Query parameters

Responses

GET /api/timeline/resolve
# Example request for GET /api/timeline/resolve.
# The Authorization header carries the contents of $API_KEY verbatim, so the
# variable must already hold the complete header value the server expects,
# including any scheme prefix (presumably "ApiKey <encoded key>"; confirm
# against the deployment's authentication documentation).
# The URL is plain http against localhost; when pointing this at a remote
# host, use https so the key is not sent in cleartext. Keep the key in an
# environment variable rather than pasting it inline, so it stays out of
# shell history.
curl --request GET \
  --header "Authorization: $API_KEY" \
  'http://localhost:5622/api/timeline/resolve'
Response examples (200)
{
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "outcome": "exactMatch",
  "timeline": {
    "columns": [
      {
        "id": "@timestamp",
        "columnHeaderType": "not-filtered"
      },
      {
        "id": "event.category",
        "columnHeaderType": "not-filtered"
      }
    ],
    "created": 1587468588922,
    "createdBy": "casetester",
    "dataProviders": [
      {
        "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "enabled": true,
        "excluded": false,
        "queryMatch": {
          "field": "_id",
          "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
          "operator": ":"
        }
      }
    ],
    "dataViewId": "security-solution-default",
    "dateRange": {
      "end": 1587456479201,
      "start": 1587370079200
    },
    "description": "Investigating exposure of CVE XYZ",
    "eqlOptions": {
      "size": 100,
      "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
      "timestampField": "@timestamp",
      "eventCategoryField": "event.category"
    },
    "eventType": "all",
    "excludedRowRendererIds": [
      "alert"
    ],
    "favorite": [
      {
        "userName": "elastic",
        "favoriteDate": 1741337636741
      }
    ],
    "filters": [
      {
        "meta": {
          "key": "@timestamp",
          "type": "exists",
          "alias": "Custom filter name",
          "index": ".alerts-security.alerts-default,logs-*",
          "value": "exists",
          "negate": false,
          "disabled": false
        },
        "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
      }
    ],
    "indexNames": [
      ".logs*"
    ],
    "kqlMode": "search",
    "kqlQuery": {
      "kuery": {
        "kind": "kuery",
        "expression": "_id : *"
      },
      "filterQuery": null,
      "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
    },
    "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
    "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "sort": {
      "columnId": "@timestamp",
      "sortDirection": "desc"
    },
    "status": "active",
    "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "templateTimelineVersion": 12,
    "timelineType": "default",
    "title": "CVE XYZ investigation",
    "updated": 1741344876825,
    "updatedBy": "casetester",
    "eventIdToNoteIds": [
      {
        "created": 1587468588922,
        "createdBy": "casetester",
        "updated": 1741344876825,
        "updatedBy": "casetester",
        "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
        "note": "This is an example text",
        "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
        "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
        "version": "WzQ2LDFd"
      }
    ],
    "noteIds": [
      "string"
    ],
    "notes": [
      {
        "created": 1587468588922,
        "createdBy": "casetester",
        "updated": 1741344876825,
        "updatedBy": "casetester",
        "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
        "note": "This is an example text",
        "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
        "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
        "version": "WzQ2LDFd"
      }
    ],
    "pinnedEventIds": [
      "string"
    ],
    "pinnedEventsSaveObject": [
      {
        "created": 1587468588922,
        "createdBy": "casetester",
        "updated": 1741344876825,
        "updatedBy": "casetester",
        "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
        "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
        "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
        "version": "WzQ2LDFe"
      }
    ],
    "savedObjectId": "string",
    "version": "string"
  }
}