Update an exception list
Update an exception list using the id
or list_id
field.
Body Required
Exception list's properties
-
_version string
The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
-
Describes the exception list.
-
id string(nonempty)
Exception list's identifier.
Minimum length is
1
. -
list_id string(nonempty)
Exception list's human readable string identifier, e.g.
trusted-linux-processes
.Minimum length is
1
. -
meta object
Placeholder for metadata about the list container.
Additional properties are allowed.
-
The name of the exception list.
-
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
single
: Only available in the Kibana space in which it is created.agnostic
: Available in all Kibana spaces.
Values are
agnostic
orsingle
. Default value issingle
. -
os_types array[string]
Use this field to specify the operating system.
Values are
linux
,macos
, orwindows
. -
The type of exception list to be created. Different list types may denote where they can be utilized.
Values are
detection
,rule_default
,endpoint
,endpoint_trusted_apps
,endpoint_events
,endpoint_host_isolation_exceptions
, orendpoint_blocklists
. -
version integer
The document version, automatically increasd on updates.
Minimum value is
1
.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
404 application/json
Exception list not found response
-
500 application/json
Internal server error response
curl \
--request PUT https://localhost:5601/api/exception_lists \
--header "Content-Type: application/json" \
--data '{"name":"Updated exception list name","tags":["draft malware"],"type":"detection","list_id":"simple_list","os_types":["linux"],"description":"Different description"}'
{
"name": "Updated exception list name",
"tags": [
"draft malware"
],
"type": "detection",
"list_id": "simple_list",
"os_types": [
"linux"
],
"description": "Different description"
}
{
"id": "fa7f545f-191b-4d32-b1f0-c7cd62a79e55",
"name": "Updated exception list name",
"tags": [
"draft malware"
],
"type": "detection",
"list_id": "simple_list",
"version": 2,
"_version": "WzExLDFd",
"os_types": [],
"immutable": false,
"created_at": "2025-01-07T20:43:55.264Z",
"created_by": "elastic",
"updated_at": "2025-01-07T21:32:03.726Z",
"updated_by": "elastic",
"description": "Different description",
"namespace_type": "single",
"tie_breaker_id": "319fe983-acdd-4806-b6c4-3098eae9392f"
}
{
"error": "Bad Request",
"message": "[request body]: list_id: Expected string, received number",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
"statusCode": 403
}
{
"message\"": "exception list id: \"foo\" does not exist",
"status_code\"": 404
}
{
"message": "Internal Server Error",
"status_code": 500
}