Dashboard Data API
DRAFT — Internal Developer Use Only
This API reference is for internal development teams.
Overview
What it is: The dashboard data API provides pre-aggregated identity posture metrics across six domains: accounts, identities, groups, threats, audit, and platform status. Each domain offers a current-state endpoint and a history endpoint returning weekly snapshots.
Why it matters: These endpoints are the primary data source for both Discovery's built-in dashboards and Control's custom dashboard widgets. Control caches this data locally and runs KPI calculations over it to power customer-facing identity risk dashboards.
Endpoints
| Method | Path | Description | Auth |
|---|---|---|---|
GET | /api/v1/dashboard/status | Current view time | JWT |
GET | /api/v1/dashboard/account | Account posture metrics | JWT |
GET | /api/v1/dashboard/account/history | Account metrics — 52 weeks | JWT |
GET | /api/v1/dashboard/identity | Identity counts by source | JWT |
GET | /api/v1/dashboard/identity/history | Identity metrics — 52 weeks | JWT |
GET | /api/v1/dashboard/group | Group counts and privilege status | JWT |
GET | /api/v1/dashboard/group/history | Group metrics — 52 weeks | JWT |
GET | /api/v1/dashboard/threat | Risk scores and compromise metrics | JWT |
GET | /api/v1/dashboard/threat/history | Threat metrics — 52 weeks | JWT |
GET | /api/v1/dashboard/audit | Failed logon counts | JWT |
GET | /api/v1/dashboard/audit/history | Audit metrics — 365 days | JWT |
GET | /api/v1/dashboard/platform | Platform nodes, providers, data sources | JWT |
Common query parameter: All current-state endpoints accept an optional ?time=<ms> query parameter (milliseconds since epoch) to retrieve a historical snapshot. Defaults to the current view time.
GET /api/v1/dashboard/status
Get the current dashboard view time. This timestamp represents the most recent data aggregation point.
Request:
http
GET /api/v1/dashboard/status
Authorization: Bearer <token>Response (200):
json
{
"viewTime": 1707696000000
}| Field | Type | Description |
|---|---|---|
viewTime | int64 | Milliseconds since epoch — latest data aggregation timestamp |
GET /api/v1/dashboard/account
Get current account posture metrics including counts, MFA status, stale credentials, and per-data-source breakdowns.
Request:
http
GET /api/v1/dashboard/account
Authorization: Bearer <token>Response (200):
json
{
"viewTime": 1707696000000,
"count": {
"total": 15420,
"mapped": 12890,
"shared": 342,
"type": {
"User Account": 11200,
"Service Account": 3100,
"Computer Account": 1120
},
"totalChange": 45,
"mappedChange": 32,
"sharedChange": -2,
"orphaned": 1230,
"compromised": 18
},
"multiFactorAuth": {
"enabled": 9800,
"disabled": 4620,
"unknown": 1000,
"provider": [
{ "name": "Microsoft Authenticator", "count": 5200 },
{ "name": "Okta Verify", "count": 3100 },
{ "name": "Duo Security", "count": 1500 }
],
"providers": 3,
"pending": 420
},
"account": [
{
"dataSourceId": "ds-ad-001",
"dataSourceName": "Corporate AD",
"platform": "ActiveDirectory",
"count": 8500,
"type": { "User Account": 7200, "Service Account": 800, "Computer Account": 500 }
},
{
"dataSourceId": "ds-azure-001",
"dataSourceName": "Azure AD",
"platform": "AzureAD",
"count": 4200,
"type": { "User Account": 3800, "Service Account": 400 }
}
],
"stalePassword": [
{ "days": 90, "count": 1240, "change": -15 },
{ "days": 180, "count": 620, "change": -8 },
{ "days": 365, "count": 180, "change": 2 }
],
"staleAccount": [
{ "days": 90, "count": 890, "change": -22 },
{ "days": 180, "count": 450, "change": -10 },
{ "days": 365, "count": 120, "change": 0 }
],
"created": [
{ "days": 1, "count": 12, "change": 3 },
{ "days": 7, "count": 45, "change": -5 },
{ "days": 30, "count": 180, "change": 12 }
]
}AccountDashboard fields
| Field | Type | Description |
|---|---|---|
viewTime | int64 | Snapshot timestamp (ms) |
count | AccountCount | Aggregate account statistics |
multiFactorAuth | MultiFactorAuth | MFA enrollment status |
account | AccountInfo[] | Per-data-source breakdown |
stalePassword | Count[] | Stale password counts at 90/180/365 day thresholds |
staleAccount | Count[] | Stale account counts at 90/180/365 day thresholds |
created | Count[] | Newly created accounts at 1/7/30 day windows |
AccountCount
| Field | Type | Description |
|---|---|---|
total | uint64 | Total discovered accounts |
mapped | uint64 | Accounts mapped to an identity owner |
shared | uint64 | Shared accounts |
type | map<string, uint64> | Account count by type (User, Service, Computer) |
totalChange | int64 | Delta from previous period |
mappedChange | int64 | Delta from previous period |
sharedChange | int64 | Delta from previous period |
orphaned | uint64 | Accounts with no owner |
compromised | uint64 | Accounts flagged as compromised |
MultiFactorAuth
| Field | Type | Description |
|---|---|---|
enabled | uint32 | Accounts with MFA enabled |
disabled | uint32 | Accounts with MFA disabled |
unknown | uint32 | Accounts with unknown MFA status |
provider | MfaProvider[] | Breakdown by MFA provider |
providers | uint32 | Total number of distinct MFA providers |
pending | uint32 | Accounts with pending MFA enrollment |
AccountInfo
| Field | Type | Description |
|---|---|---|
dataSourceId | string | Data source unique identifier |
dataSourceName | string | Display name |
platform | string | Platform type (ActiveDirectory, AzureAD, Okta, Linux, etc.) |
count | uint64 | Total accounts from this data source |
type | map<string, uint64> | Account count by type within this data source |
Count (used by stalePassword, staleAccount, created)
| Field | Type | Description |
|---|---|---|
days | uint32 | Threshold in days (e.g., 90, 180, 365) |
count | uint32 | Number of matching accounts |
change | int32 | Delta from previous period |
GET /api/v1/dashboard/account/history
Get weekly account posture snapshots for the past 52 weeks. Each entry in the history array is a full AccountDashboard object with a different viewTime.
Request:
http
GET /api/v1/dashboard/account/history
Authorization: Bearer <token>Response (200):
json
{
"history": [
{
"viewTime": 1707696000000,
"count": { "total": 15420, "mapped": 12890, "..." : "..." },
"multiFactorAuth": { "enabled": 9800, "..." : "..." },
"account": [ "..." ],
"stalePassword": [ "..." ],
"staleAccount": [ "..." ],
"created": [ "..." ]
},
{
"viewTime": 1707091200000,
"count": { "total": 15375, "..." : "..." },
"...": "..."
}
]
}Each element follows the same AccountDashboard structure defined above.
GET /api/v1/dashboard/identity
Get current identity counts broken down by data source.
Request:
http
GET /api/v1/dashboard/identity
Authorization: Bearer <token>Response (200):
json
{
"viewTime": 1707696000000,
"total": 3200,
"identity": [
{
"dataSourceId": "ds-ad-001",
"dataSourceName": "Corporate AD",
"platform": "ActiveDirectory",
"count": 2100
},
{
"dataSourceId": "ds-azure-001",
"dataSourceName": "Azure AD",
"platform": "AzureAD",
"count": 1100
}
]
}IdentityDashboard fields
| Field | Type | Description |
|---|---|---|
viewTime | int64 | Snapshot timestamp (ms) |
total | uint64 | Total identity owners |
identity | IdentityInfo[] | Per-data-source breakdown |
IdentityInfo
| Field | Type | Description |
|---|---|---|
dataSourceId | string | Data source unique identifier |
dataSourceName | string | Display name |
platform | string | Platform type |
count | uint64 | Identity count from this source |
GET /api/v1/dashboard/identity/history
Get weekly identity snapshots for the past 52 weeks.
Request:
http
GET /api/v1/dashboard/identity/history
Authorization: Bearer <token>Response (200):
json
{
"history": [
{
"viewTime": 1707696000000,
"total": 3200,
"identity": [ "..." ]
}
]
}GET /api/v1/dashboard/group
Get current group counts including privileged group breakdowns.
Request:
http
GET /api/v1/dashboard/group
Authorization: Bearer <token>Response (200):
json
{
"viewTime": 1707696000000,
"total": 890,
"privileged": 45,
"group": [
{
"dataSourceId": "ds-ad-001",
"dataSourceName": "Corporate AD",
"platform": "ActiveDirectory",
"count": 620,
"privileged": 32
},
{
"dataSourceId": "ds-azure-001",
"dataSourceName": "Azure AD",
"platform": "AzureAD",
"count": 270,
"privileged": 13
}
]
}GroupDashboard fields
| Field | Type | Description |
|---|---|---|
viewTime | int64 | Snapshot timestamp (ms) |
total | uint64 | Total groups |
privileged | uint64 | Groups flagged as high-privilege |
group | GroupInfo[] | Per-data-source breakdown |
GroupInfo
| Field | Type | Description |
|---|---|---|
dataSourceId | string | Data source unique identifier |
dataSourceName | string | Display name |
platform | string | Platform type |
count | uint64 | Group count from this source |
privileged | uint64 | Privileged groups from this source |
GET /api/v1/dashboard/group/history
Get weekly group snapshots for the past 52 weeks.
