Create a Timeline or Timeline template

POST /api/timeline

Create a new Timeline or Timeline template.

application/json; Elastic-Api-Version=2023-10-31

Body Required

The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates the Timeline was successfully created.

    • data object Required
      • persistTimeline object Required
        • timeline object Required
          • columns array[object] | null

            The Timeline's columns

          • created number | null

            The time the Timeline was created, using a 13-digit Epoch timestamp.

          • createdBy string | null

            The user who created the Timeline.

          • dataProviders array[object] | null

            Object containing query clauses

          • dataViewId string | null

            ID of the Timeline's Data View

          • dateRange object | null

            The Timeline's search period.

          • description string | null

            The Timeline's description

          • eqlOptions object | null

            EQL query that is used in the correlation tab

          • eventType string | null Deprecated

            Event types displayed in the Timeline

          • excludedRowRendererIds array[string] | null

            A list of row renderers that should not be used when in Event renderers mode

            Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

          • favorite array[object] | null

            Indicates when and who marked a Timeline as a favorite.

          • filters array[object] | null

            A list of filters that should be applied to the query

          • indexNames array[string] | null

            A list of index names to use in the query (e.g. when the default data view has been modified)

          • kqlMode string | null

            Indicates whether the KQL bar filters the query results or searches for additional results, where:

            • filter: filters query results
            • search: displays additional search results
          • kqlQuery object | null

            KQL bar query.

          • savedQueryId string | null

            The ID of the saved query that might be used in the Query tab

          • savedSearchId string | null

            The ID of the saved search that is used in the ES|QL tab

          • sort object | null

            Object indicating how rows are sorted in the Timeline's grid

          • status string | null

            The status of the Timeline.

            Values are active, draft, or immutable.

          • templateTimelineId string | null

            A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

          • templateTimelineVersion number | null

            Timeline template version number. For Timelines, the value is null.

          • timelineType string | null

            The type of Timeline.

            Values are default or template.

          • title string | null

            The Timeline's title.

          • updated number | null

            The last time the Timeline was updated, using a 13-digit Epoch timestamp

          • updatedBy string | null

            The user who last updated the Timeline

          • savedObjectId string Required

            The savedObjectId of the Timeline or Timeline template

          • version string Required

            The version of the Timeline or Timeline template

          • eventIdToNoteIds array[object] | null

            A list of all the notes that are associated with this Timeline.

            • created number | null

              The time the note was created, using a 13-digit Epoch timestamp.

            • createdBy string | null

              The user who created the note.

            • updated number | null

              The last time the note was updated, using a 13-digit Epoch timestamp

            • updatedBy string | null

              The user who last updated the note

            • eventId string | null

              The _id of the associated event for this note.

            • note string | null

              The text of the note

            • timelineId string Required

              The savedObjectId of the Timeline that this note is associated with

            • noteId string Required

              The savedObjectId of the note

            • version string Required

              The version of the note

          • noteIds array[string] | null

            A list of all the ids of notes that are associated with this Timeline.

          • notes array[object] | null

            A list of all the notes that are associated with this Timeline.

            • created number | null

              The time the note was created, using a 13-digit Epoch timestamp.

            • createdBy string | null

              The user who created the note.

            • updated number | null

              The last time the note was updated, using a 13-digit Epoch timestamp

            • updatedBy string | null

              The user who last updated the note

            • eventId string | null

              The _id of the associated event for this note.

            • note string | null

              The text of the note

            • timelineId string Required

              The savedObjectId of the Timeline that this note is associated with

            • noteId string Required

              The savedObjectId of the note

            • version string Required

              The version of the note

          • pinnedEventIds array[string] | null

            A list of all the ids of pinned events that are associated with this Timeline.

          • pinnedEventsSaveObject array[object] | null

            A list of all the pinned events that are associated with this Timeline.

            • created number | null

              The time the pinned event was created, using a 13-digit Epoch timestamp.

            • createdBy string | null

              The user who created the pinned event.

            • updated number | null

              The last time the pinned event was updated, using a 13-digit Epoch timestamp

            • updatedBy string | null

              The user who last updated the pinned event

            • eventId string Required

              The _id of the associated event for this pinned event.

            • timelineId string Required

              The savedObjectId of the Timeline that this pinned event is associated with

            • pinnedEventId string Required

              The savedObjectId of this pinned event

            • version string Required

              The version of this pinned event

  • 405 application/json; Elastic-Api-Version=2023-10-31

    Indicates that there was an error in the Timeline creation.

POST /api/timeline
curl \
 --request POST 'http://localhost:5622/api/timeline' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
Request examples
{
  "status": "active",
  "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "templateTimelineVersion": 12,
  "timeline": {
    "columns": [
      {
        "id": "@timestamp",
        "columnHeaderType": "not-filtered"
      },
      {
        "id": "event.category",
        "columnHeaderType": "not-filtered"
      }
    ],
    "created": 1587468588922,
    "createdBy": "casetester",
    "dataProviders": [
      {
        "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "enabled": true,
        "excluded": false,
        "queryMatch": {
          "field": "_id",
          "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
          "operator": ":"
        }
      }
    ],
    "dataViewId": "security-solution-default",
    "dateRange": {
      "end": 1587456479201,
      "start": 1587370079200
    },
    "description": "Investigating exposure of CVE XYZ",
    "eqlOptions": {
      "size": 100,
      "query": "sequence\n[process where process.name == \"sudo\"]\n[any where true]",
      "timestampField": "@timestamp",
      "eventCategoryField": "event.category"
    },
    "eventType": "all",
    "excludedRowRendererIds": [
      "alert"
    ],
    "favorite": [
      {
        "userName": "elastic",
        "favoriteDate": 1741337636741
      }
    ],
    "filters": [
      {
        "meta": {
          "key": "@timestamp",
          "type": "exists",
          "alias": "Custom filter name",
          "index": ".alerts-security.alerts-default,logs-*",
          "value": "exists",
          "negate": false,
          "disabled": false
        },
        "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
      }
    ],
    "indexNames": [
      ".logs*"
    ],
    "kqlMode": "search",
    "kqlQuery": {
      "kuery": {
        "kind": "kuery",
        "expression": "_id : *"
      },
      "filterQuery": null,
      "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
    },
    "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
    "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "sort": {
      "columnId": "@timestamp",
      "sortDirection": "desc"
    },
    "status": "active",
    "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "templateTimelineVersion": 12,
    "timelineType": "default",
    "title": "CVE XYZ investigation",
    "updated": 1741344876825,
    "updatedBy": "casetester"
  },
  "timelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "timelineType": "default",
  "version": "string"
}
Response examples (200)
{
  "data": {
    "persistTimeline": {
      "timeline": {
        "columns": [
          {
            "id": "@timestamp",
            "columnHeaderType": "not-filtered"
          },
          {
            "id": "event.category",
            "columnHeaderType": "not-filtered"
          }
        ],
        "created": 1587468588922,
        "createdBy": "casetester",
        "dataProviders": [
          {
            "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
            "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
            "enabled": true,
            "excluded": false,
            "queryMatch": {
              "field": "_id",
              "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
              "operator": ":"
            }
          }
        ],
        "dataViewId": "security-solution-default",
        "dateRange": {
          "end": 1587456479201,
          "start": 1587370079200
        },
        "description": "Investigating exposure of CVE XYZ",
        "eqlOptions": {
          "size": 100,
          "query": "sequence\n[process where process.name == \"sudo\"]\n[any where true]",
          "timestampField": "@timestamp",
          "eventCategoryField": "event.category"
        },
        "eventType": "all",
        "excludedRowRendererIds": [
          "alert"
        ],
        "favorite": [
          {
            "userName": "elastic",
            "favoriteDate": 1741337636741
          }
        ],
        "filters": [
          {
            "meta": {
              "key": "@timestamp",
              "type": "exists",
              "alias": "Custom filter name",
              "index": ".alerts-security.alerts-default,logs-*",
              "value": "exists",
              "negate": false,
              "disabled": false
            },
            "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
          }
        ],
        "indexNames": [
          ".logs*"
        ],
        "kqlMode": "search",
        "kqlQuery": {
          "kuery": {
            "kind": "kuery",
            "expression": "_id : *"
          },
          "filterQuery": null,
          "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
        },
        "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
        "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
        "sort": {
          "columnId": "@timestamp",
          "sortDirection": "desc"
        },
        "status": "active",
        "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
        "templateTimelineVersion": 12,
        "timelineType": "default",
        "title": "CVE XYZ investigation",
        "updated": 1741344876825,
        "updatedBy": "casetester",
        "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
        "version": "WzE0LDFd",
        "eventIdToNoteIds": [
          {
            "created": 1587468588922,
            "createdBy": "casetester",
            "updated": 1741344876825,
            "updatedBy": "casetester",
            "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
            "note": "This is an example text",
            "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
            "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
            "version": "WzQ2LDFd"
          }
        ],
        "noteIds": [
          "709f99c6-89b6-4953-9160-35945c8e174e"
        ],
        "notes": [
          {
            "created": 1587468588922,
            "createdBy": "casetester",
            "updated": 1741344876825,
            "updatedBy": "casetester",
            "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
            "note": "This is an example text",
            "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
            "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
            "version": "WzQ2LDFd"
          }
        ],
        "pinnedEventIds": [
          "983f99c6-89b6-4953-9160-35945c8a194f"
        ],
        "pinnedEventsSaveObject": [
          {
            "created": 1587468588922,
            "createdBy": "casetester",
            "updated": 1741344876825,
            "updatedBy": "casetester",
            "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
            "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
            "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
            "version": "WzQ2LDFe"
          }
        ]
      }
    }
  }
}
Response examples (405)
{
  "body": "update timeline error",
  "statusCode": 405
}
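As an added example (not part of this reference or of Kibana's own code), the following Python checks a Timeline object against the status, timelineType and excludedRowRendererIds values listed above and the rule that a template carries templateTimelineId and templateTimelineVersion, wraps it into the create body, and reads the server-assigned savedObjectId and version out of a 200 response or the error message out of a 405. Leaving timelineId and version null in the create body is an assumption.

```python
"""Validate a Timeline object, build the create body, read the reply (added example)."""
import json

# Enumerations as listed in the field reference for this endpoint.
ROW_RENDERERS = {"alert", "alerts", "auditd", "auditd_file", "library", "netflow",
                 "plain", "registry", "suricata", "system", "system_dns",
                 "system_endgame_process", "system_file", "system_fim",
                 "system_security_event", "system_socket", "threat_match", "zeek"}
STATUSES = {"active", "draft", "immutable"}
TIMELINE_TYPES = {"default", "template"}


def validate_timeline(tl: dict) -> list:
    """Return constraint violations (an empty list means the object is acceptable)."""
    errors = []
    if tl.get("status") is not None and tl["status"] not in STATUSES:
        errors.append("status must be one of " + ", ".join(sorted(STATUSES)))
    ttype = tl.get("timelineType")
    if ttype is not None and ttype not in TIMELINE_TYPES:
        errors.append("timelineType must be default or template")
    unknown = set(tl.get("excludedRowRendererIds") or []) - ROW_RENDERERS
    if unknown:
        errors.append("unknown row renderer ids: " + ", ".join(sorted(unknown)))
    # A template carries a template UUID and a version number; plain Timelines leave them null.
    if ttype == "template" and (tl.get("templateTimelineId") is None
                                or tl.get("templateTimelineVersion") is None):
        errors.append("a template needs templateTimelineId and templateTimelineVersion")
    return errors


def build_request(timeline: dict, timeline_type: str = "default") -> dict:
    """Wrap a Timeline object in the create body; raises ValueError on violations.
    timelineId/version stay null on create (assumption: the server assigns both)."""
    errors = validate_timeline({**timeline, "timelineType": timeline_type})
    if errors:
        raise ValueError("; ".join(errors))
    return {"timeline": timeline, "timelineType": timeline_type,
            "timelineId": None, "version": None}


def parse_response(status: int, body: str) -> tuple:
    """200: return the server-assigned (savedObjectId, version) needed for later
    updates. Anything else (e.g. the documented 405) raises with the body message."""
    payload = json.loads(body)
    if status != 200:
        raise RuntimeError(f"{payload.get('statusCode', status)}: {payload.get('body')}")
    tl = payload["data"]["persistTimeline"]["timeline"]
    return tl["savedObjectId"], tl["version"]
```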