Get Timelines or Timeline templates

GET /api/timelines
Api key auth

Get a list of all saved Timelines or Timeline templates.

Query parameters

  • only_user_favorite string | null

    If true, only timelines that are marked as favorites by the user are returned.

    Values are true or false.

  • timeline_type string | null

    The type of Timeline.

    Values are default or template.

  • sort_field string

    The field to sort the timelines by.

    Values are title, description, updated, or created.

  • sort_order string

    Whether to sort the results ascending or descending

    Values are asc or desc.

  • page_size string | null

    How many results should returned at once

  • page_index string | null

    How many pages should be skipped

  • status string | null

    The status of the Timeline.

    Values are active, draft, or immutable.

Responses

  • 200 application/json

    Indicates that the (template) Timelines were found and returned.

    Hide response attributes Show response attributes object
    • customTemplateTimelineCount number

      The amount of custom Timeline templates in the results

    • defaultTimelineCount number

      The amount of default type Timelines in the results

    • elasticTemplateTimelineCount number

      The amount of Elastic's Timeline templates in the results

    • favoriteCount number

      The amount of favorited Timelines

    • templateTimelineCount number

      The amount of Timeline templates in the results

    • timeline array[object] Required
      Hide timeline attributes Show timeline attributes object
      • columns array[object] | null

        The Timeline's columns

        Hide columns attributes Show columns attributes object
        • aggregatable boolean | null
        • category string | null
        • columnHeaderType string | null
        • description string | null
        • example string | null
        • id string | null
        • indexes array[string] | null
        • name string | null
        • placeholder string | null
        • searchable boolean | null
        • type string | null
      • created number | null

        The time the Timeline was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the Timeline.

      • dataProviders array[object] | null

        Object containing query clauses

        Hide dataProviders attributes Show dataProviders attributes object
        • and array[object] | null
          Hide and attributes Show and attributes object
          • enabled boolean | null
          • excluded boolean | null
          • id string | null
          • kqlQuery string | null
          • name string | null
          • queryMatch object | null
            Hide queryMatch attributes Show queryMatch attributes object | null
          • type string | null

            The type of data provider.

            Values are default or template.

        • enabled boolean | null
        • excluded boolean | null
        • id string | null
        • kqlQuery string | null
        • name string | null
        • queryMatch object | null
          Hide queryMatch attributes Show queryMatch attributes object | null
        • type string | null

          The type of data provider.

          Values are default or template.

      • dataViewId string | null

        ID of the Timeline's Data View

      • dateRange object | null

        The Timeline's search period.

        Hide dateRange attributes Show dateRange attributes object | null
      • description string | null

        The Timeline's description

      • eqlOptions object | null

        EQL query that is used in the correlation tab

        Hide eqlOptions attributes Show eqlOptions attributes object | null
      • eventType string | null Deprecated

        Event types displayed in the Timeline

      • excludedRowRendererIds array[string] | null

        A list of row renderers that should not be used when in Event renderers mode

        Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

      • favorite array[object] | null

        Indicates when and who marked a Timeline as a favorite.

        Hide favorite attributes Show favorite attributes object
        • favoriteDate number | null
        • fullName string | null
        • userName string | null
      • filters array[object] | null

        A list of filters that should be applied to the query

        Hide filters attributes Show filters attributes object
        • exists string | null
        • match_all string | null
        • meta object | null
          Hide meta attributes Show meta attributes object | null
          • alias string | null
          • controlledBy string | null
          • disabled boolean | null
          • field string | null
          • formattedValue string | null
          • index string | null
          • key string | null
          • negate boolean | null
          • params string | null
          • type string | null
          • value string | null
        • missing string | null
        • query string | null
        • range string | null
        • script string | null
      • indexNames array[string] | null

        A list of index names to use in the query (e.g. when the default data view has been modified)

      • kqlMode string | null

        Indicates whether the KQL bar filters the query results or searches for additional results, where:

        • filter: filters query results
        • search: displays additional search results
      • kqlQuery object | null

        KQL bar query.

