Duplicate an exception list

POST /api/exception_lists/_duplicate

Duplicate an existing exception list.

Query parameters

  • list_id string(nonempty) Required

    Exception list's human readable string identifier, e.g. trusted-linux-processes.

    Minimum length is 1.

  • namespace_type string Required

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

  • Determines whether to include expired exceptions in the duplicated list. Expiration date defined by expire_time.

    Values are true or false. Default value is true.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.

  • 400 application/json

    Invalid input data response

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list not found

    Hide response attributes Show response attributes object
  • 405 application/json

    Exception list to duplicate not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/exception_lists/_duplicate
curl \
 --request POST https://localhost:5601/api/exception_lists/_duplicate?list_id=simple_list&namespace_type=agnostic&include_expired_exceptions=true
Response examples (200)
{
  "id": "b2f4a715-6ab1-444c-8b1e-3fa1b1049429",
  "name": "Sample Detection Exception List [Duplicate]",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "d6390d60-bce3-4a48-9002-52db600f329c",
  "version": 1,
  "_version": "WzExNDY1LDFd",
  "os_types": [],
  "immutable": false,
  "created_at": "2025-01-09T16:19:50.280Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T16:19:50.280Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception",
  "namespace_type": "single",
  "tie_breaker_id": "6fa670bd-666d-4c9c-9f1e-d1dbc516e985"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "[request query]: namespace_type: Invalid enum value. Expected 'agnostic' | 'single', received 'foo'",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404)
{
  "message\"": "exception list id: \"foo\" does not exist",
  "status_code\"": 404
}
Response examples (405)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}