IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Find exception containers Get exception container »
Elastic Docs Elastic Security Solution [7.13] Elastic Security APIs Exceptions API

Find exception items

edit

Find exception items

edit

Retrieves a paginated subset of exception items in the specified container. By default, the first page is returned with 20 results per page.

The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.

Request URL

edit

GET <kibana host>:<port>/api/exception_lists/items/_find

URL query parameters

edit
Name Type Description Required

list_id

String

ID of the exception container.

Yes

page

Integer

The page number to return.

No

per_page

Integer

The number of items to return per page.

No

sort_field

String

Determines which field is used to sort the results.

No

sort_order

String

Determines the sort order, which can be desc or asc.

No

cursor

String

Returns the items that come after the last item returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all items are sorted and returned correctly. See Search After for more information.

No

Example request

edit

Retrieves exception items in the allowed-processes container:

GET api/exception_lists/items/_find?list_id=allowed-processes

Response code

edit
200
Indicates a successful call.

Response payload

edit
{
  "data": [
    {
      "_tags": [],
      "comments": [
        {
          "comment": "Allowed on all hosts.",
          "created_at": "2020-07-14T13:40:39.804Z",
          "created_by": "LiverpoolFC"
        }
      ],
      "created_at": "2020-07-14T13:40:39.804Z",
      "created_by": "LiverpoolFC",
      "description": "Global process allowlist",
      "entries": [
        {
          "field": "process.name",
          "operator": "included",
          "type": "match",
          "value": "housekeeping"
        }
      ],
      "id": "9b25aec0-c5d7-11ea-a3d8-a5b753aeeb9e",
      "item_id": "global-allow-processes",
      "list_id": "allowed-processes",
      "name": "Host-process global exclusion",
      "namespace_type": "single",
      "tags": [
        "global",
        "hosts",
        "processes"
      ],
      "tie_breaker_id": "28c6b069-8e39-4f9a-b93c-95e5a15b46c5",
      "type": "simple",
      "updated_at": "2020-07-14T13:40:39.980Z",
      "updated_by": "LiverpoolFC"
    },
    {
      "_tags": [],
      "comments": [
        {
          "comment": "Allows maintenance process to run on the specified machines",
          "created_at": "2020-07-14T13:41:24.005Z",
          "created_by": "LiverpoolFC"
        }
      ],
      "created_at": "2020-07-14T13:41:24.005Z",
      "created_by": "LiverpoolFC",
      "description": "Process allowlist",
      "entries": [
        {
          "field": "process.name",
          "operator": "included",
          "type": "match",
          "value": "maintenance"
        },
        {
          "field": "host.name",
          "operator": "included",
          "type": "match_any",
          "value": [
            "liv-win-anf",
            "livw-win-mel",
            "linux-anfield"
          ]
        }
      ],
      "id": "b57e5f60-c5d7-11ea-a3d8-a5b753aeeb9e",
      "item_id": "allow-process-on-machines",
      "list_id": "allowed-processes",
      "name": "Host-process exclusions",
      "namespace_type": "single",
      "tags": [
        "hosts",
        "processes"
      ],
      "tie_breaker_id": "a1bacb3d-7ce1-4f03-80f4-d49235b6bbde",
      "type": "simple",
      "updated_at": "2020-07-14T13:41:24.182Z",
      "updated_by": "LiverpoolFC"
    }
  ],
  "page": 1,
  "per_page": 20,
  "total": 2
}
« Find exception containers Get exception container »