Notes on the different type options that users can specify:

• detection: This type can be shared across multiple rules and
• rule default: This type can only be used for a single rule.

Following up with more details.

Add the rule_default list type as an option
In this section, add the following:

Add section explaining what the rule_default vs detection (shared) is
I'm not yet convinced we need an added section. I think it can be explained along with the addition of the next item, adding information on the create rule exception route.

Document this route as Create rule exception

I think we can add a section under Create shared exception list that is called Create rule default exception list. The text might be something like:

Creates a rule default exception list.

An exception list groups exception items and a rule default list is associated with a single rule. When an exception item’s query evaluates to true, the associated rule does not issue alerts even when its other criteria are met.

A rule default exception list can apply to a single detection rule. To add to a rule's default exception list, simply pass in the exception items you would like to be applied to the rule. If a default exception list does not yet exist for the rule, one will be created and the exception added.

A user just needs to pass in a rule id and then in the body of the request, send in the exception items to be applied.

It would be important to note that as of right now, rule default exception lists do not get displayed in the shared exception list UI page. It's something we're tracking and hoping to get to.

Action items from today's meeting with @yctercero and @natasha-moore-elastic:

• @nastasha-solomon to update the Create exception container API and Update exception container docs as follows:
  • Add the rule_default (exception) list type to the type parameter description.
  • Revise the description for the detection list type. This list type is used for creating/updating a container that holds shared exceptions.
• @nastasha-solomon to document the create_rule_exceptions endpoint, which allows users to create rule default exceptions (i.e., exceptions for individual rules). She'll need the following from @yctercero:
  • A brief description of the endpoint functionality, as well as any pre-reqs that users need to complete. Here's an example.
  • Request body parameters and example request
  • The response code for a successful response
  • An example response payload
• @nastasha-solomon to update the intro for the Create exception item page to show that this endpoint only creates exception items for shared exception lists and endpoint exception lists.
• @yctercero to touch base with @dhurley14 about the endpoint for creating shared exception lists. The endpoint might be deprecated or unavailable.

cc: @jmikell821

@yctercero to touch base with @dhurley14 about the endpoint for creating shared exception lists. The endpoint might be deprecated or unavailable.

@nastasha-solomon we found the route! https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts It just exists under detection_engine directory, not the lists plugin.

Mystery solved! Thanks both for investigating this :)

@dhurley14 what's the correct endpoint route for the Create shared exception list endpoint? Is it POST <kibana host>:<port>/api/detection_engine/rule_exceptions or something slightly different?

Also, @yctercero would you be able to provide the following information for the create_rule_exceptions endpoint:

• A brief description of the endpoint functionality, as well as any pre-reqs that users need to complete. Here's an example.
• Request body parameters and example request
• The response code for a successful response
• An example response payload

tyty

Thanks @dhurley14 for helping clarify. I think we can move that endpoint to be documented under the detections section as it is not an endpoint that exists in the lists plugin.

As for create_rule_exceptions - here's the information:

• A brief description of the endpoint functionality, as well as any pre-reqs that users need to complete. Here's an example.

Allows a user to create exception items to be associated with the specified rule id.

Refer to Exceptions API for details on exception item format.

POST :/api/detection_engine/rules/{id}/exceptions

• Request body parameters and example request

Request Params

Body Params

• The response code for a successful response
  200 response code when successful.

• An example response payload

{
  body: [
    {
          comments: [],
          created_by: "elastic",
          description: "Exception item for rule default exception list",
          entries: [
            {
              field: "host.name",
              operator: "included",
              type: "match",
              value: "foo",
            },
          ],
          name: "Sample exception item",
          list_id: "e6c44050-c661-11ea-bab5-9d6ae015701b",
          namespace_type: "single",
          os_types: [],
          tags: [],
          type: "simple",
          updated_by: "elastic"
        }
  ]
}

My action items/notes from meeting with @yctercero today:

Exception API doc updates:
@nastasha-solomon to do the following:

• The endpoint that creates rule default exception items (i.e., exception items that only belong to one rule) is stored in the detection_engine folder and is technically part of the Detections API. As such:
  • The docs for this endpoint should be under the Detections API section in the Security docs TOC and listed as one of the detection API’s endpoints on the top-level Detections API page.
• Within the rules-api-create-rule-default-exception-item file:
  • Remove all params that previously doc and only doc the items param.
  • Note that to create exception items for a rule, users need to specify an array of values for the items JSON object. Also, point towards the shared exception item API docs for the required params.