Get value list details

GET /api/lists
Api key auth

Get the details of a value list using the list ID.

Query parameters

  • id string(nonempty)

    Value list's identifier.

    Minimum length is 1.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

    • @timestamp string(date-time)
    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string(nonempty) Required

      Describes the value list.

      Minimum length is 1.

    • deserializer string

      Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

      • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
      • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
      • {{{gte}}},{{{lte}}} - Date range values.
    • id string(nonempty) Required

      Value list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • meta object

      Placeholder for metadata about the value list.

      Additional properties are allowed.

    • name string(nonempty) Required

      Value list's name.

      Minimum length is 1.

    • serializer string

      Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

      • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
      • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

      • keyword: Many ECS fields are Elasticsearch keywords
      • ip: IP addresses
      • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

      Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version number.

      Minimum value is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
    • error string Required
    • message string Required
    • statusCode integer Required
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
    • error string Required
    • message string Required
    • statusCode integer Required
  • 404 application/json

    List not found response

    Hide response attributes Show response attributes object
    • message string Required
    • status_code integer Required
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
    • message string Required
    • status_code integer Required
GET /api/lists 
curl \ --request GET 'https://<KIBANA_URL>/api/lists' \ --header "Authorization: $API_KEY"
Response examples (200) 
{ "id": "ip_list", "name": "My bad ips", "type": "ip", "version": 1, "_version": "WzEsMV0=", "immutable": false, "@timestamp": "2025-01-08T04:47:34.273Z", "created_at": "2025-01-08T04:47:34.273Z", "created_by": "elastic", "updated_at": "2025-01-08T05:21:53.843Z", "updated_by": "elastic", "description": "This list describes bad internet ip", "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899" }
Response examples (400) 
{ "error": "Bad Request", "message": "[request query]: id: Required", "statusCode": 400 }
Response examples (401) 
{ "error": "Unauthorized", "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]", "statusCode": 401 }
Response examples (403) 
{ "error": "Forbidden", "message": "API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]", "statusCode": 403 }
Response examples (404) 
{ "message": "list id: \\\"foo\\\" not found", "status_code": 404 }
Response examples (500) 
{ "message": "Internal Server Error", "status_code": 500 }