        Hide kqlQuery attribute Show kqlQuery attribute object | null
        • filterQuery object | null
          Hide filterQuery attributes Show filterQuery attributes object | null
          • kuery object | null
            Hide kuery attributes Show kuery attributes object | null
            • expression string | null
            • kind string | null
          • serializedQuery string | null
      • savedQueryId string | null

        The ID of the saved query that might be used in the Query tab

      • savedSearchId string | null

        The ID of the saved search that is used in the ES|QL tab

      • sort object | null | array[object]

        One of:
        Security_Timeline_API_SortObject object | null array-2 array[object] | null

        Object indicating how rows are sorted in the Timeline's grid

        Hide attributes Show attributes object
        • columnId string | null
        • columnType string | null
        • sortDirection string | null

      • sort object | null | array[object]

        One of:
        Security_Timeline_API_SortObject object | null array-2 array[object] | null

        Object indicating how rows are sorted in the Timeline's grid

        Hide attributes Show attributes object
        • columnId string | null
        • columnType string | null
        • sortDirection string | null
      • status string | null

        The status of the Timeline.

        Values are active, draft, or immutable.

      • templateTimelineId string | null

        A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

      • templateTimelineVersion number | null

        Timeline template version number. For Timelines, the value is null.

      • timelineType string | null

        The type of Timeline.

        Values are default or template.

      • title string | null

        The Timeline's title.

      • updated number | null

        The last time the Timeline was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the Timeline

      • savedObjectId string Required

        The savedObjectId of the Timeline or Timeline template

      • version string Required

        The version of the Timeline or Timeline template

      • eventIdToNoteIds array[object] | null

        A list of all the notes that are associated to this Timeline.

        Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
        • created number | null

          The time the note was created, using a 13-digit Epoch timestamp.

        • createdBy string | null

          The user who created the note.

        • updated number | null

          The last time the note was updated, using a 13-digit Epoch timestamp

        • updatedBy string | null

          The user who last updated the note

        • eventId string | null

          The _id of the associated event for this note.

        • note string | null

          The text of the note

        • timelineId string Required

          The savedObjectId of the Timeline that this note is associated with

        • noteId string Required

          The savedObjectId of the note

        • version string Required

          The version of the note

      • noteIds array[string] | null

        A list of all the ids of notes that are associated to this Timeline.

      • notes array[object] | null

        A list of all the notes that are associated to this Timeline.

        Hide notes attributes Show notes attributes object
        • created number | null

          The time the note was created, using a 13-digit Epoch timestamp.

        • createdBy string | null

          The user who created the note.

        • updated number | null

          The last time the note was updated, using a 13-digit Epoch timestamp

        • updatedBy string | null

          The user who last updated the note

        • eventId string | null

          The _id of the associated event for this note.

        • note string | null

          The text of the note

        • timelineId string Required

          The savedObjectId of the Timeline that this note is associated with

        • noteId string Required

          The savedObjectId of the note

        • version string Required

          The version of the note

      • pinnedEventIds array[string] | null

        A list of all the ids of pinned events that are associated to this Timeline.

      • pinnedEventsSaveObject array[object] | null

        A list of all the pinned events that are associated to this Timeline.

        Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
        • created number | null

          The time the pinned event was created, using a 13-digit Epoch timestamp.

        • createdBy string | null

          The user who created the pinned event.

        • updated number | null

          The last time the pinned event was updated, using a 13-digit Epoch timestamp

        • updatedBy string | null

          The user who last updated the pinned event

        • eventId string Required

          The _id of the associated event for this pinned event.

        • timelineId string Required

          The savedObjectId of the timeline that this pinned event is associated with

        • pinnedEventId string Required

          The savedObjectId of this pinned event

        • version string Required

          The version of this pinned event

    • totalCount number Required

      The total amount of results
  • 400 application:json

    Bad request. The user supplied invalid data.

    Hide response attributes Show response attributes object
    • body string

      The error message

    • statusCode number
GET /api/timelines 
curl \
 --request GET 'https://<KIBANA_URL>/api/timelines' \
 --header "Authorization: $API_KEY"