Create rule exception list items | Kibana Serverless API

Create rule exception list items Beta

POST /api/detection_engine/rules/{id}/exceptions

Create exception items that apply to a single detection rule.

Path parameters

id string(uuid) Required

Detection rule's identifier

application/json; Elastic-Api-Version=2023-10-31

Body Required

Rule exception list items

items array[object] Required
Hide items attributes Show items attributes object
- comments array[object]
  
  Default value is [] (empty).
  Hide comments attribute Show comments attribute object
  
  comment string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- description string Required
- entries array[object] Required
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string] Required
  
  A string that is not empty and does not contain only whitespace
  
  At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  type string Required
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string] Required
  
  A string that is not empty and does not contain only whitespace
  
  At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- expire_time string(date-time)
- item_id string
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- meta object
  
  Additional properties are allowed.
- name string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- namespace_type string
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string]
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$. Default value is [] (empty).
- type string Required
  
  Value is simple.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response
Hide response attributes Show response attributes object
- _version string
- comments array[object] Required
  
  Hide comments attributes Show comments attributes object
  
  comment string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  updated_at string(date-time)
  
  updated_by string
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- created_at string(date-time) Required
- created_by string Required
- description string Required
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string] Required
  
  A string that is not empty and does not contain only whitespace
  
  At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  type string Required
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string] Required
  
  A string that is not empty and does not contain only whitespace
  
  At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- expire_time string(date-time)
- id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- item_id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- list_id string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- meta object
  
  Additional properties are allowed.
- name string Required
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string]
  
  A string that is not empty and does not contain only whitespace
  
  Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$. Default value is [] (empty).
- tie_breaker_id string Required
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
- updated_by string Required
400 application/json; Elastic-Api-Version=2023-10-31

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json; Elastic-Api-Version=2023-10-31

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json; Elastic-Api-Version=2023-10-31

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json; Elastic-Api-Version=2023-10-31

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/rules/{id}/exceptions

curl \
 -X POST https://localhost:5601/api/detection_engine/rules/{id}/exceptions \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request examples

{
  "items": [
    {
      "comments": [
        {
          "comment": "string"
        }
      ],
      "description": "string",
      "entries": [
        {
          "field": "string",
          "operator": "excluded",
          "type": "match",
          "value": "string"
        }
      ],
      "expire_time": "2024-05-04T09:42:00+00:00",
      "item_id": "string",
      "meta": {},
      "name": "string",
      "namespace_type": "single",
      "os_types": [],
      "tags": [],
      "type": "simple"
    }
  ]
}

Response examples (200)

[
  {
    "_version": "string",
    "comments": [
      {
        "comment": "string",
        "created_at": "2024-05-04T09:42:00+00:00",
        "created_by": "string",
        "id": "string",
        "updated_at": "2024-05-04T09:42:00+00:00",
        "updated_by": "string"
      }
    ],
    "created_at": "2024-05-04T09:42:00+00:00",
    "created_by": "string",
    "description": "string",
    "entries": [
      {
        "field": "string",
        "operator": "excluded",
        "type": "match",
        "value": "string"
      }
    ],
    "expire_time": "2024-05-04T09:42:00+00:00",
    "id": "string",
    "item_id": "string",
    "list_id": "string",
    "meta": {},
    "name": "string",
    "namespace_type": "single",
    "os_types": [],
    "tags": [],
    "tie_breaker_id": "string",
    "type": "simple",
    "updated_at": "2024-05-04T09:42:00+00:00",
    "updated_by": "string"
  }
]

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}