github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 17:28:26 -04:00
Code Issues Projects Releases Packages Wiki Activity

[8.18] [Threat Hunting Investigations] Improve API docs for notes/timeline (#213584) (#214528)

Browse source 
# Backport

This will backport the following commits from `main` to `8.18`:
- [[Threat Hunting Investigations] Improve API docs for notes/timeline
(#213584)](https://github.com/elastic/kibana/pull/213584)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Jan
Monschke","email":"jan.monschke@elastic.co"},"sourceCommit":{"committedDate":"2025-03-12T17:55:54Z","message":"[Threat
Hunting Investigations] Improve API docs for notes/timeline
(#213584)\n\n##
Summary\n\n[META\nissue](https://github.com/elastic/security-docs-internal/issues/57)\n\nThis
PR improves the API documentation for timeline/notes/pinned events\nas
per the definition in the meta issue.\n\n### Notes\n#### Timeline API\n-
`eventType`:\n\t- is always set to `all`\n\t- looks like it's been
superseded by dataView?\n\t- I marked it as `deperecated` \n-
`eventIdToNoteIds`:\n- there's a type mismatch between what the frontend
expects and what is\nreturned\n\t- also it does not seem to be used
anymore?\n\t- it needs to be investigated further\n#### Notes API\n-
`GlobalNote`:\n\t- looks like it's not used anymore\n\t- I removed it,
nothing broke\n- `eventIngested`, `eventTimestamp`, `eventDataView` and
`overrideOwner`\nare all not used on the patch note endpoint, I removed
them. The\n`event*` ones I have never seen before to be
honest.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"e3311c516b45999e875b92ff14140a3197babfc6","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Threat
Hunting:Investigations","backport:all-open","v9.1.0"],"title":"[Threat
Hunting Investigations] Improve API docs for
notes/timeline","number":213584,"url":"https://github.com/elastic/kibana/pull/213584","mergeCommit":{"message":"[Threat
Hunting Investigations] Improve API docs for notes/timeline
(#213584)\n\n##
Summary\n\n[META\nissue](https://github.com/elastic/security-docs-internal/issues/57)\n\nThis
PR improves the API documentation for timeline/notes/pinned events\nas
per the definition in the meta issue.\n\n### Notes\n#### Timeline API\n-
`eventType`:\n\t- is always set to `all`\n\t- looks like it's been
superseded by dataView?\n\t- I marked it as `deperecated` \n-
`eventIdToNoteIds`:\n- there's a type mismatch between what the frontend
expects and what is\nreturned\n\t- also it does not seem to be used
anymore?\n\t- it needs to be investigated further\n#### Notes API\n-
`GlobalNote`:\n\t- looks like it's not used anymore\n\t- I removed it,
nothing broke\n- `eventIngested`, `eventTimestamp`, `eventDataView` and
`overrideOwner`\nare all not used on the patch note endpoint, I removed
them. The\n`event*` ones I have never seen before to be
honest.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"e3311c516b45999e875b92ff14140a3197babfc6"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/214261","number":214261,"state":"MERGED","mergeCommit":{"sha":"77caf7c24a7424c52e5b37107768ce3d4ff15bfb","message":"[9.0]
[Threat Hunting Investigations] Improve API docs for notes/timeline
(#213584) (#214261)\n\n# Backport\n\nThis will backport the following
commits from `main` to `9.0`:\n- [[Threat Hunting Investigations]
Improve API docs for
notes/timeline\n(#213584)](https://github.com/elastic/kibana/pull/213584)\n\n\n\n###
Questions ?\nPlease refer to the [Backport
tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by:
Jan Monschke
<jan.monschke@elastic.co>"}},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213584","number":213584,"mergeCommit":{"message":"[Threat
Hunting Investigations] Improve API docs for notes/timeline
(#213584)\n\n##
Summary\n\n[META\nissue](https://github.com/elastic/security-docs-internal/issues/57)\n\nThis
PR improves the API documentation for timeline/notes/pinned events\nas
per the definition in the meta issue.\n\n### Notes\n#### Timeline API\n-
`eventType`:\n\t- is always set to `all`\n\t- looks like it's been
superseded by dataView?\n\t- I marked it as `deperecated` \n-
`eventIdToNoteIds`:\n- there's a type mismatch between what the frontend
expects and what is\nreturned\n\t- also it does not seem to be used
anymore?\n\t- it needs to be investigated further\n#### Notes API\n-
`GlobalNote`:\n\t- looks like it's not used anymore\n\t- I removed it,
nothing broke\n- `eventIngested`, `eventTimestamp`, `eventDataView` and
`overrideOwner`\nare all not used on the patch note endpoint, I removed
them. The\n`event*` ones I have never seen before to be
honest.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"e3311c516b45999e875b92ff14140a3197babfc6"}}]}]
BACKPORT-->
This commit is contained in:
Jan Monschke 2025-03-14 16:39:26 +01:00 committed by GitHub
parent 482eec6598
commit 0fef04ccc6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
24 changed files with 1818 additions and 518 deletions
Download patch file Download diff file Expand all files Collapse all files

369
oas_docs/output/kibana.serverless.yaml
View file

@ -35121,24 +35121,17 @@ paths:
schema:
type: object
properties:
eventDataView:
nullable: true
type: string
eventIngested:
nullable: true
type: string
eventTimestamp:
nullable: true
type: string
note:
$ref: '#/components/schemas/Security_Timeline_API_BareNote'
description: The note to add or update.
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
nullable: true
type: string
overrideOwner:
nullable: true
type: boolean
version:
description: The version of the note
example: WzQ2LDFd
nullable: true
type: string
required:
@ -35551,7 +35544,7 @@ paths:
x-beta: true
/api/pinned_event:
patch:
description: Pin an event to an existing Timeline.
description: Pin/unpin an event to/from an existing Timeline.
operationId: PersistPinnedEventRoute
requestBody:
content:
@ -35560,16 +35553,22 @@ paths:
type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
pinnedEventId:
description: The `savedObjectId` of the pinned event you want to unpin.
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
nullable: true
type: string
timelineId:
description: The `savedObjectId` of the timeline that you want this pinned event unpinned from.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
description: The pinned event to add or update, along with additional metadata.
description: The pinned event to add or unpin, along with additional metadata.
required: true
responses:
'200':
@ -35577,8 +35576,8 @@ paths:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse'
description: Indicates the event was successfully pinned to the Timeline.
summary: Pin an event
description: Indicates the event was successfully pinned to or unpinned from the Timeline.
summary: Pin/unpin an event
tags:
- Security Timeline API
x-beta: true
@ -37612,11 +37611,17 @@ paths:
type: object
properties:
savedObjectIds:
description: The list of IDs of the Timelines or Timeline templates to delete
example:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
items:
type: string
type: array
searchIds:
description: Saved search ids that should be deleted alongside the timelines
description: Saved search IDs that should be deleted alongside the timelines
example:
- 23f3-43g34g322-e5g5hrh6h-45454
- 6ce1b592-84e3-4b4a-9552-f189d4b82075
items:
type: string
type: array
@ -37635,12 +37640,12 @@ paths:
description: Get the details of an existing saved Timeline or Timeline template.
operationId: GetTimeline
parameters:
- description: The ID of the template timeline to retrieve
- description: The `savedObjectId` of the template timeline to retrieve
in: query
name: template_timeline_id
schema:
type: string
- description: The ID of the Timeline to retrieve.
- description: The `savedObjectId` of the Timeline to retrieve.
in: query
name: id
schema:
@ -37667,10 +37672,15 @@ paths:
properties:
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
description: The timeline object of the Timeline or Timeline template that youre updating.
timelineId:
description: The `savedObjectId` of the Timeline or Timeline template that youre updating.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
nullable: true
type: string
version:
description: The version of the Timeline or Timeline template that youre updating.
example: WzE0LDFd
nullable: true
type: string
required:
@ -37685,7 +37695,7 @@ paths:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
description: Indicates that the Timeline was successfully updated.
'405':
content:
application/json; Elastic-Api-Version=2023-10-31:
@ -37693,10 +37703,13 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that the user does not have the required access to create a draft Timeline.
description: Indicates that the user does not have the required access to create a Timeline.
summary: Update a Timeline
tags:
- Security Timeline API
@ -37714,14 +37727,20 @@ paths:
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
templateTimelineId:
description: A unique identifier for the Timeline template.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number.
example: 12
nullable: true
type: number
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
timelineId:
description: A unique identifier for the Timeline.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
timelineType:
@ -37748,8 +37767,11 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that there was an error in the Timeline creation.
summary: Create a Timeline or Timeline template
@ -37990,6 +38012,7 @@ paths:
properties:
file: {}
isImmutable:
description: Whether the Timeline should be immutable
enum:
- 'true'
- 'false'
@ -38012,10 +38035,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Invalid file extension
type: string
statusCode:
example: 400
type: number
description: Indicates the import of Timelines was unsuccessful because of an invalid file extension.
'404':
@ -38024,9 +38048,12 @@ paths:
schema:
type: object
properties:
id:
body:
description: The error message
example: Unable to find saved object client
type: string
statusCode:
example: 404
type: number
description: Indicates that we were unable to locate the saved object client necessary to handle the import.
'409':
@ -38036,10 +38063,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Could not import timelines
type: string
statusCode:
example: 409
type: number
description: Indicates the import of Timelines was unsuccessful.
summary: Import Timelines
@ -38151,24 +38179,28 @@ paths:
name: sort_field
schema:
$ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline'
- in: query
- description: Whether to sort the results `ascending` or `descending`
in: query
name: sort_order
schema:
enum:
- asc
- desc
type: string
- in: query
- description: How many results should returned at once
in: query
name: page_size
schema:
nullable: true
type: string
- in: query
- description: How many pages should be skipped
in: query
name: page_index
schema:
nullable: true
type: string
- in: query
- description: Allows to search for timelines by their title
in: query
name: search
schema:
nullable: true
@ -38186,20 +38218,32 @@ paths:
type: object
properties:
customTemplateTimelineCount:
description: The amount of custom Timeline templates in the results
example: 2
type: number
defaultTimelineCount:
description: The amount of `default` type Timelines in the results
example: 90
type: number
elasticTemplateTimelineCount:
description: The amount of Elastic's Timeline templates in the results
example: 8
type: number
favoriteCount:
description: The amount of favorited Timelines
example: 5
type: number
templateTimelineCount:
description: The amount of Timeline templates in the results
example: 10
type: number
timeline:
items:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
type: array
totalCount:
description: The total amount of results
example: 100
type: number
required:
- timeline
@ -38212,8 +38256,11 @@ paths:
type: object
properties:
body:
description: The error message
example: get timeline error
type: string
statusCode:
example: 405
type: number
description: Bad request. The user supplied invalid data.
summary: Get Timelines or Timeline templates
@ -52992,52 +53039,42 @@ components:
- orphan
type: string
Security_Timeline_API_BareNote:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
nullable: true
type: string
note:
nullable: true
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- timelineId
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this note.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
nullable: true
type: string
note:
description: The text of the note
example: This is an example text
nullable: true
type: string
timelineId:
description: The `savedObjectId` of the Timeline that this note is associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- timelineId
Security_Timeline_API_BarePinnedEvent:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- eventId
- timelineId
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
timelineId:
description: The `savedObjectId` of the timeline that this pinned event is associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
Security_Timeline_API_ColumnHeaderResult:
type: object
properties:
@ -53130,7 +53167,7 @@ components:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
nullable: true
Security_Timeline_API_DataProviderType:
description: The type of data provider to create. Valid values are `default` and `template`.
description: The type of data provider.
enum:
- default
- template
@ -53164,6 +53201,10 @@ components:
- savedObjectId
- version
Security_Timeline_API_FavoriteTimelineResult:
description: Indicates when and who marked a Timeline as a favorite.
example:
favoriteDate: 1741337636741
userName: elastic
type: object
properties:
favoriteDate:
@ -53176,6 +53217,16 @@ components:
nullable: true
type: string
Security_Timeline_API_FilterTimelineResult:
