Create list container
Creates a list container.
A list container groups common list items that define exceptions for when detection rule alerts are not generated even when a rule's other criteria are met. All list items in the same list container refer to the same type of exception. For example, each list item in an ip list container excludes an IP address.
You can retrieve ip items in a list container using CIDR notation, and ip_range items using a single IP value. For examples, see Get list item.
Request URL
POST <kibana host>:<port>/api/lists
Request body
A JSON object that defines the list container's properties.
Required fields
Name | Type | Description |
---|---|---|
description | String | Describes the list container. |
name | String | The list container's name. |
type | String | Specifies the Elasticsearch data type of the excluded values the list container holds. Some common examples: ip, ip_range, keyword. |
Optional fields
Name | Type | Description |
---|---|---|
deserializer | String | Determines how retrieved list item values are presented. By default, list items are presented using built-in Handlebars expressions. For information on parsing item values when they are uploaded, see serializer. |
id | String | Unique identifier. Automatically created when it is not provided. |
meta | Object | Placeholder for metadata about the list container. |
serializer | String | Determines how uploaded list item values are parsed. By default, list items are parsed using built-in named regex groups. |
version | Integer | The list container's version number. Defaults to 1. |
Example requests
Creates a list container for IP addresses:
POST api/lists
{
  "id": "internal-ip-excludes",
  "name": "Exclude internal IP addresses",
  "description": "Contains list items that exclude internal IP addresses from detection rules.",
  "type": "ip"
}
Creates a list container for a keyword:
POST api/lists
{
  "id": "host.name-container",
  "name": "Exclude hosts",
  "description": "Contains list items that exclude host names from detection rules.",
  "type": "keyword"
}
Creates a list container for ip_range items with custom parsing:
POST api/lists
{
  "id": "internal-ip-range-excludes",
  "name": "Exclude IP ranges",
  "description": "Contains excluded IP ranges.",
  "serializer": "(?<gte>.+)/(?<lte>.+)",
  "deserializer": "{{{gte}}}--{{{lte}}}",
  "type": "ip_range"
}
In this example, the serializer (?<gte>.+)/(?<lte>.+) parses uploaded IP ranges into the named groups gte and lte, and the deserializer {{{gte}}}--{{{lte}}} presents the container's retrieved IP range list items as the two bounds joined by a double dash.
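To make the custom serializer and deserializer concrete, the following added Python example (not Kibana's own code) reproduces the ip_range request body above, checks it for the required fields, and shows how an uploaded value is split by the serializer's named regex groups and re-rendered by the deserializer's Handlebars placeholders. It assumes a simplified stand-in for Kibana's regex and Handlebars handling, and the sample range 10.0.0.0/10.0.0.255 is constructed for illustration.

```python
import base64
import json
import re

# The ip_range container request body from the page, with its custom serializer
# (how uploaded item values are parsed) and deserializer (how they are presented).
CONTAINER = {
    "id": "internal-ip-range-excludes",
    "name": "Exclude IP ranges",
    "description": "Contains excluded IP ranges.",
    "serializer": r"(?<gte>.+)/(?<lte>.+)",
    "deserializer": "{{{gte}}}--{{{lte}}}",
    "type": "ip_range",
}

# Required fields of the create-container request.
REQUIRED = ("description", "name", "type")


def missing_required_fields(body):
    """Return the required fields that are absent from a create-container body."""
    return [field for field in REQUIRED if field not in body]


def parse_uploaded_value(serializer, raw):
    """Apply the serializer (a regex with named groups) to one uploaded value.

    Simplified stand-in: JavaScript-style (?<name>...) groups are rewritten to
    Python's (?P<name>...) form. Returns the group dict, or None if the value
    does not match the serializer at all.
    """
    pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", serializer)
    match = re.fullmatch(pattern, raw.strip())
    return match.groupdict() if match else None


def present_value(deserializer, fields):
    """Render the deserializer by substituting {{{name}}} placeholders (simplified)."""
    return re.sub(r"\{\{\{(\w+)\}\}\}", lambda m: fields[m.group(1)], deserializer)


def decode_version(encoded):
    """Decode the Base-64 _version string returned in the response payload."""
    return json.loads(base64.b64decode(encoded))


if __name__ == "__main__":
    groups = parse_uploaded_value(CONTAINER["serializer"], "10.0.0.0/10.0.0.255")
    print(groups, present_value(CONTAINER["deserializer"], groups))
```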
Response code
200 - Indicates a successful call.
Response payload
{
  "_version": "WzAsMV0=",
  "id": "internal-ip-excludes",
  "created_at": "2020-08-11T10:08:05.289Z",
  "created_by": "elastic",
  "description": "Contains list items that exclude internal IP addresses from detection rule matches.",
  "immutable": false,
  "name": "Exclude internal IP addresses",
  "tie_breaker_id": "f7951678-ad13-4d65-8d15-a4c706d4893e",
  "type": "ip",
  "updated_at": "2020-08-11T10:08:05.289Z",
  "updated_by": "elastic",
  "version": 1
}
The _version field is a Base-64 encoded value; the value shown, WzAsMV0=, decodes to [0,1].