| 1 | +[[lists-api-create-list]] |
| 2 | +=== Create list container |
| 3 | + |
| 4 | +Creates a list container. |
| 5 | + |
| 6 | +A list container groups common list items that define exceptions for when |
| 7 | +alerts are not generated from their associated detection rule, even when the |
| 8 | +rule's query is matched. All list items in the same list container refer to the same type of exceptions. For example, each list item in an `ip` list container excludes a specific IP address. |
| 9 | + |
| 10 | + |
| 11 | +==== Request URL |
| 12 | + |
| 13 | +`POST <kibana host>:<port>/api/lists` |
| 14 | + |
| 15 | +==== Request body |
| 16 | + |
| 17 | +A JSON object with these fields: |
| 18 | + |
| 19 | +[width="100%",options="header"] |
| 20 | +|============================================== |
| 21 | +|Name |Type |Description |Required |
| 22 | + |
| 23 | +|`description` |String |Describes the list container |Yes |
| 24 | +|`id` |String |Unique identifier |No, automatically created when it is not |
| 25 | +provided |
| 26 | +|`meta` |Object |Placeholder for metadata about the list container |No |
| 27 | +|`name` |String |The list container's name |Yes |
| 28 | +|`type` |String a|Specifies the datatype of excludes the list container holds: |
| 29 | + |
| 30 | +* `ip`: IP addresses |
| 31 | +* `keyword`: Any relevant {es} keyword |
| 32 | + |
| 33 | +|Yes |
| 34 | + |
| 35 | +|============================================== |
| 36 | + |
| 37 | +===== Example request |
| 38 | + |
| 39 | +[source,console] |
| 40 | +-------------------------------------------------- |
| 41 | +POST api/lists |
| 42 | +{ |
| 43 | + "id": "internal-ip-excludes", |
| 44 | + "name": "Exclude internal IP addresses", |
| 45 | + "description": "Contains list items that exclude internal IP addresses from detection rule matches.", |
| 46 | + "type": "ip" |
| 47 | +} |
| 48 | +-------------------------------------------------- |
| 49 | +// KIBANA |
| 50 | + |
| 51 | +==== Response code |
| 52 | + |
| 53 | +`200`:: |
| 54 | + Indicates a successful call. |
| 55 | + |
| 56 | +==== Response payload |
| 57 | + |
| 58 | +[source,json] |
| 59 | +-------------------------------------------------- |
| 60 | +{ |
| 61 | + "id": "internal-ip-excludes", |
| 62 | + "created_at": "2020-06-24T13:25:20.027Z", |
| 63 | + "created_by": "Threat Hunter", |
| 64 | + "description": "Contains list items that exclude internal IP addresses from detection rule matches.", |
| 65 | + "name": "Exclude internal IP addresses", |
| 66 | + "tie_breaker_id": "39851ee3-038a-49d3-a7b8-85caeb098675", |
| 67 | + "type": "ip", |
| 68 | + "updated_at": "2020-06-24T13:25:20.027Z", |
| 69 | + "updated_by": "Threat Hunter" |
| 70 | +} |
| 71 | +-------------------------------------------------- |
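Review bot: the "Response code" section documents only `200`, but the request body table makes `id` optional-yet-unique and restricts `type` to `ip` or `keyword`, so this page should also state what the endpoint returns when a caller supplies an `id` that already exists or a `type` outside that set; as written a reader cannot tell an error response from a success. The response payload likewise carries fields the page never explains (`created_by`, `updated_by`, `tie_breaker_id`); a short field table under "Response payload", matching the one under "Request body", would close that gap. Two smaller points: the `type` description "Specifies the datatype of excludes the list container holds" reads awkwardly and could be "Specifies the data type of the exceptions the list container holds", and since a list container suppresses alerts for matching detection rules, the page should name the {kib} privileges required to call `POST api/lists`, as readers configuring least-privilege roles will look for that here.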