Request:
http
GET /api/v1/dashboard/group/history
Authorization: Bearer <token>Response (200):
json
{
"history": [
{
"viewTime": 1707696000000,
"total": 890,
"privileged": 45,
"group": [ "..." ]
}
]
}GET /api/v1/dashboard/threat
Get current threat and risk metrics including per-tenant risk scores, account threat distribution, compromise indicators, and risk impact categories.
Request:
http
GET /api/v1/dashboard/threat
Authorization: Bearer <token>Response (200):
json
{
"viewTime": 1707696000000,
"tenantThreat": {
"overall": 42.5,
"privileged": 68.3,
"service_accounts": 31.2
},
"account": [
{
"name": "Corporate AD",
"low": 7200,
"moderate": 1800,
"critical": 120
},
{
"name": "Azure AD",
"low": 3500,
"moderate": 600,
"critical": 45
}
],
"compromise": {
"name": "Compromise Summary",
"identity": 8,
"account": 18,
"highRisk": 12
},
"impacts": {
"stale_credentials": 35.2,
"orphaned_accounts": 22.8,
"excessive_privilege": 18.5,
"mfa_gaps": 15.1,
"shared_accounts": 8.4
}
}ThreatDashboard fields
| Field | Type | Description |
|---|---|---|
viewTime | int64 | Snapshot timestamp (ms) |
tenantThreat | map<string, double> | Aggregate risk scores by category |
account | AccountThreat[] | Per-data-source threat distribution |
compromise | CompromiseThreat | Summary of compromised entities |
impacts | map<string, double> | Risk impact scores by category |
AccountThreat
| Field | Type | Description |
|---|---|---|
name | string | Data source or category name |
low | uint32 | Accounts with low risk |
moderate | uint32 | Accounts with moderate risk |
critical | uint32 | Accounts with critical risk |
CompromiseThreat
| Field | Type | Description |
|---|---|---|
name | string | Summary label |
identity | uint32 | Compromised identity owners |
account | uint32 | Compromised accounts |
highRisk | uint32 | High-risk compromised entities |
GET /api/v1/dashboard/threat/history
Get weekly threat snapshots for the past 52 weeks.
Request:
http
GET /api/v1/dashboard/threat/history
Authorization: Bearer <token>Response (200):
json
{
"history": [
{
"viewTime": 1707696000000,
"tenantThreat": { "overall": 42.5, "..." : "..." },
"account": [ "..." ],
"compromise": { "..." : "..." },
"impacts": { "..." : "..." }
}
]
}GET /api/v1/dashboard/audit
Get current audit metrics, primarily failed logon data.
Request:
http
GET /api/v1/dashboard/audit
Authorization: Bearer <token>Response (200):
json
{
"viewTime": 1707696000000,
"failedLogon": 3420,
"failedLogons": {
"1707609600000": 120,
"1707613200000": 85,
"1707616800000": 210,
"1707620400000": 95
}
}AuditDashboard fields
| Field | Type | Description |
|---|---|---|
viewTime | int64 | Snapshot timestamp (ms) |
failedLogon | uint64 | Total failed logons in current period |
failedLogons | map<uint64, uint64> | Failed logon counts bucketed by timestamp (ms) |
GET /api/v1/dashboard/audit/history
Get daily audit snapshots for the past 365 days.
Request:
http
GET /api/v1/dashboard/audit/history
Authorization: Bearer <token>Response (200):
json
{
"history": [
{
"viewTime": 1707696000000,
"failedLogon": 3420,
"failedLogons": { "..." : "..." }
}
]
}GET /api/v1/dashboard/platform
Get platform infrastructure status including Discovery nodes, authentication providers, and data source collection status.
