Create a shared exception list

POST /api/exceptions/shared
Api key auth Basic auth

Spaces method and path for this operation:

post /s/{space_id}/api/exceptions/shared

Refer to Spaces for more information.

An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.

All exception items added to the same list are evaluated using OR logic. That is, if any of the items in a list evaluate to true, the exception prevents the rule from generating an alert. Likewise, OR logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND operator, you can define multiple clauses (entries) in a single exception item.

application/json

Body Required

  • description string Required
  • name string Required

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string
    • created_at string(date-time) Required
    • created_by string Required
    • description string Required
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string Required
    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Values are linux, macos, or windows.

    • tags array[string]
    • tie_breaker_id string Required
    • type string Required

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required
    • updated_by string Required
    • version integer Required

      Minimum value is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
    • error string Required
    • message string Required
    • statusCode integer Required
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
    • error string Required
    • message string Required
    • statusCode integer Required
  • 409 application/json

    Exception list already exists response

    Hide response attributes Show response attributes object
    • message string Required
    • status_code integer Required
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
    • message string Required
    • status_code integer Required
POST /api/exceptions/shared 
curl \
 --request POST 'http://localhost:5601/api/exceptions/shared' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"string","name":"string"}'