Import an exception list

POST /api/exception_lists/_import

Import an exception list and its associated items from an NDJSON file.

Query parameters

  • overwrite boolean

    Determines whether existing exception lists with the same list_id are overwritten. If any exception items have the same item_id, those are also overwritten.

    Default value is false.

  • Determines whether the list being imported will have a new list_id generated. Additional item_id's are generated for each exception item. Both the exception list and its items are overwritten.

    Default value is false.

multipart/form-data

Body Required

  • file string(binary)

    A .ndjson file containing the exception list

Responses

POST /api/exception_lists/_import
curl \
 --request POST https://localhost:5601/api/exception_lists/_import \
 --header "Content-Type: multipart/form-data" \
 --form "file={"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
"
Response examples (200)
{
  "errors": [
    {
      "error": {
        "message": "Error found importing exception list: Invalid value \\\"4\\\" supplied to \\\"list_id\\\"",
        "status_code": 400
      },
      "list_id": "(unknown list_id)"
    },
    {
      "error": {
        "message": "Found that item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" already exists. Import of item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" skipped.",
        "status_code": 409
      },
      "item_id": "f7fd00bb-dba8-4c93-9d59-6cbd427b6330",
      "list_id": "7d7cccb8-db72-4667-b1f3-648efad7c1ee"
    }
  ],
  "success": "false,",
  "success_count": 0,
  "success_exception_lists": "false,",
  "success_exception_list_items": "false,",
  "success_count_exception_lists": 0,
  "success_count_exception_list_items": 0
}
{
  "errors": [],
  "success": true,
  "success_count": 2,
  "success_exception_lists": "true,",
  "success_exception_list_items": true,
  "success_count_exception_lists": 1,
  "success_count_exception_list_items": 1
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}