Create an exception list | Kibana Serverless API

Create an exception list Beta

POST /api/exception_lists

An exception list groups exception items and can be associated with detection rules. You can assign detection rules with multiple exception lists.

All exception items added to the same list are evaluated using OR logic. That is, if any of the items in a list evaluate to true, the exception prevents the rule from generating an alert. Likewise, OR logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND operator, you can define multiple clauses (entries) in a single exception item.

application/json; Elastic-Api-Version=2023-10-31

Body Required

Exception list's properties

description string Required
list_id string

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
meta object

Additional properties are allowed.
name string Required
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.
os_types array[string]

Values are linux, macos, or windows.
tags array[string]
type string Required

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
version integer

Minimum value is 1.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response
Hide response attributes Show response attributes object
- _version string
- created_at string(date-time) Required
- created_by string Required
- description string Required
- id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- immutable boolean Required
- list_id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- meta object
  
  Additional properties are allowed.
- name string Required
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Values are linux, macos, or windows.
- tags array[string]
- tie_breaker_id string Required
- type string Required
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
- updated_at string(date-time) Required
- updated_by string Required
- version integer Required
  
  Minimum value is 1.
400 application/json; Elastic-Api-Version=2023-10-31

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json; Elastic-Api-Version=2023-10-31

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json; Elastic-Api-Version=2023-10-31

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
409 application/json; Elastic-Api-Version=2023-10-31

Exception list already exists response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json; Elastic-Api-Version=2023-10-31

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/exception_lists

curl \
 -X POST https://localhost:5601/api/exception_lists \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request examples

{
  "description": "string",
  "list_id": "string",
  "meta": {},
  "name": "string",
  "namespace_type": "single",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "type": "detection",
  "version": 42
}

Response examples (200)

{
  "_version": "string",
  "created_at": "2024-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "immutable": true,
  "list_id": "string",
  "meta": {},
  "name": "string",
  "namespace_type": "single",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2024-05-04T09:42:00+00:00",
  "updated_by": "string",
  "version": 42
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (409)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}