Update exception item

Updates an existing exception item.

Request URL

PUT <kibana host>:<port>/api/exception_lists/items

Request body

| Name | Type | Description | Required |
|------|------|-------------|----------|
| comments | comments[] | Array of comments to be appended: comment (string): Comments about the exception item. Comments cannot be modified; they can only be appended. | No, defaults to empty array. |
| description | String | Describes the exception item. | Yes |
| entries | entries[] | Array containing the exception queries. Boolean AND logic is used to evaluate the relationship between array elements. If you want to use OR logic, create a separate exception item. | Yes |
| expire_time | String | The exception item's expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. | No |
| id | String | The item's unique identifier. | Yes, when the item's item_id field is not used. |
| item_id | String | The item_id of the item you are updating. | Yes, when the item's id field is not used. |
| meta | Object | Placeholder for metadata about the exception item. | No |
| name | String | The exception item's name. | Yes |
| namespace_type | String | Determines whether the exception item is available in all Kibana spaces or just the space in which it is created, where single: Only available in the Kibana space in which it is created; agnostic: Available in all Kibana spaces. | No, defaults to single. |
| tags | String[] | String array containing words and phrases to help categorize exception items. | No |
| type | String | Exception query type, must be simple. | Yes |

Example request

Updates the entries object:

PUT api/exception_lists/items
{
  "description": "Process allowlist",
  "entries": [
    {
      "field": "process.name",
      "operator": "included",
      "type": "match",
      "value": "maintenance"
    },
    {
      "field": "host.name",
      "operator": "included",
      "type": "match_any",
      "value": [
        "liv-win-anf",
        "livw-win-mel",
        "linux-anfield",
        "new-host"
      ]
    }
  ],
  "item_id": "allow-process-on-machines",
  "name": "Host-process exclusions",
  "namespace_type": "single",
  "tags": [
    "hosts",
    "processes"
  ],
  "type": "simple"
}
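
The following pre-flight check is an added example, not part of the Elastic documentation or code: it validates an update body against the field table above and, because entries are ANDed, flags changes that can make the exception match more events. The function names are hypothetical, and CURRENT is a constructed assumption about the item's state before the example request.

```python
REQUIRED = ("description", "entries", "name", "type")

def validate_update(body):
    """Return problems found in an update body, per the request-body table."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in body]
    if "id" not in body and "item_id" not in body:
        problems.append("id or item_id is required")
    if body.get("type", "simple") != "simple":
        problems.append("type must be simple")
    if body.get("namespace_type", "single") not in ("single", "agnostic"):
        problems.append("namespace_type must be single or agnostic")
    return problems

def _index(item):
    """Map (field, operator, type) -> set of values for each entry."""
    out = {}
    for e in item.get("entries", []):
        v = e.get("value", [])
        out[(e["field"], e["operator"], e["type"])] = set(v if isinstance(v, list) else [v])
    return out

def widening_changes(current, update):
    """Flag changes that can make the exception match more events."""
    # Entries are ANDed, so dropping a condition widens the exception; adding
    # values to an "included" entry can widen it as well.
    old, new = _index(current), _index(update)
    findings = []
    for key in sorted(old.keys() - new.keys()):
        findings.append(("condition removed", key[0], sorted(old[key])))
    for key in sorted(old.keys() & new.keys()):
        added = sorted(new[key] - old[key])
        if added and key[1] == "included":
            findings.append(("values added", key[0], added))
    return findings

# Constructed sample: the item as assumed to exist before the page's request.
CURRENT = {"item_id": "allow-process-on-machines", "entries": [
    {"field": "process.name", "operator": "included", "type": "match", "value": "maintenance"},
    {"field": "host.name", "operator": "included", "type": "match_any",
     "value": ["liv-win-anf", "livw-win-mel", "linux-anfield"]}]}
# Mirrors the fields of the page's example request.
UPDATE = dict(CURRENT, description="Process allowlist", name="Host-process exclusions",
              namespace_type="single", tags=["hosts", "processes"], type="simple",
              entries=[CURRENT["entries"][0], dict(CURRENT["entries"][1],
                       value=CURRENT["entries"][1]["value"] + ["new-host"])])

if __name__ == "__main__":
    print(validate_update(UPDATE), widening_changes(CURRENT, UPDATE))
```

Each finding is a candidate for review before the PUT is sent, since a widened exception item matches more events than the original.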

Response code

200
Indicates a successful call.

Response payload

The updated object, including the time it was updated.

Example response:

{
  "_tags": [],
  "comments": [],
  "created_at": "2020-07-15T06:28:32.457Z",
  "created_by": "elastic",
  "description": "Process allowlist",
  "entries": [
    {
      "field": "process.name",
      "operator": "included",
      "type": "match",
      "value": "maintenance"
    },
    {
      "field": "host.name",
      "operator": "included",
      "type": "match_any",
      "value": [
        "liv-win-anf",
        "livw-win-mel",
        "linux-anfield",
        "new-host"
      ]
    }
  ],
  "id": "67a70610-c664-11ea-bab5-9d6ae015701b",
  "item_id": "allow-process-on-machines",
  "list_id": "allowed-processes",
  "name": "Host-process exclusions",
  "namespace_type": "single",
  "tags": [
    "hosts",
    "processes"
  ],
  "tie_breaker_id": "15d7f2eb-7192-4f4b-a803-ad8a4f5efd08",
  "type": "simple",
  "updated_at": "2020-07-15T06:28:50.494Z",
  "updated_by": "elastic"
}