Create a shared exception list
An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.
All exception items added to the same list are evaluated using OR logic. That is, if any of the items in a list evaluate to true, the exception prevents the rule from generating an alert. Likewise, OR logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND operator, you can define multiple clauses (entries) in a single exception item.
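The evaluation order described above (entries within one item are ANDed, items within one list are ORed, and lists assigned to the same rule are ORed) is easy to get wrong when tuning exceptions. The following is an added, constructed model of that logic; it is not Kibana's own evaluation code. The entry shapes (field, type, operator, value) follow the Kibana exception item schema for the "match", "match_any" and "exists" entry types; other entry types are not modelled, and the list contents and events are made up for the illustration.

```python
"""Model of how exception items gate a detection rule's alerts.

Added illustration, not Kibana's own evaluation code. It implements the
semantics the documentation states: entries inside one item are ANDed, items
inside one list are ORed, and lists assigned to the same rule are ORed.
"""
from typing import Any

Entry = dict[str, Any]
Item = dict[str, Any]
Event = dict[str, Any]


def _get_field(event: Event, field: str) -> Any:
    """Resolve a dotted ECS field name such as "process.name" against a nested event."""
    current: Any = event
    for part in field.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def entry_matches(entry: Entry, event: Event) -> bool:
    """Evaluate one clause (entry) of an exception item against an event."""
    value = _get_field(event, entry["field"])
    kind = entry["type"]
    if kind == "match":
        hit = value is not None and value == entry["value"]
    elif kind == "match_any":
        hit = value is not None and value in entry["value"]
    elif kind == "exists":
        hit = value is not None
    else:
        raise ValueError(f"entry type not modelled here: {kind}")
    # operator "excluded" negates the clause ("is not", "is not one of", "does not exist")
    return (not hit) if entry.get("operator", "included") == "excluded" else hit


def item_matches(item: Item, event: Event) -> bool:
    """Every entry of one item must hold: AND across entries."""
    return all(entry_matches(entry, event) for entry in item["entries"])


def list_matches(items: list[Item], event: Event) -> bool:
    """Any item in a list suppresses the alert: OR across items."""
    return any(item_matches(item, event) for item in items)


def alert_suppressed(lists: list[list[Item]], event: Event) -> bool:
    """Any list assigned to the rule suppresses the alert: OR across lists."""
    return any(list_matches(items, event) for items in lists)


# Constructed sample data: two lists assigned to one rule.
# SIMPLE_LIST stands in for the "simple_list" created by the request on this page.
SIMPLE_LIST: list[Item] = [
    {   # item 1: the backup job AND its service account (both entries must match)
        "name": "Scheduled backup run by its service account",
        "entries": [
            {"field": "process.name", "type": "match", "operator": "included", "value": "backup.sh"},
            {"field": "user.name", "type": "match", "operator": "included", "value": "svc_backup"},
        ],
    },
    {   # item 2: noisy build hosts (a single entry)
        "name": "Build farm hosts",
        "entries": [
            {"field": "host.name", "type": "match_any", "operator": "included",
             "value": ["build-01", "build-02"]},
        ],
    },
]

# A second, separate list on the same rule: processes with a code signature are exempt.
SIGNED_LIST: list[Item] = [
    {
        "name": "Code-signed process",
        "entries": [
            {"field": "process.code_signature.subject_name", "type": "exists", "operator": "included"},
        ],
    },
]

# Constructed events in ECS-style nested form.
EVENTS: dict[str, Event] = {
    "backup_by_service_account": {"process": {"name": "backup.sh"}, "user": {"name": "svc_backup"}, "host": {"name": "web-01"}},
    "backup_by_root": {"process": {"name": "backup.sh"}, "user": {"name": "root"}, "host": {"name": "web-01"}},
    "unknown_on_build_host": {"process": {"name": "dropper"}, "user": {"name": "root"}, "host": {"name": "build-02"}},
    "signed_unknown_on_web": {"process": {"name": "dropper", "code_signature": {"subject_name": "Example Corp"}},
                              "user": {"name": "root"}, "host": {"name": "web-01"}},
}


def evaluate_samples() -> dict[str, bool]:
    """Map each sample event to whether the rule's exceptions would suppress its alert."""
    return {name: alert_suppressed([SIMPLE_LIST, SIGNED_LIST], event) for name, event in EVENTS.items()}


if __name__ == "__main__":
    for name, suppressed in evaluate_samples().items():
        print(f"{name:28s} suppressed={suppressed}")
```

The "backup_by_root" event shows the AND: the backup script alone does not match item 1 because the second entry (the service account) fails, and no other item or list covers it, so the rule still alerts. The "signed_unknown_on_web" event shows the OR across lists: nothing in SIMPLE_LIST matches, but the single item in SIGNED_LIST does, which is enough to suppress the alert.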
POST /api/exceptions/shared
Kibana rejects non-GET API requests that lack a kbn-xsrf header, and the request must carry credentials (for example with --user), so a runnable call looks like this:

curl \
  --request POST https://localhost:5601/api/exceptions/shared \
  --header "kbn-xsrf: true" \
  --header "Content-Type: application/json" \
  --data '{"name":"Sample Detection Exception List","tags":["malware"],"list_id":"simple_list","os_types":["linux"],"description":"This is a sample detection type exception list.","namespace_type":"single"}'
Request example

{
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "list_id": "simple_list",
  "os_types": [
    "linux"
  ],
  "description": "This is a sample detection type exception list.",
  "namespace_type": "single"
}
Response examples (200)

{
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "simple_list",
  "version": 1,
  "_version": "WzIsMV0=",
  "os_types": [
    "linux"
  ],
  "immutable": false,
  "created_at": "2025-01-07T19:34:27.942Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T19:34:27.942Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception list.",
  "namespace_type": "single",
  "tie_breaker_id": "78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body]: list_id: Expected string, received number",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "message": "Unable to create exception-list",
  "status_code": 403
}

Response examples (409)

{
  "message": "exception list id: \"simple_list\" already exists",
  "status_code": 409
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}
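Provisioning scripts that create exception lists are usually re-run, so the 409 response above (list_id already exists) needs to be treated as a normal outcome rather than a failure, while 400, 401 and 403 should stop the run. The following is an added client helper written for this page; it is not part of the Elastic documentation or of Kibana. It assembles the request body shown above, validates the os_types and namespace_type values against the Kibana exception list schema ("linux", "macos", "windows" and "single", "agnostic"), and maps the documented status codes to outcomes. The fake_poster transport replays the documented responses so the module runs offline; its returned id is a placeholder, and the urllib transport in kibana_poster is what you would use against a real instance.

```python
"""Client helper for POST /api/exceptions/shared with explicit status handling.

Added example, not Elastic's documentation or Kibana's own code. Maps the
documented status codes (200, 400, 401, 403, 409, 500) to outcomes so a
provisioning script can be re-run safely.
"""
from __future__ import annotations

import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Callable

# A transport: takes (path, body) and returns (http_status, parsed_json_body).
Poster = Callable[[str, dict[str, Any]], tuple[int, dict[str, Any]]]

OS_TYPES = {"linux", "macos", "windows"}          # from the Kibana exception list schema
NAMESPACE_TYPES = {"single", "agnostic"}          # from the Kibana exception list schema


def build_shared_list_body(name: str, list_id: str, description: str,
                           tags: list[str] | None = None,
                           os_types: list[str] | None = None,
                           namespace_type: str = "single") -> dict[str, Any]:
    """Assemble and sanity-check the request body for a shared (detection) exception list."""
    if not name or not list_id:
        raise ValueError("name and list_id are required")
    if namespace_type not in NAMESPACE_TYPES:
        raise ValueError(f"namespace_type must be one of {sorted(NAMESPACE_TYPES)}")
    unknown = set(os_types or []) - OS_TYPES
    if unknown:
        raise ValueError(f"unknown os_types: {sorted(unknown)}")
    return {"name": name, "tags": list(tags or []), "list_id": list_id,
            "os_types": list(os_types or []), "description": description,
            "namespace_type": namespace_type}


def create_shared_list(post: Poster, body: dict[str, Any]) -> tuple[str, dict[str, Any]]:
    """POST the body and classify the result: ("created", list) or ("exists", error payload)."""
    status, payload = post("/api/exceptions/shared", body)
    if status == 200:
        return "created", payload
    if status == 409:          # list_id already taken: fine on a re-run
        return "exists", payload
    if status == 400:
        raise ValueError(f"rejected request: {payload.get('message')}")
    if status in (401, 403):
        raise PermissionError(f"HTTP {status}: {payload.get('message')}")
    raise RuntimeError(f"unexpected HTTP {status}: {payload}")


def kibana_poster(base_url: str, username: str, password: str) -> Poster:
    """Real transport over urllib. Kibana requires the kbn-xsrf header on non-GET requests."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def post(path: str, body: dict[str, Any]) -> tuple[int, dict[str, Any]]:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                     "Authorization": f"Basic {token}"})
        try:
            # The default context verifies the server certificate; keep it that way.
            with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    return post


def fake_poster() -> Poster:
    """Offline stand-in replaying the documented responses: first create succeeds, repeats conflict."""
    seen: set[str] = set()

    def post(path: str, body: dict[str, Any]) -> tuple[int, dict[str, Any]]:
        if not isinstance(body.get("list_id"), str):
            return 400, {"error": "Bad Request", "statusCode": 400,
                         "message": "[request body]: list_id: Expected string, received number"}
        if body["list_id"] in seen:
            return 409, {"message": f'exception list id: "{body["list_id"]}" already exists',
                         "status_code": 409}
        seen.add(body["list_id"])
        return 200, {"id": "00000000-0000-0000-0000-000000000000",   # placeholder id, constructed
                     "type": "detection", "version": 1, "immutable": False, **body}

    return post


if __name__ == "__main__":
    body = build_shared_list_body("Sample Detection Exception List", "simple_list",
                                  "This is a sample detection type exception list.",
                                  tags=["malware"], os_types=["linux"])
    post = fake_poster()   # swap for kibana_poster("https://localhost:5601", "elastic", "<password>")
    print(create_shared_list(post, body)[0])   # created
    print(create_shared_list(post, body)[0])   # exists
```

Because the transport is injected, the same create_shared_list logic is exercised offline against the replayed responses and online against Kibana without change; only the poster differs.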