elastic · Copilot · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025
diff --git a/docs/resources/kibana_security_exception_item.md b/docs/resources/kibana_security_exception_item.md
@@ -0,0 +1,131 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "elasticstack_kibana_security_exception_item Resource - terraform-provider-elasticstack"
+subcategory: "Kibana"
+description: |-
+  Manages a Kibana Exception Item. Exception items define the specific query conditions used to prevent rules from generating alerts.
+  See the Kibana Exceptions API documentation https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api for more details.
+---
+
+# elasticstack_kibana_security_exception_item (Resource)
+
+Manages a Kibana Exception Item. Exception items define the specific query conditions used to prevent rules from generating alerts.
+
+See the [Kibana Exceptions API documentation](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api) for more details.
+
+## Example Usage
+
+### Basic exception item
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-exception-list"
+  name           = "My Exception List"
+  description    = "List of exceptions for security rules"
+  type           = "detection"
+  namespace_type = "single"
+
+  tags = ["security", "detections"]
+}
+
+resource "elasticstack_kibana_security_exception_item" "example" {
+  list_id        = elasticstack_kibana_security_exception_list.example.list_id
+  item_id        = "my-exception-item"
+  name           = "My Exception Item"
+  description    = "Exclude specific processes from alerts"
+  type           = "simple"
+  namespace_type = "single"
+
+  entries = jsonencode([
+    {
+      field    = "process.name"
+      operator = "included"
+      type     = "match"
+      value    = "trusted-process"
+    }
+  ])
+
+  tags = ["trusted", "whitelisted"]
+}
+```
+
+### Complex exception item with multiple entries
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-exception-list"
+  name           = "My Exception List"
+  description    = "List of exceptions"
+  type           = "detection"
+  namespace_type = "single"
+}
+
+resource "elasticstack_kibana_security_exception_item" "complex_entry" {
+  list_id        = elasticstack_kibana_security_exception_list.example.list_id
+  item_id        = "complex-exception"
+  name           = "Complex Exception with Multiple Entries"
+  description    = "Exception with multiple conditions"
+  type           = "simple"
+  namespace_type = "single"
+
+  # Multiple entries with different operators
+  entries = jsonencode([
+    {
+      field    = "host.name"
+      operator = "included"
+      type     = "match"
+      value    = "trusted-host"
+    },
+    {
+      field    = "user.name"
+      operator = "excluded"
+      type     = "match_any"
+      value    = ["admin", "root"]
+    }
+  ])
+
+  os_types = ["linux"]
+  tags     = ["complex", "multi-condition"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) Describes the exception item.
+- `entries` (String) The exception item entries as JSON string. This defines the conditions under which the exception applies.
+- `list_id` (String) The exception list's identifier that this item belongs to.
+- `name` (String) The name of the exception item.
+- `type` (String) The type of exception item. Must be `simple`.
+
+### Optional
+
+- `comments` (Attributes List) Array of comments about the exception item. (see [below for nested schema](#nestedatt--comments))
+- `expire_time` (String) The exception item's expiration date in ISO format. This field is only available for regular exception items, not endpoint exceptions.
+- `item_id` (String) The exception item's human readable string identifier.
+- `meta` (String) Placeholder for metadata about the exception item as JSON string.
+- `namespace_type` (String) Determines whether the exception item is available in all Kibana spaces or just the space in which it is created. Can be `single` (default) or `agnostic`.
+- `os_types` (List of String) Array of OS types for which the exceptions apply. Valid values: `linux`, `macos`, `windows`.
+- `tags` (List of String) String array containing words and phrases to help categorize exception items.
+
+### Read-Only
+
+- `created_at` (String) The timestamp of when the exception item was created.
+- `created_by` (String) The user who created the exception item.
+- `id` (String) The unique identifier of the exception item (auto-generated by Kibana).
+- `tie_breaker_id` (String) Field used in search to ensure all items are sorted and returned correctly.
+- `updated_at` (String) The timestamp of when the exception item was last updated.
+- `updated_by` (String) The user who last updated the exception item.
+
+<a id="nestedatt--comments"></a>
+### Nested Schema for `comments`
+
+Required:
+
+- `comment` (String) The comment text.
+
+Read-Only:
+
+- `id` (String) The unique identifier of the comment (auto-generated by Kibana).
diff --git a/docs/resources/kibana_security_exception_list.md b/docs/resources/kibana_security_exception_list.md
@@ -0,0 +1,72 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "elasticstack_kibana_security_exception_list Resource - terraform-provider-elasticstack"
+subcategory: "Kibana"
+description: |-
+  Manages a Kibana Exception List. Exception lists are containers for exception items used to prevent security rules from generating alerts.
+  See the Kibana Exceptions API documentation https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api for more details.
+---
+
+# elasticstack_kibana_security_exception_list (Resource)
+
+Manages a Kibana Exception List. Exception lists are containers for exception items used to prevent security rules from generating alerts.
+
+See the [Kibana Exceptions API documentation](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api) for more details.
