Create list container

Creates a list container.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

A list container groups common list items that define exceptions for when detection rule alerts are not generated even when a rule’s other criteria are met.

All list items in the same list container refer to the same type of exception. For example, each list item in an ip list container excludes an IP address.

You can retrieve ip items in a list container using CIDR notation, and ip_range items using a single IP value. For examples, see Get list item.

Request URL

POST <kibana host>:<port>/api/lists

Request body

A JSON object that defines the list container’s properties.

Required fields

Name Type Description

description String Describes the list container.

name String The list container's name.

type String Specifies the Elasticsearch data type of the excluded values the list container holds. Types used in the examples on this page include ip, ip_range, keyword, text, long, date, date_range, double_range, float_range, integer_range, and long_range.

Optional fields

Name Type Description

deserializer String Determines how retrieved list item values are presented. By default, list items are presented using these Handlebars expressions:

  • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  • {{{gte}}},{{{lte}}} - Date range values (date_range).

For information on parsing item values when they are uploaded, see serializer.

id String Unique identifier. Automatically created when it is not provided.

meta Object Placeholder for metadata about the list container.

serializer String Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

  • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range. A line with no - separator is captured as a single value.

version Number The list container's version number. Defaults to 1.

Example requests

Creates a list container for IP addresses:

POST api/lists
{
  "id": "internal-ip-excludes",
  "name": "Exclude internal IP addresses",
  "description": "Contains list items that exclude internal IP addresses from detection rules.",
  "type": "ip"
}

Creates a list container for keyword items, letting the API generate the id:

POST api/lists
{
  "name": "Exclude hosts",
  "description": "Contains list items that exclude host names from detection rules.",
  "type": "keyword"
}

Creates a list container for ip_range items with custom parsing:

POST api/lists
{
  "id": "internal-ip-range-excludes",
  "name": "Exclude IP ranges",
  "description": "Contains excluded IP ranges.",
  "serializer": "(?<gte>.+)/(?<lte>.+)",
  "deserializer": "{{{gte}}}--{{{lte}}}",
  "type": "ip_range"
}

serializer: Uploads IP ranges using / characters instead of - characters. Each list item, or each line of the source file from which the IP ranges are uploaded, must use / between the lower and upper bounds of the range; a line in the default lower-upper form does not match this regex and is not parsed.

deserializer: Presents the container's retrieved IP range list items with -- between the lower and upper bounds.
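The following is an added example, not code from the Elastic docs or from the Kibana lists plugin. It models the serializer and deserializer fields described under Optional fields and exercises them with the custom ip_range container shown in the request above. It assumes that Kibana evaluates the serializer as a JavaScript regex against the whole line (anchored here with ^ and $) and renders the deserializer with triple-stash substitution only; no other Handlebars features are modelled. All sample lines are constructed for the example.

```javascript
// Added example: serializer/deserializer round trip for list container items.
// Not Kibana's own implementation; see the assumptions in the lead-in.

const RANGE_TYPES = new Set([
  'ip_range', 'date_range', 'double_range', 'float_range', 'integer_range', 'long_range',
]);

// Defaults as documented on this page.
function defaultSerializer(type) {
  return RANGE_TYPES.has(type) ? '(?<gte>.+)-(?<lte>.+)|(?<value>.+)' : '(?<value>.+)';
}

function defaultDeserializer(type) {
  if (type === 'date_range') return '{{{gte}}},{{{lte}}}';
  return RANGE_TYPES.has(type) ? '{{{gte}}}-{{{lte}}}' : '{{{value}}}';
}

// Parse one uploaded line into named fields. Returns null when the line does
// not match the serializer, i.e. the item would not parse on upload.
function serializeItem(container, line) {
  const pattern = container.serializer ?? defaultSerializer(container.type);
  // Anchoring is this example's choice (assumption), so partial matches are rejected.
  const match = new RegExp(`^(?:${pattern})$`).exec(line.trim());
  if (!match || !match.groups) return null;
  // Named groups in the alternative that did not match come back undefined; drop them.
  return Object.fromEntries(
    Object.entries(match.groups).filter(([, v]) => v !== undefined),
  );
}

// Render stored fields for presentation using the container's deserializer.
function deserializeItem(container, fields) {
  const template = container.deserializer ?? defaultDeserializer(container.type);
  return template.replace(/\{\{\{(\w+)\}\}\}/g, (_, name) => fields[name] ?? '');
}

// Upload form -> stored fields -> presentation form.
function roundTrip(container, line) {
  const fields = serializeItem(container, line);
  return fields === null ? null : deserializeItem(container, fields);
}

// The custom container from the request above.
const customIpRange = {
  type: 'ip_range',
  serializer: '(?<gte>.+)/(?<lte>.+)',
  deserializer: '{{{gte}}}--{{{lte}}}',
};

// Constructed sample lines.
console.log(roundTrip(customIpRange, '10.0.0.1/10.0.0.10'));          // 10.0.0.1--10.0.0.10
console.log(roundTrip(customIpRange, '10.0.0.1-10.0.0.10'));          // null: dash form rejected by the custom serializer
console.log(roundTrip({ type: 'ip_range' }, '10.0.0.1-10.0.0.10'));   // 10.0.0.1-10.0.0.10 (defaults)
console.log(serializeItem({ type: 'ip_range' }, '10.0.0.1'));         // { value: '10.0.0.1' }: single IP accepted for a range type
// Greedy (?<gte>.+) in the default range regex splits at the LAST dash, so bounds
// that themselves contain dashes (ISO dates) need a custom serializer:
console.log(serializeItem({ type: 'date_range' }, '2020-08-11-2020-08-12')); // { gte: '2020-08-11-2020-08', lte: '12' }
```

The last line is the practical caveat: the documented default range regex is fine for IPs and numbers, but a date_range upload written with a dash separator is split in the wrong place, so pick a separator that cannot occur inside a bound (as the example request does with /) and set serializer and deserializer together.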

Response code

200 Indicates a successful call.

Response payload

{
  "_version": "WzAsMV0=",
  "id": "internal-ip-excludes",
  "created_at": "2020-08-11T10:08:05.289Z",
  "created_by": "elastic",
  "description": "Contains list items that exclude internal IP addresses from detection rules.",
  "immutable": false,
  "name": "Exclude internal IP addresses",
  "tie_breaker_id": "f7951678-ad13-4d65-8d15-a4c706d4893e",
  "type": "ip",
  "updated_at": "2020-08-11T10:08:05.289Z",
  "updated_by": "elastic",
  "version": 1
}

_version: Base64-encoded value of the if_seq_no and if_primary_term parameters, used for optimistic concurrency control. To avoid overwriting a concurrent change, pass this value unchanged when updating the list container.
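The following is an added example, not code from the Elastic docs or from the Kibana lists plugin. It builds the HTTP request that Console cannot send (see the note at the top of the page) and decodes the _version value from the response above. It assumes that _version is the base64 encoding of the JSON array [if_seq_no, if_primary_term], which is what the documented sample value "WzAsMV0=" decodes to; the Kibana URL and credentials are placeholders, the response object is constructed from the sample payload above, and nothing here performs network I/O.

```javascript
// Added example: build a create request and decode _version for concurrency control.
// Not Kibana's own code; see the assumptions in the lead-in.

const REQUIRED_FIELDS = ['description', 'name', 'type'];

// Build the request for POST /api/lists; hand the result to fetch or translate it to curl.
function buildCreateRequest(kibanaUrl, body, auth) {
  for (const field of REQUIRED_FIELDS) {
    if (typeof body[field] !== 'string' || body[field].length === 0) {
      throw new Error(`required field missing or empty: ${field}`);
    }
  }
  return {
    url: new URL('/api/lists', kibanaUrl).toString(),
    options: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        // Kibana rejects state-changing API calls that lack this header.
        'kbn-xsrf': 'true',
        Authorization: 'Basic ' + Buffer.from(`${auth.user}:${auth.password}`).toString('base64'),
      },
      body: JSON.stringify(body),
    },
  };
}

// Decode _version into the Elasticsearch parameters it wraps (assumed encoding:
// base64 of the JSON array [if_seq_no, if_primary_term]).
function decodeVersion(version) {
  const decoded = JSON.parse(Buffer.from(version, 'base64').toString('utf8'));
  if (!Array.isArray(decoded) || decoded.length !== 2) {
    throw new Error(`unexpected _version encoding: ${version}`);
  }
  const [seqNo, primaryTerm] = decoded;
  return { if_seq_no: seqNo, if_primary_term: primaryTerm };
}

// Constructed sample response, copied from the payload documented above.
const sampleCreateResponse = {
  _version: 'WzAsMV0=',
  id: 'internal-ip-excludes',
  name: 'Exclude internal IP addresses',
  type: 'ip',
  version: 1,
};

// Placeholder host and credentials (assumptions for the example).
const createRequest = buildCreateRequest(
  'https://kibana.example:5601',
  {
    id: 'internal-ip-excludes',
    name: 'Exclude internal IP addresses',
    description: 'Contains list items that exclude internal IP addresses from detection rules.',
    type: 'ip',
  },
  { user: 'elastic', password: 'changeme' },
);
console.log(createRequest.url, createRequest.options.headers['kbn-xsrf']);
console.log(decodeVersion(sampleCreateResponse._version)); // { if_seq_no: 0, if_primary_term: 1 }
```

Treat _version as opaque when talking to Kibana: decoding it is useful for understanding why a later update is rejected with a conflict (the container's seq_no or primary_term moved on), but the value you send back on update is the string exactly as received.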