Install prepackaged Timelines

POST /api/timeline/_prepackaged

Install or update prepackaged Timelines.

application/json

Body Required

The Timelines to install or update.

  • prepackagedTimelines array[object] Required
    • columns array[object] | null

      The Timeline's columns

      • aggregatable boolean | null
      • category string | null
      • columnHeaderType string | null
      • description string | null
      • example string | null
      • id string | null
      • indexes array[string] | null
      • name string | null
      • placeholder string | null
      • searchable boolean | null
      • type string | null
    • created number | null

      The time the Timeline was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the Timeline.

    • dataProviders array[object] | null

      Object containing query clauses

      • and array[object] | null
        • enabled boolean | null
        • excluded boolean | null
        • id string | null
        • kqlQuery string | null
        • name string | null
        • queryMatch object | null
        • type string | null

          The type of data provider.

          Values are default or template.

      • enabled boolean | null
      • excluded boolean | null
      • id string | null
      • kqlQuery string | null
      • name string | null
      • queryMatch object | null
      • type string | null

        The type of data provider.

        Values are default or template.

    • dataViewId string | null

      ID of the Timeline's Data View

    • dateRange object | null

      The Timeline's search period.

    • description string | null

      The Timeline's description

    • eqlOptions object | null

      EQL query that is used in the correlation tab

    • eventType string | null Deprecated

      Event types displayed in the Timeline

    • excludedRowRendererIds array[string] | null

      A list of row renderers that should not be used when in Event renderers mode

      Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

    • favorite array[object] | null

      Indicates when and who marked a Timeline as a favorite.

      • favoriteDate number | null
      • fullName string | null
      • userName string | null
    • filters array[object] | null

      A list of filters that should be applied to the query

      • exists string | null
      • match_all string | null
      • meta object | null
        • alias string | null
        • controlledBy string | null
        • disabled boolean | null
        • field string | null
        • formattedValue string | null
        • index string | null
        • key string | null
        • negate boolean | null
        • params string | null
        • type string | null
        • value string | null
      • missing string | null
      • query string | null
      • range string | null
      • script string | null
    • indexNames array[string] | null

      A list of index names to use in the query (e.g. when the default data view has been modified)

    • kqlMode string | null

      Indicates whether the KQL bar filters the query results or searches for additional results, where:

      • filter: filters query results
      • search: displays additional search results
    • kqlQuery object | null

      KQL bar query.

      • filterQuery object | null
        • kuery object | null
          • expression string | null
          • kind string | null
        • serializedQuery string | null
    • savedQueryId string | null

      The ID of the saved query that might be used in the Query tab

    • savedSearchId string | null

      The ID of the saved search that is used in the ES|QL tab

    • sort object | null | array[object]

      One of:

      Object indicating how rows are sorted in the Timeline's grid

      • columnId string | null
      • columnType string | null
      • sortDirection string | null
    • status string | null

      The status of the Timeline.

      Values are active, draft, or immutable.

    • templateTimelineId string | null

      A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

    • templateTimelineVersion number | null

      Timeline template version number. For Timelines, the value is null.

    • timelineType string | null

      The type of Timeline.

      Values are default or template.

    • title string | null

      The Timeline's title.

    • updated number | null

      The last time the Timeline was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the Timeline

    • eventIdToNoteIds array[object] | null
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • noteIds array[string] | null
    • notes array[object] | null
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • pinnedEventIds array[string] | null
    • pinnedEventsSaveObject array[object] | null
      • created number | null

        The time the pinned event was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the pinned event.

      • updated number | null

        The last time the pinned event was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the pinned event

      • eventId string Required

        The _id of the associated event for this pinned event.

      • timelineId string Required

        The savedObjectId of the timeline that this pinned event is associated with

      • pinnedEventId string Required

        The savedObjectId of this pinned event

      • version string Required

        The version of this pinned event

    • savedObjectId string Required
    • version string Required
  • timelinesToInstall array[object] Required
    • columns array[object] | null

      The Timeline's columns

      • aggregatable boolean | null
      • category string | null
      • columnHeaderType string | null
      • description string | null
      • example string | null
      • id string | null
      • indexes array[string] | null
      • name string | null
      • placeholder string | null
      • searchable boolean | null
      • type string | null
    • created number | null

      The time the Timeline was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the Timeline.

    • dataProviders array[object] | null

      Object containing query clauses

      • and array[object] | null
        • enabled boolean | null
        • excluded boolean | null
        • id string | null
        • kqlQuery string | null
        • name string | null
        • queryMatch object | null
        • type string | null

          The type of data provider.

          Values are default or template.

      • enabled boolean | null
      • excluded boolean | null
      • id string | null
      • kqlQuery string | null
      • name string | null
      • queryMatch object | null
      • type string | null

        The type of data provider.

        Values are default or template.

    • dataViewId string | null

      ID of the Timeline's Data View

    • dateRange object | null

      The Timeline's search period.

    • description string | null

      The Timeline's description

    • eqlOptions object | null

      EQL query that is used in the correlation tab

    • eventType string | null Deprecated

      Event types displayed in the Timeline

    • excludedRowRendererIds array[string] | null

      A list of row renderers that should not be used when in Event renderers mode

      Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

    • favorite array[object] | null

      Indicates when and who marked a Timeline as a favorite.

      • favoriteDate number | null
      • fullName string | null
      • userName string | null
    • filters array[object] | null

      A list of filters that should be applied to the query

      • exists string | null
      • match_all string | null
      • meta object | null
        • alias string | null
        • controlledBy string | null
        • disabled boolean | null
        • field string | null
        • formattedValue string | null
        • index string | null
        • key string | null
        • negate boolean | null
        • params string | null
        • type string | null
        • value string | null
      • missing string | null
      • query string | null
      • range string | null
      • script string | null
    • indexNames array[string] | null

      A list of index names to use in the query (e.g. when the default data view has been modified)

    • kqlMode string | null

      Indicates whether the KQL bar filters the query results or searches for additional results, where:

      • filter: filters query results
      • search: displays additional search results
    • kqlQuery object | null

      KQL bar query.

      • filterQuery object | null
        • kuery object | null
          • expression string | null
          • kind string | null
        • serializedQuery string | null
    • savedQueryId string | null

      The ID of the saved query that might be used in the Query tab

    • savedSearchId string | null

      The ID of the saved search that is used in the ES|QL tab

    • sort object | null | array[object]

      One of:

      Object indicating how rows are sorted in the Timeline's grid

      • columnId string | null
      • columnType string | null
      • sortDirection string | null
    • status string | null

      The status of the Timeline.

      Values are active, draft, or immutable.

    • templateTimelineId string | null

      A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

    • templateTimelineVersion number | null

      Timeline template version number. For Timelines, the value is null.

    • timelineType string | null

      The type of Timeline.

      Values are default or template.

    • title string | null

      The Timeline's title.

    • updated number | null

      The last time the Timeline was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the Timeline

    • eventNotes array[object] | null Required
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

    • globalNotes array[object] | null Required
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

    • pinnedEventIds array[string] | null Required
    • savedObjectId string | null Required
    • version string | null Required
  • timelinesToUpdate array[object] Required
    • columns array[object] | null

      The Timeline's columns

      • aggregatable boolean | null
      • category string | null
      • columnHeaderType string | null
      • description string | null
      • example string | null
      • id string | null
      • indexes array[string] | null
      • name string | null
      • placeholder string | null
      • searchable boolean | null
      • type string | null
    • created number | null

      The time the Timeline was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the Timeline.

    • dataProviders array[object] | null

      Object containing query clauses

      • and array[object] | null
        • enabled boolean | null
        • excluded boolean | null
        • id string | null
        • kqlQuery string | null
        • name string | null
        • queryMatch object | null
        • type string | null

          The type of data provider.

          Values are default or template.

      • enabled boolean | null
      • excluded boolean | null
      • id string | null
      • kqlQuery string | null
      • name string | null
      • queryMatch object | null
      • type string | null

        The type of data provider.

        Values are default or template.

    • dataViewId string | null

      ID of the Timeline's Data View

    • dateRange object | null

      The Timeline's search period.

    • description string | null

      The Timeline's description

    • eqlOptions object | null

      EQL query that is used in the correlation tab

    • eventType string | null Deprecated

      Event types displayed in the Timeline

    • excludedRowRendererIds array[string] | null

      A list of row renderers that should not be used when in Event renderers mode

      Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

    • favorite array[object] | null

      Indicates when and who marked a Timeline as a favorite.

      • favoriteDate number | null
      • fullName string | null
      • userName string | null
    • filters array[object] | null

      A list of filters that should be applied to the query

      • exists string | null
      • match_all string | null
      • meta object | null
        • alias string | null
        • controlledBy string | null
        • disabled boolean | null
        • field string | null
        • formattedValue string | null
        • index string | null
        • key string | null
        • negate boolean | null
        • params string | null
        • type string | null
        • value string | null
      • missing string | null
      • query string | null
      • range string | null
      • script string | null
    • indexNames array[string] | null

      A list of index names to use in the query (e.g. when the default data view has been modified)

    • kqlMode string | null

      Indicates whether the KQL bar filters the query results or searches for additional results, where:

      • filter: filters query results
      • search: displays additional search results
    • kqlQuery object | null

      KQL bar query.

      • filterQuery object | null
        • kuery object | null
          • expression string | null
          • kind string | null
        • serializedQuery string | null
    • savedQueryId string | null

      The ID of the saved query that might be used in the Query tab

    • savedSearchId string | null

      The ID of the saved search that is used in the ES|QL tab

    • sort object | null | array[object]

      One of:

      Object indicating how rows are sorted in the Timeline's grid

      • columnId string | null
      • columnType string | null
      • sortDirection string | null
    • status string | null

      The status of the Timeline.

      Values are active, draft, or immutable.

    • templateTimelineId string | null

      A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

    • templateTimelineVersion number | null

      Timeline template version number. For Timelines, the value is null.

    • timelineType string | null

      The type of Timeline.

      Values are default or template.

    • title string | null

      The Timeline's title.

    • updated number | null

      The last time the Timeline was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the Timeline

    • eventNotes array[object] | null Required
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

    • globalNotes array[object] | null Required
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

    • pinnedEventIds array[string] | null Required
    • savedObjectId string | null Required
    • version string | null Required

Responses

  • 200 application/json

    Indicates the installation of prepackaged Timelines was successful.

    • errors array[object]

      The list of failed Timeline imports

      • error object

        The error containing the reason why the timeline could not be imported

        • message string

          The reason why the timeline could not be imported

        • status_code number

          The HTTP status code of the error

      • id string

        The ID of the timeline that failed to import

    • success boolean

      Indicates whether any of the Timelines were successfully imported

    • success_count number

      The number of successfully imported or updated Timelines

    • timelines_installed number

      The number of successfully installed Timelines

    • timelines_updated number

      The number of successfully updated Timelines

  • 500 application/json

    Indicates the installation of prepackaged Timelines was unsuccessful.

    • body string
    • statusCode number
POST /api/timeline/_prepackaged
curl \
 --request POST 'https://<KIBANA_URL>/api/timeline/_prepackaged' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{
  "prepackagedTimelines":[
   {"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],
    "created":1587468588922,
    "createdBy":"casetester",
    "dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],
    "dataViewId":"security-solution-default",
    "dateRange":{"end":1587456479201,"start":1587370079200},
    "description":"Investigating exposure of CVE XYZ",
    "eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},
    "eventType":"all",
    "excludedRowRendererIds":["alert"],
    "favorite":[{"userName":"elastic","favoriteDate":1741337636741}],
    "filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],
    "indexNames":[".logs*"],
    "kqlMode":"search",
    "kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},
    "savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
    "savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "sort":{"columnId":"@timestamp","sortDirection":"desc"},
    "status":"active",
    "templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "templateTimelineVersion":12,
    "timelineType":"default",
    "title":"CVE XYZ investigation",
    "updated":1741344876825,
    "updatedBy":"casetester",
    "eventIdToNoteIds":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","version":"WzQ2LDFd"}],
    "noteIds":["string"],
    "notes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","version":"WzQ2LDFd"}],
    "pinnedEventIds":["string"],
    "pinnedEventsSaveObject":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","pinnedEventId":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","version":"WzQ2LDFe"}],
    "savedObjectId":"string",
    "version":"string"}
  ],
  "timelinesToInstall":[
   {"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],
    "created":1587468588922,
    "createdBy":"casetester",
    "dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],
    "dataViewId":"security-solution-default",
    "dateRange":{"end":1587456479201,"start":1587370079200},
    "description":"Investigating exposure of CVE XYZ",
    "eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},
    "eventType":"all",
    "excludedRowRendererIds":["alert"],
    "favorite":[{"userName":"elastic","favoriteDate":1741337636741}],
    "filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],
    "indexNames":[".logs*"],
    "kqlMode":"search",
    "kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},
    "savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
    "savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "sort":{"columnId":"@timestamp","sortDirection":"desc"},
    "status":"active",
    "templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "templateTimelineVersion":12,
    "timelineType":"default",
    "title":"CVE XYZ investigation",
    "updated":1741344876825,
    "updatedBy":"casetester",
    "eventNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],
    "globalNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],
    "pinnedEventIds":["string"],
    "savedObjectId":"string",
    "version":"string"}
  ],
  "timelinesToUpdate":[
   {"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],
    "created":1587468588922,
    "createdBy":"casetester",
    "dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],
    "dataViewId":"security-solution-default",
    "dateRange":{"end":1587456479201,"start":1587370079200},
    "description":"Investigating exposure of CVE XYZ",
    "eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},
    "eventType":"all",
    "excludedRowRendererIds":["alert"],
    "favorite":[{"userName":"elastic","favoriteDate":1741337636741}],
    "filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],
    "indexNames":[".logs*"],
    "kqlMode":"search",
    "kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},
    "savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
    "savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "sort":{"columnId":"@timestamp","sortDirection":"desc"},
    "status":"active",
    "templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075",
    "templateTimelineVersion":12,
    "timelineType":"default",
    "title":"CVE XYZ investigation",
    "updated":1741344876825,
    "updatedBy":"casetester",
    "eventNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],
    "globalNotes":[{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}],
    "pinnedEventIds":["string"],
    "savedObjectId":"string",
    "version":"string"}
  ]
 }'
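The following Python helper is an added example, not Kibana's code and not part of this reference page. It checks a request body against the Required fields listed in the schema above (the three top-level arrays, savedObjectId/version on every item, eventNotes/globalNotes/pinnedEventIds on install and update items, timelineId/noteId/version on notes), sends it to the endpoint, and folds the documented 200 and 500 response shapes into one result so that a 200 carrying success=false or a non-empty errors list is not mistaken for a clean install. The kbn-xsrf header is a Kibana convention for non-GET requests that the curl sample does not show; the sample body, its placeholder IDs and the name example_body are constructed for this example, and the api_key argument is assumed to hold the complete Authorization header value.

```python
"""Client-side helpers for POST /api/timeline/_prepackaged (added example, not Kibana code)."""
import json
import urllib.error
import urllib.request

# Required keys taken from the schema on this page.
BODY_REQUIRED = ("prepackagedTimelines", "timelinesToInstall", "timelinesToUpdate")
PREPACKAGED_ITEM_REQUIRED = ("savedObjectId", "version")
INSTALL_UPDATE_ITEM_REQUIRED = ("eventNotes", "globalNotes", "pinnedEventIds",
                                "savedObjectId", "version")
PREPACKAGED_NOTE_REQUIRED = ("timelineId", "noteId", "version")
INSTALL_UPDATE_NOTE_REQUIRED = ("timelineId",)
STATUS_VALUES = {"active", "draft", "immutable"}
TIMELINE_TYPES = {"default", "template"}


def _check_item(where, item, required, note_lists, note_required):
    """Problems for one timeline object; a null item is allowed by the schema."""
    if item is None:
        return []
    problems = [f"{where}.{key}: required" for key in required if key not in item]
    if item.get("status") not in STATUS_VALUES | {None}:
        problems.append(f"{where}.status: must be one of {sorted(STATUS_VALUES)}")
    if item.get("timelineType") not in TIMELINE_TYPES | {None}:
        problems.append(f"{where}.timelineType: must be one of {sorted(TIMELINE_TYPES)}")
    for list_name in note_lists:
        for j, note in enumerate(item.get(list_name) or []):
            problems += [f"{where}.{list_name}[{j}].{key}: required"
                         for key in note_required if key not in note]
    return problems


def validate_body(body):
    """Return a list of schema problems; an empty list means the body is acceptable."""
    problems = [f"{key}: missing or not an array" for key in BODY_REQUIRED
                if not isinstance(body.get(key), list)]
    for i, item in enumerate(body.get("prepackagedTimelines") or []):
        problems += _check_item(f"prepackagedTimelines[{i}]", item, PREPACKAGED_ITEM_REQUIRED,
                                ("eventIdToNoteIds", "notes"), PREPACKAGED_NOTE_REQUIRED)
    for section in ("timelinesToInstall", "timelinesToUpdate"):
        for i, item in enumerate(body.get(section) or []):
            problems += _check_item(f"{section}[{i}]", item, INSTALL_UPDATE_ITEM_REQUIRED,
                                    ("eventNotes", "globalNotes"), INSTALL_UPDATE_NOTE_REQUIRED)
    return problems


def summarize_response(status, payload):
    """Collapse the documented 200 and 500 bodies into one dict.
    A 200 with success=false or a non-empty errors list counts as a failure."""
    if status != 200:
        # 500 shape: {"body": ..., "statusCode": ...}
        return {"ok": False, "installed": 0, "updated": 0,
                "failed": [f"HTTP {payload.get('statusCode', status)}: {payload.get('body')}"]}
    failed = [f"{e.get('id')}: {e['error']['message']} (status {e['error']['status_code']})"
              for e in payload.get("errors", [])]
    return {"ok": bool(payload.get("success")) and not failed,
            "installed": payload.get("timelines_installed", 0),
            "updated": payload.get("timelines_updated", 0),
            "failed": failed}


def install_prepackaged(kibana_url, api_key, body):
    """Validate, POST, and summarize. api_key is assumed to be the full header value."""
    problems = validate_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{kibana_url}/api/timeline/_prepackaged",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Content-Type": "application/json",
                 "kbn-xsrf": "true"},  # Kibana requires kbn-xsrf on state-changing requests
        method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return summarize_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return summarize_response(err.code, json.load(err))


def example_body():
    """Constructed minimal body: one timeline to install, nothing prepackaged or updated."""
    return {
        "prepackagedTimelines": [],
        "timelinesToInstall": [{
            "title": "Constructed sample timeline", "timelineType": "default", "status": "active",
            "eventNotes": [],
            "globalNotes": [{"note": "sample", "timelineId": "TIMELINE-ID-PLACEHOLDER"}],
            "pinnedEventIds": [], "savedObjectId": None, "version": None}],
        "timelinesToUpdate": [],
    }
```

validate_body only checks presence of the Required keys and the enumerated status/timelineType values; it deliberately does not enforce the template-vs-timeline rule for templateTimelineId, because the page's own sample sets that field on a default timeline.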