GET /api/note
Api key auth Basic auth

Spaces method and path for this operation:

get /s/{space_id}/api/note

Refer to Spaces for more information.

Returns Security Timeline notes as saved objects.

Query modes (mutually exclusive branches on the server):

  1. documentIds is set — Returns notes whose eventId matches the given Elasticsearch document _id (single string or array). Pagination query parameters (page, perPage, etc.) are not applied; the server uses a fixed page size (up to 10000 notes).

  2. savedObjectIds is set — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are not applied.

  3. Neither documentIds nor savedObjectIds — Lists notes using saved-objects find semantics: page (default 1), perPage (default 10), optional search, sortField, sortOrder, filter, createdByFilter, and associatedFilter.

Requires the Timeline and Notes read privilege (notes_read).

Query parameters

  • documentIds array[string] | string

    Event document _id values to match against each note's eventId. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using page/perPage.

  • savedObjectIds array[string] | string

    Timeline savedObjectId value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned.

  • page string | null

    Page number for list mode (when documentIds and savedObjectIds are omitted). Passed as a string; default 1.

  • perPage string | null

    Page size for list mode (when documentIds and savedObjectIds are omitted). Passed as a string; default 10.

  • sortField string | null

    Field to sort by for saved-objects find (list mode only).

  • sortOrder string | null

    Sort order (asc or desc) for saved-objects find (list mode only).

  • filter string | null

    Kuery filter string combined with other list-mode filters (for example createdByFilter or associatedFilter). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only).

  • createdByFilter string | null

    Kibana user profile UID (UUID). The server resolves the user's display identifiers and returns notes whose createdBy matches any of them (list mode only).

  • associatedFilter string

    Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when documentIds or savedObjectIds is used.

    Values are all, document_only, saved_object_only, document_and_saved_object, or orphan.

Responses

  • 200 application/json

    Notes and total count for the requested mode.

    Hide response attributes Show response attributes object
    • notes array[object] Required
      Hide notes attributes Show notes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        Elasticsearch document _id for the event or alert this note refers to. Same value as the documentIds query parameter when fetching notes via GET /api/note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline this note belongs to (not the note's own ID).

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • totalCount number Required

      Number of notes returned (may be adjusted after the query when associatedFilter applies post-filtering).
GET /api/note 
curl \
 --request GET 'https://localhost:5601/api/note' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "notes": [
    {
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "Escalated to tier-2 analyst",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "version": "WzQ2LDFd"
    }
  ],
  "totalCount": 1
}