IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Bulk rule actions Create exceptions for a rule »
Elastic Docs Elastic Security Solution [8.7] Elastic Security APIs Detections API

Create default exception list for a rule

edit

Create default exception list for a rule

edit

Creates a default exception list for the rule you specify.

To add exception items to a default exception list, pass in exceptions items that you want applied to the rule. Refer to Create exceptions for a rule for more information.

When an exception item’s query evaluates to true, the associated rule does not issue alerts even when its other criteria are met.

Default exception lists do not display on the Shared Exception Lists page in the Elastic Security app UI; they only appear in the Rule exceptions on the rule details page. This is because default exception lists can only be associated with a single rule. Refer to View and manage exceptions to learn more.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/<rule_id>/exceptions

Request body

edit

A JSON object with these fields:

Name Type Description Required

description

String

Describes the exception list.

Yes

list_id

String

Unique identifier.

No, automatically created when it is not provided.

meta

Object

Placeholder for metadata about the exception list.

No

name

String

The exception list’s name.

Yes

namespace_type

String

Determines whether the exception list is available in all Kibana spaces or just the space in which it is created, where:

  • single: Only available in the Kibana space in which it is created.
  • agnostic: Available in all Kibana spaces.

No, defaults to single.

tags

String[]

String array containing words and phrases to help categorize exception lists.

No

type

String

The type of exception, which must be:

  • rule_default: Exception list that belongs to a single rule.

Yes

Example requests

edit

Creates an exception list for holding trusted Linux process exception items:

POST api/detection_engine/<rule_id>/exceptions
{
  "description": "Excludes Linux trusted processes",
  "name": "Linux process exceptions",
  "list_id": "trusted-linux-processes",
  "type": "detection",
  "namespace_type": "single",
  "tags": [
    "linux",
    "processes"
  ]
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

The exception list object with a unique ID.

{
  "_tags": [],
  "created_at": "2020-07-13T09:33:46.187Z",
  "created_by": "elastic",
  "description": "Excludes Linux trusted processes",
  "id": "f320c070-c4eb-11ea-80bb-11861bae2798", 
  "list_id": "trusted-linux-processes", 
  "name": "Linux process exceptions",
  "namespace_type": "single", 
  "tags": [
    "linux",
    "processes"
  ],
  "tie_breaker_id": "2c08d5a5-2ecc-4d5a-acfb-0a367f25b3f3",
  "type": "detection", 
  "updated_at": "2020-07-13T09:33:46.359Z",
  "updated_by": "elastic"
}

The highlighted values can help you identify detection rules associated with the exception list:

id

list_id

namespace_type

type
« Bulk rule actions Create exceptions for a rule »