Lists API
editLists API
editLists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.
Lists are made up of:
-
List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
-
boolean
-
byte
-
date
-
date_nanos
-
date_range
-
double
-
double_range
-
float
-
float_range
-
half_float
-
integer
-
integer_range
-
ip
-
ip_range
-
keyword
-
long
-
long_range
-
short
-
text
-
- List items: The values used to determine whether the exception prevents an alert from being generated.
All list items in the same list container must be of the same data type, and
each item defines a single value. For example, an IP list container, named
internal-ip-addresses-southport
, contains five items, where each item defines
one internal IP address:
-
192.168.1.1
-
192.168.1.3
-
192.168.1.18
-
192.168.1.12
-
192.168.1.7
To use these IP addresses as values for defining rule exceptions, use the
Exceptions API to create an
exception item that references the
internal-ip-addresses-southport
list.
Lists cannot be added directly to rules, nor do they define the operators
used to determine when exceptions are applied (is in list
, is not in list
).
Use an exception item to define the
operator and associate it with an exception container.
You can then add the exception container to a rule’s exceptions_list
object.
Lists requirements
editBefore you can start using lists, you must create the .lists
and .items
data streams for the relevant Kibana space. To learn how to do this, go to Lists index endpoint.
Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.