example:
meta:
alias: Custom filter name
disabled: false
index: .alerts-security.alerts-default,logs-*
key: '@timestamp'
negate: false,
type: exists
value: exists
query: '{"exists":{"field":"@timestamp"}}'
type: object
properties:
exists:
@ -53249,26 +53300,41 @@ components:
type: object
properties:
errors:
description: The list of failed Timeline imports
items:
type: object
properties:
error:
description: The error containing the reason why the timeline could not be imported
type: object
properties:
message:
description: The reason why the timeline could not be imported
example: Malformed JSON
type: string
status_code:
description: The HTTP status code of the error
example: 400
type: number
id:
description: The ID of the timeline that failed to import
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
type: string
type: array
success:
description: Indicates whether any of the Timelines were successfully imports
type: boolean
success_count:
description: The amount of successfully imported/updated Timelines
example: 99
type: number
timelines_installed:
description: The amount of successfully installed Timelines
example: 80
type: number
timelines_updated:
description: The amount of successfully updated Timelines
example: 19
type: number
Security_Timeline_API_ImportTimelines:
allOf:
@ -53308,18 +53374,46 @@ components:
- type: object
properties:
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
type: string
version:
description: The version of the note
example: WzQ2LDFd
type: string
required:
- noteId
- version
Security_Timeline_API_NoteCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: The time the note was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the note.
example: casetester
nullable: true
type: string
updated:
description: The last time the note was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the note
example: casetester
nullable: true
type: string
Security_Timeline_API_PersistPinnedEventResponse:
oneOf:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
- type: object
properties:
unpinned:
description: Indicates whether the event was successfully unpinned
type: boolean
required:
- unpinned
@ -53331,12 +53425,39 @@ components:
- type: object
properties:
pinnedEventId:
description: The `savedObjectId` of this pinned event
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
type: string
version:
description: The version of this pinned event
example: WzQ2LDFe
type: string
required:
- pinnedEventId
- version
Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: The time the pinned event was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the pinned event.
example: casetester
nullable: true
type: string
updated:
description: The last time the pinned event was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the pinned event
example: casetester
nullable: true
type: string
Security_Timeline_API_QueryMatchResult:
type: object
properties:
@ -53382,6 +53503,7 @@ components:
required:
- note
Security_Timeline_API_RowRendererId:
description: Identifies the available row renderers
enum:
- alert
- alerts
@ -53423,25 +53545,51 @@ components:
type: object
properties:
columns:
description: The Timeline's columns
example:
- columnHeaderType: not-filtered
id: '@timestamp'
- columnHeaderType: not-filtered
id: event.category
items:
$ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult'
nullable: true
type: array
created:
description: The time the Timeline was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the Timeline.
example: casetester
nullable: true
type: string
dataProviders:
description: Object containing query clauses
example:
- enabled: true
excluded: false
id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
queryMatch:
field: _id,
operator: ':'
value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,
items:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderResult'
nullable: true
type: array
dataViewId:
description: ID of the Timeline's Data View
example: security-solution-default
nullable: true
type: string
dateRange:
description: The Timeline's search period.
example:
end: 1587456479201
start: 1587370079200
nullable: true
type: object
properties:
@ -53458,9 +53606,17 @@ components:
- nullable: true
type: number
description:
description: The Timeline's description
example: Investigating exposure of CVE XYZ
nullable: true
type: string
eqlOptions:
description: EQL query that is used in the correlation tab
example:
eventCategoryField: event.category
query: sequence\n[process where process.name == "sudo"]\n[any where true]
size: 100
timestampField: '@timestamp'
nullable: true
type: object
properties:
@ -53483,9 +53639,13 @@ components:
nullable: true
type: string
eventType:
deprecated: true
description: Event types displayed in the Timeline
example: all
nullable: true
type: string
excludedRowRendererIds:
description: A list of row renderers that should not be used when in `Event renderers` mode
items:
$ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
nullable: true
@ -53496,53 +53656,72 @@ components:
nullable: true
type: array
filters:
description: A list of filters that should be applied to the query
items:
$ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult'
nullable: true
type: array
indexNames:
description: A list of index names to use in the query (e.g. when the default data view has been modified)
example:
- .logs*
items:
type: string
nullable: true
type: array
kqlMode:
description: |-
Indicates whether the KQL bar filters the query results or searches for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
example: search
nullable: true
type: string
kqlQuery:
$ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult'
nullable: true
savedQueryId:
description: The ID of the saved query that might be used in the Query tab
example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
nullable: true
type: string
savedSearchId:
description: The ID of the saved search that is used in the ES|QL tab
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
sort:
$ref: '#/components/schemas/Security_Timeline_API_Sort'
nullable: true
status:
enum:
- active
- draft
- immutable
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
type: string
templateTimelineId:
description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number. For Timelines, the value is `null`.
example: 12
nullable: true
type: number
timelineType:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
nullable: true
title:
description: The Timeline's title.
example: CVE XYZ investigation
nullable: true
type: string
updated:
description: The last time the Timeline was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the Timeline
example: casetester
nullable: true
type: string
Security_Timeline_API_SavedTimelineWithSavedObjectId:
@ -53551,13 +53730,24 @@ components:
- type: object
properties:
savedObjectId:
description: The `savedObjectId` of the Timeline or Timeline template
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
version:
description: The version of the Timeline or Timeline template
example: WzE0LDFd
type: string
required:
- savedObjectId
- version
Security_Timeline_API_SerializedFilterQueryResult:
description: KQL bar query.
example:
filterQuery: null
kuery:
expression: '_id : *'
kind: kuery
serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}'
type: object
properties:
filterQuery:
@ -53592,6 +53782,10 @@ components:
- created
type: string
Security_Timeline_API_SortObject:
description: Object indicating how rows are sorted in the Timeline's grid
example:
columnId: '@timestamp'
sortDirection: desc
type: object
properties:
columnId:
@ -53610,26 +53804,35 @@ components:
- type: object
properties:
eventIdToNoteIds:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
noteIds:
description: A list of all the ids of notes that are associated to this Timeline.
example:
- 709f99c6-89b6-4953-9160-35945c8e174e
items:
type: string
nullable: true
type: array
notes:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
pinnedEventIds:
description: A list of all the ids of pinned events that are associated to this Timeline.
example:
- 983f99c6-89b6-4953-9160-35945c8a194f
items:
type: string
nullable: true
type: array
pinnedEventsSaveObject:
description: A list of all the pinned events that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
nullable: true
@ -53672,14 +53875,14 @@ components:
- savedObjectId
- version
Security_Timeline_API_TimelineStatus:
description: The status of the timeline. Valid values are `active`, `draft`, and `immutable`.
description: The status of the Timeline.
enum:
- active
- draft
- immutable
type: string
Security_Timeline_API_TimelineType:
description: The type of timeline to create. Valid values are `default` and `template`.
description: The type of Timeline.
enum:
- default
- template

