Create an exception list item

POST /api/exception_lists/items

Api key auth Basic auth

Spaces method and path for this operation:

post /s/{space_id}/api/exception_lists/items

Refer to Spaces for more information.

Create an exception item and associate it with the specified exception list.

Before creating exception items, you must create an exception list.

application/json

Body object Required

Exception list item's properties

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object] Required
Any of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
list_id string(nonempty) Required
The exception list's human-readable string identifier.

For endpoint artifacts, use one of the following values:
- endpoint_list: Elastic Endpoint exception list
- endpoint_trusted_apps: Trusted applications list
- endpoint_trusted_devices: Trusted devices list
- endpoint_event_filters: Event filters list
- endpoint_host_isolation_exceptions: Host isolation exceptions list
- endpoint_blocklists: Blocklists list
Minimum length is 1.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows.
tags array[string(nonempty)]

String array containing words and phrases to help categorize exception items.

Minimum length of each is 1.

Elastic Endpoint exception list item properties.

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]
Any of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
list_id string Required

Value is endpoint_list.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Trusted applications list item properties (Windows).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]

Process hash, executable path, or code signature entries

At least 1 element.
One of:
Security_Exceptions_API_TrustedAppHashEntry object Security_Exceptions_API_TrustedAppPathEntry object Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry object
Hide attributes Show attributes

field string Required

Process hash field

Values are process.hash.md5, process.hash.sha1, or process.hash.sha256.

operator string Required

Value is included.

type string Required

Hash entries only support match type

Value is match.

value string Required

Hash value (MD5, SHA1, or SHA256)
Hide attributes Show attributes

field string Required

Process executable path field

Value is process.executable.caseless.

operator string Required

Value is included.

type string Required

Path supports both match and wildcard types

Values are match or wildcard.

value string Required

Executable path
Hide attributes Show attributes

entries array[object] Required

Must include exactly 2 entries - one for subject_name and one for trusted

At least 2 but not more than 2 elements.

One of:
object-1 object object-2 object

Hide attributes Show attributes

field string Required

Value is subject_name.

operator string Required

Value is included.

type string Required

Value is match.

value string Required

Certificate subject name

Hide attributes Show attributes

field string Required

Value is trusted.

operator string Required

Value is included.

type string Required

Value is match.

value string Required

Must be the string 'true'

Value is true.

field string Required

Windows code signature field

Value is process.Ext.code_signature.

type string Required

Value is nested.
list_id string Required

Value is endpoint_trusted_apps.
os_types array[string]

Must be Windows only

At least 1 but not more than 1 element. Value is windows.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Trusted applications list item properties (macOS).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]

Process hash, executable path, or code signature entries

At least 1 element.
One of:
Security_Exceptions_API_TrustedAppHashEntry object Security_Exceptions_API_TrustedAppPathEntry object Security_Exceptions_API_TrustedAppMacCodeSignatureEntry object
Hide attributes Show attributes

field string Required

Process hash field

Values are process.hash.md5, process.hash.sha1, or process.hash.sha256.

operator string Required

Value is included.

type string Required

Hash entries only support match type

Value is match.

value string Required

Hash value (MD5, SHA1, or SHA256)
Hide attributes Show attributes

field string Required

Process executable path field

Value is process.executable.caseless.

operator string Required

Value is included.

type string Required

Path supports both match and wildcard types

Values are match or wildcard.

value string Required

Executable path
Hide attributes Show attributes

entries array[object] Required

Must include exactly 2 entries - one for subject_name and one for trusted

At least 2 but not more than 2 elements.

One of:
object-1 object object-2 object

Hide attributes Show attributes

field string Required

Value is subject_name.

operator string Required

Value is included.

type string Required

Value is match.

value string Required

Certificate subject name

Hide attributes Show attributes

field string Required

Value is trusted.

operator string Required

Value is included.

type string Required

Value is match.

value string Required

Must be the string 'true'

Value is true.

field string Required

macOS code signature field

Value is process.code_signature.

type string Required

Value is nested.
list_id string Required

Value is endpoint_trusted_apps.
os_types array[string]

Must be macOS only

At least 1 but not more than 1 element. Value is macos.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Trusted applications list item properties (Linux).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]

Process hash or executable path entries (code signature not supported on Linux)

At least 1 element.
One of:
Security_Exceptions_API_TrustedAppHashEntry object Security_Exceptions_API_TrustedAppPathEntry object
Hide attributes Show attributes

field string Required

Process hash field

Values are process.hash.md5, process.hash.sha1, or process.hash.sha256.

operator string Required

Value is included.

type string Required

Hash entries only support match type

Value is match.

value string Required

Hash value (MD5, SHA1, or SHA256)
Hide attributes Show attributes

field string Required

Process executable path field

Value is process.executable.caseless.

operator string Required

Value is included.

type string Required

Path supports both match and wildcard types

Values are match or wildcard.

