Description
These endpoints were developed to manage the default Endpoint Exception List (`list_id: 'endpoint_list'`). This is the exception list found at Security > Rules > Shared Exception Lists > Endpoint Security Exception List.
They were added as a convenience on top of the general exception list functionality; however, we never ended up utilizing the HTTP APIs. Coupled with the fact that the newer, similarly-used endpoint exception lists (Trusted Apps, Event Filters, etc.) use the general `api/exception_lists/` APIs, these `/api/endpoint_list` APIs have fallen out of favor.
The documentation around these `/api/endpoint_list` APIs was previously unclear, at best, and some recent changes to that documentation incorrectly assumed the role of those APIs to be a convenience for managing exception lists of `type: 'endpoint'`, instead of their real role (exclusively for `list_id: 'endpoint_list'`).
Since there may well be customers relying on the convenience of these APIs to manage their Endpoint Security Exception List, I think the best action to take right now would be to improve the existing documentation to make it clear that:
- The `/api/endpoint_list` APIs are exclusively for managing the singular `list_id: 'endpoint_list'` Exception List
- All other list/item management should be done through the general `/api/exception_lists` APIs
Resources
- APIs were added in [SIEM][Detection Engine][Lists] Adds specific endpoint_list REST API and API for abilities to auto-create the endpoint_list if it gets deleted kibana#71792
- Documentation most recently changed in Improves Endpoint exceptions API content kibana#193172
- This discrepancy was uncovered in a recent SDH: https://github.com/elastic/sdh-security-team/issues/1279
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
No difference between deployments.
What release is this request related to?
N/A
Serverless release
N/A
Collaboration model
The documentation team
Point of contact.
Main contact: @rylnd
Stakeholders: