POST /api/timeline/_prepackaged
Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/timeline/_prepackaged

Refer to Spaces for more information.

Install or update prepackaged Timelines.

application/json

Body Required

The Timelines to install or update.

  • prepackagedTimelines array[object] Required
    Hide prepackagedTimelines attributes Show prepackagedTimelines attributes object
    • columns array[object] | null

      The Timeline's columns

      Hide columns attributes Show columns attributes object
      • aggregatable boolean | null
      • category string | null
      • columnHeaderType string | null
      • description string | null
      • example string | null
      • id string | null
      • indexes array[string] | null
      • name string | null
      • placeholder string | null
      • searchable boolean | null
      • type string | null
    • created number | null

      The time the Timeline was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the Timeline.

    • dataProviders array[object] | null

      Object containing query clauses

      Hide dataProviders attributes Show dataProviders attributes object
      • and array[object] | null
        Hide and attributes Show and attributes object
        • enabled boolean | null
        • excluded boolean | null
        • id string | null
        • kqlQuery string | null
        • name string | null
        • queryMatch object
          Hide queryMatch attributes Show queryMatch attributes object
        • type string

          The type of data provider.

          Values are default or template.

      • enabled boolean | null
      • excluded boolean | null
      • id string | null
      • kqlQuery string | null
      • name string | null
      • queryMatch object
        Hide queryMatch attributes Show queryMatch attributes object
      • type string

        The type of data provider.

        Values are default or template.

    • dataViewId string | null

      ID of the Timeline's Data View

    • dateRange object | null

      The Timeline's search period.

      Hide dateRange attributes Show dateRange attributes object | null
    • description string | null

      The Timeline's description

    • eqlOptions object | null

      EQL query that is used in the correlation tab

      Hide eqlOptions attributes Show eqlOptions attributes object | null
    • eventType string | null Deprecated

      Event types displayed in the Timeline

    • excludedRowRendererIds array[string] | null

      A list of row renderers that should not be used when in Event renderers mode

      Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

    • favorite array[object] | null
      Hide favorite attributes Show favorite attributes object

      Indicates when and who marked a Timeline as a favorite.

      • favoriteDate number | null
      • fullName string | null
      • userName string | null
    • filters array[object] | null

      A list of filters that should be applied to the query

      Hide filters attributes Show filters attributes object
      • exists string | null
      • match_all string | null
      • meta object | null
        Hide meta attributes Show meta attributes object | null
        • alias string | null
        • controlledBy string | null
        • disabled boolean | null
        • field string | null
        • formattedValue string | null
        • index string | null
        • key string | null
        • negate boolean | null
        • params string | null
        • type string | null
        • value string | null
      • missing string | null
      • query string | null
      • range string | null
      • script string | null
    • indexNames array[string] | null

      A list of index names to use in the query (e.g. when the default data view has been modified)

    • kqlMode string | null

      Indicates whether the KQL bar filters the query results or searches for additional results, where:

      • filter: filters query results
      • search: displays additional search results
    • kqlQuery object

      KQL bar query.

      Hide kqlQuery attribute Show kqlQuery attribute object
      • filterQuery object | null
        Hide filterQuery attributes Show filterQuery attributes object | null
        • kuery object | null
          Hide kuery attributes Show kuery attributes object | null
          • expression string | null
          • kind string | null
        • serializedQuery string | null
    • savedQueryId string | null

      The ID of the saved query that might be used in the Query tab

    • savedSearchId string | null

      The ID of the saved search that is used in the ES|QL tab

    • sort object | array[object]

      One of:
      Security_Timeline_API_SortObject object array-2 array[object]
      Hide attributes Show attributes object

      Object indicating how rows are sorted in the Timeline's grid

      • columnId string | null
      • columnType string | null
      • sortDirection string | null
    • status string

      The status of the Timeline.

      Values are active, draft, or immutable.

    • templateTimelineId string | null

      A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

    • templateTimelineVersion number | null

      Timeline template version number. For Timelines, the value is null.

