elastic · tiansivive · Mar 16, 2026 · Feb 19, 2026 · Mar 2, 2026 · Mar 3, 2026
@@ -109917,6 +109917,11 @@ components:
         description:
           description: Description of the watchlist
           type: string
+        entitySourceIds:
+          description: List of entity source IDs associated with the watchlist
+          items:
+            type: string
+          type: array
         id:
           description: The unique ID of the watchlist
           type: string

@@ -120688,6 +120688,11 @@ components:
         description:
           description: Description of the watchlist
           type: string
+        entitySourceIds:
+          description: List of entity source IDs associated with the watchlist
+          items:
+            type: string
+          type: array
         id:
           description: The unique ID of the watchlist
           type: string

@@ -37,6 +37,10 @@ import type {
 import type { CreatePrivilegesImportIndexRequestBodyInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/monitoring/create_index.gen';
 import type { CreatePrivMonUserRequestBodyInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/monitoring/users/create.gen';
 import type { CreateWatchlistRequestBodyInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/management/create.gen';
+import type {
+  CreateWatchlistEntitySourceRequestParamsInput,
+  CreateWatchlistEntitySourceRequestBodyInput,
+} from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/data_source/create.gen';
 import type { DeleteAssetCriticalityRecordRequestQueryInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/asset_criticality/delete_asset_criticality.gen';
 import type {
   DeleteEntityEngineRequestQueryInput,
@@ -49,6 +53,7 @@ import type {
   DeleteSingleEntityRequestParamsInput,
   DeleteSingleEntityRequestBodyInput,
 } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/entities/delete_entity.gen';
+import type { DeleteWatchlistEntitySourceRequestParamsInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/data_source/delete.gen';
 import type {
   DeprecatedTriggerRiskScoreCalculationRequestBodyInput,
   TriggerRiskScoreCalculationRequestBodyInput,
@@ -59,13 +64,18 @@ import type { GetAssetCriticalityRecordRequestQueryInput } from '@kbn/security-s
 import type { GetEntityEngineRequestParamsInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/engine/get.gen';
 import type { GetEntityStoreStatusRequestQueryInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/status.gen';
 import type { GetWatchlistRequestParamsInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/management/get.gen';
+import type { GetWatchlistEntitySourceRequestParamsInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/data_source/get.gen';
 import type {
   InitEntityEngineRequestParamsInput,
   InitEntityEngineRequestBodyInput,
 } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/engine/init.gen';
 import type { InitEntityStoreRequestBodyInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/enable.gen';
 import type { ListEntitiesRequestQueryInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/entities/list_entities.gen';
 import type { ListPrivMonUsersRequestQueryInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/monitoring/users/list.gen';
+import type {
+  ListWatchlistEntitySourcesRequestQueryInput,
+  ListWatchlistEntitySourcesRequestParamsInput,
+} from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/data_source/list.gen';
 import type { PreviewRiskScoreRequestBodyInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/risk_engine/preview_route.gen';
 import type { SearchPrivilegesIndicesRequestQueryInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/monitoring/search_indices.gen';
 import type { StartEntityEngineRequestParamsInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/engine/start.gen';
@@ -78,6 +88,10 @@ import type {
   UpdateWatchlistRequestParamsInput,
   UpdateWatchlistRequestBodyInput,
 } from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/management/update.gen';
+import type {
+  UpdateWatchlistEntitySourceRequestParamsInput,
+  UpdateWatchlistEntitySourceRequestBodyInput,
+} from '@kbn/security-solution-plugin/common/api/entity_analytics/watchlists/data_source/update.gen';
 import type {
   UpsertEntitiesBulkRequestQueryInput,
   UpsertEntitiesBulkRequestBodyInput,
@@ -199,6 +213,25 @@ If a record already exists for the specified entity, that record is overwritten
       .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .send(props.body as object);
   },
+  createWatchlistEntitySource(
+    props: CreateWatchlistEntitySourceProps,
+    kibanaSpace: string = 'default'
+  ) {
+    return supertest
+      .post(
+        getRouteUrlForSpace(
+          replaceParams(
+            '/api/entity_analytics/watchlists/{watchlist_id}/entity_source',
+            props.params
+          ),
+          kibanaSpace
+        )
+      )
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+      .send(props.body as object);
+  },
   /**
    * Delete the asset criticality record for a specific entity.
