Create an Elastic Endpoint rule exception list

POST /api/endpoint_list

Spaces method and path for this operation:

post /s/{space_id}/api/endpoint_list

Refer to Spaces for more information.

Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a list_id of endpoint_list. If the Elastic Endpoint exception list already exists, your request will return an empty response.

Responses

200 application/json

Successful response
One of:
Security_Endpoint_Exceptions_API_ExceptionList object object-2 object
Hide attributes Show attributes

_version string

The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

created_at string(date-time) Required

Autogenerated date of object creation.

created_by string Required

Autogenerated value - user that created object.

description string Required

Describes the exception list.

id string(nonempty) Required

Exception list's identifier.

Minimum length is 1.

immutable boolean Required

list_id string(nonempty) Required

The exception list's human-readable string identifier.

For endpoint artifacts, use one of the following values:

endpoint_list: Elastic Endpoint exception list

endpoint_trusted_apps: Trusted applications list

endpoint_trusted_devices: Trusted devices list

endpoint_event_filters: Event filters list

endpoint_host_isolation_exceptions: Host isolation exceptions list

endpoint_blocklists: Blocklists list

Minimum length is 1.

meta object

Placeholder for metadata about the list container.

Additional properties are allowed.

name string Required

The name of the exception list.

namespace_type string Required

Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

single: Only available in the Kibana space in which it is created.

agnostic: Available in all Kibana spaces.

For endpoint artifacts, the namespace_type must always be agnostic. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.

Values are agnostic or single.

os_types array[string]

Use this field to specify the operating system. Only enter one value.

Values are linux, macos, or windows.

tags array[string]

String array containing words and phrases to help categorize exception containers.

tie_breaker_id string Required

Field used in search to ensure all containers are sorted and returned correctly.

type string Required

The type of exception list to be created. Different list types may denote where they can be utilized.

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_trusted_devices, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

updated_at string(date-time) Required

Autogenerated date of last object update.

updated_by string Required

Autogenerated value - user that last updated object.

version integer Required

The document version, automatically increasd on updates.

Minimum value is 1.
Additional properties are NOT allowed.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/endpoint_list

curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint_list' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "summary": "Endpoint exception list already exists (empty response)",
  "value": {}
}

{
  "created_at": "2025-01-01T00:00:00.000Z",
  "created_by": "elastic",
  "description": "Endpoint Security Exception List",
  "id": "2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b",
  "immutable": false,
  "list_id": "endpoint_list",
  "name": "Endpoint Security Exception List",
  "namespace_type": "agnostic",
  "os_types": [],
  "tags": [],
  "tie_breaker_id": "e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e",
  "type": "endpoint",
  "updated_at": "2025-01-01T00:00:00.000Z",
  "updated_by": "elastic",
  "version": 1
}