368
oas_docs/output/kibana.yaml
View file

@ -18663,24 +18663,17 @@ paths:
schema:
type: object
properties:
eventDataView:
nullable: true
type: string
eventIngested:
nullable: true
type: string
eventTimestamp:
nullable: true
type: string
note:
$ref: '#/components/schemas/Security_Timeline_API_BareNote'
description: The note to add or update.
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
nullable: true
type: string
overrideOwner:
nullable: true
type: boolean
version:
description: The version of the note
example: WzQ2LDFd
nullable: true
type: string
required:
@ -19088,7 +19081,7 @@ paths:
- Security Osquery API
/api/pinned_event:
patch:
description: Pin an event to an existing Timeline.
description: Pin/unpin an event to/from an existing Timeline.
operationId: PersistPinnedEventRoute
requestBody:
content:
@ -19097,16 +19090,22 @@ paths:
type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
pinnedEventId:
description: The `savedObjectId` of the pinned event you want to unpin.
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
nullable: true
type: string
timelineId:
description: The `savedObjectId` of the timeline that you want this pinned event unpinned from.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
description: The pinned event to add or update, along with additional metadata.
description: The pinned event to add or unpin, along with additional metadata.
required: true
responses:
'200':
@ -19124,8 +19123,8 @@ paths:
- persistPinnedEventOnTimeline
required:
- data
description: Indicates the event was successfully pinned to the Timeline.
summary: Pin an event
description: Indicates the event was successfully pinned to or unpinned from the Timeline.
summary: Pin/unpin an event
tags:
- Security Timeline API
/api/risk_score/engine/dangerously_delete_data:
@ -22054,11 +22053,17 @@ paths:
type: object
properties:
savedObjectIds:
description: The list of IDs of the Timelines or Timeline templates to delete
example:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
items:
type: string
type: array
searchIds:
description: Saved search ids that should be deleted alongside the timelines
description: Saved search IDs that should be deleted alongside the timelines
example:
- 23f3-43g34g322-e5g5hrh6h-45454
- 6ce1b592-84e3-4b4a-9552-f189d4b82075
items:
type: string
type: array
@ -22090,12 +22095,12 @@ paths:
description: Get the details of an existing saved Timeline or Timeline template.
operationId: GetTimeline
parameters:
- description: The ID of the template timeline to retrieve
- description: The `savedObjectId` of the template timeline to retrieve
in: query
name: template_timeline_id
schema:
type: string
- description: The ID of the Timeline to retrieve.
- description: The `savedObjectId` of the Timeline to retrieve.
in: query
name: id
schema:
@ -22134,10 +22139,15 @@ paths:
properties:
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
description: The timeline object of the Timeline or Timeline template that youre updating.
timelineId:
description: The `savedObjectId` of the Timeline or Timeline template that youre updating.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
nullable: true
type: string
version:
description: The version of the Timeline or Timeline template that youre updating.
example: WzE0LDFd
nullable: true
type: string
required:
@ -22152,7 +22162,7 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
description: Indicates that the Timeline was successfully updated.
'405':
content:
application/json:
@ -22160,10 +22170,13 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that the user does not have the required access to create a draft Timeline.
description: Indicates that the user does not have the required access to create a Timeline.
summary: Update a Timeline
tags:
- Security Timeline API
@ -22180,14 +22193,20 @@ paths:
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
templateTimelineId:
description: A unique identifier for the Timeline template.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number.
example: 12
nullable: true
type: number
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
timelineId:
description: A unique identifier for the Timeline.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
timelineType:
@ -22214,8 +22233,11 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that there was an error in the Timeline creation.
summary: Create a Timeline or Timeline template
@ -22460,6 +22482,7 @@ paths:
properties:
file: {}
isImmutable:
description: Whether the Timeline should be immutable
enum:
- 'true'
- 'false'
@ -22482,10 +22505,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Invalid file extension
type: string
statusCode:
example: 400
type: number
description: Indicates the import of Timelines was unsuccessful because of an invalid file extension.
'404':
@ -22494,9 +22518,12 @@ paths:
schema:
type: object
properties:
id:
body:
description: The error message
example: Unable to find saved object client
type: string
statusCode:
example: 404
type: number
description: Indicates that we were unable to locate the saved object client necessary to handle the import.
'409':
@ -22506,10 +22533,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Could not import timelines
type: string
statusCode:
example: 409
type: number
description: Indicates the import of Timelines was unsuccessful.
summary: Import Timelines
@ -22626,24 +22654,28 @@ paths:
name: sort_field
schema:
$ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline'
- in: query
- description: Whether to sort the results `ascending` or `descending`
in: query
name: sort_order
schema:
enum:
- asc
- desc
type: string
- in: query
- description: How many results should returned at once
in: query
name: page_size
schema:
nullable: true
type: string
- in: query
- description: How many pages should be skipped
in: query
name: page_index
schema:
nullable: true
type: string
- in: query
- description: Allows to search for timelines by their title
in: query
name: search
schema:
nullable: true
@ -22661,20 +22693,32 @@ paths:
type: object
properties:
customTemplateTimelineCount:
description: The amount of custom Timeline templates in the results
example: 2
type: number
defaultTimelineCount:
description: The amount of `default` type Timelines in the results
example: 90
type: number
elasticTemplateTimelineCount:
description: The amount of Elastic's Timeline templates in the results
example: 8
type: number
favoriteCount:
description: The amount of favorited Timelines
example: 5
type: number
templateTimelineCount:
description: The amount of Timeline templates in the results
example: 10
type: number
timeline:
items:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
type: array
totalCount:
description: The total amount of results
example: 100
type: number
required:
- timeline
@ -22687,8 +22731,11 @@ paths:
type: object
properties:
body:
description: The error message
example: get timeline error
type: string
statusCode:
example: 405
type: number
description: Bad request. The user supplied invalid data.
summary: Get Timelines or Timeline templates
@ -41961,52 +42008,42 @@ components:
- orphan
type: string
Security_Timeline_API_BareNote:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
nullable: true
type: string
note:
nullable: true
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- timelineId
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this note.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
nullable: true
type: string
note:
description: The text of the note
example: This is an example text
nullable: true
type: string
timelineId:
description: The `savedObjectId` of the Timeline that this note is associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- timelineId
Security_Timeline_API_BarePinnedEvent:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- eventId
- timelineId
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
timelineId:
description: The `savedObjectId` of the timeline that this pinned event is associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
Security_Timeline_API_ColumnHeaderResult:
type: object
properties:
@ -42099,7 +42136,7 @@ components:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
nullable: true
Security_Timeline_API_DataProviderType:
description: The type of data provider to create. Valid values are `default` and `template`.
description: The type of data provider.
enum:
- default
- template
@ -42139,6 +42176,10 @@ components:
- savedObjectId
- version
Security_Timeline_API_FavoriteTimelineResult:
description: Indicates when and who marked a Timeline as a favorite.
example:
favoriteDate: 1741337636741
userName: elastic
type: object
properties:
favoriteDate:
@ -42151,6 +42192,16 @@ components:
nullable: true
type: string
Security_Timeline_API_FilterTimelineResult:
example:
meta:
alias: Custom filter name
disabled: false
index: .alerts-security.alerts-default,logs-*
key: '@timestamp'
negate: false,
type: exists
value: exists
query: '{"exists":{"field":"@timestamp"}}'
type: object
properties:
exists:
@ -42224,26 +42275,41 @@ components:
type: object
properties:
errors:
description: The list of failed Timeline imports
items:
type: object
properties:
error:
description: The error containing the reason why the timeline could not be imported
type: object
properties:
message:
description: The reason why the timeline could not be imported
example: Malformed JSON
type: string
status_code:
description: The HTTP status code of the error
example: 400
type: number
id:
description: The ID of the timeline that failed to import
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
type: string
type: array
success:
description: Indicates whether any of the Timelines were successfully imports
type: boolean
success_count:
description: The amount of successfully imported/updated Timelines
example: 99
type: number
timelines_installed:
description: The amount of successfully installed Timelines
example: 80
type: number
timelines_updated:
description: The amount of successfully updated Timelines
example: 19
type: number
Security_Timeline_API_ImportTimelines:
allOf:
@ -42283,12 +42349,39 @@ components:
- type: object
properties:
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
type: string
version:
description: The version of the note
example: WzQ2LDFd
type: string
required:
- noteId
- version
Security_Timeline_API_NoteCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: The time the note was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the note.
example: casetester
nullable: true
type: string
updated:
description: The last time the note was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the note
example: casetester
nullable: true
type: string
Security_Timeline_API_PersistPinnedEventResponse:
oneOf:
- allOf:
@ -42319,8 +42412,12 @@ components:
- type: object
properties:
pinnedEventId:
description: The `savedObjectId` of this pinned event
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
type: string
version:
description: The version of this pinned event
example: WzQ2LDFe
type: string
required:
- pinnedEventId
@ -42334,6 +42431,29 @@ components:
type: string
required:
- code
Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: The time the pinned event was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the pinned event.
example: casetester
nullable: true
type: string
updated:
description: The last time the pinned event was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the pinned event
example: casetester
nullable: true
type: string
Security_Timeline_API_QueryMatchResult:
type: object
properties:
@ -42385,6 +42505,7 @@ components:
- message
- note
Security_Timeline_API_RowRendererId:
description: Identifies the available row renderers
enum:
- alert
- alerts
@ -42426,25 +42547,51 @@ components:
type: object
properties:
columns:
description: The Timeline's columns
example:
- columnHeaderType: not-filtered
id: '@timestamp'
- columnHeaderType: not-filtered
id: event.category
items:
$ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult'
nullable: true
type: array
created:
description: The time the Timeline was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the Timeline.
example: casetester
nullable: true
type: string
dataProviders:
description: Object containing query clauses
example:
- enabled: true
excluded: false
id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
queryMatch:
field: _id,
operator: ':'
value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,
items:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderResult'
nullable: true
type: array
dataViewId:
description: ID of the Timeline's Data View
example: security-solution-default
nullable: true
type: string
dateRange:
description: The Timeline's search period.
example:
end: 1587456479201
start: 1587370079200
nullable: true
type: object
properties:
@ -42461,9 +42608,17 @@ components:
- nullable: true
type: number
description:
description: The Timeline's description
example: Investigating exposure of CVE XYZ
nullable: true
type: string
eqlOptions:
description: EQL query that is used in the correlation tab
example:
eventCategoryField: event.category
query: sequence\n[process where process.name == "sudo"]\n[any where true]
size: 100
timestampField: '@timestamp'
nullable: true
type: object
properties:
@ -42486,9 +42641,13 @@ components:
nullable: true
type: string
eventType:
deprecated: true
description: Event types displayed in the Timeline
example: all
nullable: true
type: string
excludedRowRendererIds:
description: A list of row renderers that should not be used when in `Event renderers` mode
items:
$ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
nullable: true
@ -42499,53 +42658,72 @@ components:
nullable: true
type: array
filters:
description: A list of filters that should be applied to the query
items:
$ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult'
nullable: true
type: array
indexNames:
description: A list of index names to use in the query (e.g. when the default data view has been modified)
example:
- .logs*
items:
type: string
nullable: true
type: array
kqlMode:
description: |-
Indicates whether the KQL bar filters the query results or searches for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
example: search
nullable: true
type: string
kqlQuery:
$ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult'
nullable: true
savedQueryId:
description: The ID of the saved query that might be used in the Query tab
example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
nullable: true
type: string
savedSearchId:
description: The ID of the saved search that is used in the ES|QL tab
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
sort:
$ref: '#/components/schemas/Security_Timeline_API_Sort'
nullable: true
status:
enum:
- active
- draft
- immutable
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
type: string
templateTimelineId:
description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number. For Timelines, the value is `null`.
example: 12
nullable: true
type: number
timelineType:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
nullable: true
title:
description: The Timeline's title.
example: CVE XYZ investigation
nullable: true
type: string
updated:
description: The last time the Timeline was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the Timeline
example: casetester
nullable: true
type: string
Security_Timeline_API_SavedTimelineWithSavedObjectId:
@ -42554,13 +42732,24 @@ components:
- type: object
properties:
savedObjectId:
description: The `savedObjectId` of the Timeline or Timeline template
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
version:
description: The version of the Timeline or Timeline template
example: WzE0LDFd
type: string
required:
- savedObjectId
- version
Security_Timeline_API_SerializedFilterQueryResult:
description: KQL bar query.
example:
filterQuery: null
kuery:
expression: '_id : *'
kind: kuery
serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}'
type: object
properties:
filterQuery:
@ -42595,6 +42784,10 @@ components:
- created
type: string
Security_Timeline_API_SortObject:
description: Object indicating how rows are sorted in the Timeline's grid
example:
columnId: '@timestamp'
sortDirection: desc
type: object
properties:
columnId:
@ -42613,26 +42806,35 @@ components:
- type: object
properties:
eventIdToNoteIds:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
noteIds:
description: A list of all the ids of notes that are associated to this Timeline.
example:
- 709f99c6-89b6-4953-9160-35945c8e174e
items:
type: string
nullable: true
type: array
notes:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
pinnedEventIds:
description: A list of all the ids of pinned events that are associated to this Timeline.
example:
- 983f99c6-89b6-4953-9160-35945c8a194f
items:
type: string
nullable: true
type: array
pinnedEventsSaveObject:
description: A list of all the pinned events that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
nullable: true
@ -42675,14 +42877,14 @@ components:
- savedObjectId
- version
Security_Timeline_API_TimelineStatus:
description: The status of the timeline. Valid values are `active`, `draft`, and `immutable`.
description: The status of the Timeline.
enum:
- active
- draft
- immutable
type: string
Security_Timeline_API_TimelineType:
description: The type of timeline to create. Valid values are `default` and `template`.
description: The type of Timeline.
enum:
- default
- template

