Update an exception list item
Update an exception list item using the id or item_id field.
Body Required
Exception list item's properties
-
_version string
The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
-
comments array[object]
Default value is [] (empty).
-
Describes the exception list.
-
Any of: Security_Exceptions_API_ExceptionListItemEntryMatch object, Security_Exceptions_API_ExceptionListItemEntryMatchAny object, Security_Exceptions_API_ExceptionListItemEntryList object, Security_Exceptions_API_ExceptionListItemEntryExists object, Security_Exceptions_API_ExceptionListItemEntryNested object, Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
-
expire_time string(date-time)
The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
-
id string(nonempty)
Exception's identifier.
Minimum length is 1.
-
item_id string(nonempty)
Human readable string identifier, e.g. trusted-linux-processes. Minimum length is 1.
-
list_id string(nonempty)
Exception list's human readable string identifier, e.g. trusted-linux-processes. Minimum length is 1.
-
meta object
Additional properties are allowed.
-
Exception list name.
Minimum length is 1.
-
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
single: Only available in the Kibana space in which it is created.
agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.
-
os_types array[string]
Use this field to specify the operating system.
Values are linux, macos, or windows. Default value is [] (empty).
-
Value is simple.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
404 application/json
Exception list item not found response
-
500 application/json
Internal server error response
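# API_KEY is a placeholder for an encoded Kibana API key; Kibana expects the kbn-xsrf header on write requests.
curl \
  --request PUT https://localhost:5601/api/exception_lists/items \
  --header "Authorization: ApiKey $API_KEY" \
  --header "Content-Type: application/json" \
  --header "kbn-xsrf: true" \
  --data '{"name":"Updated name","tags":[],"type":"simple","entries":[{"type":"match","field":"host.name","value":"rock01","operator":"included"}],"item_id":"simple_list_item","comments":[],"description":"Updated description","namespace_type":"single"}'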
{
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "comments": [],
  "description": "Updated description",
  "namespace_type": "single"
}
{
  "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzEyLDFd",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-07T21:12:25.512Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T21:34:50.233Z",
  "updated_by": "elastic",
  "description": "Updated description",
  "namespace_type": "single",
  "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
}
{
  "error": "Bad Request",
  "message": "[request body]: item_id: Expected string, received number",
  "statusCode": 400
}
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
{
  "error": "Forbidden",
  "message": "API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}
{
  "message": "Internal Server Error",
  "status_code": 500
}
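
An added example, not part of the original reference or Elastic's own code: a Python helper that prepares the PUT body from a previously retrieved item, keeping _version so the update is checked against the version that was read, and rejecting values outside the constraints listed above. The names build_update_body, SERVER_MANAGED and RETRIEVED are hypothetical, and treating the timestamp, author and tie_breaker_id fields as server-managed is an assumption.

```python
from datetime import datetime

# Assumption: these fields of the page's 200 response are server-managed,
# since the page's request body properties do not list them.
SERVER_MANAGED = {"created_at", "created_by", "updated_at", "updated_by", "tie_breaker_id"}
NAMESPACE_TYPES = {"agnostic", "single"}
OS_TYPES = {"linux", "macos", "windows"}


def build_update_body(current, changes):
    """Merge `changes` into a previously retrieved item and check the result
    against the constraints the reference states, before it is sent with PUT."""
    body = {k: v for k, v in current.items() if k not in SERVER_MANAGED}
    body.update(changes)
    # Pin the update to the version that was read, so an edit made by someone
    # else in the meantime is not silently overwritten.
    if not body.get("_version"):
        raise ValueError("_version missing: update is not pinned to the retrieved version")
    if not (body.get("id") or body.get("item_id")):
        raise ValueError("id or item_id is required to address the item")
    for key in ("id", "item_id", "list_id", "name"):
        if key in body and not (isinstance(body[key], str) and body[key]):
            raise ValueError(f"{key} must be a non-empty string")
    if body.get("type", "simple") != "simple":
        raise ValueError("type must be 'simple'")
    if body.get("namespace_type", "single") not in NAMESPACE_TYPES:
        raise ValueError("namespace_type must be 'agnostic' or 'single'")
    unknown_os = set(body.get("os_types", [])) - OS_TYPES
    if unknown_os:
        raise ValueError(f"unsupported os_types: {sorted(unknown_os)}")
    if "expire_time" in body:
        # Raises ValueError when the value is not an ISO date-time.
        datetime.fromisoformat(body["expire_time"].replace("Z", "+00:00"))
    return body


# Constructed sample: the item from the page's 200 response, as retrieved earlier.
RETRIEVED = {
    "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da", "name": "Updated name", "tags": [],
    "type": "simple", "item_id": "simple_list_item", "list_id": "simple_list",
    "entries": [{"type": "match", "field": "host.name", "value": "rock01", "operator": "included"}],
    "_version": "WzEyLDFd", "comments": [], "os_types": [],
    "created_at": "2025-01-07T21:12:25.512Z", "created_by": "elastic",
    "updated_at": "2025-01-07T21:34:50.233Z", "updated_by": "elastic",
    "description": "Updated description", "namespace_type": "single",
    "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0",
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_update_body(RETRIEVED, {"expire_time": "2025-02-07T00:00:00.000Z"}), indent=2))
```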