    */
@@ -284,6 +317,24 @@ The entity will be immediately deleted from the latest index.  It will remain av
       .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .send(props.body as object);
   },
+  deleteWatchlistEntitySource(
+    props: DeleteWatchlistEntitySourceProps,
+    kibanaSpace: string = 'default'
+  ) {
+    return supertest
+      .delete(
+        getRouteUrlForSpace(
+          replaceParams(
+            '/api/entity_analytics/watchlists/{watchlist_id}/entity_source/{id}',
+            props.params
+          ),
+          kibanaSpace
+        )
+      )
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
+  },
   /**
    * Calculates and persists Risk Scores for an entity, returning the calculated risk score.
    */
@@ -435,6 +486,21 @@ The entity will be immediately deleted from the latest index.  It will remain av
       .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
       .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
   },
+  getWatchlistEntitySource(props: GetWatchlistEntitySourceProps, kibanaSpace: string = 'default') {
+    return supertest
+      .get(
+        getRouteUrlForSpace(
+          replaceParams(
+            '/api/entity_analytics/watchlists/{watchlist_id}/entity_source/{id}',
+            props.params
+          ),
+          kibanaSpace
+        )
+      )
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
+  },
   initEntityEngine(props: InitEntityEngineProps, kibanaSpace: string = 'default') {
     return supertest
       .post(
@@ -526,6 +592,25 @@ The entity will be immediately deleted from the latest index.  It will remain av
       .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .query(props.query);
   },
+  listWatchlistEntitySources(
+    props: ListWatchlistEntitySourcesProps,
+    kibanaSpace: string = 'default'
+  ) {
+    return supertest
+      .get(
+        getRouteUrlForSpace(
+          replaceParams(
+            '/api/entity_analytics/watchlists/{watchlist_id}/entity_source/list',
+            props.params
+          ),
+          kibanaSpace
+        )
+      )
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+      .query(props.query);
+  },
   listWatchlists(kibanaSpace: string = 'default') {
     return supertest
       .get(getRouteUrlForSpace('/api/entity_analytics/watchlists/list', kibanaSpace))
@@ -695,6 +780,25 @@ The entity will be immediately deleted from the latest index.  It will remain av
       .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .send(props.body as object);
   },
+  updateWatchlistEntitySource(
+    props: UpdateWatchlistEntitySourceProps,
+    kibanaSpace: string = 'default'
+  ) {
+    return supertest
+      .put(
+        getRouteUrlForSpace(
+          replaceParams(
+            '/api/entity_analytics/watchlists/{watchlist_id}/entity_source/{id}',
+            props.params
+          ),
+          kibanaSpace
+        )
+      )
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+      .send(props.body as object);
+  },
   uploadAssetCriticalityRecords(kibanaSpace: string = 'default') {
     return supertest
       .post(getRouteUrlForSpace('/api/asset_criticality/upload_csv', kibanaSpace))
@@ -777,6 +881,10 @@ export interface CreatePrivMonUserProps {
 export interface CreateWatchlistProps {
   body: CreateWatchlistRequestBodyInput;
 }
+export interface CreateWatchlistEntitySourceProps {
+  params: CreateWatchlistEntitySourceRequestParamsInput;
+  body: CreateWatchlistEntitySourceRequestBodyInput;
+}
 export interface DeleteAssetCriticalityRecordProps {
   query: DeleteAssetCriticalityRecordRequestQueryInput;
 }
@@ -800,6 +908,9 @@ export interface DeleteSingleEntityProps {
   params: DeleteSingleEntityRequestParamsInput;
   body: DeleteSingleEntityRequestBodyInput;
 }
+export interface DeleteWatchlistEntitySourceProps {
+  params: DeleteWatchlistEntitySourceRequestParamsInput;
+}
 export interface DeprecatedTriggerRiskScoreCalculationProps {
   body: DeprecatedTriggerRiskScoreCalculationRequestBodyInput;
 }
@@ -824,6 +935,9 @@ export interface GetEntityStoreStatusProps {
