Install prepackaged Timelines
Install or update prepackaged Timelines.
Body
Required
The Timelines to install or update.
- prepackagedTimelines: array[object], Required
- timelinesToInstall: array[object], Required
- timelinesToUpdate: array[object], Required
POST
/api/timeline/_prepackaged
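# Install or update prepackaged Timelines: POST the three required arrays
# (prepackagedTimelines, timelinesToInstall, timelinesToUpdate) to
# /api/timeline/_prepackaged.
#
# Authorization: the shell expands $API_KEY and the header value is sent as-is,
# so the variable must hold the complete credential including its scheme
# (for a Kibana API key that is normally "ApiKey <encoded key>").
# Reading it from the environment keeps the key out of shell history.
#
# Transport: http://localhost is a loopback example. Against any other host
# use https://, otherwise the Authorization header crosses the network in
# clear text.
#
# kbn-xsrf: Kibana rejects state-changing API requests that lack this header
# unless XSRF protection is disabled or the path is allow-listed.
#
# Payload: the single-quoted JSON must stay on one line. A raw line break
# inside a string value (e.g. inside "note" or "description") is passed to the
# server verbatim and makes the body invalid JSON.
curl \
  --request POST http://localhost:5622/api/timeline/_prepackaged \
  --header "Authorization: $API_KEY" \
  --header "Content-Type: application/json" \
  --header "kbn-xsrf: true" \
  --data '{"prepackagedTimelines":[{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester","eventIdToNoteIds":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","version":"WzQ2LDFd"}],"noteIds":["string"],"notes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","version":"WzQ2LDFd"}],"pinnedEventIds":["string"],"pinnedEventsSaveObject":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","pinnedEventId":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","version":"WzQ2LDFe"}],"savedObjectId":"string","version":"string"}],"timelinesToInstall":[{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester","eventNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"globalNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"pinnedEventIds":["string"],"savedObjectId":"string","version":"string"}],"timelinesToUpdate":[{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester","eventNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"globalNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"pinnedEventIds":["string"],"savedObjectId":"string","version":"string"}]}'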
Request examples
{
"prepackagedTimelines": [
{
"columns": [
{
"id": "@timestamp",
"columnHeaderType": "not-filtered"
},
{
"id": "event.category",
"columnHeaderType": "not-filtered"
}
],
"created": 1587468588922,
"createdBy": "casetester",
"dataProviders": [
{
"id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"enabled": true,
"excluded": false,
"queryMatch": {
"field": "_id,",
"value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
"operator": ":"
}
}
],
"dataViewId": "security-solution-default",
"dateRange": {
"end": 1587456479201,
"start": 1587370079200
},
"description": "Investigating exposure of CVE XYZ",
"eqlOptions": {
"size": 100,
"query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
"timestampField": "@timestamp",
"eventCategoryField": "event.category"
},
"eventType": "all",
"excludedRowRendererIds": [
"alert"
],
"favorite": [
{
"userName": "elastic",
"favoriteDate": 1741337636741
}
],
"filters": [
{
"meta": {
"key": "@timestamp",
"type": "exists",
"alias": "Custom filter name",
"index": ".alerts-security.alerts-default,logs-*",
"value": "exists",
"negate": "false,",
"disabled": false
},
"query": "{\"exists\":{\"field\":\"@timestamp\"}}"
}
],
"indexNames": [
".logs*"
],
"kqlMode": "search",
"kqlQuery": {
"kuery": {
"kind": "kuery",
"expression": "_id : *"
},
"filterQuery": null,
"serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
},
"savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
"savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"sort": {
"columnId": "@timestamp",
"sortDirection": "desc"
},
"status": "active",
"templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"templateTimelineVersion": 12,
"timelineType": "default",
"title": "CVE XYZ investigation",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventIdToNoteIds": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
"version": "WzQ2LDFd"
}
],
"noteIds": [
"string"
],
"notes": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
"version": "WzQ2LDFd"
}
],
"pinnedEventIds": [
"string"
],
"pinnedEventsSaveObject": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
"version": "WzQ2LDFe"
}
],
"savedObjectId": "string",
"version": "string"
}
],
"timelinesToInstall": [
{
"columns": [
{
"id": "@timestamp",
"columnHeaderType": "not-filtered"
},
{
"id": "event.category",
"columnHeaderType": "not-filtered"
}
],
"created": 1587468588922,
"createdBy": "casetester",
"dataProviders": [
{
"id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"enabled": true,
"excluded": false,
"queryMatch": {
"field": "_id,",
"value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
"operator": ":"
}
}
],
"dataViewId": "security-solution-default",
"dateRange": {
"end": 1587456479201,
"start": 1587370079200
},
"description": "Investigating exposure of CVE XYZ",
"eqlOptions": {
"size": 100,
"query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
"timestampField": "@timestamp",
"eventCategoryField": "event.category"
},
"eventType": "all",
"excludedRowRendererIds": [
"alert"
],
"favorite": [
{
"userName": "elastic",
"favoriteDate": 1741337636741
}
],
"filters": [
{
"meta": {
"key": "@timestamp",
"type": "exists",
"alias": "Custom filter name",
"index": ".alerts-security.alerts-default,logs-*",
"value": "exists",
"negate": "false,",
"disabled": false
},
"query": "{\"exists\":{\"field\":\"@timestamp\"}}"
}
],
"indexNames": [
".logs*"
],
"kqlMode": "search",
"kqlQuery": {
"kuery": {
"kind": "kuery",
"expression": "_id : *"
},
"filterQuery": null,
"serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
},
"savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
"savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"sort": {
"columnId": "@timestamp",
"sortDirection": "desc"
},
"status": "active",
"templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"templateTimelineVersion": 12,
"timelineType": "default",
"title": "CVE XYZ investigation",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventNotes": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e"
}
],
"globalNotes": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e"
}
],
"pinnedEventIds": [
"string"
],
"savedObjectId": "string",
"version": "string"
}
],
"timelinesToUpdate": [
{
"columns": [
{
"id": "@timestamp",
"columnHeaderType": "not-filtered"
},
{
"id": "event.category",
"columnHeaderType": "not-filtered"
}
],
"created": 1587468588922,
"createdBy": "casetester",
"dataProviders": [
{
"id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"enabled": true,
"excluded": false,
"queryMatch": {
"field": "_id,",
"value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
"operator": ":"
}
}
],
"dataViewId": "security-solution-default",
"dateRange": {
"end": 1587456479201,
"start": 1587370079200
},
"description": "Investigating exposure of CVE XYZ",
"eqlOptions": {
"size": 100,
"query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
"timestampField": "@timestamp",
"eventCategoryField": "event.category"
},
"eventType": "all",
"excludedRowRendererIds": [
"alert"
],
"favorite": [
{
"userName": "elastic",
"favoriteDate": 1741337636741
}
],
"filters": [
{
"meta": {
"key": "@timestamp",
"type": "exists",
"alias": "Custom filter name",
"index": ".alerts-security.alerts-default,logs-*",
"value": "exists",
"negate": "false,",
"disabled": false
},
"query": "{\"exists\":{\"field\":\"@timestamp\"}}"
}
],
"indexNames": [
".logs*"
],
"kqlMode": "search",
"kqlQuery": {
"kuery": {
"kind": "kuery",
"expression": "_id : *"
},
"filterQuery": null,
"serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
},
"savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
"savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"sort": {
"columnId": "@timestamp",
"sortDirection": "desc"
},
"status": "active",
"templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"templateTimelineVersion": 12,
"timelineType": "default",
"title": "CVE XYZ investigation",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventNotes": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e"
}
],
"globalNotes": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e"
}
],
"pinnedEventIds": [
"string"
],
"savedObjectId": "string",
"version": "string"
}
]
}
Response examples (200)
{
"errors": [
{
"error": {
"message": "Malformed JSON",
"status_code": 400
},
"id": "6ce1b592-84e3-4b4a-9552-f189d4b82075"
}
],
"success": true,
"success_count": 99,
"timelines_installed": 80,
"timelines_updated": 19
}
Response examples (500)
{
"body": "string",
"statusCode": 42.0
}