value string Required

Executable path
list_id string Required

Value is endpoint_trusted_apps.
os_types array[string]

Must be Linux only

At least 1 but not more than 1 element. Value is linux.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Trusted devices list item properties (Windows-only, allows username field).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]

Exception entries for the trusted device (duplicate field entries are not allowed)

At least 1 element.
Hide entries attributes Show entries attributes object
- field string Required
  
  Device field to match against (user.name is Windows-only)
  
  Values are device.serial_number, device.type, host.name, device.vendor.name, device.vendor.id, device.product.id, device.product.name, or user.name.
- operator string Required
  
  Must be the value "included"
  
  Value is included.
- type string Required
  
  Entry match type
  
  Values are match, wildcard, or match_any.
- value string | array[string] Required
  
  One of:
  string-1 string array-2 array[string]
  
  Single value (used with match or wildcard)
  
  Array of values (used with match_any)
  
  At least 1 element.
list_id string Required

Value is endpoint_trusted_devices.
os_types array[string]

Must be Windows-only to allow username field

At least 1 but not more than 1 element. Value is windows.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Trusted devices list item properties (macOS-only, username not supported).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]

Exception entries for the trusted device (duplicate field entries are not allowed)

At least 1 element.
Hide entries attributes Show entries attributes object
- field string Required
  
  Device field to match against
  
  Values are device.serial_number, device.type, host.name, device.vendor.name, device.vendor.id, device.product.id, or device.product.name.
- operator string Required
  
  Must be the value "included"
  
  Value is included.
- type string Required
  
  Entry match type
  
  Values are match, wildcard, or match_any.
- value string | array[string] Required
  
  One of:
  string-1 string array-2 array[string]
  
  Single value (used with match or wildcard)
  
  Array of values (used with match_any)
  
  At least 1 element.
list_id string Required

Value is endpoint_trusted_devices.
os_types array[string]

macOS-only

At least 1 but not more than 1 element. Value is macos.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Trusted devices list item properties (Windows + macOS, username not supported).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]

Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS)

At least 1 element.
Hide entries attributes Show entries attributes object
- field string Required
  
  Device field to match against (username not available for multi-OS)
  
  Values are device.serial_number, device.type, host.name, device.vendor.name, device.vendor.id, device.product.id, or device.product.name.
- operator string Required
  
  Must be the value "included"
  
  Value is included.
- type string Required
  
  Entry match type
  
  Values are match, wildcard, or match_any.
- value string | array[string] Required
  
  One of:
  string-1 string array-2 array[string]
  
  Single value (used with match or wildcard)
  
  Array of values (used with match_any)
  
  At least 1 element.
list_id string Required

Value is endpoint_trusted_devices.
os_types array[string]

Must include both Windows and macOS (username field not allowed)

At least 2 but not more than 2 elements. Values are windows or macos.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Event filters list item properties.

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]
Any of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
list_id string Required

Value is endpoint_event_filters.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Host isolation exceptions list item properties.

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]

Exactly one entry allowed for host isolation exceptions

At least 1 but not more than 1 element.
Hide entries attributes Show entries attributes object
- field string Required
  
  Must be destination.ip
  
  Value is destination.ip.
- operator string Required
  
  Must be the value "included"
  
  Value is included.
- type string Required
  
  Must be match
  
  Value is match.
- value string Required
  
  Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8")
list_id string Required

Value is endpoint_host_isolation_exceptions.
os_types array[string]

Must include all three operating systems (windows, linux, macos)

At least 3 but not more than 3 elements. Values are windows, linux, or macos.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Blocklist list item properties (Windows, supports code signature).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]
Validation rules:
- Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
- Path entry: only 1 allowed
- Code signature entry: only 1 allowed
At least 1 element.
One of:
Security_Exceptions_API_BlocklistHashOrPathEntry object Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry object
Hide attributes Show attributes

field string Required

File hash or path field

Values are file.hash.md5, file.hash.sha1, file.hash.sha256, file.path, or file.path.caseless.

operator string Required

Must be the value "included"

Value is included.

type string Required

Must be match_any for blocklists

Value is match_any.

value array[string] Required

Array of hash values or file paths

At least 1 element.
Hide attributes Show attributes

entries array[object] Required

Nested subject_name entries

At least 1 element.

Hide entries attributes Show entries attributes object

field string Required

Certificate subject name

Value is subject_name.

operator string Required

Must be the value "included"

Value is included.

type string Required

Match type for subject name

Values are match or match_any.

value string | array[string] Required

One of:
string-1 string array-2 array[string]

Single subject name (used with match)

Array of subject names (used with match_any)

At least 1 element.

field string Required

Windows code signature field

Value is file.Ext.code_signature.

type string Required

Must be nested for Windows code signature

Value is nested.
list_id string Required

Value is endpoint_blocklists.
os_types array[string]

Windows-only

At least 1 but not more than 1 element. Value is windows.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Blocklist list item properties (Linux, code signature not supported).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]
Validation rules:
- Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
- Path entry: only 1 allowed
At least 1 element.
Hide entries attributes Show entries attributes object
- field string Required
  
  File hash or path field
  
  Values are file.hash.md5, file.hash.sha1, file.hash.sha256, file.path, or file.path.caseless.
- operator string Required
  
  Must be the value "included"
  
  Value is included.
- type string Required
  
  Must be match_any for blocklists
  
  Value is match_any.
- value array[string] Required
  
  Array of hash values or file paths
  
  At least 1 element.
list_id string Required

Value is endpoint_blocklists.
os_types array[string]

Linux-only

At least 1 but not more than 1 element. Value is linux.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Blocklist list item properties (macOS, code signature not supported).

comments array[object]
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
Values are agnostic or single.
type string Required

Value is simple.
entries array[object]
Validation rules:
- Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
- Path entry: only 1 allowed
At least 1 element.
Hide entries attributes Show entries attributes object
- field string Required
  
  File hash or path field
  
  Values are file.hash.md5, file.hash.sha1, file.hash.sha256, file.path, or file.path.caseless.
- operator string Required
  
  Must be the value "included"
  
  Value is included.
- type string Required
  
  Must be match_any for blocklists
  
  Value is match_any.
- value array[string] Required
  
  Array of hash values or file paths
  
  At least 1 element.
list_id string Required

Value is endpoint_blocklists.
os_types array[string]

macOS-only

At least 1 but not more than 1 element. Value is macos.
tags array[string]
Tags for categorization. Special tags for scope control:
- "policy:all" - Global artifact (applies to all Elastic Defend policies)
- "policy:<policy_id>" - Private artifact (applies to specific Elastic Defend policy only, where <policy_id> is the Elastic Defend integration policy ID)
Default value is [] (empty).

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  The exception list's human-readable string identifier.
  
  For endpoint artifacts, use one of the following values:
  
  endpoint_list: Elastic Endpoint exception list
  
  endpoint_trusted_apps: Trusted applications list
  
  endpoint_trusted_devices: Trusted devices list
  
  endpoint_event_filters: Event filters list
  
  endpoint_host_isolation_exceptions: Host isolation exceptions list
  
  endpoint_blocklists: Blocklists list
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
  
  Values are agnostic or single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
409 application/json

Exception list item already exists response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/exception_lists/items

curl \
 --request POST 'https://localhost:5601/api/exception_lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"Sample Exception List Item","tags":["malware"],"type":"simple","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["saturn","jupiter"],"operator":"included"}],"item_id":"simple_list_item","list_id":"simple_list","os_types":["linux"],"description":"This is a sample detection type exception item.","namespace_type":"single"}'

Response examples (200)

{
  "id": "323faa75-c657-4fa0-9084-8827612c207b",
  "name": "Sample Autogenerated Exception List Item ID",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    }
  ],
  "item_id": "80e6edf7-4b13-4414-858f-2fa74aa52b37",
  "list_id": "8c1aae4c-1ef5-4bce-a2e3-16584b501783",
  "_version": "WzYsMV0=",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-09T01:16:23.322Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T01:16:23.322Z",
  "updated_by": "elastic",
  "description": "This is a sample exception that has no item_id so it is autogenerated.",
  "namespace_type": "single",
  "tie_breaker_id": "d6799986-3a23-4213-bc6d-ed9463a32f23"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "match_any",
      "field": "host.name",
      "value": [
        "saturn",
        "jupiter"
      ],
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "actingProcess.file.signer",
      "value": "Elastic N.V.",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "nested",
      "field": "file.signature",
      "entries": [
        {
          "type": "match",
          "field": "signer",
          "value": "Evil",
          "operator": "included"
        },
        {
          "type": "match",
          "field": "trusted",
          "value": true,
          "operator": "included"
        }
      ]
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "deb26876-297d-4677-8a1f-35467d2f1c4f",
  "name": "Filter out good guys ip and agent.name rock01",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "list": {
        "id": "goodguys.txt",
        "type": "ip"
      },
      "type": "list",
      "field": "source.ip",
      "operator": "excluded"
    }
  ],
  "item_id": "686b129e-9b8d-4c59-8d8d-c93a9ea82c71",
  "list_id": "8c1aae4c-1ef5-4bce-a2e3-16584b501783",
  "_version": "WzcsMV0=",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-09T01:31:12.614Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T01:31:12.614Z",
  "updated_by": "elastic",
  "description": "Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list",
  "namespace_type": "single",
  "tie_breaker_id": "5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8"
}

Response examples (400)

{
  "error": "Bad Request,",
  "message": "[request body]: list_id: Expected string, received number",
  "statusCode": "400,"
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (409)

{
  "message": "exception list item id: \\\"simple_list_item\\\" already exists",
  "status_code": 409
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}