Create a shared exception list

POST /api/exceptions/shared

An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.

All exception items added to the same list are evaluated using OR logic. That is, if any of the items in a list evaluate to true, the exception prevents the rule from generating an alert. Likewise, OR logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND operator, you can define multiple clauses (entries) in a single exception item.

application/json; Elastic-Api-Version=2023-10-31

Body Required

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attributes Show response attributes object
    • _version string
    • created_at string(date-time) Required
    • created_by string Required
    • description string Required
    • id string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • immutable boolean Required
    • list_id string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • meta object

      Additional properties are allowed.

    • name string Required
    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Values are linux, macos, or windows.

    • tags array[string]
    • tie_breaker_id string Required
    • type string Required

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required
    • updated_by string Required
    • version integer Required

      Minimum value is 1.

  • 400 application/json; Elastic-Api-Version=2023-10-31

    Invalid input data response

    One of:
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 409 application/json; Elastic-Api-Version=2023-10-31

    Exception list already exists response

    Hide response attributes Show response attributes object
  • 500 application/json; Elastic-Api-Version=2023-10-31

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/exceptions/shared
curl \
 -X POST https://localhost:5601/api/exceptions/shared \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
Request examples
{
  "description": "string",
  "name": "string"
}
Response examples (200)
{
  "_version": "string",
  "created_at": "2024-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "immutable": true,
  "list_id": "string",
  "meta": {},
  "name": "string",
  "namespace_type": "single",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2024-05-04T09:42:00+00:00",
  "updated_by": "string",
  "version": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (409)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}