Update a Timeline
Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.
Body
Required
The Timeline updates, along with the Timeline ID and version.
-
timeline
object Required -
timelineId
string | null Required The
savedObjectIdof the Timeline or Timeline template that you’re updating. -
version
string | null Required The version of the Timeline or Timeline template that you’re updating.
PATCH
/api/timeline
curl \
--request PATCH 'https://localhost:5601/api/timeline' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"timeline":{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester"},"timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}'
Request examples
{
"timeline": {
"columns": [
{
"id": "@timestamp",
"columnHeaderType": "not-filtered"
},
{
"id": "event.category",
"columnHeaderType": "not-filtered"
}
],
"created": 1587468588922,
"createdBy": "casetester",
"dataProviders": [
{
"id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"enabled": true,
"excluded": false,
"queryMatch": {
"field": "_id,",
"value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
"operator": ":"
}
}
],
"dataViewId": "security-solution-default",
"dateRange": {
"end": 1587456479201,
"start": 1587370079200
},
"description": "Investigating exposure of CVE XYZ",
"eqlOptions": {
"size": 100,
"query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
"timestampField": "@timestamp",
"eventCategoryField": "event.category"
},
"eventType": "all",
"excludedRowRendererIds": [
"alert"
],
"favorite": [
{
"userName": "elastic",
"favoriteDate": 1741337636741
}
],
"filters": [
{
"meta": {
"key": "@timestamp",
"type": "exists",
"alias": "Custom filter name",
"index": ".alerts-security.alerts-default,logs-*",
"value": "exists",
"negate": "false,",
"disabled": false
},
"query": "{\"exists\":{\"field\":\"@timestamp\"}}"
}
],
"indexNames": [
".logs*"
],
"kqlMode": "search",
"kqlQuery": {
"kuery": {
"kind": "kuery",
"expression": "_id : *"
},
"filterQuery": null,
"serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
},
"savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
"savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"sort": {
"columnId": "@timestamp",
"sortDirection": "desc"
},
"status": "active",
"templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"templateTimelineVersion": 12,
"timelineType": "default",
"title": "CVE XYZ investigation",
"updated": 1741344876825,
"updatedBy": "casetester"
},
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"version": "WzE0LDFd"
}
Response examples (200)
{
"data": {
"persistTimeline": {
"timeline": {
"columns": [
{
"id": "@timestamp",
"columnHeaderType": "not-filtered"
},
{
"id": "event.category",
"columnHeaderType": "not-filtered"
}
],
"created": 1587468588922,
"createdBy": "casetester",
"dataProviders": [
{
"id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"enabled": true,
"excluded": false,
"queryMatch": {
"field": "_id,",
"value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
"operator": ":"
}
}
],
"dataViewId": "security-solution-default",
"dateRange": {
"end": 1587456479201,
"start": 1587370079200
},
"description": "Investigating exposure of CVE XYZ",
"eqlOptions": {
"size": 100,
"query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
"timestampField": "@timestamp",
"eventCategoryField": "event.category"
},
"eventType": "all",
"excludedRowRendererIds": [
"alert"
],
"favorite": [
{
"userName": "elastic",
"favoriteDate": 1741337636741
}
],
"filters": [
{
"meta": {
"key": "@timestamp",
"type": "exists",
"alias": "Custom filter name",
"index": ".alerts-security.alerts-default,logs-*",
"value": "exists",
"negate": "false,",
"disabled": false
},
"query": "{\"exists\":{\"field\":\"@timestamp\"}}"
}
],
"indexNames": [
".logs*"
],
"kqlMode": "search",
"kqlQuery": {
"kuery": {
"kind": "kuery",
"expression": "_id : *"
},
"filterQuery": null,
"serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
},
"savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
"savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"sort": {
"columnId": "@timestamp",
"sortDirection": "desc"
},
"status": "active",
"templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"templateTimelineVersion": 12,
"timelineType": "default",
"title": "CVE XYZ investigation",
"updated": 1741344876825,
"updatedBy": "casetester",
"savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"version": "WzE0LDFd",
"eventIdToNoteIds": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
"version": "WzQ2LDFd"
}
],
"noteIds": [
"709f99c6-89b6-4953-9160-35945c8e174e"
],
"notes": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
"version": "WzQ2LDFd"
}
],
"pinnedEventIds": [
"983f99c6-89b6-4953-9160-35945c8a194f"
],
"pinnedEventsSaveObject": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
"version": "WzQ2LDFe"
}
]
}
}
}
}
Response examples (405)
{
"body": "update timeline error",
"statusCode": 405
}