Install prepackaged Timelines

POST /api/timeline/_prepackaged
Api key auth Basic auth

Install or update prepackaged Timelines.

application/json

Body Required

The Timelines to install or update.

Responses

  • 200 application/json

    Indicates the installation of prepackaged Timelines was successful.

    Hide response attributes Show response attributes object
    • errors array[object]

      The list of failed Timeline imports

      Hide errors attributes Show errors attributes object
      • error object

        The error containing the reason why the timeline could not be imported

        Hide error attributes Show error attributes object
        • message string

          The reason why the timeline could not be imported

        • status_code number

          The HTTP status code of the error

      • id string

        The ID of the timeline that failed to import

    • success boolean

      Indicates whether any of the Timelines were successfully imports

    • success_count number

      The amount of successfully imported/updated Timelines

    • timelines_installed number

      The amount of successfully installed Timelines

    • timelines_updated number

      The amount of successfully updated Timelines
  • 500 application:json

    Indicates the installation of prepackaged Timelines was unsuccessful.

    Hide response attributes Show response attributes object
POST /api/timeline/_prepackaged 
curl \
 --request POST 'https://localhost:5601/api/timeline/_prepackaged' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"prepackagedTimelines":[{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester","eventIdToNoteIds":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","version":"WzQ2LDFd"}],"noteIds":["string"],"notes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","version":"WzQ2LDFd"}],"pinnedEventIds":["string"],"pinnedEventsSaveObject":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","pinnedEventId":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","version":"WzQ2LDFe"}],"savedObjectId":"string","version":"string"}],"timelinesToInstall":[{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester","eventNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"globalNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"pinnedEventIds":["string"],"savedObjectId":"string","version":"string"}],"timelinesToUpdate":[{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester","eventNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"globalNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],"pinnedEventIds":["string"],"savedObjectId":"string","version":"string"}]}'