1. people
Anzenna Public API
  • data exfiltration
    • Query database exfiltration events
      POST
    • List file movement activities
      POST
    • Get file movement activity by id
      GET
    • List files used with data exfiltration.
      POST
    • Get a specific data exfiltration file
      GET
    • List git events
      POST
    • Get a specific git event by id
      GET
    • List git repositories
      POST
    • Get a specific git repository
      GET
  • api key
    • Get API key information
      GET
  • login events
    • List login events
      POST
    • Get a login event by ID
      GET
  • browser applications
    • Query all browser applications
      POST
    • Get a browser application by id
      GET
    • List browser application instances
      POST
  • browser history
    • List browser history entries
      POST
  • data sharing
    • List file sharing instances
      POST
    • Query database share grants
      POST
    • Query database share user additions
      POST
    • List documents
      POST
    • Get document by id
      GET
  • devices
    • List devices
    • Get a device
    • List USB device connection events
    • Get a USB connection event
  • device policies
    • List device policies
    • Get a device policy
  • device applications
    • List device applications
    • Get a device application
    • Query device application instances.
  • device infections
    • List device infections
    • Get a device infection
  • ide applications
    • List IDE applications
    • Get an IDE application
  • ide application instances
    • Query IDE application instances.
  • mcp servers
    • List MCP servers
    • Get an MCP server
    • Query MCP server installations
  • mfa
    • Query all mfa statuses
  • oauth applications
    • Query all OAuth applications
    • Get an OAuth application by id
    • Query all OAuth application instances
  • passwords
    • Query all password reuse instances
  • people
    • Query all people
      POST
    • Get a person by id
      GET
    • Add a category to multiple people
      POST
    • Remove a category from multiple people
      POST
  • account
    • List accounts
    • Get an account by id
  • phishing interactions
    • Query all phishing interactions
  • email flows
    • Query all outbound email events
    • Get an outbound email event by id
  • company wide risk trends
    • Get company risk trends
  • high risk organizations
    • Get number of high risk organizations
  • detections
    • Get key finding detections
    • Get detection details
    • List users associated with a given detection
  • events
    • List security events
  • shadow it
    • Query all Shadow IT instances
  • web host
    • Query all web host resources
    • Get a web host resource by id
  • advanced query
    • Execute an advanced query
  • sources
    • Query raw events
  • allowlist
    • Query all allowlists
    • Create a new allowlist
    • Delete an allowlist
    • Update an allowlist
  1. people

Query all people

POST
/people
Query and filter people.
This endpoint only lists active users from the configured identity source.
To list all accounts known to Anzenna, including inactive users and users from
other data sources, use the "List Accounts" endpoint.
However, "Query All People" provides richer information about each user, such as
risk scores and other derived attributes.
Relations:
manager (Person): The person's manager
devices (Device): The person's devices. Warning - this is a one to many relation. This is not generally useful to find a user's devices because of the one to many joins resulting in duplicates, but it can be used to find a user without any devices (through devices.id IS NULL). It is not recommended to use it in any other fashion
Additional Filters:
category_label (string): Filter by custom category label text

Request

Authorization
Bearer Token
Provide your bearer token in the
Authorization
header when making requests to protected resources.
Example:
Authorization: Bearer ********************
or
Body Params application/jsonRequired

Examples

Responses

🟢200OK
application/json
Successful operation
Body

🟠400Bad Request
🟠401Unauthorized
🟠403Forbidden
Request Request Example
Shell
JavaScript
Java
Swift
curl --location --request POST '/people' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "distinct_count": "string",
    "include_total_count": true,
    "limit": 10,
    "offset": 0,
    "query": "name='\''WINPC-4291'\'' AND status IN ('\''active'\'', '\''pending'\'')",
    "sort": "name desc, id"
}'
Response Response Example
200 - Example 1
{
    "distinct_values": [
        {
            "count": 0,
            "value": null
        }
    ],
    "pagination": {
        "count": 0,
        "total_count": 1000
    },
    "items": [
        {
            "categories": [
                "automation"
            ],
            "departed_time": "2021-01-01T00:00:00Z",
            "department": "EPD",
            "email": "joe.smith@example.com",
            "id": "8CA67511-744C-4D74-B26E-7281CF88712F",
            "job_category": "engineer",
            "job_title": "Engineer",
            "last_login": "2021-01-01T00:00:00Z",
            "location_city": "San Francisco",
            "location_country": "USA",
            "location_state": "CA",
            "manager_email": "john.lopez@example.com",
            "manager_name": "John Lopez",
            "name": "Joe Smith",
            "password_changed": "2021-01-01T00:00:00Z",
            "risk_factors": [
                {
                    "magnitude": 40,
                    "type": "sensitive_file"
                }
            ],
            "risk_score": 9.2,
            "state": "unspecified"
        }
    ]
}
Modified at 2026-03-31 19:28:57
Previous
Query all password reuse instances
Next
Get a person by id
Built with