[Detection Engine][Docs] Added response and request descriptions for API docs (#205822)

# Summary

As part of the effort to add missing content for Security APIs, this PR
introduces a few missing request, response, and parameter examples for
Detection Engine Exception APIs.
This commit is contained in:
Yara Tercero 2025-01-16 12:14:08 -08:00 committed by GitHub
parent 47226c9986
commit 94660cf2f5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
40 changed files with 7190 additions and 372 deletions




@ -464,11 +464,17 @@ components:
type: object
properties:
_version:
description: >-
The version id, normally returned by the API when the item was
retrieved. Use it ensure updates are done against the latest
version.
type: string
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/ExceptionListDescription'
@ -489,13 +495,18 @@ components:
tags:
$ref: '#/components/schemas/ExceptionListTags'
tie_breaker_id:
description: >-
Field used in search to ensure all containers are sorted and
returned correctly.
type: string
type:
$ref: '#/components/schemas/ExceptionListType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
version:
$ref: '#/components/schemas/ExceptionListVersion'
@ -514,31 +525,47 @@ components:
- updated_at
- updated_by
ExceptionListDescription:
description: Describes the exception list.
example: This list tracks allowlisted values.
type: string
ExceptionListHumanId:
$ref: '#/components/schemas/NonEmptyString'
description: Human readable string identifier, e.g. `trusted-linux-processes`
description: >-
Exception list's human readable string identifier, e.g.
`trusted-linux-processes`.
example: simple_list
format: nonempty
minLength: 1
type: string
ExceptionListId:
$ref: '#/components/schemas/NonEmptyString'
description: Exception list's identifier.
example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
format: nonempty
minLength: 1
type: string
ExceptionListItem:
type: object
properties:
_version:
description: >-
The version id, normally returned by the API when the item was
retrieved. Use it ensure updates are done against the latest
version.
type: string
comments:
$ref: '#/components/schemas/ExceptionListItemCommentArray'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/ExceptionListItemDescription'
entries:
$ref: '#/components/schemas/ExceptionListItemEntryArray'
expire_time:
format: date-time
type: string
$ref: '#/components/schemas/ExceptionListItemExpireTime'
id:
$ref: '#/components/schemas/ExceptionListItemId'
item_id:
@ -556,13 +583,18 @@ components:
tags:
$ref: '#/components/schemas/ExceptionListItemTags'
tie_breaker_id:
description: >-
Field used in search to ensure all containers are sorted and
returned correctly.
type: string
type:
$ref: '#/components/schemas/ExceptionListItemType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
required:
- id
@ -585,6 +617,7 @@ components:
comment:
$ref: '#/components/schemas/NonEmptyString'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
@ -592,6 +625,7 @@ components:
id:
$ref: '#/components/schemas/NonEmptyString'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
@ -602,10 +636,15 @@ components:
- created_at
- created_by
ExceptionListItemCommentArray:
description: |
Array of comment fields:
- comment (string): Comments about the exception item.
items:
$ref: '#/components/schemas/ExceptionListItemComment'
type: array
ExceptionListItemDescription:
description: Describes the exception list.
type: string
ExceptionListItemEntry:
anyOf:
@ -747,22 +786,44 @@ components:
- excluded
- included
type: string
ExceptionListItemExpireTime:
description: >-
The exception items expiration date, in ISO format. This field is only
available for regular exception items, not endpoint exceptions.
format: date-time
type: string
ExceptionListItemHumanId:
$ref: '#/components/schemas/NonEmptyString'
description: Human readable string identifier, e.g. `trusted-linux-processes`
example: simple_list_item
format: nonempty
minLength: 1
type: string
ExceptionListItemId:
$ref: '#/components/schemas/NonEmptyString'
description: Exception's identifier.
example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
format: nonempty
minLength: 1
type: string
ExceptionListItemMeta:
additionalProperties: true
type: object
ExceptionListItemName:
$ref: '#/components/schemas/NonEmptyString'
description: Exception list name.
format: nonempty
minLength: 1
type: string
ExceptionListItemOsTypeArray:
items:
$ref: '#/components/schemas/ExceptionListOsType'
type: array
ExceptionListItemTags:
items:
$ref: '#/components/schemas/NonEmptyString'
description: >-
String array containing words and phrases to help categorize exception
items.
format: nonempty
minLength: 1
type: string
type: array
ExceptionListItemType:
enum:
@ -770,24 +831,35 @@ components:
type: string
ExceptionListMeta:
additionalProperties: true
description: Placeholder for metadata about the list container.
type: object
ExceptionListName:
description: The name of the exception list.
example: My exception list
type: string
ExceptionListOsType:
description: Use this field to specify the operating system.
enum:
- linux
- macos
- windows
type: string
ExceptionListOsTypeArray:
description: Use this field to specify the operating system. Only enter one value.
items:
$ref: '#/components/schemas/ExceptionListOsType'
type: array
ExceptionListTags:
description: >-
String array containing words and phrases to help categorize exception
containers.
items:
type: string
type: array
ExceptionListType:
description: >-
The type of exception list to be created. Different list types may
denote where they can be utilized.
enum:
- detection
- rule_default
@ -798,6 +870,7 @@ components:
- endpoint_blocklists
type: string
ExceptionListVersion:
description: The document version, automatically increasd on updates.
minimum: 1
type: integer
ExceptionNamespaceType:
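Review bot: Several of the description strings added in this hunk are wrong or misspelled for the schema they sit on: `ExceptionListItemDescription` reads `Describes the exception list.` and `ExceptionListItemName` reads `Exception list name.` although both are item-level schemas, `ExceptionListVersion` says `automatically increasd on updates`, and the `_version` text `Use it ensure updates are done` is missing "to". Suggested wording: `description: Describes the exception item.`, `description: Exception item name.`, `description: The document version, automatically increased on updates.`. The `ExceptionListItemHumanId` description still carries the list-style example `trusted-linux-processes` copied from `ExceptionListHumanId`; the `simple_list_item` value given as its `example` is the better illustration. The identical file section that follows in this commit repeats every one of these strings, so the fix applies there as well.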


@ -464,11 +464,17 @@ components:
type: object
properties:
_version:
description: >-
The version id, normally returned by the API when the item was
retrieved. Use it ensure updates are done against the latest
version.
type: string
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/ExceptionListDescription'
@ -489,13 +495,18 @@ components:
tags:
$ref: '#/components/schemas/ExceptionListTags'
tie_breaker_id:
description: >-
Field used in search to ensure all containers are sorted and
returned correctly.
type: string
type:
$ref: '#/components/schemas/ExceptionListType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
version:
$ref: '#/components/schemas/ExceptionListVersion'
@ -514,31 +525,47 @@ components:
- updated_at
- updated_by
ExceptionListDescription:
description: Describes the exception list.
example: This list tracks allowlisted values.
type: string
ExceptionListHumanId:
$ref: '#/components/schemas/NonEmptyString'
description: Human readable string identifier, e.g. `trusted-linux-processes`
description: >-
Exception list's human readable string identifier, e.g.
`trusted-linux-processes`.
example: simple_list
format: nonempty
minLength: 1
type: string
ExceptionListId:
$ref: '#/components/schemas/NonEmptyString'
description: Exception list's identifier.
example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
format: nonempty
minLength: 1
type: string
ExceptionListItem:
type: object
properties:
_version:
description: >-
The version id, normally returned by the API when the item was
retrieved. Use it ensure updates are done against the latest
version.
type: string
comments:
$ref: '#/components/schemas/ExceptionListItemCommentArray'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/ExceptionListItemDescription'
entries:
$ref: '#/components/schemas/ExceptionListItemEntryArray'
expire_time:
format: date-time
type: string
$ref: '#/components/schemas/ExceptionListItemExpireTime'
id:
$ref: '#/components/schemas/ExceptionListItemId'
item_id:
@ -556,13 +583,18 @@ components:
tags:
$ref: '#/components/schemas/ExceptionListItemTags'
tie_breaker_id:
description: >-
Field used in search to ensure all containers are sorted and
returned correctly.
type: string
type:
$ref: '#/components/schemas/ExceptionListItemType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
required:
- id
@ -585,6 +617,7 @@ components:
comment:
$ref: '#/components/schemas/NonEmptyString'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
@ -592,6 +625,7 @@ components:
id:
$ref: '#/components/schemas/NonEmptyString'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
@ -602,10 +636,15 @@ components:
- created_at
- created_by
ExceptionListItemCommentArray:
description: |
Array of comment fields:
- comment (string): Comments about the exception item.
items:
$ref: '#/components/schemas/ExceptionListItemComment'
type: array
ExceptionListItemDescription:
description: Describes the exception list.
type: string
ExceptionListItemEntry:
anyOf:
@ -747,22 +786,44 @@ components:
- excluded
- included
type: string
ExceptionListItemExpireTime:
description: >-
The exception items expiration date, in ISO format. This field is only
available for regular exception items, not endpoint exceptions.
format: date-time
type: string
ExceptionListItemHumanId:
$ref: '#/components/schemas/NonEmptyString'
description: Human readable string identifier, e.g. `trusted-linux-processes`
example: simple_list_item
format: nonempty
minLength: 1
type: string
ExceptionListItemId:
$ref: '#/components/schemas/NonEmptyString'
description: Exception's identifier.
example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
format: nonempty
minLength: 1
type: string
ExceptionListItemMeta:
additionalProperties: true
type: object
ExceptionListItemName:
$ref: '#/components/schemas/NonEmptyString'
description: Exception list name.
format: nonempty
minLength: 1
type: string
ExceptionListItemOsTypeArray:
items:
$ref: '#/components/schemas/ExceptionListOsType'
type: array
ExceptionListItemTags:
items:
$ref: '#/components/schemas/NonEmptyString'
description: >-
String array containing words and phrases to help categorize exception
items.
format: nonempty
minLength: 1
type: string
type: array
ExceptionListItemType:
enum:
@ -770,24 +831,35 @@ components:
type: string
ExceptionListMeta:
additionalProperties: true
description: Placeholder for metadata about the list container.
type: object
ExceptionListName:
description: The name of the exception list.
example: My exception list
type: string
ExceptionListOsType:
description: Use this field to specify the operating system.
enum:
- linux
- macos
- windows
type: string
ExceptionListOsTypeArray:
description: Use this field to specify the operating system. Only enter one value.
items:
$ref: '#/components/schemas/ExceptionListOsType'
type: array
ExceptionListTags:
description: >-
String array containing words and phrases to help categorize exception
containers.
items:
type: string
type: array
ExceptionListType:
description: >-
The type of exception list to be created. Different list types may
denote where they can be utilized.
enum:
- detection
- rule_default
@ -798,6 +870,7 @@ components:
- endpoint_blocklists
type: string
ExceptionListVersion:
description: The document version, automatically increasd on updates.
minimum: 1
type: integer
ExceptionNamespaceType:


@ -10,7 +10,7 @@ paths:
x-codegen-enabled: true
summary: Create an exception list
description: |
An exception list groups exception items and can be associated with detection rules. You can assign detection rules with multiple exception lists.
An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.
> info
> All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
requestBody:
@ -20,6 +20,14 @@ paths:
application/json:
schema:
type: object
example:
list_id: simple_list
type: detection
name: Sample Detection Exception List
description: This is a sample detection type exception list.
namespace_type: single
tags: [malware]
os_types: [linux]
properties:
list_id:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId'
@ -53,6 +61,79 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionList'
examples:
typeDetection:
value:
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
list_id: simple_list
type: detection
name: Sample Detection Exception List
description: This is a sample detection type exception list.
immutable: false
namespace_type: single
os_types: [linux]
tags: [malware]
version: 1
_version: WzIsMV0=
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
created_at: 2025-01-07T19:34:27.942Z
created_by: elastic
updated_at: 2025-01-07T19:34:27.942Z
updated_by: elastic
typeEndpoint:
value:
id: a79f4730-6e32-4278-abfc-349c0add7d54
list_id: endpoint_list
type: endpoint
name: Sample Endpoint Exception List
description: This is a sample endpoint type exception list.
immutable: false
namespace_type: single
os_types: [linux]
tags: [malware]
version: 1
_version: WzQsMV0=
tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee
created_at: 2025-01-09T01:07:49.658Z
created_by: elastic
updated_at: 2025-01-09T01:07:49.658Z
updated_by: elastic
namespaceAgnostic:
value:
id: 1a744e77-22ca-4b6b-9085-54f55275ebe5
list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6
type: endpoint
name: Sample Agnostic Endpoint Exception List
description: This is a sample agnostic endpoint type exception.
immutable: false
namespace_type: agnostic
os_types: [linux]
tags: [malware]
version: 1
_version: WzUsMV0=
tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3
created_at: 2025-01-09T01:10:36.369Z
created_by: elastic
updated_at: 2025-01-09T01:10:36.369Z
updated_by: elastic
autogeneratedListId:
value:
id: 28243c2f-624a-4443-823d-c0b894880931
list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
type: detection
name: Sample Detection Exception List
description: This is a sample detection type exception with an autogenerated list_id.
immutable: false
namespace_type: single
os_types: []
tags: [malware]
version: 1
_version: WzMsMV0=
tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338
created_at: 2025-01-09T01:05:23.019Z
created_by: elastic
updated_at: 2025-01-09T01:05:23.020Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -61,27 +142,55 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: '[request body]: list_id: Expected string, received number'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
409:
description: Exception list already exists response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
alreadyExists:
value:
message: 'exception list id: "simple_list" already exists'
status_code: 409
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500


@ -27,6 +27,7 @@ import {
ExceptionListItemOsTypeArray,
ExceptionListItemTags,
ExceptionListItemMeta,
ExceptionListItemExpireTime,
ExceptionListItem,
} from '../model/exception_list_common.gen';
import { ExceptionListItemEntryArray } from '../model/exception_list_item_entry.gen';
@ -53,7 +54,7 @@ export const CreateExceptionListItemRequestBody = z.object({
os_types: ExceptionListItemOsTypeArray.optional().default([]),
tags: ExceptionListItemTags.optional().default([]),
meta: ExceptionListItemMeta.optional(),
expire_time: z.string().datetime().optional(),
expire_time: ExceptionListItemExpireTime.optional(),
comments: CreateExceptionListItemCommentArray.optional().default([]),
});
export type CreateExceptionListItemRequestBodyInput = z.input<


@ -20,6 +20,23 @@ paths:
application/json:
schema:
type: object
example:
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
- type: match_any
field: host.name
value: [saturn, jupiter]
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
properties:
item_id:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemHumanId'
@ -45,8 +62,7 @@ paths:
meta:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemMeta'
expire_time:
type: string
format: date-time
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemExpireTime'
comments:
$ref: '#/components/schemas/CreateExceptionListItemCommentArray'
default: []
@ -63,6 +79,174 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItem'
examples:
detectionExceptionListItem:
value:
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
autogeneratedItemId:
value:
id: 323faa75-c657-4fa0-9084-8827612c207b
item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37
list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
type: simple
name: Sample Autogenerated Exception List Item ID
description: This is a sample exception that has no item_id so it is autogenerated.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
namespace_type: single
os_types: []
tags: [malware]
comments: []
_version: WzYsMV0=
tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23
created_at: 2025-01-09T01:16:23.322Z
created_by: elastic
updated_at: 2025-01-09T01:16:23.322Z
updated_by: elastic
withMatchAnyEntry:
value:
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: match_any
field: host.name
value: [saturn, jupiter]
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
withMatchEntry:
value:
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: match
field: actingProcess.file.signer
value: Elastic N.V.
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
withNestedEntry:
value:
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: nested
field: file.signature
entries:
- type: match
field: signer
value: Evil
operator: included
- type: match
field: trusted
value: true
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
withExistEntry:
value:
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
withValueListEntry:
value:
id: deb26876-297d-4677-8a1f-35467d2f1c4f
item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71
list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
type: simple
name: Filter out good guys ip and agent.name rock01
description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list
entries:
- type: list
field: source.ip
list:
id: goodguys.txt
type: ip
operator: excluded
namespace_type: single
os_types: []
tags: [malware]
comments: []
_version: WzcsMV0=
tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8
created_at: 2025-01-09T01:31:12.614Z
created_by: elastic
updated_at: 2025-01-09T01:31:12.614Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -71,30 +255,58 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400,
error: Bad Request,
message: '[request body]: list_id: Expected string, received number'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
409:
description: Exception list item already exists response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
alreadyExists:
value:
message: 'exception list item id: \"simple_list_item\" already exists'
status_code: 409
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
components:
x-codegen-enabled: true
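Review bot: The `badRequest` example under the 400 response has trailing commas, `statusCode: 400,` and `error: Bad Request,`, which YAML keeps as part of the scalar, so the rendered example shows the string `400,` rather than the number 400 and `Bad Request,` rather than `Bad Request`; drop the commas: `statusCode: 400` / `error: Bad Request`. The 401 `unauthorized` message and the 409 `alreadyExists` message are single-quoted, and YAML does not process backslash escapes inside single quotes, so `\n\t` and `\"` appear literally in the generated docs; the create-exception-list file in this same commit uses double quotes for the identical 401 text and a plain `"simple_list"` inside single quotes for the 409 text, and this file should match (`message: "[security_exception\n\tRoot causes: …"` and `message: 'exception list item id: "simple_list_item" already exists'`). The same single-quoted 401 message appears in the create-rule-exceptions file section below.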


@ -10,7 +10,7 @@
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
*
* info:
* title: Create rule exception list items API endpoint
* title: Create rule exception items API endpoint
* version: 2023-10-31
*/


@ -1,6 +1,6 @@
openapi: 3.0.0
info:
title: Create rule exception list items API endpoint
title: Create rule exception items API endpoint
version: '2023-10-31'
paths:
/api/detection_engine/rules/{id}/exceptions:
@ -8,7 +8,7 @@ paths:
x-labels: [serverless, ess]
operationId: CreateRuleExceptionListItems
x-codegen-enabled: true
summary: Create rule exception list items
summary: Create rule exception items
description: Create exception items that apply to a single detection rule.
parameters:
- name: id
@ -17,8 +17,11 @@ paths:
description: Detection rule's identifier
schema:
$ref: '#/components/schemas/RuleId'
examples:
id:
value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0
requestBody:
description: Rule exception list items
description: Rule exception items.
required: true
content:
application/json:
@ -30,6 +33,24 @@ paths:
items:
$ref: '#/components/schemas/CreateRuleExceptionListItemProps'
required: [items]
example:
items:
- item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
- type: match_any
field: host.name
value: [saturn, jupiter]
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
responses:
200:
description: Successful response
@ -39,6 +60,33 @@ paths:
type: array
items:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItem'
examples:
ruleExceptionItems:
value:
- id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
- type: match_any
field: host.name
value: [saturn, jupiter]
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -47,24 +95,51 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: '[request params]: id: Invalid uuid'
badPayload:
value:
statusCode: 400
error: Bad Request
message: 'Invalid request payload JSON format'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
message: 'Unable to create exception-list'
status_code: 403
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
components:
schemas:
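Review bot: The `forbidden` example under the 403 response uses `message`/`status_code` keys, which is the SiemErrorResponse shape, while the schema declared on that response is PlatformErrorResponse (`statusCode`/`error`/`message`), so the example does not validate against its own schema. If the endpoint really returns `Unable to create exception-list` with `status_code`, the `$ref` should point at SiemErrorResponse; otherwise the example should be `statusCode: 403`, `error: Forbidden` plus the message, as the 401 example in the same file already is. The same 403 example/schema mismatch appears in the update-exception-list file section that follows.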


@ -27,6 +27,13 @@ paths:
required:
- name
- description
example:
list_id: simple_list
name: Sample Detection Exception List
description: This is a sample detection type exception list.
namespace_type: single
tags: [malware]
os_types: [linux]
responses:
200:
description: Successful response
@ -34,6 +41,25 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionList'
examples:
sharedList:
value:
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
list_id: simple_list
type: detection
name: Sample Detection Exception List
description: This is a sample detection type exception list.
immutable: false
namespace_type: single
os_types: [linux]
tags: [malware]
version: 1
_version: WzIsMV0=
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
created_at: 2025-01-07T19:34:27.942Z
created_by: elastic
updated_at: 2025-01-07T19:34:27.942Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -42,27 +68,54 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: '[request body]: list_id: Expected string, received number'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
message: 'Unable to create exception-list'
status_code: 403
409:
description: Exception list already exists response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
alreadyExists:
value:
message: 'exception list id: "simple_list" already exists'
status_code: 409
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
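Review bot: The `forbidden` example in the third hunk uses the `message`/`status_code` shape, but the 403 response it sits under references `PlatformErrorResponse`, whose other examples in this commit carry `statusCode`/`error`/`message`; either point the schema at `SiemErrorResponse` or rewrite the example as `statusCode: 403`, `error: Forbidden`, `message: '...'` — presumably the latter, if the handler returns the platform error shape, which cannot be confirmed from this hunk. Separately, the `unauthorized` example here is the only copy of that message in the commit written as a double-quoted YAML scalar, so its `\n\t` escapes become real newlines and tabs, whereas the single-quoted copies in the delete, duplicate, export, find and import specs keep them as literal backslash sequences; pick one quoting style so the rendered docs show the same message everywhere.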


@ -26,11 +26,11 @@ import {
export type DeleteExceptionListRequestQuery = z.infer<typeof DeleteExceptionListRequestQuery>;
export const DeleteExceptionListRequestQuery = z.object({
/**
* Either `id` or `list_id` must be specified
* Exception list's identifier. Either `id` or `list_id` must be specified.
*/
id: ExceptionListId.optional(),
/**
* Either `id` or `list_id` must be specified
* Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
*/
list_id: ExceptionListHumanId.optional(),
namespace_type: ExceptionNamespaceType.optional().default('single'),


@ -14,21 +14,31 @@ paths:
- name: id
in: query
required: false
description: Either `id` or `list_id` must be specified
description: Exception list's identifier. Either `id` or `list_id` must be specified.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListId'
- name: list_id
in: query
required: false
description: Either `id` or `list_id` must be specified
description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId'
examples:
list_id:
value: simple_list
autogeneratedId:
value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
- name: namespace_type
in: query
required: false
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
default: single
examples:
single:
value: single
agnostic:
value: agnostic
responses:
200:
description: Successful response
@ -36,6 +46,25 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionList'
examples:
detectionExceptionList:
value:
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
list_id: simple_list
type: detection
name: Sample Detection Exception List
description: This is a sample detection type exception list.
immutable: false
namespace_type: single
os_types: [linux]
tags: [malware]
version: 1
_version: WzIsMV0=
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
created_at: 2025-01-07T19:34:27.942Z
created_by: elastic
updated_at: 2025-01-07T19:34:27.942Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -44,27 +73,55 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
404:
description: Exception list not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message: 'exception list list_id: "foo" does not exist'
status_code: 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
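Review bot: The descriptions added to `id` and `list_id` in the first hunk state that one of the two must be supplied, but nothing in the spec encodes that constraint and the only 400 example (`badRequest`, third hunk) shows an unrelated `namespace_type` failure, so a reader never sees what the missing-identifier rejection looks like; a second named entry under the 400 `examples` carrying the validator's actual message for a request that omits both would close that gap. As a style nit, the example keys `list_id` and `autogeneratedId` on the `list_id` parameter are free-form labels, and naming one after the parameter itself reads as a field; something like `humanReadable` / `autogenerated` would be clearer.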


@ -28,11 +28,11 @@ export type DeleteExceptionListItemRequestQuery = z.infer<
>;
export const DeleteExceptionListItemRequestQuery = z.object({
/**
* Either `id` or `item_id` must be specified
* Exception item's identifier. Either `id` or `item_id` must be specified
*/
id: ExceptionListItemId.optional(),
/**
* Either `id` or `item_id` must be specified
* Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified
*/
item_id: ExceptionListItemHumanId.optional(),
namespace_type: ExceptionNamespaceType.optional().default('single'),


@ -14,13 +14,13 @@ paths:
- name: id
in: query
required: false
description: Either `id` or `item_id` must be specified
description: Exception item's identifier. Either `id` or `item_id` must be specified
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemId'
- name: item_id
in: query
required: false
description: Either `id` or `item_id` must be specified
description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemHumanId'
- name: namespace_type
@ -29,6 +29,11 @@ paths:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
default: single
examples:
single:
value: single
agnostic:
value: agnostic
responses:
200:
description: Successful response
@ -36,6 +41,33 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItem'
examples:
simpleExceptionItem:
value:
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
- type: match_any
field: host.name
value: [saturn, jupiter]
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -44,27 +76,53 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
example:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
404:
description: Exception list item not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message: 'exception list item item_id: \"foo\" does not exist'
status_code: 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
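Review bot: The `notFound` example in the last hunk escapes its quotes inside a single-quoted YAML scalar, so `\"foo\"` is emitted with literal backslashes in the rendered docs; write it as `message: 'exception list item item_id: "foo" does not exist'`, the form the list-level delete spec already uses. Two smaller consistency points in the same hunk: the 400 response uses a bare `example:` where every other response in this commit uses a named entry under `examples:`, and the `forbidden` message quotes `item_id=simple_list` while the 200 example's item is `simple_list_item`, so the two examples do not describe the same request.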


@ -24,13 +24,10 @@ import {
export type DuplicateExceptionListRequestQuery = z.infer<typeof DuplicateExceptionListRequestQuery>;
export const DuplicateExceptionListRequestQuery = z.object({
/**
* Exception list's human identifier
*/
list_id: ExceptionListHumanId,
namespace_type: ExceptionNamespaceType,
/**
* Determines whether to include expired exceptions in the exported list
* Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`.
*/
include_expired_exceptions: z.enum(['true', 'false']).default('true'),
});


@ -14,7 +14,6 @@ paths:
- name: list_id
in: query
required: true
description: Exception list's human identifier
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId'
- name: namespace_type
@ -22,14 +21,20 @@ paths:
required: true
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
examples:
single:
value: single
agnostic:
value: agnostic
- name: include_expired_exceptions
in: query
required: true
description: Determines whether to include expired exceptions in the exported list
description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`.
schema:
type: string
enum: ['true', 'false']
default: 'true'
example: true
responses:
200:
description: Successful response
@ -37,6 +42,25 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionList'
examples:
detectionExceptionList:
value:
id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429
list_id: d6390d60-bce3-4a48-9002-52db600f329c
type: detection
name: Sample Detection Exception List [Duplicate]
description: This is a sample detection type exception
immutable: false
namespace_type: single
os_types: []
tags: [malware]
version: 1
_version: WzExNDY1LDFd
tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985
created_at: 2025-01-09T16:19:50.280Z
created_by: elastic
updated_at: 2025-01-09T16:19:50.280Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -45,18 +69,47 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type: Invalid enum value. Expected 'agnostic' | 'single', received 'foo'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
404:
description: Exception list not found
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
notFound:
value:
message": 'exception list id: "foo" does not exist'
status_code": 404
405:
description: Exception list to duplicate not found response
content:
@ -69,3 +122,8 @@ paths:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
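Review bot: The `notFound` example in the fourth hunk has stray double quotes glued to its keys (`message":` and `status_code":`), which YAML parses as the key names `message"` and `status_code"`, so the example no longer matches any field of the referenced schema; the lines should read `message: 'exception list id: "foo" does not exist'` and `status_code: 404`. The export spec's 404 example has the same typo. In the second hunk, `example: true` on `include_expired_exceptions` is a YAML boolean while the schema is a string enum of `'true'`/`'false'`, so the example fails the schema's own type; use `example: 'true'` (the export spec repeats this mismatch). Also, that 404 response references `PlatformErrorResponse` but the example is in the `message`/`status_code` shape the other specs pair with `SiemErrorResponse`, so one of the two should change.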


@ -24,17 +24,11 @@ import {
export type ExportExceptionListRequestQuery = z.infer<typeof ExportExceptionListRequestQuery>;
export const ExportExceptionListRequestQuery = z.object({
/**
* Exception list's identifier
*/
id: ExceptionListId,
/**
* Exception list's human identifier
*/
list_id: ExceptionListHumanId,
namespace_type: ExceptionNamespaceType,
/**
* Determines whether to include expired exceptions in the exported list
* Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`.
*/
include_expired_exceptions: z.enum(['true', 'false']).default('true'),
});


@ -14,13 +14,11 @@ paths:
- name: id
in: query
required: true
description: Exception list's identifier
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListId'
- name: list_id
in: query
required: true
description: Exception list's human identifier
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId'
- name: namespace_type
@ -28,14 +26,20 @@ paths:
required: true
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
examples:
single:
value: single
agnostic:
value: agnostic
- name: include_expired_exceptions
in: query
required: true
description: Determines whether to include expired exceptions in the exported list
description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`.
schema:
type: string
enum: ['true', 'false']
default: 'true'
example: true
responses:
200:
description: Successful response
@ -45,6 +49,12 @@ paths:
type: string
format: binary
description: A `.ndjson` file containing specified exception list and its items
examples:
exportSavedObjectsResponse:
value: |
{"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
{"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}
400:
description: Invalid input data response
content:
@ -53,27 +63,55 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: '[request query]: list_id: Required, namespace_type: Required'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
404:
description: Exception list not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message": 'exception list id: "foo" does not exist'
status_code": 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
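Review bot: The `description` of the binary 200 body in the third hunk says the file contains the list and its items, but the example's third line is a summary record (`exported_exception_list_count`, `missing_exception_list_items`, and so on) that the description never mentions, so a client parsing the export line by line will not expect it; extend the description to state that the final line is a summary object with the export and missing-item counts rather than a list or item. The import spec's example, by contrast, shows only the list and item lines, which is consistent with the summary being output-only, but that should be said explicitly here rather than inferred from the two examples.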


@ -30,7 +30,7 @@ export const FindExceptionListItemsFilter = NonEmptyString;
export type FindExceptionListItemsRequestQuery = z.infer<typeof FindExceptionListItemsRequestQuery>;
export const FindExceptionListItemsRequestQuery = z.object({
/**
* List's id
* The `list_id`s of the items to fetch.
*/
list_id: ArrayFromString(ExceptionListHumanId),
/**
@ -55,11 +55,11 @@ or available in all spaces (`agnostic` or `single`)
*/
per_page: z.coerce.number().int().min(0).optional(),
/**
* Determines which field is used to sort the results
* Determines which field is used to sort the results.
*/
sort_field: NonEmptyString.optional(),
/**
* Determines the sort order, which can be `desc` or `asc`
* Determines the sort order, which can be `desc` or `asc`.
*/
sort_order: z.enum(['desc', 'asc']).optional(),
});


@ -14,7 +14,7 @@ paths:
- name: list_id
in: query
required: true
description: List's id
description: The `list_id`s of the items to fetch.
schema:
type: array
items:
@ -30,6 +30,9 @@ paths:
items:
$ref: '#/components/schemas/FindExceptionListItemsFilter'
default: []
examples:
singleFilter:
value: [exception-list.attributes.name:%My%20item]
- name: namespace_type
in: query
required: false
@ -41,11 +44,15 @@ paths:
items:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
default: [single]
examples:
single:
value: [single]
- name: search
in: query
required: false
schema:
type: string
example: host.name
- name: page
in: query
required: false
@ -53,6 +60,7 @@ paths:
schema:
type: integer
minimum: 0
example: 1
- name: per_page
in: query
required: false
@ -60,19 +68,22 @@ paths:
schema:
type: integer
minimum: 0
example: 20
- name: sort_field
in: query
required: false
description: Determines which field is used to sort the results
description: Determines which field is used to sort the results.
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
example: 'name'
- name: sort_order
in: query
required: false
description: Determines the sort order, which can be `desc` or `asc`
description: Determines the sort order, which can be `desc` or `asc`.
schema:
type: string
enum: [desc, asc]
example: desc
responses:
200:
description: Successful response
@ -101,6 +112,37 @@ paths:
- page
- per_page
- total
examples:
simpleListItems:
value:
data:
- id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
- type: match_any
field: host.name
value: [jupiter, saturn]
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzgsMV0=
tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0
created_at: 2025-01-07T21:12:25.512Z
created_by: elastic
updated_at: 2025-01-07T21:12:25.512Z
updated_by: elastic
page: 1
per_page: 20
total: 1
400:
description: Invalid input data response
content:
@ -109,30 +151,58 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]'
404:
description: Exception list not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message: 'exception list list_id: "foo" does not exist'
status_code: 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
components:
schemas:
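Review bot: The `singleFilter` example in the second hunk is a flow sequence whose only element is an unquoted scalar containing `:` and `%` (`value: [exception-list.attributes.name:%My%20item]`); a plain scalar with a colon inside a flow collection is a known portability hazard across YAML 1.1 loaders, and the value looks URL-encoded rather than being the raw filter a client would type, so quote it: `value: ['exception-list.attributes.name:%My%20item']` (or the unencoded form if the spec means to show the logical filter rather than the wire form). In the fifth hunk the parameter examples mix quoting styles — `example: 'name'` for `sort_field` but `example: desc` for `sort_order` — which is harmless but worth aligning. Whether `exception-list.attributes.name` is the right attribute prefix for the items endpoint, as opposed to the list endpoint, cannot be checked from this hunk.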


@ -49,11 +49,11 @@ or available in all spaces (`agnostic` or `single`)
*/
per_page: z.coerce.number().int().min(1).optional(),
/**
* Determines which field is used to sort the results
* Determines which field is used to sort the results.
*/
sort_field: z.string().optional(),
/**
* Determines the sort order, which can be `desc` or `asc`
* Determines the sort order, which can be `desc` or `asc`.
*/
sort_order: z.enum(['desc', 'asc']).optional(),
});


@ -9,7 +9,7 @@ paths:
operationId: FindExceptionLists
x-codegen-enabled: true
summary: Get exception lists
description: Get a list of all exception lists.
description: Get a list of all exception list containers.
parameters:
- name: filter
in: query
@ -34,6 +34,11 @@ paths:
items:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
default: [single]
examples:
single:
value: single
agnostic:
value: agnostic
- name: page
in: query
required: false
@ -41,6 +46,7 @@ paths:
schema:
type: integer
minimum: 1
example: 1
- name: per_page
in: query
required: false
@ -48,19 +54,22 @@ paths:
schema:
type: integer
minimum: 1
example: 20
- name: sort_field
in: query
required: false
description: Determines which field is used to sort the results
description: Determines which field is used to sort the results.
schema:
type: string
example: 'name'
- name: sort_order
in: query
required: false
description: Determines the sort order, which can be `desc` or `asc`
description: Determines the sort order, which can be `desc` or `asc`.
schema:
type: string
enum: [desc, asc]
example: 'desc'
responses:
200:
description: Successful response
@ -87,6 +96,29 @@ paths:
- page
- per_page
- total
examples:
simpleLists:
value:
data:
- id: '9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85'
list_id: 'simple_list'
type: 'detection'
name: 'Detection Exception List'
description: 'This is a sample detection type exception list.'
immutable: false
namespace_type: 'single'
os_types: []
tags: ['malware']
version: 1
_version: 'WzIsMV0='
tie_breaker_id: '78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3'
created_at: 2025-01-07T19:34:27.942Z
created_by: 'elastic'
updated_at: 2025-01-07T19:34:27.942Z
updated_by: 'elastic'
page: 1
per_page: 20
total: 1
400:
description: Invalid input data response
content:
@ -95,26 +127,50 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]'
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
components:
schemas:
FindExceptionListsFilter:
type: string
example: exception-list.attributes.name:%Detection%20List
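Review bot: The `examples` added to `namespace_type` in the second hunk give scalar values (`value: single`, `value: agnostic`) for a parameter whose schema is `type: array` with `default: [single]`, so the examples do not validate against the schema they illustrate; use `value: [single]` and `value: [agnostic]`, as the items find spec in this commit does. The 200 example in the fifth hunk quotes every string value while the same object elsewhere in this commit is written bare; both are valid YAML, so only consistency is at stake. Within that quoted example, `created_at`/`updated_at` are the one pair left unquoted, which some YAML 1.1 loaders will turn into timestamp objects rather than strings; quoting them keeps the example uniform.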


@ -45,8 +45,6 @@ If any exception items have the same `item_id`, those are also overwritten.
*/
overwrite: BooleanFromString.optional().default(false),
overwrite_exceptions: BooleanFromString.optional().default(false),
overwrite_action_connectors: BooleanFromString.optional().default(false),
/**
* Determines whether the list being imported will have a new `list_id` generated.
Additional `item_id`'s are generated for each exception item. Both the exception
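Review bot: Dropping `overwrite_exceptions` and `overwrite_action_connectors` from `ImportExceptionListRequestQuery` changes the accepted request contract, which goes beyond the documentation scope stated in the PR title; if this is a default `z.object`, unknown query keys are stripped silently, so a client still sending either flag would have it ignored without any error. If the handler never read these parameters, the PR description should say so and the removal belongs in the changelog; if it did, the yaml source should keep them. This file is generated from the spec, so the fix belongs in the corresponding `.schema.yaml`, and the object literal continues past the end of the hunk.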


@ -21,6 +21,9 @@ paths:
type: string
format: binary
description: A `.ndjson` file containing the exception list
example: |
{"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
parameters:
- name: overwrite
in: query
@ -31,18 +34,7 @@ paths:
schema:
type: boolean
default: false
- name: overwrite_exceptions
in: query
required: false
schema:
type: boolean
default: false
- name: overwrite_action_connectors
in: query
required: false
schema:
type: boolean
default: false
example: false
- name: as_new_list
in: query
required: false
@ -53,6 +45,7 @@ paths:
schema:
type: boolean
default: false
example: false
responses:
200:
description: Successful response
@ -86,6 +79,34 @@ paths:
- success_count_exception_lists
- success_exception_list_items
- success_count_exception_list_items
examples:
withoutErrors:
value:
errors: []
success: true
success_count: 2
success_exception_lists: true,
success_count_exception_lists: 1
success_exception_list_items: true
success_count_exception_list_items: 1
withErrors:
value:
errors:
- error:
status_code: 400
message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"'
list_id: (unknown list_id)
- error:
status_code: 409
message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.'
list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee
item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330
success: false,
success_count: 0,
success_exception_lists: false,
success_count_exception_lists: 0,
success_exception_list_items: false,
success_count_exception_list_items: 0
400:
description: Invalid input data response
content:
@ -100,18 +121,35 @@ paths:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
components:
schemas:
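Review bot: The `withoutErrors` and `withErrors` response examples carry trailing commas (`success_exception_lists: true,` in the first, and `success: false,` through `success_count_exception_lists: 0,` in the second), which YAML parses as the plain strings "true," and "false," rather than the booleans and integers the schema declares, so the rendered example contradicts the schema; drop the commas. The single-quoted error messages use backslash-escaped quotes (`Invalid value \"4\" supplied to \"list_id\"` and the 409 message), which single-quoted YAML keeps as literal backslashes; write the inner quotes bare inside the single quotes, or switch to a double-quoted scalar, and the same applies to the `notFound` message in the read-item endpoint file further down. Separately, the second hunk removes `overwrite_exceptions` and `overwrite_action_connectors` from the documented query parameters, and the generated request schema above drops them as well; if the route handler still reads those parameters the published API now under-documents accepted input, and if the removal is intentional it is a behaviour change that goes beyond a docs-only PR and should be called out in the description.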


@ -15,19 +15,26 @@
*/
import { z } from '@kbn/zod';
import { isNonEmptyString } from '@kbn/zod-helpers';
import { NonEmptyString } from '@kbn/openapi-common/schemas/primitives.gen';
import { ExceptionListItemEntryArray } from './exception_list_item_entry.gen';
/**
* Exception list's identifier.
*/
export type ExceptionListId = z.infer<typeof ExceptionListId>;
export const ExceptionListId = NonEmptyString;
export const ExceptionListId = z.string().min(1).superRefine(isNonEmptyString);
/**
* Human readable string identifier, e.g. `trusted-linux-processes`
* Exception list's human readable string identifier, e.g. `trusted-linux-processes`.
*/
export type ExceptionListHumanId = z.infer<typeof ExceptionListHumanId>;
export const ExceptionListHumanId = NonEmptyString;
export const ExceptionListHumanId = z.string().min(1).superRefine(isNonEmptyString);
/**
* The type of exception list to be created. Different list types may denote where they can be utilized.
*/
export type ExceptionListType = z.infer<typeof ExceptionListType>;
export const ExceptionListType = z.enum([
'detection',
@ -41,12 +48,21 @@ export const ExceptionListType = z.enum([
export type ExceptionListTypeEnum = typeof ExceptionListType.enum;
export const ExceptionListTypeEnum = ExceptionListType.enum;
/**
* The name of the exception list.
*/
export type ExceptionListName = z.infer<typeof ExceptionListName>;
export const ExceptionListName = z.string();
/**
* Describes the exception list.
*/
export type ExceptionListDescription = z.infer<typeof ExceptionListDescription>;
export const ExceptionListDescription = z.string();
/**
* Placeholder for metadata about the list container.
*/
export type ExceptionListMeta = z.infer<typeof ExceptionListMeta>;
export const ExceptionListMeta = z.object({}).catchall(z.unknown());
@ -63,17 +79,29 @@ export const ExceptionNamespaceType = z.enum(['agnostic', 'single']);
export type ExceptionNamespaceTypeEnum = typeof ExceptionNamespaceType.enum;
export const ExceptionNamespaceTypeEnum = ExceptionNamespaceType.enum;
/**
* String array containing words and phrases to help categorize exception containers.
*/
export type ExceptionListTags = z.infer<typeof ExceptionListTags>;
export const ExceptionListTags = z.array(z.string());
/**
* Use this field to specify the operating system.
*/
export type ExceptionListOsType = z.infer<typeof ExceptionListOsType>;
export const ExceptionListOsType = z.enum(['linux', 'macos', 'windows']);
export type ExceptionListOsTypeEnum = typeof ExceptionListOsType.enum;
export const ExceptionListOsTypeEnum = ExceptionListOsType.enum;
/**
* Use this field to specify the operating system. Only enter one value.
*/
export type ExceptionListOsTypeArray = z.infer<typeof ExceptionListOsTypeArray>;
export const ExceptionListOsTypeArray = z.array(ExceptionListOsType);
/**
* The document version, automatically increasd on updates.
*/
export type ExceptionListVersion = z.infer<typeof ExceptionListVersion>;
export const ExceptionListVersion = z.number().int().min(1);
@ -90,34 +118,70 @@ export const ExceptionList = z.object({
tags: ExceptionListTags.optional(),
meta: ExceptionListMeta.optional(),
version: ExceptionListVersion,
/**
* The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
*/
_version: z.string().optional(),
/**
* Field used in search to ensure all containers are sorted and returned correctly.
*/
tie_breaker_id: z.string(),
/**
* Autogenerated date of object creation.
*/
created_at: z.string().datetime(),
/**
* Autogenerated value - user that created object.
*/
created_by: z.string(),
/**
* Autogenerated date of last object update.
*/
updated_at: z.string().datetime(),
/**
* Autogenerated value - user that last updated object.
*/
updated_by: z.string(),
});
/**
* Exception's identifier.
*/
export type ExceptionListItemId = z.infer<typeof ExceptionListItemId>;
export const ExceptionListItemId = NonEmptyString;
export const ExceptionListItemId = z.string().min(1).superRefine(isNonEmptyString);
/**
* Human readable string identifier, e.g. `trusted-linux-processes`
*/
export type ExceptionListItemHumanId = z.infer<typeof ExceptionListItemHumanId>;
export const ExceptionListItemHumanId = NonEmptyString;
export const ExceptionListItemHumanId = z.string().min(1).superRefine(isNonEmptyString);
export type ExceptionListItemType = z.infer<typeof ExceptionListItemType>;
export const ExceptionListItemType = z.literal('simple');
/**
* Exception list name.
*/
export type ExceptionListItemName = z.infer<typeof ExceptionListItemName>;
export const ExceptionListItemName = NonEmptyString;
export const ExceptionListItemName = z.string().min(1).superRefine(isNonEmptyString);
/**
* Describes the exception list.
*/
export type ExceptionListItemDescription = z.infer<typeof ExceptionListItemDescription>;
export const ExceptionListItemDescription = z.string();
export type ExceptionListItemMeta = z.infer<typeof ExceptionListItemMeta>;
export const ExceptionListItemMeta = z.object({}).catchall(z.unknown());
/**
* The exception items expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
*/
export type ExceptionListItemExpireTime = z.infer<typeof ExceptionListItemExpireTime>;
export const ExceptionListItemExpireTime = z.string().datetime();
export type ExceptionListItemTags = z.infer<typeof ExceptionListItemTags>;
export const ExceptionListItemTags = z.array(NonEmptyString);
export const ExceptionListItemTags = z.array(z.string().min(1).superRefine(isNonEmptyString));
export type ExceptionListItemOsType = z.infer<typeof ExceptionListItemOsType>;
export const ExceptionListItemOsType = z.enum(['linux', 'macos', 'windows']);
@ -131,12 +195,24 @@ export type ExceptionListItemComment = z.infer<typeof ExceptionListItemComment>;
export const ExceptionListItemComment = z.object({
id: NonEmptyString,
comment: NonEmptyString,
/**
* Autogenerated date of object creation.
*/
created_at: z.string().datetime(),
created_by: NonEmptyString,
/**
* Autogenerated date of last object update.
*/
updated_at: z.string().datetime().optional(),
updated_by: NonEmptyString.optional(),
});
/**
* Array of comment fields:
- comment (string): Comments about the exception item.
*/
export type ExceptionListItemCommentArray = z.infer<typeof ExceptionListItemCommentArray>;
export const ExceptionListItemCommentArray = z.array(ExceptionListItemComment);
@ -153,13 +229,31 @@ export const ExceptionListItem = z.object({
os_types: ExceptionListItemOsTypeArray.optional(),
tags: ExceptionListItemTags.optional(),
meta: ExceptionListItemMeta.optional(),
expire_time: z.string().datetime().optional(),
expire_time: ExceptionListItemExpireTime.optional(),
comments: ExceptionListItemCommentArray,
/**
* The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
*/
_version: z.string().optional(),
/**
* Field used in search to ensure all containers are sorted and returned correctly.
*/
tie_breaker_id: z.string(),
/**
* Autogenerated date of object creation.
*/
created_at: z.string().datetime(),
/**
* Autogenerated value - user that created object.
*/
created_by: z.string(),
/**
* Autogenerated date of last object update.
*/
updated_at: z.string().datetime(),
/**
* Autogenerated value - user that last updated object.
*/
updated_by: z.string(),
});
@ -176,11 +270,23 @@ export const ExceptionListSO = z.object({
os_types: ExceptionListItemOsTypeArray.optional(),
tags: ExceptionListItemTags.optional(),
meta: ExceptionListItemMeta.optional(),
expire_time: z.string().datetime().optional(),
expire_time: ExceptionListItemExpireTime.optional(),
comments: ExceptionListItemCommentArray.optional(),
version: NonEmptyString.optional(),
/**
* Field used in search to ensure all containers are sorted and returned correctly.
*/
tie_breaker_id: z.string(),
/**
* Autogenerated date of object creation.
*/
created_at: z.string().datetime(),
/**
* Autogenerated value - user that created object.
*/
created_by: z.string(),
/**
* Autogenerated value - user that last updated object.
*/
updated_by: z.string(),
});


@ -7,14 +7,22 @@ components:
x-codegen-enabled: true
schemas:
ExceptionListId:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
type: string
minLength: 1
format: nonempty
description: Exception list's identifier.
example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
ExceptionListHumanId:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
description: Human readable string identifier, e.g. `trusted-linux-processes`
type: string
minLength: 1
format: nonempty
description: Exception list's human readable string identifier, e.g. `trusted-linux-processes`.
example: 'simple_list'
ExceptionListType:
type: string
description: The type of exception list to be created. Different list types may denote where they can be utilized.
enum:
- detection
- rule_default
@ -26,13 +34,18 @@ components:
ExceptionListName:
type: string
description: The name of the exception list.
example: 'My exception list'
ExceptionListDescription:
type: string
description: Describes the exception list.
example: 'This list tracks allowlisted values.'
ExceptionListMeta:
type: object
additionalProperties: true
description: Placeholder for metadata about the list container.
ExceptionNamespaceType:
type: string
@ -50,6 +63,7 @@ components:
type: array
items:
type: string
description: String array containing words and phrases to help categorize exception containers.
ExceptionListOsType:
type: string
@ -57,15 +71,18 @@ components:
- linux
- macos
- windows
description: Use this field to specify the operating system.
ExceptionListOsTypeArray:
type: array
items:
$ref: '#/components/schemas/ExceptionListOsType'
description: Use this field to specify the operating system. Only enter one value.
ExceptionListVersion:
type: integer
minimum: 1
description: The document version, automatically increasd on updates.
ExceptionList:
type: object
@ -94,18 +111,24 @@ components:
$ref: '#/components/schemas/ExceptionListVersion'
_version:
type: string
description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
tie_breaker_id:
type: string
description: Field used in search to ensure all containers are sorted and returned correctly.
created_at:
type: string
format: date-time
description: Autogenerated date of object creation.
created_by:
type: string
description: Autogenerated value - user that created object.
updated_at:
type: string
format: date-time
description: Autogenerated date of last object update.
updated_by:
type: string
description: Autogenerated value - user that last updated object.
required:
- id
- list_id
@ -122,29 +145,49 @@ components:
- updated_by
ExceptionListItemId:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
type: string
minLength: 1
format: nonempty
description: Exception's identifier.
example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
ExceptionListItemHumanId:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
type: string
minLength: 1
format: nonempty
description: Human readable string identifier, e.g. `trusted-linux-processes`
example: simple_list_item
ExceptionListItemType:
type: string
enum: [simple]
ExceptionListItemName:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
type: string
minLength: 1
format: nonempty
description: Exception list name.
ExceptionListItemDescription:
type: string
description: Describes the exception list.
ExceptionListItemMeta:
type: object
additionalProperties: true
ExceptionListItemExpireTime:
type: string
format: date-time
description: The exception items expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
ExceptionListItemTags:
type: array
items:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
type: string
minLength: 1
format: nonempty
description: String array containing words and phrases to help categorize exception items.
ExceptionListItemOsType:
type: string
@ -168,11 +211,13 @@ components:
created_at:
type: string
format: date-time
description: Autogenerated date of object creation.
created_by:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
updated_at:
type: string
format: date-time
description: Autogenerated date of last object update.
updated_by:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
required:
@ -183,6 +228,10 @@ components:
ExceptionListItemCommentArray:
type: array
description: |
Array of comment fields:
- comment (string): Comments about the exception item.
items:
$ref: '#/components/schemas/ExceptionListItemComment'
@ -212,24 +261,29 @@ components:
meta:
$ref: '#/components/schemas/ExceptionListItemMeta'
expire_time:
type: string
format: date-time
$ref: '#/components/schemas/ExceptionListItemExpireTime'
comments:
$ref: '#/components/schemas/ExceptionListItemCommentArray'
_version:
type: string
description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
tie_breaker_id:
type: string
description: Field used in search to ensure all containers are sorted and returned correctly.
created_at:
type: string
format: date-time
description: Autogenerated date of object creation.
created_by:
type: string
description: Autogenerated value - user that created object.
updated_at:
type: string
format: date-time
description: Autogenerated date of last object update.
updated_by:
type: string
description: Autogenerated value - user that last updated object.
required:
- id
- item_id
@ -273,21 +327,24 @@ components:
meta:
$ref: '#/components/schemas/ExceptionListItemMeta'
expire_time:
type: string
format: date-time
$ref: '#/components/schemas/ExceptionListItemExpireTime'
comments:
$ref: '#/components/schemas/ExceptionListItemCommentArray'
version:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/primitives.schema.yaml#/components/schemas/NonEmptyString'
tie_breaker_id:
type: string
description: Field used in search to ensure all containers are sorted and returned correctly.
created_at:
type: string
format: date-time
description: Autogenerated date of object creation.
created_by:
type: string
description: Autogenerated value - user that created object.
updated_by:
type: string
description: Autogenerated value - user that last updated object.
required:
- list_id
- list_type
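Review bot: Several new descriptions on item-level schemas were copied from the list-level ones and now describe the wrong object: `ExceptionListItemName` says `Exception list name.`, `ExceptionListItemDescription` says `Describes the exception list.`, and `ExceptionListItemHumanId` keeps the list-oriented wording with the trusted-linux-processes hint while its own `example:` is `simple_list_item`. Suggested wording: `description: Exception item's name.`, `description: Describes the exception item.`, and `description: Exception item's human readable string identifier, e.g. simple_list_item.`. `ExceptionListVersion` has a typo, `increasd` → `increased`, which is mirrored in the generated `.gen.ts` in this diff and will persist until the schema is fixed and regenerated. `ExceptionListOsTypeArray` is an array yet its description says `Only enter one value`; if that is a real constraint, adding `maxItems: 1` makes it machine-checked instead of prose-only.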


@ -97,7 +97,7 @@ export class Client {
this.log = options.log;
}
/**
* An exception list groups exception items and can be associated with detection rules. You can assign detection rules with multiple exception lists.
* An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.
> info
> All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
@ -255,7 +255,7 @@ export class Client {
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Get a list of all exception lists.
* Get a list of all exception list containers.
*/
async findExceptionLists(props: FindExceptionListsProps) {
this.log.info(`${new Date().toISOString()} Calling API FindExceptionLists`);


@ -26,11 +26,11 @@ import {
export type ReadExceptionListRequestQuery = z.infer<typeof ReadExceptionListRequestQuery>;
export const ReadExceptionListRequestQuery = z.object({
/**
* Either `id` or `list_id` must be specified
* Exception list's identifier. Either `id` or `list_id` must be specified.
*/
id: ExceptionListId.optional(),
/**
* Either `id` or `list_id` must be specified
* Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
*/
list_id: ExceptionListHumanId.optional(),
namespace_type: ExceptionNamespaceType.optional().default('single'),


@ -14,13 +14,13 @@ paths:
- name: id
in: query
required: false
description: Either `id` or `list_id` must be specified
description: Exception list's identifier. Either `id` or `list_id` must be specified.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListId'
- name: list_id
in: query
required: false
description: Either `id` or `list_id` must be specified
description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId'
- name: namespace_type
@ -29,6 +29,11 @@ paths:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
default: single
examples:
single:
value: single
agnostic:
value: agnostic
responses:
200:
description: Successful response
@ -36,6 +41,25 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionList'
examples:
detectionType:
value:
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
list_id: simple_list
type: detection
name: Sample Detection Exception List
description: This is a sample detection type exception list.
immutable: false
namespace_type: single
os_types: [linux]
tags: [malware]
version: 1
_version: WzIsMV0=
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
created_at: 2025-01-07T19:34:27.942Z
created_by: elastic
updated_at: 2025-01-07T19:34:27.942Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -44,27 +68,55 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]'
404:
description: Exception list item not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message": 'exception list id: "foo" does not exist'
status_code": 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
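Review bot: The `notFound` example is malformed: its keys are written as `message":` and `status_code":` with a stray double quote, so the example renders with keys named message" and status_code" instead of the `message` and `status_code` fields of `SiemErrorResponse`. Change the two lines to `message: 'exception list id: "foo" does not exist'` and `status_code: 404`. The same stray quotes appear in the `notFound` example of the summary endpoint file further down in this diff.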


@ -26,11 +26,11 @@ import {
export type ReadExceptionListItemRequestQuery = z.infer<typeof ReadExceptionListItemRequestQuery>;
export const ReadExceptionListItemRequestQuery = z.object({
/**
* Either `id` or `item_id` must be specified
* Exception list item's identifier. Either `id` or `item_id` must be specified.
*/
id: ExceptionListItemId.optional(),
/**
* Either `id` or `item_id` must be specified
* Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.
*/
item_id: ExceptionListItemHumanId.optional(),
namespace_type: ExceptionNamespaceType.optional().default('single'),


@ -14,13 +14,13 @@ paths:
- name: id
in: query
required: false
description: Either `id` or `item_id` must be specified
description: Exception list item's identifier. Either `id` or `item_id` must be specified.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemId'
- name: item_id
in: query
required: false
description: Either `id` or `item_id` must be specified
description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemHumanId'
- name: namespace_type
@ -29,6 +29,11 @@ paths:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
default: single
examples:
single:
value: single
agnostic:
value: agnostic
responses:
200:
description: Successful response
@ -36,6 +41,33 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItem'
examples:
simpleListItem:
value:
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
type: simple
name: Sample Exception List Item
description: This is a sample detection type exception item.
entries:
- type: exists
field: actingProcess.file.signer
operator: excluded
- type: match_any
field: host.name
value: [saturn, jupiter]
operator: included
namespace_type: single
os_types: [linux]
tags: [malware]
comments: []
_version: WzQsMV0=
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
created_at: 2025-01-07T20:07:33.119Z
created_by: elastic
updated_at: 2025-01-07T20:07:33.119Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -44,27 +76,55 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]'
404:
description: Exception list item not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message: 'exception list item item_id: \"foo\" does not exist'
status_code: 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
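Review bot: The `forbidden` example's request path `GET /api/exception_lists/items?item_id=&namespace_type=single` has an empty `item_id`, which contradicts the parameter docs in the same file (either `id` or `item_id` must be specified) and reads like a captured mistake rather than an intended example. Reusing the 200 example's identifier, `item_id=simple_list_item`, keeps the examples in this file consistent with each other.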


@ -27,11 +27,11 @@ export type ReadExceptionListSummaryRequestQuery = z.infer<
>;
export const ReadExceptionListSummaryRequestQuery = z.object({
/**
* Exception list's identifier generated upon creation
* Exception list's identifier generated upon creation.
*/
id: ExceptionListId.optional(),
/**
* Exception list's human readable identifier
* Exception list's human readable identifier.
*/
list_id: ExceptionListHumanId.optional(),
namespace_type: ExceptionNamespaceType.optional().default('single'),


@ -14,13 +14,13 @@ paths:
- name: id
in: query
required: false
description: Exception list's identifier generated upon creation
description: Exception list's identifier generated upon creation.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListId'
- name: list_id
in: query
required: false
description: Exception list's human readable identifier
description: Exception list's human readable identifier.
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListHumanId'
- name: namespace_type
@ -29,12 +29,18 @@ paths:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionNamespaceType'
default: single
examples:
single:
value: single
agnostic:
value: agnostic
- name: filter
in: query
required: false
description: Search filter clause
schema:
type: string
example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all"
responses:
200:
description: Successful response
@ -55,6 +61,13 @@ paths:
total:
type: integer
minimum: 0
examples:
summary:
value:
windows: 0
linux: 0
macos: 0
total: 0
400:
description: Invalid input data response
content:
@ -63,27 +76,55 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'"
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary]'
404:
description: Exception list not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message": 'exception list id: "foo" does not exist'
status_code": 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
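Review bot: The new `filter` parameter description `Search filter clause` does not say what the clause is matched against or which field prefix to use. Its example uses the `exception-list-agnostic.attributes.tags:` prefix while the find endpoint example earlier in this diff uses `exception-list.attributes.name:`, which suggests the prefix depends on `namespace_type`; if that is the case, say so, e.g. `description: Search filter clause matched against the list's saved-object attributes; use the exception-list.attributes prefix for single-space lists and exception-list-agnostic.attributes for agnostic ones.` A reader of this page cannot otherwise tell why the two examples differ.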


@ -42,6 +42,9 @@ export const UpdateExceptionListRequestBody = z.object({
tags: ExceptionListTags.optional(),
meta: ExceptionListMeta.optional(),
version: ExceptionListVersion.optional(),
/**
* The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
*/
_version: z.string().optional(),
});
export type UpdateExceptionListRequestBodyInput = z.input<typeof UpdateExceptionListRequestBody>;


@ -42,10 +42,18 @@ paths:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListVersion'
_version:
type: string
description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
required:
- name
- description
- type
example:
list_id: simple_list
tags: [draft malware]
type: detection
os_types: [linux]
description: Different description
name: Updated exception list name
responses:
200:
description: Successful response
@ -53,6 +61,28 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionList'
examples:
simpleList:
value:
id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55
list_id: simple_list
type: detection
name: Updated exception list name
description: Different description
immutable: false
namespace_type: single
os_types: []
tags: [
draft
malware,
]
version: 2
_version: WzExLDFd
tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f
created_at: 2025-01-07T20:43:55.264Z
created_by: elastic
updated_at: 2025-01-07T21:32:03.726Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -61,27 +91,55 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: '[request body]: list_id: Expected string, received number'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
404:
description: Exception list not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message": 'exception list id: "foo" does not exist'
status_code": 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
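Review bot: The 404 example near the end of this hunk has a stray double quote in both key names, `message":` and `status_code":`, so the example object is emitted with keys `message"` and `status_code"` instead of the SiemErrorResponse fields that the 500 example just below spells correctly; the two lines should read `message: 'exception list id: "foo" does not exist'` and `status_code: 404`, and the same typo appears in the 404 example of the summary endpoint's hunk above. The `_version` description still reads "Use it ensure updates …", which should be "Use it to ensure updates …" — the generated `.gen.ts` JSDoc inherits the wording, so fix it here and regenerate rather than patching the generated file. The `tags` values in the request example (`[draft malware]`) and in the response example (`draft` and `malware,` split across lines inside the flow sequence) both parse as a single `draft malware` tag rather than two tags, which looks unintended; `tags: [draft, malware]` is probably what was meant.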


@ -28,6 +28,7 @@ import {
ExceptionListItemOsTypeArray,
ExceptionListItemTags,
ExceptionListItemMeta,
ExceptionListItemExpireTime,
ExceptionListItem,
} from '../model/exception_list_common.gen';
import { ExceptionListItemEntryArray } from '../model/exception_list_item_entry.gen';
@ -62,8 +63,11 @@ export const UpdateExceptionListItemRequestBody = z.object({
os_types: ExceptionListItemOsTypeArray.optional().default([]),
tags: ExceptionListItemTags.optional(),
meta: ExceptionListItemMeta.optional(),
expire_time: z.string().datetime().optional(),
expire_time: ExceptionListItemExpireTime.optional(),
comments: UpdateExceptionListItemCommentArray.optional().default([]),
/**
* The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
*/
_version: z.string().optional(),
});
export type UpdateExceptionListItemRequestBodyInput = z.input<


@ -45,18 +45,31 @@ paths:
meta:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemMeta'
expire_time:
type: string
format: date-time
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItemExpireTime'
comments:
$ref: '#/components/schemas/UpdateExceptionListItemCommentArray'
default: []
_version:
type: string
description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
required:
- type
- name
- description
- entries
example:
comments: []
description: Updated description
entries:
- field: host.name
type: match
value: rock01
operator: included
item_id: simple_list_item
name: Updated name
namespace_type: single
tags: []
type: simple
responses:
200:
description: Successful response
@ -64,6 +77,30 @@ paths:
application/json:
schema:
$ref: '../model/exception_list_common.schema.yaml#/components/schemas/ExceptionListItem'
examples:
simpleListItem:
value:
id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da
item_id: simple_list_item
list_id: simple_list
type: simple
name: Updated name
description: Updated description
entries:
- type: match
field: host.name
value: rock01
operator: included
namespace_type: single
os_types: []
tags: []
comments: []
_version: WzEyLDFd
tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0
created_at: 2025-01-07T21:12:25.512Z
created_by: elastic
updated_at: 2025-01-07T21:34:50.233Z
updated_by: elastic
400:
description: Invalid input data response
content:
@ -72,30 +109,58 @@ paths:
oneOf:
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
badRequest:
value:
statusCode: 400
error: Bad Request
message: '[request body]: item_id: Expected string, received number'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
unauthorized:
value:
statusCode: 401
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
403:
description: Not enough privileges response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
examples:
forbidden:
value:
statusCode: 403
error: Forbidden
message: 'API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]'
404:
description: Exception list item not found response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
notFound:
value:
message: 'exception list item item_id: \"foo\" does not exist'
status_code: 404
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../../../../../src/platform/packages/shared/kbn-openapi-common/schemas/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
components:
x-codegen-enabled: true
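Review bot: The 404 example's message, `message: 'exception list item item_id: \"foo\" does not exist'`, is a single-quoted YAML scalar, in which a backslash is a literal character, so the rendered example shows `\"foo\"` with the backslashes; the update-list endpoint's corresponding example quotes the id as plain `"foo"` inside single quotes, and this one should match: `message: 'exception list item item_id: "foo" does not exist'`. The `_version` description carries the same "Use it ensure updates" typo as the list endpoint ("Use it to ensure"); since the `.gen.ts` JSDoc is derived from the schema, fixing it here and regenerating covers both. The `expire_time` property now references `ExceptionListItemExpireTime` from the common schema, which the generated `.gen.ts` hunk also imports, so the two appear to be in sync — worth confirming the common schema in this PR defines it with the same `date-time` format the inlined definition had, so existing clients sending the same values are still accepted.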


@ -47,7 +47,7 @@ export function SecuritySolutionApiProvider({ getService }: FtrProviderContext)
return {
/**
* An exception list groups exception items and can be associated with detection rules. You can assign detection rules with multiple exception lists.
* An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.
> info
> All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
@ -166,7 +166,7 @@ export function SecuritySolutionApiProvider({ getService }: FtrProviderContext)
.query(props.query);
},
/**
* Get a list of all exception lists.
* Get a list of all exception list containers.
*/
findExceptionLists(props: FindExceptionListsProps, kibanaSpace: string = 'default') {
return supertest