Get exception list items
Get a list of all exception list items in the specified list.
Query parameters
-
The
list_id
s of the items to fetch.Minimum length of each is
1
. -
filter array[string(nonempty)]
Filters the returned results according to the value of the specified field, using the
<field name>:<field value>
syntax.Minimum length of each is
1
. Default value is[]
(empty). -
namespace_type array[string]
Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (
agnostic
orsingle
)Values are
agnostic
orsingle
. Default value is["single"]
. -
search string
-
page integer
The page number to return
Minimum value is
0
. -
per_page integer
The number of exception list items to return per page
Minimum value is
0
. -
sort_field string(nonempty)
Determines which field is used to sort the results.
Minimum length is
1
. -
sort_order string
Determines the sort order, which can be
desc
orasc
.Values are
desc
orasc
.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
404 application/json
Exception list not found response
-
500 application/json
Internal server error response
curl \
--request GET https://localhost:5601/api/exception_lists/items/_find?list_id=simple_list
{
"data": [
{
"id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "exists",
"field": "actingProcess.file.signer",
"operator": "excluded"
},
{
"type": "match_any",
"field": "host.name",
"value": [
"jupiter",
"saturn"
],
"operator": "included"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"_version": "WzgsMV0=",
"comments": [],
"os_types": [
"linux"
],
"created_at": "2025-01-07T21:12:25.512Z",
"created_by": "elastic",
"updated_at": "2025-01-07T21:12:25.512Z",
"updated_by": "elastic",
"description": "This is a sample exception item.",
"namespace_type": "single",
"tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
}
],
"page": 1,
"total": 1,
"per_page": 20
}
{
"error": "Bad Request",
"message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
"statusCode": 403
}
{
"message": "exception list list_id: \"foo\" does not exist",
"status_code": 404
}
{
"message": "Internal Server Error",
"status_code": 500
}