Import an exception list
Import an exception list and its associated items from an NDJSON file.
Query parameters
- overwrite (boolean): Determines whether existing exception lists with the same list_id are overwritten. If any exception items have the same item_id, those are also overwritten. Default value is false.
- as_new_list (boolean): Determines whether the list being imported will have a new list_id generated. Additional item_id values are generated for each exception item. Both the exception list and its items are overwritten. Default value is false.
POST /api/exception_lists/_import
# Write the NDJSON payload (one JSON object per line) to a file, then upload it as the "file" form part.
cat > exception_list.ndjson <<'EOF'
{"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
EOF
# Kibana requires a kbn-xsrf header on non-GET API requests.
curl \
--request POST https://localhost:5601/api/exception_lists/_import \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: true" \
--form "file=@exception_list.ndjson"
Response examples (200)
With errors
{
  "errors": [
    {
      "error": {
        "message": "Error found importing exception list: Invalid value \\\"4\\\" supplied to \\\"list_id\\\"",
        "status_code": 400
      },
      "list_id": "(unknown list_id)"
    },
    {
      "error": {
        "message": "Found that item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" already exists. Import of item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" skipped.",
        "status_code": 409
      },
      "item_id": "f7fd00bb-dba8-4c93-9d59-6cbd427b6330",
      "list_id": "7d7cccb8-db72-4667-b1f3-648efad7c1ee"
    }
  ],
  "success": false,
  "success_count": 0,
  "success_exception_lists": false,
  "success_exception_list_items": false,
  "success_count_exception_lists": 0,
  "success_count_exception_list_items": 0
}
Without errors
{
  "errors": [],
  "success": true,
  "success_count": 2,
  "success_exception_lists": true,
  "success_exception_list_items": true,
  "success_count_exception_lists": 1,
  "success_count_exception_list_items": 1
}
Response examples (400)
Security_exceptions_api_platformerrorresponse
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}
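Because overwrite=true replaces existing exceptions that share a list_id or item_id, it helps to review which ids in an NDJSON file collide with ones already in Kibana before importing. The sketch below is an added example, not part of the API or of Elastic's code; the function names, the sample records and the sets of existing ids are assumptions, it models only the overwrite parameter, and it assumes a list_id collision is handled like the item_id collision shown in the 200 "With errors" sample.

```python
import json

# Constructed sample export (NDJSON): one list line followed by two item lines.
SAMPLE_NDJSON = "\n".join([
    '{"list_id": "simple_list", "type": "detection", "name": "Sample list"}',
    '{"list_id": "simple_list", "item_id": "simple_list_item", "type": "simple"}',
    '{"list_id": "simple_list", "item_id": "new_item", "type": "simple"}',
])


def parse_export(text):
    """Return (list_ids, item_ids) found in an NDJSON export, in file order."""
    list_ids, item_ids = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from exc
        if not isinstance(record, dict) or "list_id" not in record:
            continue  # neither a list nor an item record; not checked here
        if "item_id" in record:  # items carry an item_id, the list line does not
            item_ids.append(record["item_id"])
        else:
            list_ids.append(record["list_id"])
    return list_ids, item_ids


def plan_import(text, existing_list_ids, existing_item_ids, overwrite=False):
    """Classify each id in the file as 'create', 'overwrite' or 'conflict'."""
    def outcome(ident, existing):
        if ident not in existing:
            return "create"
        # With overwrite=false a colliding id is reported in "errors" (409 for the
        # item in the page's sample; assumed to apply to list_id collisions too).
        return "overwrite" if overwrite else "conflict"

    list_ids, item_ids = parse_export(text)
    return {
        "lists": {i: outcome(i, existing_list_ids) for i in list_ids},
        "items": {i: outcome(i, existing_item_ids) for i in item_ids},
    }


if __name__ == "__main__":
    print(plan_import(SAMPLE_NDJSON, {"simple_list"}, {"simple_list_item"}, overwrite=True))
```

Any id reported as "overwrite" is an existing exception whose definition the import would replace, so it is worth comparing against the current entry before running the request.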