2
x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts
View file

@ -1942,7 +1942,7 @@ finalize it.
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Pin an event to an existing Timeline.
* Pin/unpin an event to/from an existing Timeline.
*/
async persistPinnedEventRoute(props: PersistPinnedEventRouteProps) {
this.log.info(`${new Date().toISOString()} Calling API PersistPinnedEventRoute`);

11
x-pack/solutions/security/plugins/security_solution/common/api/timeline/create_timelines/create_timelines_route.gen.ts
View file

@ -27,9 +27,18 @@ export type CreateTimelinesRequestBody = z.infer<typeof CreateTimelinesRequestBo
export const CreateTimelinesRequestBody = z.object({
timeline: SavedTimeline,
status: TimelineStatus.nullable().optional(),
timelineId: z.string().nullable().optional(),
/**
* A unique identifier for the Timeline template.
*/
templateTimelineId: z.string().nullable().optional(),
/**
* Timeline template version number.
*/
templateTimelineVersion: z.number().nullable().optional(),
/**
* A unique identifier for the Timeline.
*/
timelineId: z.string().nullable().optional(),
timelineType: TimelineType.nullable().optional(),
version: z.string().nullable().optional(),
});

15
x-pack/solutions/security/plugins/security_solution/common/api/timeline/create_timelines/create_timelines_route.schema.yaml
View file

@ -29,15 +29,21 @@ paths:
status:
$ref: '../model/components.schema.yaml#/components/schemas/TimelineStatus'
nullable: true
timelineId:
type: string
nullable: true
templateTimelineId:
type: string
nullable: true
description: A unique identifier for the Timeline template.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
templateTimelineVersion:
type: number
nullable: true
description: Timeline template version number.
example: 12
timelineId:
type: string
nullable: true
description: A unique identifier for the Timeline.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
timelineType:
$ref: '../model/components.schema.yaml#/components/schemas/TimelineType'
nullable: true
@ -60,5 +66,8 @@ paths:
properties:
body:
type: string
description: The error message
example: update timeline error
statusCode:
type: number
example: 405

5
x-pack/solutions/security/plugins/security_solution/common/api/timeline/delete_timelines/delete_timelines_route.gen.ts
View file

@ -18,9 +18,12 @@ import { z } from '@kbn/zod';
export type DeleteTimelinesRequestBody = z.infer<typeof DeleteTimelinesRequestBody>;
export const DeleteTimelinesRequestBody = z.object({
/**
* The list of IDs of the Timelines or Timeline templates to delete
*/
savedObjectIds: z.array(z.string()),
/**
* Saved search ids that should be deleted alongside the timelines
* Saved search IDs that should be deleted alongside the timelines
*/
searchIds: z.array(z.string()).optional(),
});

8
x-pack/solutions/security/plugins/security_solution/common/api/timeline/delete_timelines/delete_timelines_route.schema.yaml
View file

@ -28,11 +28,17 @@ paths:
type: array
items:
type: string
description: The list of IDs of the Timelines or Timeline templates to delete
example:
- '15c1929b-0af7-42bd-85a8-56e234cc7c4e'
searchIds:
type: array
description: Saved search ids that should be deleted alongside the timelines
description: Saved search IDs that should be deleted alongside the timelines
items:
type: string
example:
- 23f3-43g34g322-e5g5hrh6h-45454
- 6ce1b592-84e3-4b4a-9552-f189d4b82075
responses:
'200':
description: Indicates the Timeline was successfully deleted.

