Delete a value list item

DELETE /api/lists/items

Api key auth

Delete a value list item using its id, or its list_id and value fields.

Query parameters

id string(nonempty)

Value list item's identifier. Required if list_id and value are not specified.

Minimum length is 1.
list_id string(nonempty)

Value list's identifier. Required if id is not specified.

Minimum length is 1.
value string

The value used to evaluate exceptions. Required if id is not specified.
refresh string

Determines when changes made by the request are made visible to search.

Values are true, false, or wait_for. Default value is false.

Responses

200 application/json

Successful response
One of:
Security_Lists_API_ListItem object array-2 array[object]
Hide attributes Show attributes

_version string

The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

@timestamp string(date-time)

created_at string(date-time) Required

Autogenerated date of object creation.

created_by string Required

Autogenerated value - user that created object.

deserializer string

Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

{{{value}}} - Single value item types, such as ip, long, date, keyword, and text.

{{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.

{{{gte}}},{{{lte}}} - Date range values.

id string(nonempty) Required

Value list item's identifier.

Minimum length is 1.

list_id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

meta object

Placeholder for metadata about the value list item.

Additional properties are allowed.

serializer string

Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

(?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.

(?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.

tie_breaker_id string Required

Field used in search to ensure all containers are sorted and returned correctly.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

updated_at string(date-time) Required

Autogenerated date of last object update.

updated_by string Required

Autogenerated value - user that last updated object.

value string(nonempty) Required

The value used to evaluate exceptions.

Minimum length is 1.
Hide attributes Show attributes object

_version string

The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

@timestamp string(date-time)

created_at string(date-time) Required

Autogenerated date of object creation.

created_by string Required

Autogenerated value - user that created object.

deserializer string

Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

{{{value}}} - Single value item types, such as ip, long, date, keyword, and text.

{{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.

{{{gte}}},{{{lte}}} - Date range values.

id string(nonempty) Required

Value list item's identifier.

Minimum length is 1.

list_id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

meta object

Placeholder for metadata about the value list item.

Additional properties are allowed.

serializer string

Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

(?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.

(?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.

tie_breaker_id string Required

Field used in search to ensure all containers are sorted and returned correctly.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

updated_at string(date-time) Required

Autogenerated date of last object update.

updated_by string Required

Autogenerated value - user that last updated object.

value string(nonempty) Required

The value used to evaluate exceptions.

Minimum length is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List item not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/lists/items

curl \ --request DELETE 'https://<KIBANA_URL>/api/lists/items' \ --header "Authorization: $API_KEY"

Response examples (200)

{ "id": "pd1WRJQBs4HAK3VQeHFI", "type": "ip", "value": "255.255.255.255", "list_id": "ip_list", "_version": "WzIwLDFd", "@timestamp": "2025-01-08T05:15:05.159Z", "created_at": "2025-01-08T05:15:05.159Z", "created_by": "elastic", "updated_at": "2025-01-08T05:44:14.009Z", "updated_by": "elastic", "tie_breaker_id": "eee41dc7-1666-4876-982f-8b0f7b59eca3" }

Response examples (400)

{ "message": "Either \\\"list_id\\\" or \\\"id\\\" needs to be defined in the request", "status_code": 400 }

Response examples (401)

{ "error": "Unauthorized", "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]", "statusCode": 401 }

Response examples (403)

{ "error": "Forbidden", "message": "API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]", "statusCode": 403 }

Response examples (404)

{ "message": "list item with id: \\\"pd1WRJQBs4HAK3VQeHFI\\\" not found", "status_code": 404 }

Response examples (500)

{ "message": "Internal Server Error", "status_code": 500 }