Create an exception list item | Kibana Serverless API

Create an exception list item Beta

POST /api/exception_lists/items

Create an exception item and associate it with the specified exception list.

Before creating exception items, you must create an exception list.

application/json; Elastic-Api-Version=2023-10-31

Body Required

Exception list item's properties

comments array[object]

Default value is [] (empty).
Hide comments attribute Show comments attribute object
- comment string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
description string Required
entries array[object] Required
Any of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match.

value string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match_any.

value array[string] Required

A string that is not empty and does not contain only whitespace

At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.
Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

list object Required

Additional properties are allowed.

Hide list attributes Show list attributes object

id string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

type string Required

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is list.
Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is exists.
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string] Required

A string that is not empty and does not contain only whitespace

At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.

Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

type string Required Discriminator

Value is nested.
Hide attributes Show attributes

field string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is wildcard.

value string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
expire_time string(date-time)
item_id string

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
list_id string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
meta object

Additional properties are allowed.
name string Required

A string that is not empty and does not contain only whitespace

Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.
os_types array[string]

Values are linux, macos, or windows. Default value is [] (empty).
tags array[string]

A string that is not empty and does not contain only whitespace

Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$. Default value is [] (empty).
type string Required

Value is simple.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response
Hide response attributes Show response attributes object
- _version string
- comments array[object] Required
  
  Hide comments attributes Show comments attributes object
  
  comment string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  updated_at string(date-time)
  
  updated_by string
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- created_at string(date-time) Required
- created_by string Required
- description string Required
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string] Required
  
  A string that is not empty and does not contain only whitespace
  
  At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  type string Required
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string] Required
  
  A string that is not empty and does not contain only whitespace
  
  At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- expire_time string(date-time)
- id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- item_id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- list_id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- meta object
  
  Additional properties are allowed.
- name string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string]
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$. Default value is [] (empty).
- tie_breaker_id string Required
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
- updated_by string Required
400 application/json; Elastic-Api-Version=2023-10-31

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json; Elastic-Api-Version=2023-10-31

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json; Elastic-Api-Version=2023-10-31

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
409 application/json; Elastic-Api-Version=2023-10-31

Exception list item already exists response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json; Elastic-Api-Version=2023-10-31

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/exception_lists/items

curl \
 -X POST https://localhost:5601/api/exception_lists/items \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request examples

{
  "comments": [
    {
      "comment": "string"
    }
  ],
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2024-05-04T09:42:00+00:00",
  "item_id": "string",
  "list_id": "string",
  "meta": {},
  "name": "string",
  "namespace_type": "single",
  "os_types": [],
  "tags": [],
  "type": "simple"
}

Response examples (200)

{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2024-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2024-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "created_at": "2024-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2024-05-04T09:42:00+00:00",
  "id": "string",
  "item_id": "string",
  "list_id": "string",
  "meta": {},
  "name": "string",
  "namespace_type": "single",
  "os_types": [],
  "tags": [],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2024-05-04T09:42:00+00:00",
  "updated_by": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (409)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}