IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Lists index endpoint Create list container »

› ›

Lists API

edit

Lists API

edit

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
- boolean
- byte
- date
- date_nanos
- date_range
- double
- double_range
- float
- float_range
- half_float
- integer
- integer_range
- ip
- ip_range
- keyword
- long
- long_range
- short
- text
List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container, named internal-ip-addresses-southport, contains five items, where each item defines one internal IP address:

192.168.1.1
192.168.1.3
192.168.1.18
192.168.1.12
192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Exceptions API to create an exception item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule’s exceptions_list object.

Lists requirements

edit

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To learn how to do this, go to Lists index endpoint.

Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.

« Lists index endpoint Create list container »