Create an exception list
Spaces method and path for this operation:
Refer to Spaces for more information.
An exception list groups exception items and can be associated with detection rules. You can assign multiple exception lists to a detection rule.
All exception items added to the same list are evaluated using OR logic. That is, if any of the items in a list evaluate to true, the exception prevents the rule from generating an alert. Likewise, OR logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND operator, you can define multiple clauses (entries) in a single exception item.
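The OR/AND behaviour described above, as an added example that is not part of the Kibana documentation or code: it compares two exception items with one entry each against one item with two entries. The matching model (exact field/value equality on a flat event), the field names, list IDs and events are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not Kibana's evaluator): every entry is an
# exact field == value match on a flat event dictionary.

def item_matches(item, event):
    """AND: every entry in one exception item must match the event."""
    entries = item["entries"]
    # In this model an item with no entries matches nothing (all([]) is True).
    return bool(entries) and all(event.get(e["field"]) == e["value"] for e in entries)

def list_matches(exception_list, event):
    """OR: any single item in the list is enough."""
    return any(item_matches(i, event) for i in exception_list["items"])

def alert_suppressed(rule_lists, event):
    """OR again across every exception list assigned to the rule."""
    return any(list_matches(l, event) for l in rule_lists)

# Constructed sample data: same two conditions, grouped differently.
BROAD = {"list_id": "broad-example", "items": [
    {"entries": [{"field": "process.name", "value": "backup.exe"}]},
    {"entries": [{"field": "host.name", "value": "srv-backup-01"}]},
]}
NARROW = {"list_id": "narrow-example", "items": [
    {"entries": [{"field": "process.name", "value": "backup.exe"},
                 {"field": "host.name", "value": "srv-backup-01"}]},
]}

EVENTS = [
    {"process.name": "backup.exe", "host.name": "srv-backup-01"},  # intended exception
    {"process.name": "backup.exe", "host.name": "laptop-17"},      # same name, other host
    {"process.name": "cmd.exe", "host.name": "srv-backup-01"},     # other process, same host
]

def suppression_table(rule_lists):
    """One boolean per sample event: True means no alert is generated."""
    return [alert_suppressed(rule_lists, e) for e in EVENTS]

if __name__ == "__main__":
    print("two items (OR): ", suppression_table([BROAD]))
    print("one item (AND): ", suppression_table([NARROW]))
```

Splitting the two conditions into separate items suppresses alerts for all three events, while keeping them as entries of one item suppresses only the intended one.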
Body
Required
Exception list's properties
- A string that does not contain only whitespace characters. Minimum length is 1.
- Additional properties are allowed.
- Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  single: Only available in the Kibana space in which it is created.
  agnostic: Available in all Kibana spaces.
  Values are agnostic or single.
- Values are linux, macos, or windows.
- Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
- Minimum value is 1.
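# $API_KEY must hold the full Authorization header value, for example "ApiKey <encoded key>".
# Kibana expects a kbn-xsrf header on non-GET API requests unless XSRF protection is disabled.
curl \
--request POST 'https://localhost:5601/api/exception_lists' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","list_id":"string","meta":{},"name":"string","namespace_type":"agnostic","os_types":["linux"],"tags":["string"],"type":"detection","version":42}'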