    • timelineType string

      The type of Timeline.

      Values are default or template.

    • title string | null

      The Timeline's title.

    • updated number | null

      The last time the Timeline was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the Timeline

    • eventIdToNoteIds array[object] | null
      Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        Elasticsearch document _id for the event or alert this note refers to. Same value as the documentIds query parameter when fetching notes via GET /api/note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline this note belongs to (not the note's own ID).

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • noteIds array[string] | null
    • notes array[object] | null
      Hide notes attributes Show notes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        Elasticsearch document _id for the event or alert this note refers to. Same value as the documentIds query parameter when fetching notes via GET /api/note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline this note belongs to (not the note's own ID).

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • pinnedEventIds array[string] | null
    • pinnedEventsSaveObject array[object] | null
      Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
      • created number | null

        The time the pinned event was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the pinned event.

      • updated number | null

        The last time the pinned event was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the pinned event

      • eventId string Required

        The _id of the associated event for this pinned event.

      • timelineId string Required

        The savedObjectId of the timeline that this pinned event is associated with

      • pinnedEventId string Required

        The savedObjectId of this pinned event

      • version string Required

        The version of this pinned event

    • savedObjectId string Required
    • version string Required
  • timelinesToInstall array[object] Required
    Hide timelinesToInstall attributes Show timelinesToInstall attributes object
    • columns array[object] | null

      The Timeline's columns

      Hide columns attributes Show columns attributes object
      • aggregatable boolean | null
      • category string | null
      • columnHeaderType string | null
      • description string | null
      • example string | null
      • id string | null
      • indexes array[string] | null
      • name string | null
      • placeholder string | null
      • searchable boolean | null
      • type string | null
    • created number | null

      The time the Timeline was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the Timeline.

    • dataProviders array[object] | null

      Object containing query clauses

      Hide dataProviders attributes Show dataProviders attributes object
      • and array[object] | null
        Hide and attributes Show and attributes object
        • enabled boolean | null
        • excluded boolean | null
        • id string | null
        • kqlQuery string | null
        • name string | null
        • queryMatch object
          Hide queryMatch attributes Show queryMatch attributes object
        • type string

          The type of data provider.

          Values are default or template.

      • enabled boolean | null
      • excluded boolean | null
      • id string | null
      • kqlQuery string | null
      • name string | null
      • queryMatch object
        Hide queryMatch attributes Show queryMatch attributes object
      • type string

        The type of data provider.

        Values are default or template.

    • dataViewId string | null

      ID of the Timeline's Data View

    • dateRange object | null

      The Timeline's search period.

      Hide dateRange attributes Show dateRange attributes object | null
    • description string | null

      The Timeline's description

    • eqlOptions object | null

      EQL query that is used in the correlation tab

      Hide eqlOptions attributes Show eqlOptions attributes object | null
    • eventType string | null Deprecated

      Event types displayed in the Timeline

    • excludedRowRendererIds array[string] | null

      A list of row renderers that should not be used when in Event renderers mode

      Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

    • favorite array[object] | null
      Hide favorite attributes Show favorite attributes object

      Indicates when and who marked a Timeline as a favorite.

      • favoriteDate number | null
      • fullName string | null
      • userName string | null
    • filters array[object] | null

      A list of filters that should be applied to the query

      Hide filters attributes Show filters attributes object
      • exists string | null
      • match_all string | null
      • meta object | null
        Hide meta attributes Show meta attributes object | null
        • alias string | null
        • controlledBy string | null
        • disabled boolean | null
        • field string | null
        • formattedValue string | null
        • index string | null
        • key string | null
        • negate boolean | null
        • params string | null
        • type string | null
        • value string | null
      • missing string | null
      • query string | null
      • range string | null
      • script string | null
    • indexNames array[string] | null

      A list of index names to use in the query (e.g. when the default data view has been modified)

    • kqlMode string | null

      Indicates whether the KQL bar filters the query results or searches for additional results, where:

      • filter: filters query results
      • search: displays additional search results
    • kqlQuery object

      KQL bar query.

