Create an endpoint exception list

POST /api/endpoint_list

Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.

Responses

200 application/json

Successful response
One of:
Security_Endpoint_Exceptions_API_ExceptionList object object-2 object
Hide attributes Show attributes

_version string

The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

created_at string(date-time) Required

Autogenerated date of object creation.

created_by string Required

Autogenerated value - user that created object.

description string Required

Describes the exception list.

id string(nonempty) Required

Exception list's identifier.

Minimum length is 1.

immutable boolean Required

list_id string(nonempty) Required

Exception list's human readable string identifier, e.g. trusted-linux-processes.

Minimum length is 1.

meta object

Placeholder for metadata about the list container.

Additional properties are allowed.

name string Required

The name of the exception list.

namespace_type string Required

Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

single: Only available in the Kibana space in which it is created.

agnostic: Available in all Kibana spaces.

Values are agnostic or single.

os_types array[string]

Use this field to specify the operating system. Only enter one value.

Values are linux, macos, or windows.

tags array[string]

String array containing words and phrases to help categorize exception containers.

tie_breaker_id string Required

Field used in search to ensure all containers are sorted and returned correctly.

type string Required

The type of exception list to be created. Different list types may denote where they can be utilized.

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

updated_at string(date-time) Required

Autogenerated date of last object update.

updated_by string Required

Autogenerated value - user that last updated object.

version integer Required

The document version, automatically increasd on updates.

Minimum value is 1.
Additional properties are NOT allowed.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/endpoint_list

curl \
 --request POST http://localhost:5622/api/endpoint_list \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "_version": "string",
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "description": "This list tracks allowlisted values.",
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "immutable": true,
  "list_id": "simple_list",
  "meta": {},
  "name": "My exception list",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "version": 42
}

{}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}