Create an exception list

POST /api/exception_lists

An exception list groups exception items and can be associated with detection rules. A single detection rule can have multiple exception lists assigned to it.

All exception items added to the same list are evaluated using OR logic. That is, if any of the items in a list evaluate to true, the exception prevents the rule from generating an alert. Likewise, OR logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND operator, you can define multiple clauses (entries) in a single exception item.

Request body content type: application/json; Elastic-Api-Version=2023-10-31

Body Required

Exception list's properties

  • description string Required
  • list_id string

    A string that is not empty and does not contain only whitespace

    Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

  • meta object

    Additional properties are allowed.

  • name string Required
  • namespace_type string

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

  • os_types array[string]

    Values are linux, macos, or windows.

  • tags array[string]
  • type string Required

    Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

  • version integer

    Minimum value is 1.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    • _version string
    • created_at string(date-time) Required
    • created_by string Required
    • description string Required
    • id string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • immutable boolean Required
    • list_id string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • meta object

      Additional properties are allowed.

    • name string Required
    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Values are linux, macos, or windows.

    • tags array[string]
    • tie_breaker_id string Required
    • type string Required

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required
    • updated_by string Required
    • version integer Required

      Minimum value is 1.

  • 400 application/json; Elastic-Api-Version=2023-10-31

    Invalid input data response

    One of two error body shapes (see the 400 response examples).
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unsuccessful authentication response

  • 403 application/json; Elastic-Api-Version=2023-10-31

    Not enough privileges response

  • 409 application/json; Elastic-Api-Version=2023-10-31

    Exception list already exists response

  • 500 application/json; Elastic-Api-Version=2023-10-31

    Internal server error response


Request example

POST /api/exception_lists

    curl \
     -X POST https://localhost:5601/api/exception_lists \
     -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
     -H "kbn-xsrf: true" \
     -d '{"description": "string", "name": "string", "type": "detection"}'

Request body example
{
  "description": "string",
  "list_id": "string",
  "meta": {},
  "name": "string",
  "namespace_type": "single",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "type": "detection",
  "version": 42
}
Response examples (200)
{
  "_version": "string",
  "created_at": "2024-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "immutable": true,
  "list_id": "string",
  "meta": {},
  "name": "string",
  "namespace_type": "single",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2024-05-04T09:42:00+00:00",
  "updated_by": "string",
  "version": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (409)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}
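The following is an added example, not part of the Elastic reference above: a small Python client that validates a request body against the documented constraints (required fields, the list_id pattern, the allowed type, namespace_type and os_types values, version >= 1) before posting it with the versioned Content-Type and the kbn-xsrf header, and that returns the status code so callers can distinguish a 409 (list_id already exists) from a 400. The base URL, the Authorization header value and the injectable opener are assumptions for illustration.

```python
import json
import re
import urllib.error
import urllib.request

API_VERSION = "2023-10-31"
LIST_ID_PATTERN = re.compile(r"^(?! *$).+$")  # documented: non-empty, not only whitespace
TYPES = {"detection", "rule_default", "endpoint", "endpoint_trusted_apps",
         "endpoint_events", "endpoint_host_isolation_exceptions", "endpoint_blocklists"}
OS_TYPES = {"linux", "macos", "windows"}
NAMESPACE_TYPES = {"single", "agnostic"}


def build_exception_list_body(name, description, list_type, list_id=None,
                              namespace_type="single", os_types=(), tags=(), version=None):
    """Check the fields against the documented schema and return the request body."""
    if not (isinstance(name, str) and isinstance(description, str)):
        raise ValueError("name and description are required strings")
    if list_type not in TYPES:
        raise ValueError(f"type must be one of {sorted(TYPES)}")
    if namespace_type not in NAMESPACE_TYPES:
        raise ValueError("namespace_type must be 'single' or 'agnostic'")
    if list_id is not None and not (isinstance(list_id, str) and LIST_ID_PATTERN.match(list_id)):
        raise ValueError("list_id must be non-empty and not only whitespace")
    if set(os_types) - OS_TYPES:
        raise ValueError(f"unsupported os_types: {sorted(set(os_types) - OS_TYPES)}")
    if version is not None and (type(version) is not int or version < 1):
        raise ValueError("version must be an integer >= 1")
    body = {"name": name, "description": description, "type": list_type,
            "namespace_type": namespace_type}
    optional = {"list_id": list_id, "os_types": list(os_types) or None,
                "tags": list(tags) or None, "version": version}
    body.update({k: v for k, v in optional.items() if v is not None})  # omit unset fields
    return body


def create_exception_list(base_url, body, auth_header, opener=urllib.request.urlopen):
    """POST to Kibana; returns (status, decoded JSON). A 409 means the list_id already exists."""
    req = urllib.request.Request(
        f"{base_url}/api/exception_lists", data=json.dumps(body).encode("utf-8"),
        method="POST", headers={
            "Content-Type": f"application/json; Elastic-Api-Version={API_VERSION}",
            "kbn-xsrf": "true",  # Kibana requires this header on non-GET requests
            "Authorization": auth_header})  # assumption: e.g. an "ApiKey ..." value
    try:
        with opener(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 400/401/403/409/500 bodies are JSON
        return err.code, json.load(err)
```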