4
x-pack/solutions/security/plugins/security_solution/common/api/timeline/get_timeline/get_timeline_route.gen.ts
View file

@ -21,11 +21,11 @@ import { TimelineResponse } from '../model/components.gen';
export type GetTimelineRequestQuery = z.infer<typeof GetTimelineRequestQuery>;
export const GetTimelineRequestQuery = z.object({
/**
* The ID of the template timeline to retrieve
* The `savedObjectId` of the template timeline to retrieve
*/
template_timeline_id: z.string().optional(),
/**
* The ID of the Timeline to retrieve.
* The `savedObjectId` of the Timeline to retrieve.
*/
id: z.string().optional(),
});

4
x-pack/solutions/security/plugins/security_solution/common/api/timeline/get_timeline/get_timeline_route.schema.yaml
View file

@ -20,12 +20,12 @@ paths:
name: template_timeline_id
schema:
type: string
description: The ID of the template timeline to retrieve
description: The `savedObjectId` of the template timeline to retrieve
- in: query
name: id
schema:
type: string
description: The ID of the Timeline to retrieve.
description: The `savedObjectId` of the Timeline to retrieve.
responses:
'200':
description: Indicates that the (template) Timeline was found and returned.

30
x-pack/solutions/security/plugins/security_solution/common/api/timeline/get_timelines/get_timelines_route.gen.ts
View file

@ -31,9 +31,21 @@ export const GetTimelinesRequestQuery = z.object({
only_user_favorite: z.enum(['true', 'false']).nullable().optional(),
timeline_type: TimelineType.nullable().optional(),
sort_field: SortFieldTimeline.optional(),
/**
* Whether to sort the results `ascending` or `descending`
*/
sort_order: z.enum(['asc', 'desc']).optional(),
/**
* How many results should returned at once
*/
page_size: z.string().nullable().optional(),
/**
* How many pages should be skipped
*/
page_index: z.string().nullable().optional(),
/**
* Allows to search for timelines by their title
*/
search: z.string().nullable().optional(),
status: TimelineStatus.nullable().optional(),
});
@ -42,10 +54,28 @@ export type GetTimelinesRequestQueryInput = z.input<typeof GetTimelinesRequestQu
export type GetTimelinesResponse = z.infer<typeof GetTimelinesResponse>;
export const GetTimelinesResponse = z.object({
timeline: z.array(TimelineResponse),
/**
* The total amount of results
*/
totalCount: z.number(),
/**
* The amount of `default` type Timelines in the results
*/
defaultTimelineCount: z.number().optional(),
/**
* The amount of Timeline templates in the results
*/
templateTimelineCount: z.number().optional(),
/**
* The amount of favorited Timelines
*/
favoriteCount: z.number().optional(),
/**
* The amount of Elastic's Timeline templates in the results
*/
elasticTemplateTimelineCount: z.number().optional(),
/**
* The amount of custom Timeline templates in the results
*/
customTemplateTimelineCount: z.number().optional(),
});

24
x-pack/solutions/security/plugins/security_solution/common/api/timeline/get_timelines/get_timelines_route.schema.yaml
View file

@ -36,6 +36,7 @@ paths:
$ref: '../model/components.schema.yaml#/components/schemas/SortFieldTimeline'
- in: query
name: sort_order
description: Whether to sort the results `ascending` or `descending`
schema:
type: string
enum:
@ -43,16 +44,19 @@ paths:
- desc
- in: query
name: page_size
description: How many results should returned at once
schema:
nullable: true
type: string
- in: query
name: page_index
description: How many pages should be skipped
schema:
nullable: true
type: string
- in: query
name: search
description: Allows to search for timelines by their title
schema:
nullable: true
type: string
@ -68,10 +72,7 @@ paths:
application/json:
schema:
type: object
required: [
timeline,
totalCount,
]
required: [timeline, totalCount]
properties:
timeline:
type: array
@ -79,16 +80,28 @@ paths:
$ref: '../model/components.schema.yaml#/components/schemas/TimelineResponse'
totalCount:
type: number
description: The total amount of results
example: 100
defaultTimelineCount:
type: number
description: The amount of `default` type Timelines in the results
example: 90
templateTimelineCount:
type: number
description: The amount of Timeline templates in the results
example: 10
favoriteCount:
type: number
description: The amount of favorited Timelines
example: 5
elasticTemplateTimelineCount:
type: number
description: The amount of Elastic's Timeline templates in the results
example: 8
customTemplateTimelineCount:
type: number
description: The amount of custom Timeline templates in the results
example: 2
'400':
description: Bad request. The user supplied invalid data.
content:
@ -98,5 +111,8 @@ paths:
properties:
body:
type: string
description: The error message
example: get timeline error
statusCode:
type: number
example: 405

3
x-pack/solutions/security/plugins/security_solution/common/api/timeline/import_timelines/import_timelines_route.gen.ts
View file

@ -20,6 +20,9 @@ import { ImportTimelineResult } from '../model/components.gen';
export type ImportTimelinesRequestBody = z.infer<typeof ImportTimelinesRequestBody>;
export const ImportTimelinesRequestBody = z.object({
/**
* Whether the Timeline should be immutable
*/
isImmutable: z.enum(['true', 'false']).optional(),
file: z.unknown(),
});

16
x-pack/solutions/security/plugins/security_solution/common/api/timeline/import_timelines/import_timelines_route.schema.yaml
View file

@ -29,6 +29,7 @@ paths:
enum:
- 'true'
- 'false'
description: Whether the Timeline should be immutable
file: {}
responses:
'200':
@ -45,12 +46,13 @@ paths:
schema:
type: object
properties:
id:
type: string
body:
type: string
description: The error message
example: Invalid file extension
statusCode:
type: number
example: 400
'404':
description: Indicates that we were unable to locate the saved object client necessary to handle the import.
@ -59,10 +61,13 @@ paths:
schema:
type: object
properties:
id:
body:
type: string
description: The error message
example: Unable to find saved object client
statusCode:
type: number
example: 404
'409':
description: Indicates the import of Timelines was unsuccessful.
content:
@ -70,9 +75,10 @@ paths:
schema:
type: object
properties:
id:
type: string
body:
type: string
description: The error message
example: Could not import timelines
statusCode:
type: number
example: 409