 export interface GetWatchlistProps {
   params: GetWatchlistRequestParamsInput;
 }
+export interface GetWatchlistEntitySourceProps {
+  params: GetWatchlistEntitySourceRequestParamsInput;
+}
 export interface InitEntityEngineProps {
   params: InitEntityEngineRequestParamsInput;
   body: InitEntityEngineRequestBodyInput;
@@ -840,6 +954,10 @@ export interface ListEntitySourcesProps {
 export interface ListPrivMonUsersProps {
   query: ListPrivMonUsersRequestQueryInput;
 }
+export interface ListWatchlistEntitySourcesProps {
+  query: ListWatchlistEntitySourcesRequestQueryInput;
+  params: ListWatchlistEntitySourcesRequestParamsInput;
+}
 export interface PreviewRiskScoreProps {
   body: PreviewRiskScoreRequestBodyInput;
 }
@@ -867,6 +985,10 @@ export interface UpdateWatchlistProps {
   params: UpdateWatchlistRequestParamsInput;
   body: UpdateWatchlistRequestBodyInput;
 }
+export interface UpdateWatchlistEntitySourceProps {
+  params: UpdateWatchlistEntitySourceRequestParamsInput;
+  body: UpdateWatchlistEntitySourceRequestBodyInput;
+}
 export interface UpsertEntitiesBulkProps {
   query: UpsertEntitiesBulkRequestQueryInput;
   body: UpsertEntitiesBulkRequestBodyInput;

@@ -0,0 +1,100 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Watchlists Entity Source Common Schema
+ *   version: 1
+ */
+
+import { z } from '@kbn/zod';
+
+export type EntitySourceType = z.infer<typeof EntitySourceType>;
+export const EntitySourceType = z.enum(['index', 'entity_analytics_integration']);
+export type EntitySourceTypeEnum = typeof EntitySourceType.enum;
+export const EntitySourceTypeEnum = EntitySourceType.enum;
+
+export type Matcher = z.infer<typeof Matcher>;
+export const Matcher = z.object({
+  fields: z.array(z.string()),
+  /**
+      * Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability.
+
+      */
+  values: z.union([z.array(z.string()), z.array(z.boolean())]),
+});
+
+export type Filter = z.infer<typeof Filter>;
+export const Filter = z.object({
+  kuery: z.union([z.string(), z.object({})]).optional(),
+});
+
+export type Integrations = z.infer<typeof Integrations>;
+export const Integrations = z.object({
+  /**
+   * Index to read latest sync markers from
+   */
+  syncMarkerIndex: z.string().optional(),
+  /**
+   * integrations latest full sync and update syncData
+   */
+  syncData: z
+    .object({
+      /**
+       * Timestamp of the last full sync from integrations
+       */
+      lastFullSync: z.string().datetime().optional(),
+      /**
+       * Timestamp of the last update processed from integrations
+       */
+      lastUpdateProcessed: z.string().datetime().optional(),
+    })
+    .optional(),
+});
+
+export type UpdateableMonitoringEntitySourceProperties = z.infer<
+  typeof UpdateableMonitoringEntitySourceProperties
+>;
+export const UpdateableMonitoringEntitySourceProperties = z.object({
+  name: z.string().optional(),
+  indexPattern: z.string().optional(),
+  integrationName: z.string().optional(),
+  enabled: z.boolean().optional(),
+  matchers: z.array(Matcher).optional(),
+  filter: Filter.optional(),
+  integrations: Integrations.optional(),
+});
+
+export type UpdateEntitySourceNoadditionalProps = z.infer<
+  typeof UpdateEntitySourceNoadditionalProps
+>;
+export const UpdateEntitySourceNoadditionalProps = UpdateableMonitoringEntitySourceProperties.merge(
+  z.object({}).strict()
+);
+
+export type MonitoringEntitySourceProperties = z.infer<typeof MonitoringEntitySourceProperties>;
+export const MonitoringEntitySourceProperties = UpdateableMonitoringEntitySourceProperties.merge(
+  z.object({
+    type: EntitySourceType.optional(),
+    managed: z.boolean().optional(),
+  })
+);
+
+export type MonitoringEntitySourceAttributes = z.infer<typeof MonitoringEntitySourceAttributes>;
+export const MonitoringEntitySourceAttributes = MonitoringEntitySourceProperties.merge(
+  z.object({})
+);
+
+export type MonitoringEntitySource = z.infer<typeof MonitoringEntitySource>;
+export const MonitoringEntitySource = MonitoringEntitySourceProperties.merge(
+  z.object({
+    id: z.string(),
+  })
+);