Create an exception list
An exception list groups exception items and can be associated with detection rules. You can assign detection rules with multiple exception lists.
All exception items added to the same list are evaluated using OR
logic. That is, if any of the items in a list evaluate to true
, the exception prevents the rule from generating an alert. Likewise, OR
logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND
operator, you can define multiple clauses (entries
) in a single exception item.
Body Required
Exception list's properties
-
list_id string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
meta object
Additional properties are allowed.
-
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
single
: Only available in the Kibana space in which it is created.agnostic
: Available in all Kibana spaces.
Values are
agnostic
orsingle
. Default value issingle
. -
os_types array[string]
Values are
linux
,macos
, orwindows
. -
Values are
detection
,rule_default
,endpoint
,endpoint_trusted_apps
,endpoint_events
,endpoint_host_isolation_exceptions
, orendpoint_blocklists
. -
version integer
Minimum value is
1
.
Responses
-
200 application/json; Elastic-Api-Version=2023-10-31
Successful response
-
400 application/json; Elastic-Api-Version=2023-10-31
Invalid input data response
-
401 application/json; Elastic-Api-Version=2023-10-31
Unsuccessful authentication response
-
403 application/json; Elastic-Api-Version=2023-10-31
Not enough privileges response
-
409 application/json; Elastic-Api-Version=2023-10-31
Exception list already exists response
-
500 application/json; Elastic-Api-Version=2023-10-31
Internal server error response
curl \
-X POST https://localhost:5601/api/exception_lists \
-H "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
{
"description": "string",
"list_id": "string",
"meta": {},
"name": "string",
"namespace_type": "single",
"os_types": [
"linux"
],
"tags": [
"string"
],
"type": "detection",
"version": 42
}
{
"_version": "string",
"created_at": "2024-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"id": "string",
"immutable": true,
"list_id": "string",
"meta": {},
"name": "string",
"namespace_type": "single",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "detection",
"updated_at": "2024-05-04T09:42:00+00:00",
"updated_by": "string",
"version": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}