Create rule exception list items Beta

POST /api/detection_engine/rules/{id}/exceptions

Create exception items that apply to a single detection rule.

Path parameters

  • id string(uuid) Required

    Detection rule's identifier

application/json; Elastic-Api-Version=2023-10-31

Body Required

Rule exception list items

  • items array[object] Required
    • comments array[object]

      Default value is [] (empty).

      • comment string Required

        A string that is not empty and does not contain only whitespace

        Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • description string Required
    • entries array[object] Required
      Any of:
    • expire_time string(date-time)
    • item_id string

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • meta object

      Additional properties are allowed.

    • name string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • namespace_type string

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string]

      A string that is not empty and does not contain only whitespace

      Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$. Default value is [] (empty).

    • type string Required

      Value is simple.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    • _version string
    • comments array[object] Required
      • comment string Required

        A string that is not empty and does not contain only whitespace

        Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

      • created_at string(date-time) Required
      • created_by string Required

        A string that is not empty and does not contain only whitespace

        Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

      • id string Required

        A string that is not empty and does not contain only whitespace

        Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

      • updated_at string(date-time)
      • updated_by string

        A string that is not empty and does not contain only whitespace

        Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • created_at string(date-time) Required
    • created_by string Required
    • description string Required
    • entries array[object] Required
      Any of:
    • expire_time string(date-time)
    • id string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • item_id string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • list_id string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • meta object

      Additional properties are allowed.

    • name string Required

      A string that is not empty and does not contain only whitespace

      Minimum length is 1. Format should match the following pattern: ^(?! *$).+$.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string]

      A string that is not empty and does not contain only whitespace

      Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$. Default value is [] (empty).

    • tie_breaker_id string Required
    • type string Required

      Value is simple.

    • updated_at string(date-time) Required
    • updated_by string Required
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Invalid input data response

    One of:
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unsuccessful authentication response

  • 403 application/json; Elastic-Api-Version=2023-10-31

    Not enough privileges response

  • 500 application/json; Elastic-Api-Version=2023-10-31

    Internal server error response

POST /api/detection_engine/rules/{id}/exceptions
Replace {id} with the rule's UUID. The kbn-xsrf header is required by Kibana for every POST; request.json holds a body of the shape shown under Request examples.
curl \
 -X POST https://localhost:5601/api/detection_engine/rules/{id}/exceptions \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true" \
 -d @request.json
Request examples
{
  "items": [
    {
      "comments": [
        {
          "comment": "string"
        }
      ],
      "description": "string",
      "entries": [
        {
          "field": "string",
          "operator": "excluded",
          "type": "match",
          "value": "string"
        }
      ],
      "expire_time": "2024-05-04T09:42:00+00:00",
      "item_id": "string",
      "meta": {},
      "name": "string",
      "namespace_type": "single",
      "os_types": [],
      "tags": [],
      "type": "simple"
    }
  ]
}
Response examples (200)
[
  {
    "_version": "string",
    "comments": [
      {
        "comment": "string",
        "created_at": "2024-05-04T09:42:00+00:00",
        "created_by": "string",
        "id": "string",
        "updated_at": "2024-05-04T09:42:00+00:00",
        "updated_by": "string"
      }
    ],
    "created_at": "2024-05-04T09:42:00+00:00",
    "created_by": "string",
    "description": "string",
    "entries": [
      {
        "field": "string",
        "operator": "excluded",
        "type": "match",
        "value": "string"
      }
    ],
    "expire_time": "2024-05-04T09:42:00+00:00",
    "id": "string",
    "item_id": "string",
    "list_id": "string",
    "meta": {},
    "name": "string",
    "namespace_type": "single",
    "os_types": [],
    "tags": [],
    "tie_breaker_id": "string",
    "type": "simple",
    "updated_at": "2024-05-04T09:42:00+00:00",
    "updated_by": "string"
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}
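The following is an added example, written by the editor and not part of Elastic's client libraries or of this page. It builds an `items` body for this endpoint while enforcing the constraints documented above (the non-blank pattern, `type: simple`, the `namespace_type` and `os_types` value sets, a UUID rule id, a future `expire_time`), assembles the request with the `kbn-xsrf` header Kibana requires, and decodes the two error-body shapes shown under Response examples (`statusCode` vs `status_code`). The Kibana URL, rule id and sample exception are constructed placeholders; the `included` operator and the `Authorization: ApiKey` header are assumed from Kibana conventions rather than taken from this page, whose entry schema is elided.

```python
"""Client-side builder for POST /api/detection_engine/rules/{id}/exceptions.
Added example (editor's code, not Elastic's); URL, rule id, sample data are placeholders."""
import json
import re
import uuid
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError
from urllib.request import Request, urlopen

API_VERSION = "2023-10-31"
# Documented pattern: rejects "" and runs of spaces, but not a lone tab, so
# it is narrower than the prose "does not contain only whitespace".
NON_BLANK = re.compile(r"^(?! *$).+$")
OS_TYPES = {"linux", "macos", "windows"}
NAMESPACE_TYPES = {"single", "agnostic"}

def _non_blank(name, value):
    if not isinstance(value, str) or not NON_BLANK.match(value):
        raise ValueError(f"{name}: must be a non-empty, non-blank string")
    return value

def build_item(name, description, entries, *, comments=(), item_id=None,
               namespace_type="single", os_types=(), tags=(), expire_time=None):
    """One element of `items`, validated before it ever reaches Kibana."""
    if not entries:
        raise ValueError("entries: must not be empty")
    for entry in entries:  # page elides the entry schema; check the example's keys
        if {"field", "operator", "type"} - set(entry):
            raise ValueError(f"entries: need field, operator and type: {entry}")
    if namespace_type not in NAMESPACE_TYPES:
        raise ValueError(f"namespace_type: expected one of {sorted(NAMESPACE_TYPES)}")
    if set(os_types) - OS_TYPES:
        raise ValueError(f"os_types: expected values from {sorted(OS_TYPES)}")
    item = {
        "name": _non_blank("name", name),
        "description": _non_blank("description", description),
        "type": "simple",  # the only value this endpoint accepts
        "entries": list(entries),
        "comments": [{"comment": _non_blank("comment", c)} for c in comments],
        "namespace_type": namespace_type,
        "os_types": sorted(os_types),
        "tags": [_non_blank("tags[]", t) for t in tags],
        "meta": {},
    }
    if item_id is not None:
        item["item_id"] = _non_blank("item_id", item_id)
    if expire_time is not None:
        # Aware datetime, in the future: a past expiry yields an exception that never applies.
        if expire_time.tzinfo is None or expire_time <= datetime.now(timezone.utc):
            raise ValueError("expire_time: must be a timezone-aware future time")
        item["expire_time"] = expire_time.isoformat(timespec="seconds")
    return item

def build_request(kibana_url, rule_id, items, api_key=None):
    """Describe the HTTP request as a plain dict so it can be reviewed or logged."""
    rule_id = str(uuid.UUID(rule_id))  # the path parameter is a UUID; fail early
    headers = {
        "Content-Type": f"application/json; Elastic-Api-Version={API_VERSION}",
        "kbn-xsrf": "true",  # Kibana rejects mutating calls without it
    }
    if api_key:  # ApiKey scheme assumed from Kibana conventions, not this page
        headers["Authorization"] = f"ApiKey {api_key}"
    return {"method": "POST",
            "url": f"{kibana_url.rstrip('/')}/api/detection_engine/rules/{rule_id}/exceptions",
            "headers": headers,
            "body": json.dumps({"items": items})}

def parse_error(body):
    """(status, message) for any documented error body, whichever key it uses."""
    doc = json.loads(body)
    return doc.get("statusCode", doc.get("status_code")), doc.get("message", "")

def send(req):
    """Send a request from build_request; urlopen verifies the TLS certificate."""
    http_req = Request(req["url"], data=req["body"].encode(),
                       headers=req["headers"], method=req["method"])
    try:
        with urlopen(http_req) as resp:
            return json.loads(resp.read())
    except HTTPError as exc:
        code, msg = parse_error(exc.read())
        raise RuntimeError(f"Kibana returned {code}: {msg}") from exc

# Constructed sample: one known binary on Linux, allowed for 30 days. An exact
# `match` on the executable path keeps the exception from silencing more than
# the one false positive it was opened for. `included` is assumed (page shows `excluded`).
SAMPLE_ENTRY = {"field": "process.executable", "operator": "included",
                "type": "match", "value": "/opt/backup/agent"}

def example_request():
    item = build_item("Backup agent on Linux", "Known-good vendor backup process",
                      [SAMPLE_ENTRY], comments=["Review before expiry"],
                      os_types=["linux"], tags=["backup"],
                      expire_time=datetime.now(timezone.utc) + timedelta(days=30))
    return build_request("https://localhost:5601",
                         "12345678-1234-1234-1234-123456789abc", [item])
```

To actually create the item, pass the result of `example_request()` to `send()` with a real Kibana URL, rule id and API key. The request is kept as a plain dict until that point so the exact body can be reviewed before it goes in: every exception item narrows a detection rule, so a broad entry (or an `agnostic` namespace where `single` would do) blinds the rule for every matching host, and an `expire_time` forces the exception to be re-justified rather than living forever.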