Get draft Timeline or Timeline template details

GET /api/timeline/_draft

Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.

Query parameters

timelineType string | null Required

The type of Timeline.

Values are default or template.

Responses

200 application/json

Indicates that the draft Timeline was successfully retrieved.
Hide response attribute Show response attribute object
- data object Required
  
  Hide data attribute Show data attribute object
  
  persistTimeline object Required
  
  Hide persistTimeline attribute Show persistTimeline attribute object
  
  timeline object Required
  
  Hide timeline attributes Show timeline attributes object
  
  columns array[object] | null
  
  The Timeline's columns
  
  Hide columns attributes Show columns attributes object
  
  aggregatable boolean | null
  
  category string | null
  
  columnHeaderType string | null
  
  description string | null
  
  example string | null
  
  id string | null
  
  indexes array[string] | null
  
  name string | null
  
  placeholder string | null
  
  searchable boolean | null
  
  type string | null
  
  created number | null
  
  The time the Timeline was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the Timeline.
  
  dataProviders array[object] | null
  
  Object containing query clauses
  
  Hide dataProviders attributes Show dataProviders attributes object
  
  and array[object] | null
  
  Hide and attributes Show and attributes object
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider.
  
  Values are default or template.
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider.
  
  Values are default or template.
  
  dataViewId string | null
  
  ID of the Timeline's Data View
  
  dateRange object | null
  
  The Timeline's search period.
  
  Hide dateRange attributes Show dateRange attributes object | null
  
  end string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  end string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  start string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  start string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  description string | null
  
  The Timeline's description
  
  eqlOptions object | null
  
  EQL query that is used in the correlation tab
  
  Hide eqlOptions attributes Show eqlOptions attributes object | null
  
  eventCategoryField string | null
  
  query string | null
  
  size string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  size string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  tiebreakerField string | null
  
  timestampField string | null
  
  eventType string | null Deprecated
  
  Event types displayed in the Timeline
  
  excludedRowRendererIds array[string] | null
  
  A list of row renderers that should not be used when in Event renderers mode
  
  Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.
  
  favorite array[object] | null
  
  Indicates when and who marked a Timeline as a favorite.
  
  Hide favorite attributes Show favorite attributes object
  
  favoriteDate number | null
  
  fullName string | null
  
  userName string | null
  
  filters array[object] | null
  
  A list of filters that should be applied to the query
  
  Hide filters attributes Show filters attributes object
  
  exists string | null
  
  match_all string | null
  
  meta object | null
  
  Hide meta attributes Show meta attributes object | null
  
  alias string | null
  
  controlledBy string | null
  
  disabled boolean | null
  
  field string | null
  
  formattedValue string | null
  
  index string | null
  
  key string | null
  
  negate boolean | null
  
  params string | null
  
  type string | null
  
  value string | null
  
  missing string | null
  
  query string | null
  
  range string | null
  
  script string | null
  
  indexNames array[string] | null
  
  A list of index names to use in the query (e.g. when the default data view has been modified)
  
  kqlMode string | null
  
  Indicates whether the KQL bar filters the query results or searches for additional results, where:
  
  filter: filters query results
  
  search: displays additional search results
  
  kqlQuery object | null
  
  KQL bar query.
  
  Hide kqlQuery attribute Show kqlQuery attribute object | null
  
  filterQuery object | null
  
  Hide filterQuery attributes Show filterQuery attributes object | null
  
  kuery object | null
  
  Hide kuery attributes Show kuery attributes object | null
  
  expression string | null
  
  kind string | null
  
  serializedQuery string | null
  
  savedQueryId string | null
  
  The ID of the saved query that might be used in the Query tab
  
  savedSearchId string | null
  
  The ID of the saved search that is used in the ES|QL tab
  
  sort object | null | array[object]
  
  One of:
  Security_Timeline_API_SortObject object | null array-2 array[object] | null
  
  Object indicating how rows are sorted in the Timeline's grid
  
  Hide attributes Show attributes
  
  columnId string | null
  
  columnType string | null
  
  sortDirection string | null
  
  sort object | null | array[object]
  
  One of:
  Security_Timeline_API_SortObject object | null array-2 array[object] | null
  
  Object indicating how rows are sorted in the Timeline's grid
  
  Hide attributes Show attributes
  
  columnId string | null
  
  columnType string | null
  
  sortDirection string | null
  
  status string | null
  
  The status of the Timeline.
  
  Values are active, draft, or immutable.
  
  templateTimelineId string | null
  
  A unique ID (UUID) for Timeline templates. For Timelines, the value is null.
  
  templateTimelineVersion number | null
  
  Timeline template version number. For Timelines, the value is null.
  
  timelineType string | null
  
  The type of Timeline.
  
  Values are default or template.
  
  title string | null
  
  The Timeline's title.
  
  updated number | null
  
  The last time the Timeline was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the Timeline
  
  savedObjectId string Required
  
  The savedObjectId of the Timeline or Timeline template
  
  version string Required
  
  The version of the Timeline or Timeline template
  
  eventIdToNoteIds array[object] | null
  
  A list of all the notes that are associated to this Timeline.
  
  Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
  
  created number | null
  
  The time the note was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the note.
  
  updated number | null
  
  The last time the note was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the note
  
  eventId string | null
  
  The _id of the associated event for this note.
  
  note string | null
  
  The text of the note
  
  timelineId string Required
  
  The savedObjectId of the Timeline that this note is associated with
  
  noteId string Required
  
  The savedObjectId of the note
  
  version string Required
  
  The version of the note
  
  noteIds array[string] | null
  
  A list of all the ids of notes that are associated to this Timeline.
  
  notes array[object] | null
  
  A list of all the notes that are associated to this Timeline.
  
  Hide notes attributes Show notes attributes object
  
  created number | null
  
  The time the note was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the note.
  
  updated number | null
  
  The last time the note was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the note
  
  eventId string | null
  
  The _id of the associated event for this note.
  
  note string | null
  
  The text of the note
  
  timelineId string Required
  
  The savedObjectId of the Timeline that this note is associated with
  
  noteId string Required
  
  The savedObjectId of the note
  
  version string Required
  
  The version of the note
  
  pinnedEventIds array[string] | null
  
  A list of all the ids of pinned events that are associated to this Timeline.
  
  pinnedEventsSaveObject array[object] | null
  
  A list of all the pinned events that are associated to this Timeline.
  
  Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
  
  created number | null
  
  The time the pinned event was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the pinned event.
  
  updated number | null
  
  The last time the pinned event was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the pinned event
  
  eventId string Required
  
  The _id of the associated event for this pinned event.
  
  timelineId string Required
  
  The savedObjectId of the timeline that this pinned event is associated with
  
  pinnedEventId string Required
  
  The savedObjectId of this pinned event
  
  version string Required
  
  The version of this pinned event
403 application:json

If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline.
Hide response attributes Show response attributes object
- message string
- status_code number
409 application:json

This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given timelineId.
Hide response attributes Show response attributes object
- message string
- status_code number

GET /api/timeline/_draft

curl \
 --request GET 'https://localhost:5601/api/timeline/_draft?timelineType=default' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": {
    "persistTimeline": {
      "timeline": {
        "columns": [
          {
            "id": "@timestamp",
            "columnHeaderType": "not-filtered"
          },
          {
            "id": "event.category",
            "columnHeaderType": "not-filtered"
          }
        ],
        "created": 1587468588922,
        "createdBy": "casetester",
        "dataProviders": [
          {
            "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
            "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
            "enabled": true,
            "excluded": false,
            "queryMatch": {
              "field": "_id,",
              "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
              "operator": ":"
            }
          }
        ],
        "dataViewId": "security-solution-default",
        "dateRange": {
          "end": 1587456479201,
          "start": 1587370079200
        },
        "description": "Investigating exposure of CVE XYZ",
        "eqlOptions": {
          "size": 100,
          "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
          "timestampField": "@timestamp",
          "eventCategoryField": "event.category"
        },
        "eventType": "all",
        "excludedRowRendererIds": [
          "alert"
        ],
        "favorite": [
          {
            "userName": "elastic",
            "favoriteDate": 1741337636741
          }
        ],
        "filters": [
          {
            "meta": {
              "key": "@timestamp",
              "type": "exists",
              "alias": "Custom filter name",
              "index": ".alerts-security.alerts-default,logs-*",
              "value": "exists",
              "negate": "false,",
              "disabled": false
            },
            "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
          }
        ],
        "indexNames": [
          ".logs*"
        ],
        "kqlMode": "search",
        "kqlQuery": {
          "kuery": {
            "kind": "kuery",
            "expression": "_id : *"
          },
          "filterQuery": null,
          "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
        },
        "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
        "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
        "sort": {
          "columnId": "@timestamp",
          "sortDirection": "desc"
        },
        "status": "active",
        "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
        "templateTimelineVersion": 12,
        "timelineType": "default",
        "title": "CVE XYZ investigation",
        "updated": 1741344876825,
        "updatedBy": "casetester",
        "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
        "version": "WzE0LDFd",
        "eventIdToNoteIds": [
          {
            "created": 1587468588922,
            "createdBy": "casetester",
            "updated": 1741344876825,
            "updatedBy": "casetester",
            "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
            "note": "This is an example text",
            "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
            "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
            "version": "WzQ2LDFd"
          }
        ],
        "noteIds": [
          "709f99c6-89b6-4953-9160-35945c8e174e"
        ],
        "notes": [
          {
            "created": 1587468588922,
            "createdBy": "casetester",
            "updated": 1741344876825,
            "updatedBy": "casetester",
            "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
            "note": "This is an example text",
            "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
            "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
            "version": "WzQ2LDFd"
          }
        ],
        "pinnedEventIds": [
          "983f99c6-89b6-4953-9160-35945c8a194f"
        ],
        "pinnedEventsSaveObject": [
          {
            "created": 1587468588922,
            "createdBy": "casetester",
            "updated": 1741344876825,
            "updatedBy": "casetester",
            "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
            "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
            "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
            "version": "WzQ2LDFe"
          }
        ]
      }
    }
  }
}

Response examples (403)

{
  "message": "string",
  "status_code": 42.0
}

Response examples (409)

{
  "message": "string",
  "status_code": 42.0
}

Get draft Timeline or Timeline template details

Query parameters

Responses

value string | null | array[string]

value string | null | array[string]

end string | null | number

end string | null | number

start string | null | number

start string | null | number

size string | null | number

size string | null | number

sort object | null | array[object]

sort object | null | array[object]