      Hide kqlQuery attribute Show kqlQuery attribute object
      • filterQuery object | null
        Hide filterQuery attributes Show filterQuery attributes object | null
        • kuery object | null
          Hide kuery attributes Show kuery attributes object | null
          • expression string | null
          • kind string | null
        • serializedQuery string | null
    • savedQueryId string | null

      The ID of the saved query that might be used in the Query tab

    • savedSearchId string | null

      The ID of the saved search that is used in the ES|QL tab

    • sort object | array[object]

      One of:
      Security_Timeline_API_SortObject object array-2 array[object]
      Hide attributes Show attributes object

      Object indicating how rows are sorted in the Timeline's grid

      • columnId string | null
      • columnType string | null
      • sortDirection string | null
    • status string

      The status of the Timeline.

      Values are active, draft, or immutable.

    • templateTimelineId string | null

      A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

    • templateTimelineVersion number | null

      Timeline template version number. For Timelines, the value is null.

    • timelineType string

      The type of Timeline.

      Values are default or template.

    • title string | null

      The Timeline's title.

    • updated number | null

      The last time the Timeline was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the Timeline

    • eventNotes array[object] | null Required
      Hide eventNotes attributes Show eventNotes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        Elasticsearch document _id for the event or alert this note refers to. Same value as the documentIds query parameter when fetching notes via GET /api/note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline this note belongs to (not the note's own ID).

    • globalNotes array[object] | null Required
      Hide globalNotes attributes Show globalNotes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        Elasticsearch document _id for the event or alert this note refers to. Same value as the documentIds query parameter when fetching notes via GET /api/note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline this note belongs to (not the note's own ID).

    • pinnedEventIds array[string] | null Required
    • savedObjectId string | null Required
    • version string | null Required
  • timelinesToUpdate array[object] Required
    Hide timelinesToUpdate attributes Show timelinesToUpdate attributes object
    • columns array[object] | null

      The Timeline's columns

      Hide columns attributes Show columns attributes object
      • aggregatable boolean | null
      • category string | null
      • columnHeaderType string | null
      • description string | null
      • example string | null
      • id string | null
      • indexes array[string] | null
      • name string | null
      • placeholder string | null
      • searchable boolean | null
      • type string | null
    • created number | null

      The time the Timeline was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the Timeline.

    • dataProviders array[object] | null

      Object containing query clauses

      Hide dataProviders attributes Show dataProviders attributes object
      • and array[object] | null
        Hide and attributes Show and attributes object
        • enabled boolean | null
        • excluded boolean | null
        • id string | null
        • kqlQuery string | null
        • name string | null
        • queryMatch object
          Hide queryMatch attributes Show queryMatch attributes object
        • type string

          The type of data provider.

          Values are default or template.

      • enabled boolean | null
      • excluded boolean | null
      • id string | null
      • kqlQuery string | null
      • name string | null
      • queryMatch object
        Hide queryMatch attributes Show queryMatch attributes object
      • type string

        The type of data provider.

        Values are default or template.

    • dataViewId string | null

      ID of the Timeline's Data View

    • dateRange object | null

      The Timeline's search period.

      Hide dateRange attributes Show dateRange attributes object | null
    • description string | null

      The Timeline's description

    • eqlOptions object | null

      EQL query that is used in the correlation tab

      Hide eqlOptions attributes Show eqlOptions attributes object | null
    • eventType string | null Deprecated

      Event types displayed in the Timeline

    • excludedRowRendererIds array[string] | null

      A list of row renderers that should not be used when in Event renderers mode

      Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

    • favorite array[object] | null
      Hide favorite attributes Show favorite attributes object

      Indicates when and who marked a Timeline as a favorite.

