Import an exception list

POST /api/exception_lists/_import

Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/exception_lists/_import

Refer to Spaces for more information.

Import an exception list and its associated items from an NDJSON file.

Query parameters

overwrite boolean

Determines whether existing exception lists with the same list_id are overwritten. If any exception items have the same item_id, those are also overwritten.

Default value is false.
as_new_list boolean

Determines whether the list being imported will have a new list_id generated. Additional item_id's are generated for each exception item. Both the exception list and its items are overwritten.

Default value is false.

multipart/form-data

Body Required

file string(binary)

A .ndjson file containing the exception list

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- errors array[object] Required
  
  Hide errors attributes Show errors attributes object
  
  error object Required
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
  
  id string(nonempty)
  
  Exception list's identifier.
  
  Minimum length is 1.
  
  item_id string(nonempty)
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
  
  list_id string(nonempty)
  
  The exception list's human-readable string identifier.
  
  For endpoint artifacts, use one of the following values:
  
  endpoint_list: Elastic Endpoint exception list
  
  endpoint_trusted_apps: Trusted applications list
  
  endpoint_trusted_devices: Trusted devices list
  
  endpoint_event_filters: Event filters list
  
  endpoint_host_isolation_exceptions: Host isolation exceptions list
  
  endpoint_blocklists: Blocklists list
  
  Minimum length is 1.
- success boolean Required
- success_count integer Required
  
  Minimum value is 0.
- success_count_exception_list_items integer Required
  
  Minimum value is 0.
- success_count_exception_lists integer Required
  
  Minimum value is 0.
- success_exception_list_items boolean Required
- success_exception_lists boolean Required
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/exception_lists/_import

curl \
 --request POST 'https://<KIBANA_URL>/api/exception_lists/_import' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --form "file=exception_lists.ndjson"

Request example

{"file" => "exception_lists.ndjson"}

Response examples (200)

{
  "errors": [
    {
      "error": {
        "message": "Error found importing exception list: Invalid value \\\"4\\\" supplied to \\\"list_id\\\"",
        "status_code": 400
      },
      "list_id": "(unknown list_id)"
    },
    {
      "error": {
        "message": "Found that item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" already exists. Import of item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" skipped.",
        "status_code": 409
      },
      "item_id": "f7fd00bb-dba8-4c93-9d59-6cbd427b6330",
      "list_id": "7d7cccb8-db72-4667-b1f3-648efad7c1ee"
    }
  ],
  "success": "false,",
  "success_count": "0,",
  "success_count_exception_list_items": 0,
  "success_count_exception_lists": "0,",
  "success_exception_list_items": "false,",
  "success_exception_lists": "false,"
}

{
  "errors": [],
  "success": true,
  "success_count": 2,
  "success_count_exception_list_items": 1,
  "success_count_exception_lists": 1,
  "success_exception_list_items": true,
  "success_exception_lists": "true,"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "Multipart part `file` is required and must contain a valid .ndjson exception list export",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}