Get exception lists Beta

GET /api/exception_lists/_find

Get a list of all exception list containers.

Query parameters

  • filter string

    Filters the returned results according to the value of the specified field.

    Uses the <so type>.<field name>:<field value> syntax, where <so type> can be:

    • exception-list: Specify a space-aware exception list.
    • exception-list-agnostic: Specify an exception list that is shared across spaces.
  • namespace_type array[string]

    Determines whether the returned containers are associated with a Kibana space or available in all spaces (agnostic or single).

    Values are agnostic or single. Default value is ["single"].

  • page integer

    The page number to return

    Minimum value is 1.

  • per_page integer

    The number of exception lists to return per page

    Minimum value is 1.

  • Determines which field is used to sort the results.

  • Determines the sort order, which can be desc or asc.

    Values are desc or asc.

Responses

  • 200 application/json

    Successful response

    • data array[object] Required
      • _version string

        The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string Required

        Autogenerated value - user that created object.

      • description string Required

        Describes the exception list.

      • id string(nonempty) Required

        Exception list's identifier.

        Minimum length is 1.

      • immutable boolean Required
      • list_id string(nonempty) Required

        Exception list's human readable string identifier, e.g. trusted-linux-processes.

        Minimum length is 1.

      • meta object

        Placeholder for metadata about the list container.

        Additional properties are allowed.

      • name string Required

        The name of the exception list.

      • namespace_type string Required

        Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

        • single: Only available in the Kibana space in which it is created.
        • agnostic: Available in all Kibana spaces.

        Values are agnostic or single. Default value is single.

      • os_types array[string]

        Use this field to specify the operating system. Only enter one value.

        Values are linux, macos, or windows.

      • tags array[string]

        String array containing words and phrases to help categorize exception containers.

      • tie_breaker_id string Required

        Field used in search to ensure all containers are sorted and returned correctly.

      • type string Required

        The type of exception list to be created. Different list types may denote where they can be utilized.

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

      • updated_at string(date-time) Required

        Autogenerated date of last object update.

      • updated_by string Required

        Autogenerated value - user that last updated object.

      • version integer Required

        The document version, automatically increased on updates.

        Minimum value is 1.

    • page integer Required

      Minimum value is 1.

    • per_page integer Required

      Minimum value is 1.

    • total integer Required

      Minimum value is 0.

  • 400 application/json

    Invalid input data response

    One of:
  • 401 application/json

    Unsuccessful authentication response

  • 403 application/json

    Not enough privileges response

  • 500 application/json

    Internal server error response

GET /api/exception_lists/_find
curl \
 --request GET https://<KIBANA_URL>/api/exception_lists/_find \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "data": [
    {
      "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
      "name": "Detection Exception List",
      "tags": [
        "malware"
      ],
      "type": "detection",
      "list_id": "simple_list",
      "version": 1,
      "_version": "WzIsMV0=",
      "os_types": [],
      "immutable": false,
      "created_at": "2025-01-07T19:34:27.942Z",
      "created_by": "elastic",
      "updated_at": "2025-01-07T19:34:27.942Z",
      "updated_by": "elastic",
      "description": "This is a sample detection type exception list.",
      "namespace_type": "single",
      "tie_breaker_id": "78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3"
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 20
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}
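Paging through this endpoint to review every exception list, as an added example (not part of the Kibana documentation): it requests one namespace_type value at a time with page and per_page, stops based on total, and reports containers whose updated_at is at or after a cutoff. The sample containers are constructed; KIBANA_URL and API_KEY are assumed environment variables mirroring the curl request above, and sample_fetch, http_fetch, find_all and changed_since are names introduced here.

```python
import itertools
import json
import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample containers (not real data), keyed by namespace_type.
SAMPLE = {
    "single": [
        {"list_id": "simple_list", "updated_by": "elastic", "updated_at": "2025-01-07T19:34:27.942Z"},
        {"list_id": "old_list", "updated_by": "elastic", "updated_at": "2024-06-01T08:00:00.000Z"},
        {"list_id": "new_list", "updated_by": "analyst1", "updated_at": "2025-02-01T12:00:00.000Z"},
    ],
    "agnostic": [
        {"list_id": "shared_list", "updated_by": "elastic", "updated_at": "2025-01-09T10:00:00.000Z"},
    ],
}

def sample_fetch(params):
    """Offline stand-in for the endpoint: serves SAMPLE one page at a time."""
    items, n = SAMPLE[params["namespace_type"]], params["per_page"]
    start = (params["page"] - 1) * n
    return {"data": items[start:start + n], "page": params["page"], "per_page": n, "total": len(items)}

def http_fetch(params):
    """Real GET; sends API_KEY verbatim as the Authorization header, as the curl request does."""
    url = os.environ["KIBANA_URL"].rstrip("/") + "/api/exception_lists/_find?" + urlencode(params)
    with urlopen(Request(url, headers={"Authorization": os.environ["API_KEY"]}), timeout=30) as resp:
        return json.load(resp)

def find_all(fetch, per_page=20):
    """Collect every container: one namespace_type per request, page by page."""
    found = []
    for namespace_type in ("single", "agnostic"):
        for page in itertools.count(1):
            body = fetch({"namespace_type": namespace_type, "page": page, "per_page": per_page})
            found.extend(body["data"])
            if not body["data"] or page * body["per_page"] >= body["total"]:
                break  # last page, or the list shrank while paging
    return found

def changed_since(containers, cutoff_iso):
    """(list_id, updated_by, updated_at) rows; same-format ISO-8601 UTC strings compare in order."""
    return [(c["list_id"], c["updated_by"], c["updated_at"])
            for c in containers if c["updated_at"] >= cutoff_iso]

if __name__ == "__main__":
    fetch = http_fetch if os.environ.get("KIBANA_URL") else sample_fetch
    print(*changed_since(find_all(fetch), "2025-01-01T00:00:00.000Z"), sep="\n")
```

Without KIBANA_URL set, the script runs against the constructed sample; with it set, the same paging logic runs against the live endpoint.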