packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml
Lines changed: 64 additions & 18 deletions
@@ -16,6 +16,7 @@ servers:
16
16
paths:
17
17
'/api/detection_engine/rules/{id}/exceptions':
18
18
post:
19
+
description: Create exception items that apply to a single detection rule.
19
20
operationId: CreateRuleExceptionListItems
20
21
parameters:
21
22
- description: Detection rule's identifier
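Review bot: The new `description` on `CreateRuleExceptionListItems` lands in a file named `*.bundled.schema.yaml`, which reads as generated output. Please confirm the text was added to the source schema and the bundle regenerated from it, otherwise the next bundling run will drop the change. The wording itself is fine.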
@@ -73,11 +74,12 @@ paths:
73
74
schema:
74
75
$ref: '#/components/schemas/SiemErrorResponse'
75
76
description: Internal server error response
76
-
summary: Creates rule exception list items
77
+
summary: Create rule exception list items
77
78
tags:
78
79
- Security Solution Exceptions API
79
80
/api/exception_lists:
80
81
delete:
82
+
description: Delete an exception list using the `id` or `list_id` field.
81
83
operationId: DeleteExceptionList
82
84
parameters:
83
85
- description: Either `id` or `list_id` must be specified
@@ -137,10 +139,11 @@ paths:
137
139
schema:
138
140
$ref: '#/components/schemas/SiemErrorResponse'
139
141
description: Internal server error response
140
-
summary: Deletes an exception list
142
+
summary: Delete an exception list
141
143
tags:
142
144
- Security Solution Exceptions API
143
145
get:
146
+
description: Get the details of an exception list using the `id` or `list_id` field.
144
147
operationId: ReadExceptionList
145
148
parameters:
146
149
- description: Either `id` or `list_id` must be specified
@@ -200,10 +203,23 @@ paths:
200
203
schema:
201
204
$ref: '#/components/schemas/SiemErrorResponse'
202
205
description: Internal server error response
203
-
summary: Retrieves an exception list using its `id` or `list_id` field
206
+
summary: Get exception list details
204
207
tags:
205
208
- Security Solution Exceptions API
206
209
post:
210
+
description: >
211
+
An exception list groups exception items and can be associated with
212
+
detection rules. You can assign detection rules with multiple exception
213
+
lists.
214
+
215
+
> info
216
+
217
+
> All exception items added to the same list are evaluated using `OR`
218
+
logic. That is, if any of the items in a list evaluate to `true`, the
219
+
exception prevents the rule from generating an alert. Likewise, `OR`
220
+
logic is used for evaluating exceptions when more than one exception
221
+
list is assigned to a rule. To use the `AND` operator, you can define
222
+
multiple clauses (`entries`) in a single exception item.
207
223
operationId: CreateExceptionList
208
224
requestBody:
209
225
content:
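Review bot: The `description` added for `CreateExceptionList` explains what an exception list is but never says that this POST creates one, unlike the other descriptions in this change, which open with the action ("Delete an exception list ...", "Update an exception list ..."). Suggest opening with "Create an exception list." and rewording "You can assign detection rules with multiple exception lists" to "You can assign multiple exception lists to a detection rule". The `OR` note is worth keeping prominent, since it means every item added to a list widens what the rule suppresses.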
@@ -277,10 +293,11 @@ paths:
277
293
schema:
278
294
$ref: '#/components/schemas/SiemErrorResponse'
279
295
description: Internal server error response
280
-
summary: Creates an exception list
296
+
summary: Create an exception list
281
297
tags:
282
298
- Security Solution Exceptions API
283
299
put:
300
+
description: Update an exception list using the `id` or `list_id` field.
284
301
operationId: UpdateExceptionList
285
302
requestBody:
286
303
content:
@@ -357,11 +374,12 @@ paths:
357
374
schema:
358
375
$ref: '#/components/schemas/SiemErrorResponse'
359
376
description: Internal server error response
360
-
summary: Updates an exception list
377
+
summary: Update an exception list
361
378
tags:
362
379
- Security Solution Exceptions API
363
380
/api/exception_lists/_duplicate:
364
381
post:
382
+
description: Duplicate an existing exception list.
365
383
operationId: DuplicateExceptionList
366
384
parameters:
367
385
- description: Exception list's human identifier
@@ -426,12 +444,12 @@ paths:
426
444
schema:
427
445
$ref: '#/components/schemas/SiemErrorResponse'
428
446
description: Internal server error response
429
-
summary: Duplicates an exception list
447
+
summary: Duplicate an exception list
430
448
tags:
431
449
- Security Solution Exceptions API
432
450
/api/exception_lists/_export:
433
451
post:
434
-
description: Exports an exception list and its associated items to an .ndjson file
452
+
description: Export an exception list and its associated items to an NDJSON file.
435
453
operationId: ExportExceptionList
436
454
parameters:
437
455
- description: Exception list's identifier
@@ -506,11 +524,12 @@ paths:
506
524
schema:
507
525
$ref: '#/components/schemas/SiemErrorResponse'
508
526
description: Internal server error response
509
-
summary: Exports an exception list
527
+
summary: Export an exception list
510
528
tags:
511
529
- Security Solution Exceptions API
512
530
/api/exception_lists/_find:
513
531
get:
532
+
description: Get a list of all exception lists.
514
533
operationId: FindExceptionLists
515
534
parameters:
516
535
- description: >
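Review bot: "Get a list of all exception lists" on `FindExceptionLists` promises the complete set, but the operation sits at `/api/exception_lists/_find` and takes parameters, starting on the next line. Consider dropping "all" or saying that the parameters control which lists are returned, so callers do not assume one response covers every list.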
@@ -626,12 +645,12 @@ paths:
626
645
schema:
627
646
$ref: '#/components/schemas/SiemErrorResponse'
628
647
description: Internal server error response
629
-
summary: Finds exception lists
648
+
summary: Get exception lists
630
649
tags:
631
650
- Security Solution Exceptions API
632
651
/api/exception_lists/_import:
633
652
post:
634
-
description: Imports an exception list and associated items
653
+
description: Import an exception list and its associated items from an NDJSON file.
635
654
operationId: ImportExceptionList
636
655
parameters:
637
656
- description: >
@@ -742,11 +761,12 @@ paths:
742
761
schema:
743
762
$ref: '#/components/schemas/SiemErrorResponse'
744
763
description: Internal server error response
745
-
summary: Imports an exception list
764
+
summary: Import an exception list
746
765
tags:
747
766
- Security Solution Exceptions API
748
767
/api/exception_lists/items:
749
768
delete:
769
+
description: Delete an exception list item using the `id` or `item_id` field.
750
770
operationId: DeleteExceptionListItem
751
771
parameters:
752
772
- description: Either `id` or `item_id` must be specified
@@ -806,10 +826,13 @@ paths:
806
826
schema:
807
827
$ref: '#/components/schemas/SiemErrorResponse'
808
828
description: Internal server error response
809
-
summary: Deletes an exception list item
829
+
summary: Delete an exception list item
810
830
tags:
811
831
- Security Solution Exceptions API
812
832
get:
833
+
description: >-
834
+
Get the details of an exception list item using the `id` or `item_id`
835
+
field.
813
836
operationId: ReadExceptionListItem
814
837
parameters:
815
838
- description: Either `id` or `item_id` must be specified
@@ -869,10 +892,17 @@ paths:
869
892
schema:
870
893
$ref: '#/components/schemas/SiemErrorResponse'
871
894
description: Internal server error response
872
-
summary: Gets an exception list item
895
+
summary: Get an exception list item
873
896
tags:
874
897
- Security Solution Exceptions API
875
898
post:
899
+
description: >
900
+
Create an exception item and associate it with the specified exception
901
+
list.
902
+
903
+
> info
904
+
905
+
> Before creating exception items, you must create an exception list.
876
906
operationId: CreateExceptionListItem
877
907
requestBody:
878
908
content:
@@ -956,10 +986,11 @@ paths:
956
986
schema:
957
987
$ref: '#/components/schemas/SiemErrorResponse'
958
988
description: Internal server error response
959
-
summary: Creates an exception list item
989
+
summary: Create an exception list item
960
990
tags:
961
991
- Security Solution Exceptions API
962
992
put:
993
+
description: Update an exception list item using the `id` or `item_id` field.
963
994
operationId: UpdateExceptionListItem
964
995
requestBody:
965
996
content:
@@ -1047,11 +1078,12 @@ paths:
1047
1078
schema:
1048
1079
$ref: '#/components/schemas/SiemErrorResponse'
1049
1080
description: Internal server error response
1050
-
summary: Updates an exception list item
1081
+
summary: Update an exception list item
1051
1082
tags:
1052
1083
- Security Solution Exceptions API
1053
1084
/api/exception_lists/items/_find:
1054
1085
get:
1086
+
description: Get a list of all exception list items in the specified list.
1055
1087
operationId: FindExceptionListItems
1056
1088
parameters:
1057
1089
- description: List's id
@@ -1183,11 +1215,12 @@ paths:
1183
1215
schema:
1184
1216
$ref: '#/components/schemas/SiemErrorResponse'
1185
1217
description: Internal server error response
1186
-
summary: Finds exception list items
1218
+
summary: Get exception list items
1187
1219
tags:
1188
1220
- Security Solution Exceptions API
1189
1221
/api/exception_lists/summary:
1190
1222
get:
1223
+
description: Get a summary of the specified exception list.
1191
1224
operationId: ReadExceptionListSummary
1192
1225
parameters:
1193
1226
- description: Exception list's identifier generated upon creation
@@ -1266,11 +1299,24 @@ paths:
1266
1299
schema:
1267
1300
$ref: '#/components/schemas/SiemErrorResponse'
1268
1301
description: Internal server error response
1269
-
summary: Retrieves an exception list summary
1302
+
summary: Get an exception list summary
1270
1303
tags:
1271
1304
- Security Solution Exceptions API
1272
1305
/api/exceptions/shared:
1273
1306
post:
1307
+
description: >
1308
+
An exception list groups exception items and can be associated with
1309
+
detection rules. A shared exception list can apply to multiple detection
1310
+
rules.
1311
+
1312
+
> info
1313
+
1314
+
> All exception items added to the same list are evaluated using `OR`
1315
+
logic. That is, if any of the items in a list evaluate to `true`, the
1316
+
exception prevents the rule from generating an alert. Likewise, `OR`
1317
+
logic is used for evaluating exceptions when more than one exception
1318
+
list is assigned to a rule. To use the `AND` operator, you can define
1319
+
multiple clauses (`entries`) in a single exception item.
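Review bot: The `description` added to `POST /api/exceptions/shared` is the `CreateExceptionList` text with one sentence changed, and it does not state what this request does. Open with a sentence naming the action, as the other operations do, and keep only what is specific to shared lists ("A shared exception list can apply to multiple detection rules"). If the `OR`/`AND` note has to appear on both operations, keep a single source for it so the two copies cannot drift.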