Copies timeline or timeline template

GET /api/timeline/_copy
Api key auth Basic auth

Copies and returns a timeline or timeline template.

application/json

Body Required

Responses

  • 200 application/json

    Indicates that the timeline has been successfully copied.

    Hide response attributes Show response attributes object
    • columns array[object] | null

      The Timeline's columns

      Hide columns attributes Show columns attributes object
    • created number | null

      The time the Timeline was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the Timeline.

    • dataProviders array[object] | null

      Object containing query clauses

      Hide dataProviders attributes Show dataProviders attributes object
    • dataViewId string | null

      ID of the Timeline's Data View

    • dateRange object | null

      The Timeline's search period.

      Hide dateRange attributes Show dateRange attributes object | null
    • description string | null

      The Timeline's description

    • eqlOptions object | null

      EQL query that is used in the correlation tab

      Hide eqlOptions attributes Show eqlOptions attributes object | null
    • eventType string | null Deprecated

      Event types displayed in the Timeline

    • excludedRowRendererIds array[string] | null

      A list of row renderers that should not be used when in Event renderers mode

      Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

    • favorite array[object] | null

      Indicates when and who marked a Timeline as a favorite.

      Hide favorite attributes Show favorite attributes object
    • filters array[object] | null

      A list of filters that should be applied to the query

      Hide filters attributes Show filters attributes object
    • indexNames array[string] | null

      A list of index names to use in the query (e.g. when the default data view has been modified)

    • kqlMode string | null

      Indicates whether the KQL bar filters the query results or searches for additional results, where:

      • filter: filters query results
      • search: displays additional search results
    • kqlQuery object | null

      KQL bar query.

      Hide kqlQuery attribute Show kqlQuery attribute object | null
    • savedQueryId string | null

      The ID of the saved query that might be used in the Query tab

    • savedSearchId string | null

      The ID of the saved search that is used in the ES|QL tab

    • sort object | null

      Object indicating how rows are sorted in the Timeline's grid

      Hide sort attributes Show sort attributes object | null
    • status string | null

      The status of the Timeline.

      Values are active, draft, or immutable.

    • templateTimelineId string | null

      A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

    • templateTimelineVersion number | null

      Timeline template version number. For Timelines, the value is null.

    • timelineType string | null

      The type of Timeline.

      Values are default or template.

    • title string | null

      The Timeline's title.

    • updated number | null

      The last time the Timeline was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the Timeline

    • savedObjectId string Required

      The savedObjectId of the Timeline or Timeline template

    • version string Required

      The version of the Timeline or Timeline template

    • eventIdToNoteIds array[object] | null

      A list of all the notes that are associated to this Timeline.

      Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • noteIds array[string] | null

      A list of all the ids of notes that are associated to this Timeline.

    • notes array[object] | null

      A list of all the notes that are associated to this Timeline.

      Hide notes attributes Show notes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • pinnedEventIds array[string] | null

      A list of all the ids of pinned events that are associated to this Timeline.

    • pinnedEventsSaveObject array[object] | null

      A list of all the pinned events that are associated to this Timeline.

      Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
      • created number | null

        The time the pinned event was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the pinned event.

      • updated number | null

        The last time the pinned event was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the pinned event

      • eventId string Required

        The _id of the associated event for this pinned event.

