Find exception items

edit

Retrieves a paginated subset of exception items in the specified container. By default, the first page is returned with 20 results per page.

Request URL

edit

GET <kibana host>:<port>/api/exception_lists/items/_find

URL query parameters

edit
Name Type Description Required

list_id

String

ID of the exception container.

Yes

page

Integer

The page number to return.

No

per_page

Integer

The number of items to return per page.

No

sort_field

String

Determines which field is used to sort the results.

No

sort_order

String

Determines the sort order, which can be desc or asc.

No

cursor

String

Returns the items that come after the last item returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all items are sorted and returned correctly. See Search After for more information.

No

Example request

edit

Retrieves exception items in the allowed-processes container:

GET api/exception_lists/items/_find?list_id=allowed-processes

Response code

edit
200
Indicates a successful call.

Response payload

edit
{
  "data": [
    {
      "_tags": [],
      "comments": [
        {
          "comment": "Allowed on all hosts.",
          "created_at": "2020-07-14T13:40:39.804Z",
          "created_by": "elastic"
        }
      ],
      "created_at": "2020-07-14T13:40:39.804Z",
      "created_by": "elastic",
      "description": "Global process allowlist",
      "entries": [
        {
          "field": "process.name",
          "operator": "included",
          "type": "match",
          "value": "housekeeping"
        }
      ],
      "id": "9b25aec0-c5d7-11ea-a3d8-a5b753aeeb9e",
      "item_id": "global-allow-processes",
      "list_id": "allowed-processes",
      "name": "Host-process global exclusion",
      "namespace_type": "single",
      "tags": [
        "global",
        "hosts",
        "processes"
      ],
      "tie_breaker_id": "28c6b069-8e39-4f9a-b93c-95e5a15b46c5",
      "type": "simple",
      "updated_at": "2020-07-14T13:40:39.980Z",
      "updated_by": "elastic"
    },
    {
      "_tags": [],
      "comments": [
        {
          "comment": "Allows maintenance process to run on the specified machines",
          "created_at": "2020-07-14T13:41:24.005Z",
          "created_by": "elastic"
        }
      ],
      "created_at": "2020-07-14T13:41:24.005Z",
      "created_by": "elastic",
      "description": "Process allowlist",
      "entries": [
        {
          "field": "process.name",
          "operator": "included",
          "type": "match",
          "value": "maintenance"
        },
        {
          "field": "host.name",
          "operator": "included",
          "type": "match_any",
          "value": [
            "liv-win-anf",
            "livw-win-mel",
            "linux-anfield"
          ]
        }
      ],
      "id": "b57e5f60-c5d7-11ea-a3d8-a5b753aeeb9e",
      "item_id": "allow-process-on-machines",
      "list_id": "allowed-processes",
      "name": "Host-process exclusions",
      "namespace_type": "single",
      "tags": [
        "hosts",
        "processes"
      ],
      "tie_breaker_id": "a1bacb3d-7ce1-4f03-80f4-d49235b6bbde",
      "type": "simple",
      "updated_at": "2020-07-14T13:41:24.182Z",
      "updated_by": "elastic"
    }
  ],
  "page": 1,
  "per_page": 20,
  "total": 2
}