Get exception lists

GET /api/exception_lists/_find

Api key auth Basic auth

Spaces method and path for this operation:

get /s/{space_id}/api/exception_lists/_find

Refer to Spaces for more information.

Get a list of all exception list containers.

Query parameters

filter string
Filters the returned results according to the value of the specified field.

Uses the so type.field name:field value syntax, where so type can be:
- exception-list: Specify a space-aware exception list.
- exception-list-agnostic: Specify an exception list that is shared across spaces.
namespace_type array[string]

Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (agnostic or single)

Values are agnostic or single. Default value is ["single"].
page integer

The page number to return

Minimum value is 1.
per_page integer

The number of exception lists to return per page

Minimum value is 1.
sort_field string

Determines which field is used to sort the results.
sort_order string

Determines the sort order, which can be desc or asc.

Values are desc or asc.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string Required
  
  Autogenerated value - user that created object.
  
  description string Required
  
  Describes the exception list.
  
  id string(nonempty) Required
  
  Exception list's identifier.
  
  Minimum length is 1.
  
  immutable boolean Required
  
  list_id string(nonempty) Required
  
  The exception list's human readable string identifier, endpoint_list.
  
  Minimum length is 1.
  
  meta object
  
  Placeholder for metadata about the list container.
  
  Additional properties are allowed.
  
  name string Required
  
  The name of the exception list.
  
  namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
  
  os_types array[string]
  
  Use this field to specify the operating system. Only enter one value.
  
  Values are linux, macos, or windows.
  
  tags array[string]
  
  String array containing words and phrases to help categorize exception containers.
  
  tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
  
  type string Required
  
  The type of exception list to be created. Different list types may denote where they can be utilized.
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_trusted_devices, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  updated_at string(date-time) Required
  
  Autogenerated date of last object update.
  
  updated_by string Required
  
  Autogenerated value - user that last updated object.
  
  version integer Required
  
  The document version, automatically increasd on updates.
  
  Minimum value is 1.
- page integer Required
  
  Minimum value is 1.
- per_page integer Required
  
  Minimum value is 1.
- total integer Required
  
  Minimum value is 0.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/exception_lists/_find

curl \ --request GET 'https://localhost:5601/api/exception_lists/_find' \ --header "Authorization: $API_KEY"

Response examples (200)

{ "data": [ { "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85", "name": "Detection Exception List", "tags": [ "malware" ], "type": "detection", "list_id": "simple_list", "version": 1, "_version": "WzIsMV0=", "os_types": [], "immutable": false, "created_at": "2025-01-07T19:34:27.942Z", "created_by": "elastic", "updated_at": "2025-01-07T19:34:27.942Z", "updated_by": "elastic", "description": "This is a sample detection type exception list.", "namespace_type": "single", "tie_breaker_id": "78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3" } ], "page": 1, "total": 1, "per_page": 20 }

Response examples (400)

{ "error": "Bad Request", "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'", "statusCode": 400 }

Response examples (401)

{ "error": "Unauthorized", "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]", "statusCode": 401 }

Response examples (403)

{ "error": "Forbidden", "message": "API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]", "statusCode": 403 }

Response examples (500)

{ "message": "Internal Server Error", "status_code": 500 }