Create an exception list item
Create an exception item and associate it with the specified exception list.
Before creating exception items, you must create an exception list.
Body Required
Exception list item's properties
-
comments array[object]
Default value is `[]` (empty).
-
description string
Describes the exception list.
-
entries array[object]
Any of: Security_Exceptions_API_ExceptionListItemEntryMatch object, Security_Exceptions_API_ExceptionListItemEntryMatchAny object, Security_Exceptions_API_ExceptionListItemEntryList object, Security_Exceptions_API_ExceptionListItemEntryExists object, Security_Exceptions_API_ExceptionListItemEntryNested object, Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
-
expire_time string(date-time)
The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
-
item_id string(nonempty)
Human-readable string identifier, e.g. `trusted-linux-processes`. Minimum length is 1.
-
list_id string(nonempty)
Exception list's human-readable string identifier, e.g. `trusted-linux-processes`. Minimum length is 1.
-
meta object
Additional properties are allowed.
-
name string(nonempty)
Exception list name. Minimum length is 1.
-
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
`single`: Only available in the Kibana space in which it is created.
`agnostic`: Available in all Kibana spaces.
Values are `agnostic` or `single`. Default value is `single`.
-
os_types array[string]
Use this field to specify the operating system.
Values are `linux`, `macos`, or `windows`. Default value is `[]` (empty).
-
type string
Value is `simple`.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
409 application/json
Exception list item already exists response
-
500 application/json
Internal server error response
# Example request: POST /api/exception_lists/items creates an exception item
# with item_id "simple_list_item" in the existing list "simple_list".
#
# The command as shown sends no credentials. Per the responses documented on
# this page, an unauthenticated call is answered with 401, and a user lacking
# the Kibana privilege [lists-all] gets 403, so run it with credentials for an
# account that holds that privilege.
# NOTE(review): Kibana normally also expects a kbn-xsrf header on non-GET API
# calls; confirm whether your deployment requires it.
#
# An exception item narrows what detection rules act on, so treat the ability
# to create one as a sensitive permission: keep entries as specific as the
# payload below (a field condition plus named hosts) and consider expire_time
# for temporary exceptions on regular (non-endpoint) lists.
curl \
--request POST https://localhost:5601/api/exception_lists/items \
--header "Content-Type: application/json" \
--data '{"name":"Sample Exception List Item","tags":["malware"],"type":"simple","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["saturn","jupiter"],"operator":"included"}],"item_id":"simple_list_item","list_id":"simple_list","os_types":["linux"],"description":"This is a sample detection type exception item.","namespace_type":"single"}'
{
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "exists",
"field": "actingProcess.file.signer",
"operator": "excluded"
},
{
"type": "match_any",
"field": "host.name",
"value": [
"saturn",
"jupiter"
],
"operator": "included"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"os_types": [
"linux"
],
"description": "This is a sample detection type exception item.",
"namespace_type": "single"
}
{
"id": "323faa75-c657-4fa0-9084-8827612c207b",
"name": "Sample Autogenerated Exception List Item ID",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "exists",
"field": "actingProcess.file.signer",
"operator": "excluded"
}
],
"item_id": "80e6edf7-4b13-4414-858f-2fa74aa52b37",
"list_id": "8c1aae4c-1ef5-4bce-a2e3-16584b501783",
"_version": "WzYsMV0=",
"comments": [],
"os_types": [],
"created_at": "2025-01-09T01:16:23.322Z",
"created_by": "elastic",
"updated_at": "2025-01-09T01:16:23.322Z",
"updated_by": "elastic",
"description": "This is a sample exception that has no item_id so it is autogenerated.",
"namespace_type": "single",
"tie_breaker_id": "d6799986-3a23-4213-bc6d-ed9463a32f23"
}
{
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "exists",
"field": "actingProcess.file.signer",
"operator": "excluded"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"_version": "WzQsMV0=",
"comments": [],
"os_types": [
"linux"
],
"created_at": "2025-01-07T20:07:33.119Z",
"created_by": "elastic",
"updated_at": "2025-01-07T20:07:33.119Z",
"updated_by": "elastic",
"description": "This is a sample detection type exception item.",
"namespace_type": "single",
"tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}
{
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "exists",
"field": "actingProcess.file.signer",
"operator": "excluded"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"_version": "WzQsMV0=",
"comments": [],
"os_types": [
"linux"
],
"created_at": "2025-01-07T20:07:33.119Z",
"created_by": "elastic",
"updated_at": "2025-01-07T20:07:33.119Z",
"updated_by": "elastic",
"description": "This is a sample detection type exception item.",
"namespace_type": "single",
"tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}
{
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "match_any",
"field": "host.name",
"value": [
"saturn",
"jupiter"
],
"operator": "included"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"_version": "WzQsMV0=",
"comments": [],
"os_types": [
"linux"
],
"created_at": "2025-01-07T20:07:33.119Z",
"created_by": "elastic",
"updated_at": "2025-01-07T20:07:33.119Z",
"updated_by": "elastic",
"description": "This is a sample detection type exception item.",
"namespace_type": "single",
"tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}
{
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "match",
"field": "actingProcess.file.signer",
"value": "Elastic N.V.",
"operator": "included"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"_version": "WzQsMV0=",
"comments": [],
"os_types": [
"linux"
],
"created_at": "2025-01-07T20:07:33.119Z",
"created_by": "elastic",
"updated_at": "2025-01-07T20:07:33.119Z",
"updated_by": "elastic",
"description": "This is a sample detection type exception item.",
"namespace_type": "single",
"tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}
{
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "nested",
"field": "file.signature",
"entries": [
{
"type": "match",
"field": "signer",
"value": "Evil",
"operator": "included"
},
{
"type": "match",
"field": "trusted",
"value": true,
"operator": "included"
}
]
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"_version": "WzQsMV0=",
"comments": [],
"os_types": [
"linux"
],
"created_at": "2025-01-07T20:07:33.119Z",
"created_by": "elastic",
"updated_at": "2025-01-07T20:07:33.119Z",
"updated_by": "elastic",
"description": "This is a sample detection type exception item.",
"namespace_type": "single",
"tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}
{
"id": "deb26876-297d-4677-8a1f-35467d2f1c4f",
"name": "Filter out good guys ip and agent.name rock01",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"list": {
"id": "goodguys.txt",
"type": "ip"
},
"type": "list",
"field": "source.ip",
"operator": "excluded"
}
],
"item_id": "686b129e-9b8d-4c59-8d8d-c93a9ea82c71",
"list_id": "8c1aae4c-1ef5-4bce-a2e3-16584b501783",
"_version": "WzcsMV0=",
"comments": [],
"os_types": [],
"created_at": "2025-01-09T01:31:12.614Z",
"created_by": "elastic",
"updated_at": "2025-01-09T01:31:12.614Z",
"updated_by": "elastic",
"description": "Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list",
"namespace_type": "single",
"tie_breaker_id": "5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8"
}
{
"error": "Bad Request",
"message": "[request body]: list_id: Expected string, received number",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
"statusCode": 403
}
{
"message": "exception list item id: \\\"simple_list_item\\\" already exists",
"status_code": 409
}
{
"message": "Internal Server Error",
"status_code": 500
}