+
+## Example Usage
+
+### Basic exception list
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-detection-exception-list"
+  name           = "My Detection Exception List"
+  description    = "List of exceptions for security detection rules"
+  type           = "detection"
+  namespace_type = "single"
+
+  tags = ["security", "detections"]
+}
+```
+
+### Endpoint exception list with OS types
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "endpoint" {
+  list_id        = "my-endpoint-exception-list"
+  name           = "My Endpoint Exception List"
+  description    = "List of endpoint exceptions"
+  type           = "endpoint"
+  namespace_type = "agnostic"
+
+  os_types = ["linux", "windows", "macos"]
+  tags     = ["endpoint", "security"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) Describes the exception list.
+- `list_id` (String) The exception list's human readable string identifier.
+- `name` (String) The name of the exception list.
+- `type` (String) The type of exception list. Can be one of: `detection`, `endpoint`, `endpoint_trusted_apps`, `endpoint_events`, `endpoint_host_isolation_exceptions`, `endpoint_blocklists`.
+
+### Optional
+
+- `meta` (String) Placeholder for metadata about the list container as JSON string.
+- `namespace_type` (String) Determines whether the exception list is available in all Kibana spaces or just the space in which it is created. Can be `single` (default) or `agnostic`.
+- `os_types` (List of String) Array of OS types for which the exceptions apply. Valid values: `linux`, `macos`, `windows`.
+- `tags` (List of String) String array containing words and phrases to help categorize exception containers.
+
+### Read-Only
+
+- `created_at` (String) The timestamp of when the exception list was created.
+- `created_by` (String) The user who created the exception list.
+- `id` (String) The unique identifier of the exception list (auto-generated by Kibana).
+- `immutable` (Boolean) Whether the exception list is immutable.
+- `tie_breaker_id` (String) Field used in search to ensure all containers are sorted and returned correctly.
+- `updated_at` (String) The timestamp of when the exception list was last updated.
+- `updated_by` (String) The user who last updated the exception list.
diff --git a/examples/resources/elasticstack_kibana_security_exception_item/resource.tf b/examples/resources/elasticstack_kibana_security_exception_item/resource.tf
@@ -0,0 +1,29 @@
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-exception-list"
+  name           = "My Exception List"
+  description    = "List of exceptions for security rules"
+  type           = "detection"
+  namespace_type = "single"
+
+  tags = ["security", "detections"]
+}
+
+resource "elasticstack_kibana_security_exception_item" "example" {
+  list_id        = elasticstack_kibana_security_exception_list.example.list_id
+  item_id        = "my-exception-item"
+  name           = "My Exception Item"
+  description    = "Exclude specific processes from alerts"
+  type           = "simple"
+  namespace_type = "single"
+
+  entries = jsonencode([
+    {
+      field    = "process.name"
+      operator = "included"
+      type     = "match"
+      value    = "trusted-process"
+    }
+  ])
+
+  tags = ["trusted", "whitelisted"]
+}
diff --git a/examples/resources/elasticstack_kibana_security_exception_item/resource_complex.tf b/examples/resources/elasticstack_kibana_security_exception_item/resource_complex.tf
@@ -0,0 +1,35 @@
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-exception-list"
+  name           = "My Exception List"
+  description    = "List of exceptions"
+  type           = "detection"
+  namespace_type = "single"
+}
+
+resource "elasticstack_kibana_security_exception_item" "complex_entry" {
+  list_id        = elasticstack_kibana_security_exception_list.example.list_id
+  item_id        = "complex-exception"
+  name           = "Complex Exception with Multiple Entries"
+  description    = "Exception with multiple conditions"
+  type           = "simple"
+  namespace_type = "single"
+
+  # Multiple entries with different operators
+  entries = jsonencode([
+    {
+      field    = "host.name"
+      operator = "included"
+      type     = "match"
+      value    = "trusted-host"
+    },
+    {
+      field    = "user.name"
+      operator = "excluded"
+      type     = "match_any"
+      value    = ["admin", "root"]
+    }
+  ])
+
+  os_types = ["linux"]
+  tags     = ["complex", "multi-condition"]
+}
diff --git a/examples/resources/elasticstack_kibana_security_exception_list/resource.tf b/examples/resources/elasticstack_kibana_security_exception_list/resource.tf
@@ -0,0 +1,9 @@
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-detection-exception-list"
+  name           = "My Detection Exception List"
+  description    = "List of exceptions for security detection rules"
+  type           = "detection"
+  namespace_type = "single"
+
+  tags = ["security", "detections"]
+}
diff --git a/examples/resources/elasticstack_kibana_security_exception_list/resource_endpoint.tf b/examples/resources/elasticstack_kibana_security_exception_list/resource_endpoint.tf
@@ -0,0 +1,10 @@
+resource "elasticstack_kibana_security_exception_list" "endpoint" {
+  list_id        = "my-endpoint-exception-list"
+  name           = "My Endpoint Exception List"
+  description    = "List of endpoint exceptions"
+  type           = "endpoint"
+  namespace_type = "agnostic"
+
+  os_types = ["linux", "windows", "macos"]
+  tags     = ["endpoint", "security"]
+}