From 206f23dc49fb698bffaa59ee412c22cf64a47a40 Mon Sep 17 00:00:00 2001
From: "nastasha.solomon"
Date: Mon, 9 Oct 2023 15:42:57 -0400
Subject: [PATCH] First draft
---
 .../api/exceptions-api-index.asciidoc | 2 +
 .../api-create-exception-container.asciidoc | 1 +
 ...reate-rule-default-exception-list.asciidoc | 103 ++++++++++++++++++
 3 files changed, 106 insertions(+)
 create mode 100644 docs/detections/api/exceptions/api-create-rule-default-exception-list.asciidoc
diff --git a/docs/detections/api/exceptions-api-index.asciidoc b/docs/detections/api/exceptions-api-index.asciidoc
index 0e83bba7dd..c61b29e8a7 100644
--- a/docs/detections/api/exceptions-api-index.asciidoc
+++ b/docs/detections/api/exceptions-api-index.asciidoc
@@ -4,6 +4,8 @@ include::exceptions/api-create-exception-container.asciidoc[]
 include::exceptions/api-create-exception-item.asciidoc[]
+include::api-create-rule-default-exception-list.asciidoc[]
+
 include::exceptions/api-create-shared-exception-list.asciidoc[]
 include::exceptions/api-find-exception-containers.asciidoc[]
diff --git a/docs/detections/api/exceptions/api-create-exception-container.asciidoc b/docs/detections/api/exceptions/api-create-exception-container.asciidoc
index 3dadd40a0f..f3d052c82d 100644
--- a/docs/detections/api/exceptions/api-create-exception-container.asciidoc
+++ b/docs/detections/api/exceptions/api-create-exception-container.asciidoc
@@ -45,6 +45,7 @@ exception containers.
 |No
 * `detection`: Detection rule exception
 * `endpoint`: Endpoint alert exception
+* `rule_default`: Exception that belongs to a single rule
 |Yes
diff --git a/docs/detections/api/exceptions/api-create-rule-default-exception-list.asciidoc b/docs/detections/api/exceptions/api-create-rule-default-exception-list.asciidoc
new file mode 100644
index 0000000000..2e91db3e61
--- /dev/null
+++ b/docs/detections/api/exceptions/api-create-rule-default-exception-list.asciidoc
@@ -0,0 +1,103 @@
+[[exceptions-api-create-rule-default-exception-list]]
+=== Create exception list for an individual rule
+
+Creates a rule default exception list.
+
+An exception list groups <> and a rule default list is associated with a single rule. When an exception item’s query evaluates to true, the associated rule does not issue alerts even when its other criteria are met.
+
+A rule default exception list can apply to a single detection rule. To add to a rule's default exception list, simply pass in the exception items you would like to be applied to the rule. If a default exception list does not yet exist for the rule, one will be created and the exception added.
+
+==== Request URL
+
+`POST :/api/exception_lists`
+
+==== Request body
+
+A JSON object with these fields:
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`description` |String |Describes the exception container. |Yes
+|`list_id` |String |Unique identifier. |No, automatically created when it is not
+provided.
+|`meta` |Object |Placeholder for metadata about the list container. |No
+|`name` |String |The exception container's name. |Yes
+|`namespace_type` |String a|Determines whether the exception container is available in all {kib} spaces or just the space in which it is created, where:
+
+* `single`: Only available in the {kib} space in which it is created.
+* `agnostic`: Available in all {kib} spaces.
+
+|No, defaults to `single`.
+|`tags` |String[] |String array containing words and phrases to help categorize
+exception containers.
|No
+|`type` |String a|The type of exception, which must be:
+
+* `rule_default`: Exception that belongs to a single rule
+
+|Yes
+
+|==============================================
+
+===== Example requests
+
+Creates an exception container for holding trusted Linux process exception
+items:
+
+[source,console]
+--------------------------------------------------
+POST api/exception_lists
+{
+ "description": "Excludes Linux trusted processes",
+ "name": "Linux process exceptions",
+ "list_id": "trusted-linux-processes",
+ "type": "detection",
+ "namespace_type": "single",
+ "tags": [
+ "linux",
+ "processes"
+ ]
+}
+--------------------------------------------------
+// KIBANA
+
+==== Response code
+
+`200`::
+ Indicates a successful call.
+
+
+==== Response payload
+
+The exception container object with a unique ID.
+
+[source,json]
+--------------------------------------------------
+{
+ "_tags": [],
+ "created_at": "2020-07-13T09:33:46.187Z",
+ "created_by": "elastic",
+ "description": "Excludes Linux trusted processes",
+ "id": "f320c070-c4eb-11ea-80bb-11861bae2798", <1>
+ "list_id": "trusted-linux-processes", <2>
+ "name": "Linux process exceptions",
+ "namespace_type": "single", <3>
+ "tags": [
+ "linux",
+ "processes"
+ ],
+ "tie_breaker_id": "2c08d5a5-2ecc-4d5a-acfb-0a367f25b3f3",
+ "type": "detection", <4>
+ "updated_at": "2020-07-13T09:33:46.359Z",
+ "updated_by": "elastic"
+}
+--------------------------------------------------
+
+These values are required to associate the exception container with detection
+rules:
+
+<1> `id`
+<2> `list_id`
+<3> `namespace_type`
+<4> `type`