      • favoriteDate number | null
      • fullName string | null
      • userName string | null
    • filters array[object] | null

      A list of filters that should be applied to the query

      Hide filters attributes Show filters attributes object
      • exists string | null
      • match_all string | null
      • meta object | null
        Hide meta attributes Show meta attributes object | null
        • alias string | null
        • controlledBy string | null
        • disabled boolean | null
        • field string | null
        • formattedValue string | null
        • index string | null
        • key string | null
        • negate boolean | null
        • params string | null
        • type string | null
        • value string | null
      • missing string | null
      • query string | null
      • range string | null
      • script string | null
    • indexNames array[string] | null

      A list of index names to use in the query (e.g. when the default data view has been modified)

    • kqlMode string | null

      Indicates whether the KQL bar filters the query results or searches for additional results, where:

      • filter: filters query results
      • search: displays additional search results
    • kqlQuery object

      KQL bar query.

      Hide kqlQuery attribute Show kqlQuery attribute object
      • filterQuery object | null
        Hide filterQuery attributes Show filterQuery attributes object | null
        • kuery object | null
          Hide kuery attributes Show kuery attributes object | null
          • expression string | null
          • kind string | null
        • serializedQuery string | null
    • savedQueryId string | null

      The ID of the saved query that might be used in the Query tab

    • savedSearchId string | null

      The ID of the saved search that is used in the ES|QL tab

    • sort object | array[object]

      One of:
      Security_Timeline_API_SortObject object array-2 array[object]
      Hide attributes Show attributes object

      Object indicating how rows are sorted in the Timeline's grid

      • columnId string | null
      • columnType string | null
      • sortDirection string | null
    • status string

      The status of the Timeline.

      Values are active, draft, or immutable.

    • templateTimelineId string | null

      A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

    • templateTimelineVersion number | null

      Timeline template version number. For Timelines, the value is null.

    • timelineType string

      The type of Timeline.

      Values are default or template.

    • title string | null

      The Timeline's title.

    • updated number | null

      The last time the Timeline was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the Timeline

    • eventNotes array[object] | null Required
      Hide eventNotes attributes Show eventNotes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        Elasticsearch document _id for the event or alert this note refers to. Same value as the documentIds query parameter when fetching notes via GET /api/note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline this note belongs to (not the note's own ID).

    • globalNotes array[object] | null Required
      Hide globalNotes attributes Show globalNotes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        Elasticsearch document _id for the event or alert this note refers to. Same value as the documentIds query parameter when fetching notes via GET /api/note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline this note belongs to (not the note's own ID).

    • pinnedEventIds array[string] | null Required
    • savedObjectId string | null Required
    • version string | null Required

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • errors array[object]

      The list of failed Timeline imports

      Hide errors attributes Show errors attributes object
      • error object

        The error containing the reason why the timeline could not be imported

        Hide error attributes Show error attributes object
        • message string

          The reason why the timeline could not be imported

        • status_code number

          The HTTP status code of the error

      • id string

        The ID of the timeline that failed to import

    • success boolean

      Indicates whether any of the Timelines were successfully imports

    • success_count number

      The amount of successfully imported/updated Timelines

    • timelines_installed number

      The amount of successfully installed Timelines

    • timelines_updated number

      The amount of successfully updated Timelines
  • 500 application/json

    Indicates the installation of prepackaged Timelines was unsuccessful.

    Hide response attributes Show response attributes object
    • body string
    • statusCode number
POST /api/timeline/_prepackaged 
curl \
 --request POST 'https://<KIBANA_URL>/api/timeline/_prepackaged' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"prepackagedTimelines":[],"timelinesToInstall":[],"timelinesToUpdate":[]}'
Request example 
{
  "prepackagedTimelines": [],
  "timelinesToInstall": [],
  "timelinesToUpdate": []
}
Response examples (200) 
{
  "errors": [],
  "success": true,
  "success_count": 10,
  "timelines_installed": 8,
  "timelines_updated": 2
}
Response examples (500) 
{
  "body": "Internal error",
  "statusCode": 500
}