Update a Timeline

PATCH /api/timeline

Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.

application/json

Body Required

The Timeline updates, along with the Timeline ID and version.

Responses

PATCH /api/timeline
curl \
 --request PATCH http://localhost:5622/api/timeline \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"timeline":{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester"},"timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}'
Request examples
{
  "timeline": {
    "columns": [
      {
        "id": "@timestamp",
        "columnHeaderType": "not-filtered"
      },
      {
        "id": "event.category",
        "columnHeaderType": "not-filtered"
      }
    ],
    "created": 1587468588922,
    "createdBy": "casetester",
    "dataProviders": [
      {
        "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "enabled": true,
        "excluded": false,
        "queryMatch": {
          "field": "_id,",
          "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
          "operator": ":"
        }
      }
    ],
    "dataViewId": "security-solution-default",
    "dateRange": {
      "end": 1587456479201,
      "start": 1587370079200
    },
    "description": "Investigating exposure of CVE XYZ",
    "eqlOptions": {
      "size": 100,
      "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
      "timestampField": "@timestamp",
      "eventCategoryField": "event.category"
    },
    "eventType": "all",
    "excludedRowRendererIds": [
      "alert"
    ],
    "favorite": [
      {
        "userName": "elastic",
        "favoriteDate": 1741337636741
      }
    ],
    "filters": [
      {
        "meta": {
          "key": "@timestamp",
          "type": "exists",
          "alias": "Custom filter name",
          "index": ".alerts-security.alerts-default,logs-*",
          "value": "exists",
          "negate": "false,",
          "disabled": false
        },
        "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
      }
    ],
    "indexNames": [
      ".logs*"
    ],
    "kqlMode": "search",
    "kqlQuery": {
      "kuery": {
        "kind": "kuery",
        "expression": "_id : *"
      },
      "filterQuery": null,
      "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
    },
    "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
    "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "sort": {
      "columnId": "@timestamp",
      "sortDirection": "desc"
    },
    "status": "active",
    "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "templateTimelineVersion": 12,
    "timelineType": "default",
    "title": "CVE XYZ investigation",
    "updated": 1741344876825,
    "updatedBy": "casetester"
  },
  "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
  "version": "WzE0LDFd"
}
Response examples (200)
{
  "columns": [
    {
      "id": "@timestamp",
      "columnHeaderType": "not-filtered"
    },
    {
      "id": "event.category",
      "columnHeaderType": "not-filtered"
    }
  ],
  "created": 1587468588922,
  "createdBy": "casetester",
  "dataProviders": [
    {
      "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "enabled": true,
      "excluded": false,
      "queryMatch": {
        "field": "_id,",
        "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
        "operator": ":"
      }
    }
  ],
  "dataViewId": "security-solution-default",
  "dateRange": {
    "end": 1587456479201,
    "start": 1587370079200
  },
  "description": "Investigating exposure of CVE XYZ",
  "eqlOptions": {
    "size": 100,
    "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
    "timestampField": "@timestamp",
    "eventCategoryField": "event.category"
  },
  "eventType": "all",
  "excludedRowRendererIds": [
    "alert"
  ],
  "favorite": [
    {
      "userName": "elastic",
      "favoriteDate": 1741337636741
    }
  ],
  "filters": [
    {
      "meta": {
        "key": "@timestamp",
        "type": "exists",
        "alias": "Custom filter name",
        "index": ".alerts-security.alerts-default,logs-*",
        "value": "exists",
        "negate": "false,",
        "disabled": false
      },
      "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
    }
  ],
  "indexNames": [
    ".logs*"
  ],
  "kqlMode": "search",
  "kqlQuery": {
    "kuery": {
      "kind": "kuery",
      "expression": "_id : *"
    },
    "filterQuery": null,
    "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
  },
  "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
  "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "sort": {
    "columnId": "@timestamp",
    "sortDirection": "desc"
  },
  "status": "active",
  "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "templateTimelineVersion": 12,
  "timelineType": "default",
  "title": "CVE XYZ investigation",
  "updated": 1741344876825,
  "updatedBy": "casetester",
  "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
  "version": "WzE0LDFd",
  "eventIdToNoteIds": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "noteIds": [
    "709f99c6-89b6-4953-9160-35945c8e174e"
  ],
  "notes": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "pinnedEventIds": [
    "983f99c6-89b6-4953-9160-35945c8a194f"
  ],
  "pinnedEventsSaveObject": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
      "version": "WzQ2LDFe"
    }
  ]
}
Response examples (405)
{
  "body": "update timeline error",
  "statusCode": 405
}