Lists API

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Lists are made up of:
- List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
  - boolean
  - byte
  - date
  - date_nanos
  - date_range
  - double
  - double_range
  - float
  - float_range
  - half_float
  - integer
  - integer_range
  - ip
  - ip_range
  - keyword
  - long
  - long_range
  - short
  - text
- List items: The values used to determine whether the exception prevents an alert from being generated. All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:
  - 192.168.1.1
  - 192.168.1.3
  - 192.168.1.18
  - 192.168.1.12
  - 192.168.1.7
To use these IP addresses as values for defining rule exceptions, use the Exceptions API to create an exception item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.
Lists requirements

Before you can start using lists, you must create the .lists and .items indices for the relevant Kibana space. To learn how to do this, go to Lists index endpoint.

Once these indices are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.