      • timelineId string Required

        The savedObjectId of the timeline that this pinned event is associated with

      • pinnedEventId string Required

        The savedObjectId of this pinned event

      • version string Required

        The version of this pinned event
GET /api/timeline/_copy 
curl \
 --request GET 'https://localhost:5601/api/timeline/_copy' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"timeline":{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester"},"timelineIdToCopy":"string"}'
Request examples 
{
  "timeline": {
    "columns": [
      {
        "id": "@timestamp",
        "columnHeaderType": "not-filtered"
      },
      {
        "id": "event.category",
        "columnHeaderType": "not-filtered"
      }
    ],
    "created": 1587468588922,
    "createdBy": "casetester",
    "dataProviders": [
      {
        "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
        "enabled": true,
        "excluded": false,
        "queryMatch": {
          "field": "_id,",
          "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
          "operator": ":"
        }
      }
    ],
    "dataViewId": "security-solution-default",
    "dateRange": {
      "end": 1587456479201,
      "start": 1587370079200
    },
    "description": "Investigating exposure of CVE XYZ",
    "eqlOptions": {
      "size": 100,
      "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
      "timestampField": "@timestamp",
      "eventCategoryField": "event.category"
    },
    "eventType": "all",
    "excludedRowRendererIds": [
      "alert"
    ],
    "favorite": [
      {
        "userName": "elastic",
        "favoriteDate": 1741337636741
      }
    ],
    "filters": [
      {
        "meta": {
          "key": "@timestamp",
          "type": "exists",
          "alias": "Custom filter name",
          "index": ".alerts-security.alerts-default,logs-*",
          "value": "exists",
          "negate": "false,",
          "disabled": false
        },
        "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
      }
    ],
    "indexNames": [
      ".logs*"
    ],
    "kqlMode": "search",
    "kqlQuery": {
      "kuery": {
        "kind": "kuery",
        "expression": "_id : *"
      },
      "filterQuery": null,
      "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
    },
    "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
    "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "sort": {
      "columnId": "@timestamp",
      "sortDirection": "desc"
    },
    "status": "active",
    "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "templateTimelineVersion": 12,
    "timelineType": "default",
    "title": "CVE XYZ investigation",
    "updated": 1741344876825,
    "updatedBy": "casetester"
  },
  "timelineIdToCopy": "string"
}
Response examples (200) 
{
  "columns": [
    {
      "id": "@timestamp",
      "columnHeaderType": "not-filtered"
    },
    {
      "id": "event.category",
      "columnHeaderType": "not-filtered"
    }
  ],
  "created": 1587468588922,
  "createdBy": "casetester",
  "dataProviders": [
    {
      "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "enabled": true,
      "excluded": false,
      "queryMatch": {
        "field": "_id,",
        "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
        "operator": ":"
      }
    }
  ],
  "dataViewId": "security-solution-default",
  "dateRange": {
    "end": 1587456479201,
    "start": 1587370079200
  },
  "description": "Investigating exposure of CVE XYZ",
  "eqlOptions": {
    "size": 100,
    "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
    "timestampField": "@timestamp",
    "eventCategoryField": "event.category"
  },
  "eventType": "all",
  "excludedRowRendererIds": [
    "alert"
  ],
  "favorite": [
    {
      "userName": "elastic",
      "favoriteDate": 1741337636741
    }
  ],
  "filters": [
    {
      "meta": {
        "key": "@timestamp",
        "type": "exists",
        "alias": "Custom filter name",
        "index": ".alerts-security.alerts-default,logs-*",
        "value": "exists",
        "negate": "false,",
        "disabled": false
      },
      "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
    }
  ],
  "indexNames": [
    ".logs*"
  ],
  "kqlMode": "search",
  "kqlQuery": {
    "kuery": {
      "kind": "kuery",
      "expression": "_id : *"
    },
    "filterQuery": null,
    "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
  },
  "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
  "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "sort": {
    "columnId": "@timestamp",
    "sortDirection": "desc"
  },
  "status": "active",
  "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "templateTimelineVersion": 12,
  "timelineType": "default",
  "title": "CVE XYZ investigation",
  "updated": 1741344876825,
  "updatedBy": "casetester",
  "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
  "version": "WzE0LDFd",
  "eventIdToNoteIds": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "noteIds": [
    "709f99c6-89b6-4953-9160-35945c8e174e"
  ],
  "notes": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "pinnedEventIds": [
    "983f99c6-89b6-4953-9160-35945c8a194f"
  ],
  "pinnedEventsSaveObject": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
      "version": "WzQ2LDFe"
    }
  ]
}