360cloud.ueba.READ scope.

End Points
List Entity and Rule based Anomalies
Get Entity based Risk Score Details
Get Entity based Anomalies

List Entity and Rule based Anomalies

Retrieves anomaly details for a specified entity and rule ID, broken down by anomaly type (time, count, and pattern), within the specified time range. Use this endpoint to investigate the specific anomalies associated with an entity and rule, such as when drilling into an alert.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.ueba.READ
Role : Administrator, Operator

Query Parameters

entity_name
string
(Required)
The name of the user/entity. You can find the entity name in the Log360 Cloud UEBA dashboard under the Users tab.
Max length: 100
domain_name
string
(Required)
The domain name of the entity. You can find the domain name in the Log360 Cloud UEBA dashboard under the Users tab.
Max length: 100
rule_id
string
(Required)
The ID of the anomaly rule. To list available anomaly rule IDs, call GET /api/v2/detection/rules?rule_type=anomaly (scope: logs360cloud.detection.READ) and use the rule_id field from each item in the data array.
start_time
string
Start time for the search range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Time zone offsets are supported.
end_time
string
End time for the search range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Time zone offsets are supported.
from
integer
Start index for pagination. Default value: 1. Maximum: 1000.
limit
integer
Number of records to fetch. Default value: 50. Maximum: 1000.

Headers

Authorization
string
(Required)
OAuth access token, sent as `Zoho-oauthtoken <token>`. The token is a bearer credential: it must carry the logs360cloud.ueba.READ scope, and it should be kept out of URLs, logs and source control. The token values shown in the examples below are redacted placeholders.
account_id
string
(Required)
Identifier of the Log360 Cloud account whose UEBA data is queried. Rate limits are applied per account.

Request Example

// Anomaly details for one entity + rule (Log360 Cloud UEBA), Deluge.
// The Authorization value below is a redacted placeholder: supply a real
// OAuth token with the logs360cloud.ueba.READ scope and your own account_id,
// and do not commit a live token to a shared script.
request_headers = Map();
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
request_headers.put("account_id", "18XXXXX4");
// Only the three required query parameters are passed; time range and
// paging (from/limit) fall back to the service defaults.
anomaly_url = "https://log360cloud.manageengine.com/api/v2/entities/anomaly-details?entity_name=john.doe&domain_name=example.com&rule_id=1000XXXXXXXXXXX78";
response = invokeUrl
[
    url: anomaly_url
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info response;
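// Anomaly details for one entity + rule (Log360 Cloud UEBA) via OkHttp.
// Security: the OAuth token is a bearer credential. Read it from the
// environment (or a secret store) instead of committing it to source, and
// never log the Authorization header.
String token = System.getenv("LOG360_OAUTH_TOKEN");
String accountId = System.getenv("LOG360_ACCOUNT_ID");
if (token == null || accountId == null) {
    throw new IllegalStateException("LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set");
}

// Percent-encode query values: entity and domain names come from directory
// data and are not guaranteed to be safe in a raw query string.
String query = "entity_name=" + URLEncoder.encode("john.doe", StandardCharsets.UTF_8)
    + "&domain_name=" + URLEncoder.encode("example.com", StandardCharsets.UTF_8)
    + "&rule_id=" + URLEncoder.encode("1000XXXXXXXXXXX78", StandardCharsets.UTF_8);

OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/entities/anomaly-details?" + query)
    .get()
    .addHeader("Authorization", "Zoho-oauthtoken " + token)
    .addHeader("account_id", accountId)
    .build();

// try-with-resources closes the response body; the original leaked it.
try (Response response = client.newCall(request).execute()) {
    // Error responses are JSON objects of the form {"error": {code, title, detail}};
    // branch on the status instead of assuming success.
    if (!response.isSuccessful()) {
        throw new IOException("UEBA request failed: HTTP " + response.code());
    }
    // response.body() holds the JSON payload shown under Response Example.
}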
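// Anomaly details for one entity + rule (Log360 Cloud UEBA) with fetch.
// Security: the access token is a bearer credential. Load it from the
// environment (or a secret store) rather than hard-coding it, and keep it
// out of URLs and logs.
const token = process.env.LOG360_OAUTH_TOKEN;
const accountId = process.env.LOG360_ACCOUNT_ID;
if (!token || !accountId) {
  throw new Error('LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set');
}

// Build the query with URLSearchParams so entity/domain names are
// percent-encoded; they come from directory data, not from this script.
const url = new URL('https://log360cloud.manageengine.com/api/v2/entities/anomaly-details');
url.searchParams.set('entity_name', 'john.doe');
url.searchParams.set('domain_name', 'example.com');
url.searchParams.set('rule_id', '1000XXXXXXXXXXX78');

const options = {
  method: 'GET',
  headers: {
    Authorization: `Zoho-oauthtoken ${token}`,
    account_id: accountId,
  },
};

// Error responses are JSON too ({ "error": { code, title, detail } }),
// so parse first and branch on the status instead of assuming success.
fetch(url, options)
  .then(async (response) => {
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`UEBA request failed: HTTP ${response.status} ${JSON.stringify(body.error)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));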
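# Anomaly details for one entity + rule (Log360 Cloud UEBA), stdlib only.
# Security: the OAuth token is a bearer credential. Read it from the
# environment rather than hard-coding it, and never log the Authorization header.
import http.client
import json
import os
from urllib.parse import urlencode

token = os.environ["LOG360_OAUTH_TOKEN"]  # KeyError early if unset
account_id = os.environ["LOG360_ACCOUNT_ID"]

# urlencode percent-encodes entity/domain names, which come from directory
# data and are not guaranteed to be query-safe.
query = urlencode({
    "entity_name": "john.doe",
    "domain_name": "example.com",
    "rule_id": "1000XXXXXXXXXXX78",
})
headers = {
    "Authorization": f"Zoho-oauthtoken {token}",
    "account_id": account_id,
}

# HTTPSConnection verifies the server certificate by default; do not pass an
# unverified SSL context to it.
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", f"/api/v2/entities/anomaly-details?{query}", headers=headers)
    res = conn.getresponse()
    body = json.loads(res.read().decode("utf-8"))
finally:
    conn.close()

# Error responses are JSON objects of the form {"error": {"code", "title", "detail"}}.
if res.status != 200:
    raise RuntimeError(f"UEBA request failed: HTTP {res.status} {body.get('error')}")
print(json.dumps(body, indent=2))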
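// Anomaly details for one entity + rule (Log360 Cloud UEBA) with node:https.
// Security: the access token is a bearer credential. Read it from the
// environment instead of hard-coding it, and keep it out of URLs and logs.
const https = require("node:https");

const token = process.env.LOG360_OAUTH_TOKEN;
const accountId = process.env.LOG360_ACCOUNT_ID;
if (!token || !accountId) {
  throw new Error("LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set");
}

// URLSearchParams percent-encodes entity/domain names (directory data that
// may contain characters unsafe in a raw query string).
const query = new URLSearchParams({
  entity_name: "john.doe",
  domain_name: "example.com",
  rule_id: "1000XXXXXXXXXXX78",
});

const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  path: `/api/v2/entities/anomaly-details?${query}`,
  headers: {
    Authorization: `Zoho-oauthtoken ${token}`,
    account_id: accountId,
  },
};

const req = https.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString("utf8");
    // Error responses are JSON too ({ "error": { code, title, detail } });
    // branch on the status code rather than assuming success.
    if (res.statusCode !== 200) {
      console.error(`UEBA request failed: HTTP ${res.statusCode}`, body);
      process.exitCode = 1;
      return;
    }
    console.log(body);
  });
});
// Without an 'error' listener a DNS/TLS/connection failure is an unhandled
// event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();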
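# Anomaly details for one entity + rule (Log360 Cloud UEBA) with curl.
# Security: the OAuth token is a bearer credential. Reading it from the
# environment keeps it out of the saved script and shell history; to keep it
# off the process list as well, put the header in a curl config file (-K).
: "${LOG360_OAUTH_TOKEN:?set LOG360_OAUTH_TOKEN}"
: "${LOG360_ACCOUNT_ID:?set LOG360_ACCOUNT_ID}"

# --get turns the --data-urlencode pairs into a percent-encoded query string,
# so entity/domain names with special characters are transmitted correctly.
curl --silent --show-error --get \
  --url 'https://log360cloud.manageengine.com/api/v2/entities/anomaly-details' \
  --data-urlencode 'entity_name=john.doe' \
  --data-urlencode 'domain_name=example.com' \
  --data-urlencode 'rule_id=1000XXXXXXXXXXX78' \
  --header "Authorization: Zoho-oauthtoken ${LOG360_OAUTH_TOKEN}" \
  --header "account_id: ${LOG360_ACCOUNT_ID}"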

Response Example

{ "data": { "rule_id": "1000XXXXXXXXXXX78", "rule_name": "windows Logon Details", "entity_name": "l3cuser1_1", "entity_id": "1000XXXXXXXXXXX15", "pattern_anomalies": { "count": 1, "anomalies": [ { "rule_id": "1000XXXXXXXXXXX78", "score": 0.948, "action_name": "windows_successful_logon", "actual_value": "l3cuser1_1 -> [l3cdomain1_20]", "time": "2026-04-09T00:39:30Z", "obtained_field": "DOMAIN" } ] }, "time_anomalies": { "count": 0, "anomalies": [] }, "count_anomalies": { "count": 0, "anomalies": [] } }, "meta": { "from": 1, "limit": 200, "count": 1, "has_more": false } }
{ "error": { "code": "100010404", "title": "Bad Request", "detail": "Rule ID is required." } }
{ "error": { "code": "100010402", "title": "Bad Request", "detail": "Entity Name is required." } }
{ "error": { "code": "100010406", "title": "Bad Request", "detail": "Entity Name must not exceed 100 characters." } }
{ "error": { "code": "100010403", "title": "Bad Request", "detail": "Domain Name is required." } }
{ "error": { "code": "100010407", "title": "Bad Request", "detail": "Domain Name must not exceed 100 characters." } }
{ "error": { "code": "100010400", "title": "Not Found", "detail": "Given Entity not found." } }
{ "error": { "code": "10001018", "title": "Internal Server Error", "detail": "Exception occurred" } }

Get Entity based Risk Score Details

Retrieves a comprehensive risk profile for a specified entity, including the risk score, anomaly count, activity summary, and behavioral baseline deviation details.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.ueba.READ
Role : Administrator, Operator

Query Parameters

entity_name
string
(Required)
The name of the user/entity. You can find the entity name in the Log360 Cloud UEBA dashboard under the Users tab.
Max length: 100
domain_name
string
(Required)
The domain name of the entity. You can find the domain name in the Log360 Cloud UEBA dashboard under the Users tab.
Max length: 100
entity_type
string
(Required)
The type of entity. Accepted values: user, device.

Headers

Authorization
string
(Required)
OAuth access token, sent as `Zoho-oauthtoken <token>`. The token is a bearer credential: it must carry the logs360cloud.ueba.READ scope, and it should be kept out of URLs, logs and source control. The token values shown in the examples below are redacted placeholders.
account_id
string
(Required)
Identifier of the Log360 Cloud account whose UEBA data is queried. Rate limits are applied per account.

Request Example

// Risk profile for one entity (Log360 Cloud UEBA), Deluge.
// The Authorization value below is a redacted placeholder: supply a real
// OAuth token with the logs360cloud.ueba.READ scope and your own account_id,
// and do not commit a live token to a shared script.
request_headers = Map();
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
request_headers.put("account_id", "18XXXXX4");
// All three query parameters are required; entity_type is "user" or "device".
risk_url = "https://log360cloud.manageengine.com/api/v2/entities/risk-profile?entity_name=john.doe&domain_name=example.com&entity_type=user";
response = invokeUrl
[
    url: risk_url
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info response;
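// Risk profile for one entity (Log360 Cloud UEBA) via OkHttp.
// Security: the OAuth token is a bearer credential. Read it from the
// environment (or a secret store) instead of committing it to source, and
// never log the Authorization header.
String token = System.getenv("LOG360_OAUTH_TOKEN");
String accountId = System.getenv("LOG360_ACCOUNT_ID");
if (token == null || accountId == null) {
    throw new IllegalStateException("LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set");
}

// Percent-encode query values: entity and domain names come from directory
// data and are not guaranteed to be safe in a raw query string.
String query = "entity_name=" + URLEncoder.encode("john.doe", StandardCharsets.UTF_8)
    + "&domain_name=" + URLEncoder.encode("example.com", StandardCharsets.UTF_8)
    + "&entity_type=" + URLEncoder.encode("user", StandardCharsets.UTF_8);

OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/entities/risk-profile?" + query)
    .get()
    .addHeader("Authorization", "Zoho-oauthtoken " + token)
    .addHeader("account_id", accountId)
    .build();

// try-with-resources closes the response body; the original leaked it.
try (Response response = client.newCall(request).execute()) {
    // Error responses are JSON objects of the form {"error": {code, title, detail}};
    // branch on the status instead of assuming success.
    if (!response.isSuccessful()) {
        throw new IOException("UEBA request failed: HTTP " + response.code());
    }
    // response.body() holds the JSON payload shown under Response Example.
}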
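// Risk profile for one entity (Log360 Cloud UEBA) with fetch.
// Security: the access token is a bearer credential. Load it from the
// environment (or a secret store) rather than hard-coding it, and keep it
// out of URLs and logs.
const token = process.env.LOG360_OAUTH_TOKEN;
const accountId = process.env.LOG360_ACCOUNT_ID;
if (!token || !accountId) {
  throw new Error('LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set');
}

// Build the query with URLSearchParams so entity/domain names are
// percent-encoded; they come from directory data, not from this script.
const url = new URL('https://log360cloud.manageengine.com/api/v2/entities/risk-profile');
url.searchParams.set('entity_name', 'john.doe');
url.searchParams.set('domain_name', 'example.com');
url.searchParams.set('entity_type', 'user'); // accepted values: user, device

const options = {
  method: 'GET',
  headers: {
    Authorization: `Zoho-oauthtoken ${token}`,
    account_id: accountId,
  },
};

// Error responses are JSON too ({ "error": { code, title, detail } }),
// so parse first and branch on the status instead of assuming success.
fetch(url, options)
  .then(async (response) => {
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`UEBA request failed: HTTP ${response.status} ${JSON.stringify(body.error)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));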
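# Risk profile for one entity (Log360 Cloud UEBA), stdlib only.
# Security: the OAuth token is a bearer credential. Read it from the
# environment rather than hard-coding it, and never log the Authorization header.
import http.client
import json
import os
from urllib.parse import urlencode

token = os.environ["LOG360_OAUTH_TOKEN"]  # KeyError early if unset
account_id = os.environ["LOG360_ACCOUNT_ID"]

# urlencode percent-encodes entity/domain names, which come from directory
# data and are not guaranteed to be query-safe.
query = urlencode({
    "entity_name": "john.doe",
    "domain_name": "example.com",
    "entity_type": "user",  # accepted values: user, device
})
headers = {
    "Authorization": f"Zoho-oauthtoken {token}",
    "account_id": account_id,
}

# HTTPSConnection verifies the server certificate by default; do not pass an
# unverified SSL context to it.
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", f"/api/v2/entities/risk-profile?{query}", headers=headers)
    res = conn.getresponse()
    body = json.loads(res.read().decode("utf-8"))
finally:
    conn.close()

# Error responses are JSON objects of the form {"error": {"code", "title", "detail"}}.
if res.status != 200:
    raise RuntimeError(f"UEBA request failed: HTTP {res.status} {body.get('error')}")
print(json.dumps(body, indent=2))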
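// Risk profile for one entity (Log360 Cloud UEBA) with node:https.
// Security: the access token is a bearer credential. Read it from the
// environment instead of hard-coding it, and keep it out of URLs and logs.
const https = require("node:https");

const token = process.env.LOG360_OAUTH_TOKEN;
const accountId = process.env.LOG360_ACCOUNT_ID;
if (!token || !accountId) {
  throw new Error("LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set");
}

// URLSearchParams percent-encodes entity/domain names (directory data that
// may contain characters unsafe in a raw query string).
const query = new URLSearchParams({
  entity_name: "john.doe",
  domain_name: "example.com",
  entity_type: "user", // accepted values: user, device
});

const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  path: `/api/v2/entities/risk-profile?${query}`,
  headers: {
    Authorization: `Zoho-oauthtoken ${token}`,
    account_id: accountId,
  },
};

const req = https.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString("utf8");
    // Error responses are JSON too ({ "error": { code, title, detail } });
    // branch on the status code rather than assuming success.
    if (res.statusCode !== 200) {
      console.error(`UEBA request failed: HTTP ${res.statusCode}`, body);
      process.exitCode = 1;
      return;
    }
    console.log(body);
  });
});
// Without an 'error' listener a DNS/TLS/connection failure is an unhandled
// event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();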
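# Risk profile for one entity (Log360 Cloud UEBA) with curl.
# Security: the OAuth token is a bearer credential. Reading it from the
# environment keeps it out of the saved script and shell history; to keep it
# off the process list as well, put the header in a curl config file (-K).
: "${LOG360_OAUTH_TOKEN:?set LOG360_OAUTH_TOKEN}"
: "${LOG360_ACCOUNT_ID:?set LOG360_ACCOUNT_ID}"

# --get turns the --data-urlencode pairs into a percent-encoded query string,
# so entity/domain names with special characters are transmitted correctly.
curl --silent --show-error --get \
  --url 'https://log360cloud.manageengine.com/api/v2/entities/risk-profile' \
  --data-urlencode 'entity_name=john.doe' \
  --data-urlencode 'domain_name=example.com' \
  --data-urlencode 'entity_type=user' \
  --header "Authorization: Zoho-oauthtoken ${LOG360_OAUTH_TOKEN}" \
  --header "account_id: ${LOG360_ACCOUNT_ID}"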

Response Example

{ "data": { "entity_name": "l3cuser1_1", "risk_score": 100, "anomaly_count": 1, "activity_summary": [ { "action_name": "windows_successful_logon", "anomaly_count": 1 } ], "behavioral_baseline_deviations": [ { "action_name": "windows_successful_logon", "anomaly_type": "time", "actual_value": "l3cuser1_1 -> [l3cdomain1_20]", "obtained_field": "DOMAIN" } ] } }
{ "error": { "code": "100010402", "title": "Bad Request", "detail": "Entity Name is required." } }
{ "error": { "code": "100010406", "title": "Bad Request", "detail": "Entity Name must not exceed 100 characters." } }
{ "error": { "code": "100010403", "title": "Bad Request", "detail": "Domain Name is required." } }
{ "error": { "code": "100010407", "title": "Bad Request", "detail": "Domain Name must not exceed 100 characters." } }
{ "error": { "code": "100010408", "title": "Bad Request", "detail": "Entity Type is required. Allowed values: user, device." } }
{ "error": { "code": "100010405", "title": "Bad Request", "detail": "Entity Type must be 'user' or 'device'." } }
{ "error": { "code": "100010400", "title": "Not Found", "detail": "Given Entity not found." } }
{ "error": { "code": "10001018", "title": "Internal Server Error", "detail": "Exception occurred" } }

Get Entity based Anomalies

Retrieves recent anomaly details for a specified entity, broken down by anomaly type (time, count, and pattern) and anomaly rule action, within the specified time range. Use this endpoint to review the latest anomalous activity for an entity, such as when assessing risk during an active investigation.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.ueba.READ
Role : Administrator, Operator

Query Parameters

entity_name
string
(Required)
The name of the user/entity. You can find the entity name in the Log360 Cloud UEBA dashboard under the Users tab.
Max length: 100
domain_name
string
(Required)
The domain name of the entity. You can find the domain name in the Log360 Cloud UEBA dashboard under the Users tab.
Max length: 100
start_time
string
Start time for the search range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Time zone offsets are supported.
end_time
string
End time for the search range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Time zone offsets are supported.
from
integer
Start index for pagination. Default value: 1. Maximum: 1000.
limit
integer
Number of records to fetch. Default value: 50. Maximum: 1000.

Headers

Authorization
string
(Required)
OAuth access token, sent as `Zoho-oauthtoken <token>`. The token is a bearer credential: it must carry the logs360cloud.ueba.READ scope, and it should be kept out of URLs, logs and source control. The token values shown in the examples below are redacted placeholders.
account_id
string
(Required)
Identifier of the Log360 Cloud account whose UEBA data is queried. Rate limits are applied per account.

Request Example

// Recent anomalies for one entity (Log360 Cloud UEBA), Deluge.
// The Authorization value below is a redacted placeholder: supply a real
// OAuth token with the logs360cloud.ueba.READ scope and your own account_id,
// and do not commit a live token to a shared script.
request_headers = Map();
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
request_headers.put("account_id", "18XXXXX4");
// Only the two required query parameters are passed; time range and
// paging (from/limit) fall back to the service defaults.
recent_url = "https://log360cloud.manageengine.com/api/v2/entities/recent-anomalies?entity_name=john.doe&domain_name=example.com";
response = invokeUrl
[
    url: recent_url
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info response;
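// Recent anomalies for one entity (Log360 Cloud UEBA) via OkHttp.
// Security: the OAuth token is a bearer credential. Read it from the
// environment (or a secret store) instead of committing it to source, and
// never log the Authorization header.
String token = System.getenv("LOG360_OAUTH_TOKEN");
String accountId = System.getenv("LOG360_ACCOUNT_ID");
if (token == null || accountId == null) {
    throw new IllegalStateException("LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set");
}

// Percent-encode query values: entity and domain names come from directory
// data and are not guaranteed to be safe in a raw query string.
String query = "entity_name=" + URLEncoder.encode("john.doe", StandardCharsets.UTF_8)
    + "&domain_name=" + URLEncoder.encode("example.com", StandardCharsets.UTF_8);

OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/entities/recent-anomalies?" + query)
    .get()
    .addHeader("Authorization", "Zoho-oauthtoken " + token)
    .addHeader("account_id", accountId)
    .build();

// try-with-resources closes the response body; the original leaked it.
try (Response response = client.newCall(request).execute()) {
    // Error responses are JSON objects of the form {"error": {code, title, detail}};
    // branch on the status instead of assuming success.
    if (!response.isSuccessful()) {
        throw new IOException("UEBA request failed: HTTP " + response.code());
    }
    // response.body() holds the JSON payload shown under Response Example.
}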
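// Recent anomalies for one entity (Log360 Cloud UEBA) with fetch.
// Security: the access token is a bearer credential. Load it from the
// environment (or a secret store) rather than hard-coding it, and keep it
// out of URLs and logs.
const token = process.env.LOG360_OAUTH_TOKEN;
const accountId = process.env.LOG360_ACCOUNT_ID;
if (!token || !accountId) {
  throw new Error('LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set');
}

// Build the query with URLSearchParams so entity/domain names are
// percent-encoded; they come from directory data, not from this script.
const url = new URL('https://log360cloud.manageengine.com/api/v2/entities/recent-anomalies');
url.searchParams.set('entity_name', 'john.doe');
url.searchParams.set('domain_name', 'example.com');

const options = {
  method: 'GET',
  headers: {
    Authorization: `Zoho-oauthtoken ${token}`,
    account_id: accountId,
  },
};

// Error responses are JSON too ({ "error": { code, title, detail } }),
// so parse first and branch on the status instead of assuming success.
fetch(url, options)
  .then(async (response) => {
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`UEBA request failed: HTTP ${response.status} ${JSON.stringify(body.error)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));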
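# Recent anomalies for one entity (Log360 Cloud UEBA), stdlib only.
# Security: the OAuth token is a bearer credential. Read it from the
# environment rather than hard-coding it, and never log the Authorization header.
import http.client
import json
import os
from urllib.parse import urlencode

token = os.environ["LOG360_OAUTH_TOKEN"]  # KeyError early if unset
account_id = os.environ["LOG360_ACCOUNT_ID"]

# urlencode percent-encodes entity/domain names, which come from directory
# data and are not guaranteed to be query-safe.
query = urlencode({
    "entity_name": "john.doe",
    "domain_name": "example.com",
})
headers = {
    "Authorization": f"Zoho-oauthtoken {token}",
    "account_id": account_id,
}

# HTTPSConnection verifies the server certificate by default; do not pass an
# unverified SSL context to it.
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", f"/api/v2/entities/recent-anomalies?{query}", headers=headers)
    res = conn.getresponse()
    body = json.loads(res.read().decode("utf-8"))
finally:
    conn.close()

# Error responses are JSON objects of the form {"error": {"code", "title", "detail"}}.
if res.status != 200:
    raise RuntimeError(f"UEBA request failed: HTTP {res.status} {body.get('error')}")
print(json.dumps(body, indent=2))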
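// Recent anomalies for one entity (Log360 Cloud UEBA) with node:https.
// Security: the access token is a bearer credential. Read it from the
// environment instead of hard-coding it, and keep it out of URLs and logs.
const https = require("node:https");

const token = process.env.LOG360_OAUTH_TOKEN;
const accountId = process.env.LOG360_ACCOUNT_ID;
if (!token || !accountId) {
  throw new Error("LOG360_OAUTH_TOKEN and LOG360_ACCOUNT_ID must be set");
}

// URLSearchParams percent-encodes entity/domain names (directory data that
// may contain characters unsafe in a raw query string).
const query = new URLSearchParams({
  entity_name: "john.doe",
  domain_name: "example.com",
});

const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  path: `/api/v2/entities/recent-anomalies?${query}`,
  headers: {
    Authorization: `Zoho-oauthtoken ${token}`,
    account_id: accountId,
  },
};

const req = https.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString("utf8");
    // Error responses are JSON too ({ "error": { code, title, detail } });
    // branch on the status code rather than assuming success.
    if (res.statusCode !== 200) {
      console.error(`UEBA request failed: HTTP ${res.statusCode}`, body);
      process.exitCode = 1;
      return;
    }
    console.log(body);
  });
});
// Without an 'error' listener a DNS/TLS/connection failure is an unhandled
// event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();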
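# Recent anomalies for one entity (Log360 Cloud UEBA) with curl.
# Security: the OAuth token is a bearer credential. Reading it from the
# environment keeps it out of the saved script and shell history; to keep it
# off the process list as well, put the header in a curl config file (-K).
: "${LOG360_OAUTH_TOKEN:?set LOG360_OAUTH_TOKEN}"
: "${LOG360_ACCOUNT_ID:?set LOG360_ACCOUNT_ID}"

# --get turns the --data-urlencode pairs into a percent-encoded query string,
# so entity/domain names with special characters are transmitted correctly.
curl --silent --show-error --get \
  --url 'https://log360cloud.manageengine.com/api/v2/entities/recent-anomalies' \
  --data-urlencode 'entity_name=john.doe' \
  --data-urlencode 'domain_name=example.com' \
  --header "Authorization: Zoho-oauthtoken ${LOG360_OAUTH_TOKEN}" \
  --header "account_id: ${LOG360_ACCOUNT_ID}"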

Response Example

{ "data": { "entity_name": "l3cuser1_1", "entity_id": "1000XXXXXXXXXXX15", "pattern_anomalies": { "count": 1, "anomalies": [ { "rule_id": "1000XXXXXXXXXXX78", "score": 0.948, "action_name": "windows_successful_logon", "actual_value": "l3cuser1_1 -> [l3cdomain1_20]", "time": "2026-04-09T00:39:30Z", "obtained_field": "DOMAIN" } ] }, "time_anomalies": { "count": 0, "anomalies": [] }, "count_anomalies": { "count": 0, "anomalies": [] } }, "meta": { "from": 1, "limit": 50, "count": 1, "has_more": false } }
{ "error": { "code": "100010402", "title": "Bad Request", "detail": "Entity Name is required." } }
{ "error": { "code": "100010406", "title": "Bad Request", "detail": "Entity Name must not exceed 100 characters." } }
{ "error": { "code": "100010403", "title": "Bad Request", "detail": "Domain Name is required." } }
{ "error": { "code": "100010407", "title": "Bad Request", "detail": "Domain Name must not exceed 100 characters." } }
{ "error": { "code": "100010400", "title": "Not Found", "detail": "Given Entity not found." } }
{ "error": { "code": "10001018", "title": "Internal Server Error", "detail": "Exception occurred" } }