Request:
http
GET /api/v1/dashboard/platform
Authorization: Bearer <token>Response (200):
json
{
"viewTime": 1707696000000,
"tenant": "acme-corp",
"version": "2026.2.0",
"provider": [
{
"id": "oidc-azure",
"name": "Azure AD SSO",
"registered": 450,
"pendingSignup": 12,
"pendingApproval": 3
}
],
"client": [
{ "id": "node-001", "name": "dc-collector-01", "online": true },
{ "id": "node-002", "name": "cloud-collector-01", "online": true },
{ "id": "node-003", "name": "linux-collector-01", "online": false }
],
"dataSource": [
{
"id": "ds-ad-001",
"name": "Corporate AD",
"type": "ActiveDirectory",
"lastCollection": {
"success": true,
"status": "completed",
"entities": 12500,
"accounts": 8500,
"groups": 620,
"roles": 0,
"running": false,
"startTime": 1707688800000,
"finishTime": 1707690600000
},
"dailySuccess": 24,
"dailyFailures": 0
}
]
}PlatformDashboard fields
| Field | Type | Description |
|---|---|---|
viewTime | int64 | Snapshot timestamp (ms) |
tenant | string | Tenant identifier |
version | string | Discovery platform version |
provider | OpenIdProvider[] | Configured authentication providers |
client | PlatformClient[] | Discovery collector/node status |
dataSource | DataSource[] | Data source collection status |
OpenIdProvider
| Field | Type | Description |
|---|---|---|
id | string | Provider unique identifier |
name | string | Display name |
registered | uint32 | Users registered via this provider |
pendingSignup | uint32 | Users awaiting signup completion |
pendingApproval | uint32 | Users awaiting admin approval |
PlatformClient
| Field | Type | Description |
|---|---|---|
id | string | Node unique identifier |
name | string | Node display name |
online | bool | Whether the node is currently online |
DataSource
| Field | Type | Description |
|---|---|---|
id | string | Data source unique identifier |
name | string | Display name |
type | string | Platform type |
lastCollection | LastCollection | Most recent collection run |
dailySuccess | int64 | Successful collections in the past 24h |
dailyFailures | int64 | Failed collections in the past 24h |
LastCollection
| Field | Type | Description |
|---|---|---|
success | bool | Whether the collection succeeded |
status | string | Status text (completed, failed, partial) |
entities | uint32 | Total entities collected |
accounts | uint32 | Accounts collected |
groups | uint32 | Groups collected |
roles | uint32 | Roles collected |
running | bool | Whether a collection is currently running |
startTime | int64 | Collection start (ms since epoch) |
finishTime | int64 | Collection end (ms since epoch) |
Control Integration — Custom Dashboards
Control's custom dashboard system consumes Discovery dashboard data through a two-layer approach:
Data flow
Diagram description: A sequence diagram showing the data flow between Discovery, Control (Cache), KPI Calculator, and Dashboard Widget. During periodic sync, Control requests account data, account history, threat data, and full entity data from Discovery. During dashboard rendering, the KPI Calculator reads cached entities, applies filters and aggregation, and sends KPI results to the Dashboard Widget for visualization.
What Control caches from these endpoints
| Discovery endpoint | Control entity | Widget data it feeds |
|---|---|---|
/dashboard/account | ACCOUNTS aggregate | Risk distribution, MFA gaps, stale credentials |
/dashboard/account/history | ACCOUNTS time series | Risk trend lines, credential age trending |
/dashboard/threat | Threat scores | Risk score widgets, compromise indicators |
/dashboard/threat/history | Threat time series | Risk reduction trending |
/dashboard/group | GROUPS aggregate | Privileged group counts |
/dashboard/identity | OWNERS aggregate | Identity-to-account mapping ratios |
/dashboard/platform | Platform health | Collection status, node availability |
Key fields for KPI widget filters
Control's KPI system defines widgets using filters over these Discovery-sourced fields:
| KPI filter pattern | Discovery source field | Widget example |
|---|---|---|
total_threat IN ['HIGH','CRITICAL'] | AccountThreat.critical + AccountThreat.moderate | High Risk Accounts Over Time |
privileged=true AND managed_by_pam IS NULL | AccountCount.type cross-ref vault status | Unvaulted Privileged Accounts |
password_age_90 IS NOT NULL | stalePassword[days=90].count | Stale Credentials (90+ days) |
status IN ['disabled','inactive'] | AccountCount filtered | Disabled Privileged Accounts |
account_no_owner IS NOT NULL | AccountCount.orphaned | Orphaned Privileged Accounts |
Prebuilt dashboard templates in Control
Control ships three default dashboards built from Discovery data:
- Identity Risk Reduction — High risk accounts trend, risk distribution pie, average risk score, unvaulted privileged count
- PAM/Vaulting Impact — Vaulted vs unvaulted privileged, high risk unvaulted, orphaned privileged, privileged by type
- Privileged Account Hygiene — Stale credentials trend, password age distribution, disabled privileged, inactive accounts