Create a clean draft Timeline or Timeline template

POST /api/timeline/_draft

Api key auth Basic auth

Create a clean draft Timeline or Timeline template for the current user.

If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.

application/json

Body Required

The type of Timeline to create. Valid values are default and template.

timelineType string | null Required

The type of Timeline.

Values are default or template.

Responses

200 application/json

Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
Hide response attributes Show response attributes object
- columns array[object] | null
  
  The Timeline's columns
  
  Hide columns attributes Show columns attributes object
  
  aggregatable boolean | null
  
  category string | null
  
  columnHeaderType string | null
  
  description string | null
  
  example string | null
  
  id string | null
  
  indexes array[string] | null
  
  name string | null
  
  placeholder string | null
  
  searchable boolean | null
  
  type string | null
- created number | null
  
  The time the Timeline was created, using a 13-digit Epoch timestamp.
- createdBy string | null
  
  The user who created the Timeline.
- dataProviders array[object] | null
  
  Object containing query clauses
  
  Hide dataProviders attributes Show dataProviders attributes object
  
  and array[object] | null
  
  Hide and attributes Show and attributes object
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider.
  
  Values are default or template.
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider.
  
  Values are default or template.
- dataViewId string | null
  
  ID of the Timeline's Data View
- dateRange object | null
  
  The Timeline's search period.
  
  Hide dateRange attributes Show dateRange attributes object | null
  
  end string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  start string | null | number
  
  One of:
  string-1 string | null number-2 number | null
- description string | null
  
  The Timeline's description
- eqlOptions object | null
  
  EQL query that is used in the correlation tab
  
  Hide eqlOptions attributes Show eqlOptions attributes object | null
  
  eventCategoryField string | null
  
  query string | null
  
  size string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  tiebreakerField string | null
  
  timestampField string | null
- eventType string | null Deprecated
  
  Event types displayed in the Timeline
- excludedRowRendererIds array[string] | null
  
  A list of row renderers that should not be used when in Event renderers mode
  
  Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.
- favorite array[object] | null
  
  Indicates when and who marked a Timeline as a favorite.
  
  Hide favorite attributes Show favorite attributes object
  
  favoriteDate number | null
  
  fullName string | null
  
  userName string | null
- filters array[object] | null
  
  A list of filters that should be applied to the query
  
  Hide filters attributes Show filters attributes object
  
  exists string | null
  
  match_all string | null
  
  meta object | null
  
  Hide meta attributes Show meta attributes object | null
  
  alias string | null
  
  controlledBy string | null
  
  disabled boolean | null
  
  field string | null
  
  formattedValue string | null
  
  index string | null
  
  key string | null
  
  negate boolean | null
  
  params string | null
  
  type string | null
  
  value string | null
  
  missing string | null
  
  query string | null
  
  range string | null
  
  script string | null
- indexNames array[string] | null
  
  A list of index names to use in the query (e.g. when the default data view has been modified)
- kqlMode string | null
  
  Indicates whether the KQL bar filters the query results or searches for additional results, where:
  
  filter: filters query results
  
  search: displays additional search results
- kqlQuery object | null
  
  KQL bar query.
  
  Hide kqlQuery attribute Show kqlQuery attribute object | null
  
  filterQuery object | null
  
  Hide filterQuery attributes Show filterQuery attributes object | null
  
  kuery object | null
  
  Hide kuery attributes Show kuery attributes object | null
  
  expression string | null
  
  kind string | null
  
  serializedQuery string | null
- savedQueryId string | null
  
  The ID of the saved query that might be used in the Query tab
- savedSearchId string | null
  
  The ID of the saved search that is used in the ES|QL tab
- sort object | null
  
  Object indicating how rows are sorted in the Timeline's grid
  
  Hide sort attributes Show sort attributes object | null
  
  columnId string | null
  
  columnType string | null
  
  sortDirection string | null
- status string | null
  
  The status of the Timeline.
  
  Values are active, draft, or immutable.
- templateTimelineId string | null
  
  A unique ID (UUID) for Timeline templates. For Timelines, the value is null.
- templateTimelineVersion number | null
  
  Timeline template version number. For Timelines, the value is null.
- timelineType string | null
  
  The type of Timeline.
  
  Values are default or template.
- title string | null
  
  The Timeline's title.
- updated number | null
  
  The last time the Timeline was updated, using a 13-digit Epoch timestamp
- updatedBy string | null
  
  The user who last updated the Timeline
- savedObjectId string Required
  
  The savedObjectId of the Timeline or Timeline template
- version string Required
  
  The version of the Timeline or Timeline template
- eventIdToNoteIds array[object] | null
  
  A list of all the notes that are associated to this Timeline.
  
  Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
  
  created number | null
  
  The time the note was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the note.
  
  updated number | null
  
  The last time the note was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the note
  
  eventId string | null
  
  The _id of the associated event for this note.
  
  note string | null
  
  The text of the note
  
  timelineId string Required
  
  The savedObjectId of the Timeline that this note is associated with
  
  noteId string Required
  
  The savedObjectId of the note
  
  version string Required
  
  The version of the note
- noteIds array[string] | null
  
  A list of all the ids of notes that are associated to this Timeline.
- notes array[object] | null
  
  A list of all the notes that are associated to this Timeline.
  
  Hide notes attributes Show notes attributes object
  
  created number | null
  
  The time the note was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the note.
  
  updated number | null
  
  The last time the note was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the note
  
  eventId string | null
  
  The _id of the associated event for this note.
  
  note string | null
  
  The text of the note
  
  timelineId string Required
  
  The savedObjectId of the Timeline that this note is associated with
  
  noteId string Required
  
  The savedObjectId of the note
  
  version string Required
  
  The version of the note
- pinnedEventIds array[string] | null
  
  A list of all the ids of pinned events that are associated to this Timeline.
- pinnedEventsSaveObject array[object] | null
  
  A list of all the pinned events that are associated to this Timeline.
  
  Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
  
  created number | null
  
  The time the pinned event was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the pinned event.
  
  updated number | null
  
  The last time the pinned event was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the pinned event
  
  eventId string Required
  
  The _id of the associated event for this pinned event.
  
  timelineId string Required
  
  The savedObjectId of the timeline that this pinned event is associated with
  
  pinnedEventId string Required
  
  The savedObjectId of this pinned event
  
  version string Required
  
  The version of this pinned event
403 application:json

Indicates that the user does not have the required permissions to create a draft Timeline.
Hide response attributes Show response attributes object
- message string
- status_code number
409 application:json

Indicates that there is already a draft Timeline with the given timelineId.
Hide response attributes Show response attributes object
- message string
- status_code number

POST /api/timeline/_draft

curl \
 --request POST 'http://localhost:5622/api/timeline/_draft' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"timelineType":"default"}'

Request examples

{
  "timelineType": "default"
}

Response examples (200)

{
  "columns": [
    {
      "id": "@timestamp",
      "columnHeaderType": "not-filtered"
    },
    {
      "id": "event.category",
      "columnHeaderType": "not-filtered"
    }
  ],
  "created": 1587468588922,
  "createdBy": "casetester",
  "dataProviders": [
    {
      "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "enabled": true,
      "excluded": false,
      "queryMatch": {
        "field": "_id,",
        "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
        "operator": ":"
      }
    }
  ],
  "dataViewId": "security-solution-default",
  "dateRange": {
    "end": 1587456479201,
    "start": 1587370079200
  },
  "description": "Investigating exposure of CVE XYZ",
  "eqlOptions": {
    "size": 100,
    "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
    "timestampField": "@timestamp",
    "eventCategoryField": "event.category"
  },
  "eventType": "all",
  "excludedRowRendererIds": [
    "alert"
  ],
  "favorite": [
    {
      "userName": "elastic",
      "favoriteDate": 1741337636741
    }
  ],
  "filters": [
    {
      "meta": {
        "key": "@timestamp",
        "type": "exists",
        "alias": "Custom filter name",
        "index": ".alerts-security.alerts-default,logs-*",
        "value": "exists",
        "negate": "false,",
        "disabled": false
      },
      "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
    }
  ],
  "indexNames": [
    ".logs*"
  ],
  "kqlMode": "search",
  "kqlQuery": {
    "kuery": {
      "kind": "kuery",
      "expression": "_id : *"
    },
    "filterQuery": null,
    "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
  },
  "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
  "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "sort": {
    "columnId": "@timestamp",
    "sortDirection": "desc"
  },
  "status": "active",
  "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "templateTimelineVersion": 12,
  "timelineType": "default",
  "title": "CVE XYZ investigation",
  "updated": 1741344876825,
  "updatedBy": "casetester",
  "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
  "version": "WzE0LDFd",
  "eventIdToNoteIds": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "noteIds": [
    "709f99c6-89b6-4953-9160-35945c8e174e"
  ],
  "notes": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "pinnedEventIds": [
    "983f99c6-89b6-4953-9160-35945c8a194f"
  ],
  "pinnedEventsSaveObject": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
      "version": "WzQ2LDFe"
    }
  ]
}

Response examples (403)

{
  "message": "string",
  "status_code": 42.0
}

Response examples (409)

{
  "message": "string",
  "status_code": 42.0
}

Create a clean draft Timeline or Timeline template

Body Required

Responses

value string | null | array[string]

value string | null | array[string]

end string | null | number

start string | null | number

size string | null | number