Create a shared exception list
An exception list groups exception items and can be associated with detection rules. A shared exception list can be attached to more than one detection rule.

All exception items in the same list are evaluated with OR logic: if any item in the list evaluates to true, the exception prevents the rule from generating an alert. OR logic also applies when more than one exception list is assigned to a rule. To require several conditions together (AND), define multiple clauses (entries) within a single exception item.
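The evaluation rules described above, as an added example that is not code from Elastic or Kibana: a small Python model in which entries inside one item are ANDed, items inside a list are ORed, and several lists on a rule are ORed. The entry types (`match`, `match_any`, `exists`), the `included`/`excluded` operators, the list and event structures, and the sample data are all constructed for this illustration.

```python
"""Model of how exception items and lists are evaluated against an event.

Added example, not Kibana's own code. It implements the logic described
above: entries within one exception item are ANDed, items within a list are
ORed, and several lists assigned to a rule are ORed. The entry types
("match", "match_any", "exists"), the "included"/"excluded" operators and
the flat event dictionaries are assumptions made for this illustration.
"""


def entry_matches(entry, event):
    """Evaluate one entry (clause) of an exception item against an event."""
    field = entry["field"]
    present = field in event
    value = event.get(field)
    kind = entry["type"]
    if kind == "match":
        hit = present and value == entry["value"]
    elif kind == "match_any":
        hit = present and value in entry["value"]
    elif kind == "exists":
        hit = present
    else:
        raise ValueError(f"unsupported entry type: {kind}")
    # "excluded" negates the comparison, "included" keeps it
    return not hit if entry["operator"] == "excluded" else hit


def item_matches(item, event):
    """All entries of an item must hold (AND)."""
    return all(entry_matches(e, event) for e in item["entries"])


def list_matches(exception_list, event):
    """Any item in a list suffices (OR)."""
    return any(item_matches(i, event) for i in exception_list["items"])


def alert_suppressed(exception_lists, event):
    """Any of the lists assigned to the rule suffices (OR)."""
    return any(list_matches(lst, event) for lst in exception_lists)


# Constructed sample: one shared list with two items.
# Item A needs BOTH a specific process and a specific user (two entries).
# Item B matches a set of build hosts on its own (one entry).
SHARED_LIST = {
    "name": "Trusted backup and build activity",
    "items": [
        {
            "name": "backup agent run by its service account",
            "entries": [
                {"field": "process.name", "operator": "included", "type": "match", "value": "backup.exe"},
                {"field": "user.name", "operator": "included", "type": "match", "value": "svc_backup"},
            ],
        },
        {
            "name": "build hosts",
            "entries": [
                {"field": "host.name", "operator": "included", "type": "match_any", "value": ["build01", "build02"]},
            ],
        },
    ],
}

# Constructed events.
SERVICE_BACKUP = {"process.name": "backup.exe", "user.name": "svc_backup", "host.name": "fs01"}
ADMIN_BACKUP = {"process.name": "backup.exe", "user.name": "admin", "host.name": "fs01"}
BUILD_HOST = {"process.name": "cl.exe", "user.name": "ci", "host.name": "build02"}

if __name__ == "__main__":
    for label, ev in [("service backup", SERVICE_BACKUP), ("admin backup", ADMIN_BACKUP), ("build host", BUILD_HOST)]:
        print(f"{label}: suppressed={alert_suppressed([SHARED_LIST], ev)}")
```

The second event shows why the AND inside an item matters: `backup.exe` run by `admin` satisfies only one of item A's two entries, so neither item fires and the alert is still generated.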
POST
/api/exceptions/shared
# Kibana rejects state-changing requests that lack the kbn-xsrf header;
# add credentials as well, e.g. -u user:password or -H "Authorization: ApiKey ..."
curl \
  -X POST https://localhost:5601/api/exceptions/shared \
  -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
  -H "kbn-xsrf: true" \
  -d '{"description": "string", "name": "string"}'
Request examples
{
"description": "string",
"name": "string"
}
Response examples (200)
{
"_version": "string",
"created_at": "2024-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"id": "string",
"immutable": true,
"list_id": "string",
"meta": {},
"name": "string",
"namespace_type": "single",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "detection",
"updated_at": "2024-05-04T09:42:00+00:00",
"updated_by": "string",
"version": 42
}
Response examples (400)
The 400 body takes one of two shapes. Platform error response (Security_exceptions_api_platformerrorresponse):
{
"error": "string",
"message": "string",
"statusCode": 42
}
or the shape also used by the 409 and 500 responses:
{
"message": "string",
"status_code": 42
}
Response examples (401)
{
"error": "string",
"message": "string",
"statusCode": 42
}
Response examples (403)
{
"error": "string",
"message": "string",
"statusCode": 42
}
Response examples (409)
{
"message": "string",
"status_code": 42
}
Response examples (500)
{
"message": "string",
"status_code": 42
}
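The request and response shapes above, as an added example that is not code from the Elastic documentation: a Python client that builds the POST, sends it with the required headers, validates a 200 body, and turns every non-200 status into a typed error using whichever of `statusCode` or `status_code` the body carries. The base URL, API key value and list name are placeholders, and the `opener` parameter exists only so the function can be exercised without a live Kibana instance.

```python
"""Create a shared exception list through the Kibana Security API.

Added example; it is not code from the Elastic documentation. The endpoint,
headers and JSON field names come from the API reference above. The base URL,
API key and list name are placeholders. The two error body shapes handled
here are the ones shown for the 400, 401, 403, 409 and 500 responses.
"""
import json
import urllib.error
import urllib.request

API_VERSION = "2023-10-31"
REQUIRED_RESPONSE_KEYS = ("id", "list_id", "namespace_type", "type")


class ExceptionsApiError(Exception):
    """Non-200 answer from the exceptions API, with the status the body reports."""

    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status
        self.message = message


def build_request(base_url, api_key, name, description):
    """Return (url, headers, body_bytes) for POST /api/exceptions/shared."""
    body = {"name": name, "description": description}
    headers = {
        "Content-Type": f"application/json; Elastic-Api-Version={API_VERSION}",
        # Kibana refuses state-changing requests without this header
        "kbn-xsrf": "true",
        # API-key authentication; a placeholder key is used in the example
        "Authorization": f"ApiKey {api_key}",
    }
    url = base_url.rstrip("/") + "/api/exceptions/shared"
    return url, headers, json.dumps(body).encode("utf-8")


def error_status(payload, http_status):
    """The platform shape uses statusCode, the exceptions shape status_code."""
    return payload.get("statusCode", payload.get("status_code", http_status))


def parse_response(http_status, payload):
    """Validate a 200 body; raise ExceptionsApiError for anything else."""
    if http_status == 200:
        missing = [k for k in REQUIRED_RESPONSE_KEYS if k not in payload]
        if missing:
            raise ValueError(f"200 body is missing fields: {missing}")
        return payload
    raise ExceptionsApiError(error_status(payload, http_status), payload.get("message", ""))


def create_shared_exception_list(base_url, api_key, name, description,
                                 opener=urllib.request.urlopen):
    """POST the list and return the created object (a dict) or raise."""
    url, headers, body = build_request(base_url, api_key, name, description)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req) as resp:
            return parse_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        raw = err.read() or b"{}"
        try:
            payload = json.loads(raw)
        except ValueError:
            payload = {"message": raw.decode("utf-8", "replace")}
        raise ExceptionsApiError(error_status(payload, err.code), payload.get("message", ""))


if __name__ == "__main__":
    # Placeholder values; point these at a real Kibana to run it for real.
    try:
        created = create_shared_exception_list(
            "https://localhost:5601", "PLACEHOLDER_API_KEY",
            "Trusted backup hosts", "Hosts allowed to run the backup agent")
        print("created list_id:", created["list_id"])
    except ExceptionsApiError as err:
        if err.status == 409:
            print("a list with that identity already exists:", err.message)
        else:
            print("request failed:", err)
    except (urllib.error.URLError, OSError) as err:
        print("could not reach Kibana:", err)
```

A 409 is the one failure worth handling separately: it means a list with the same identity already exists, so a retry loop that blindly re-posts will never succeed. Treat 401 and 403 as configuration problems (credentials and privileges) rather than transient errors.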