264
x-pack/solutions/security/plugins/security_solution/common/api/timeline/model/components.gen.ts
View file

@ -17,7 +17,7 @@
import { z } from '@kbn/zod';
/**
* The type of timeline to create. Valid values are `default` and `template`.
* The type of Timeline.
*/
export type TimelineType = z.infer<typeof TimelineType>;
export const TimelineType = z.enum(['default', 'template']);
@ -25,7 +25,7 @@ export type TimelineTypeEnum = typeof TimelineType.enum;
export const TimelineTypeEnum = TimelineType.enum;
/**
* The type of data provider to create. Valid values are `default` and `template`.
* The type of data provider.
*/
export type DataProviderType = z.infer<typeof DataProviderType>;
export const DataProviderType = z.enum(['default', 'template']);
@ -87,6 +87,9 @@ export const DataProviderResult = z.object({
type: DataProviderType.nullable().optional(),
});
/**
* Identifies the available row renderers
*/
export type RowRendererId = z.infer<typeof RowRendererId>;
export const RowRendererId = z.enum([
'alert',
@ -111,6 +114,9 @@ export const RowRendererId = z.enum([
export type RowRendererIdEnum = typeof RowRendererId.enum;
export const RowRendererIdEnum = RowRendererId.enum;
/**
* Indicates when and who marked a Timeline as a favorite.
*/
export type FavoriteTimelineResult = z.infer<typeof FavoriteTimelineResult>;
export const FavoriteTimelineResult = z.object({
fullName: z.string().nullable().optional(),
@ -144,6 +150,9 @@ export const FilterTimelineResult = z.object({
script: z.string().nullable().optional(),
});
/**
* KQL bar query.
*/
export type SerializedFilterQueryResult = z.infer<typeof SerializedFilterQueryResult>;
export const SerializedFilterQueryResult = z.object({
filterQuery: z
@ -161,6 +170,9 @@ export const SerializedFilterQueryResult = z.object({
.optional(),
});
/**
* Object indicating how rows are sorted in the Timeline's grid
*/
export type SortObject = z.infer<typeof SortObject>;
export const SortObject = z.object({
columnId: z.string().nullable().optional(),
@ -171,13 +183,39 @@ export const SortObject = z.object({
export type Sort = z.infer<typeof Sort>;
export const Sort = z.union([SortObject, z.array(SortObject)]);
/**
* The status of the Timeline.
*/
export type TimelineStatus = z.infer<typeof TimelineStatus>;
export const TimelineStatus = z.enum(['active', 'draft', 'immutable']);
export type TimelineStatusEnum = typeof TimelineStatus.enum;
export const TimelineStatusEnum = TimelineStatus.enum;
export type SavedTimeline = z.infer<typeof SavedTimeline>;
export const SavedTimeline = z.object({
/**
* The Timeline's columns
*/
columns: z.array(ColumnHeaderResult).nullable().optional(),
/**
* The time the Timeline was created, using a 13-digit Epoch timestamp.
*/
created: z.number().nullable().optional(),
/**
* The user who created the Timeline.
*/
createdBy: z.string().nullable().optional(),
/**
* Object containing query clauses
*/
dataProviders: z.array(DataProviderResult).nullable().optional(),
/**
* ID of the Timeline's Data View
*/
dataViewId: z.string().nullable().optional(),
/**
* The Timeline's search period.
*/
dateRange: z
.object({
end: z.union([z.string().nullable(), z.number().nullable()]).optional(),
@ -185,7 +223,13 @@ export const SavedTimeline = z.object({
})
.nullable()
.optional(),
/**
* The Timeline's description
*/
description: z.string().nullable().optional(),
/**
* EQL query that is used in the correlation tab
*/
eqlOptions: z
.object({
eventCategoryField: z.string().nullable().optional(),
@ -196,66 +240,175 @@ export const SavedTimeline = z.object({
})
.nullable()
.optional(),
/**
* Event types displayed in the Timeline
*/
eventType: z.string().nullable().optional(),
/**
* A list of row renderers that should not be used when in `Event renderers` mode
*/
excludedRowRendererIds: z.array(RowRendererId).nullable().optional(),
favorite: z.array(FavoriteTimelineResult).nullable().optional(),
/**
* A list of filters that should be applied to the query
*/
filters: z.array(FilterTimelineResult).nullable().optional(),
/**
* Indicates whether the KQL bar filters the query results or searches for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
*/
kqlMode: z.string().nullable().optional(),
kqlQuery: SerializedFilterQueryResult.nullable().optional(),
/**
* A list of index names to use in the query (e.g. when the default data view has been modified)
*/
indexNames: z.array(z.string()).nullable().optional(),
/**
* The ID of the saved search that is used in the ES|QL tab
*/
savedSearchId: z.string().nullable().optional(),
/**
* The ID of the saved query that might be used in the Query tab
*/
savedQueryId: z.string().nullable().optional(),
sort: Sort.nullable().optional(),
status: z.enum(['active', 'draft', 'immutable']).nullable().optional(),
status: TimelineStatus.nullable().optional(),
/**
* The Timeline's title.
*/
title: z.string().nullable().optional(),
/**
* A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
*/
templateTimelineId: z.string().nullable().optional(),
/**
* Timeline template version number. For Timelines, the value is `null`.
*/
templateTimelineVersion: z.number().nullable().optional(),
timelineType: TimelineType.nullable().optional(),
/**
* The last time the Timeline was updated, using a 13-digit Epoch timestamp
*/
updated: z.number().nullable().optional(),
/**
* The user who last updated the Timeline
*/
updatedBy: z.string().nullable().optional(),
});
export type SavedTimelineWithSavedObjectId = z.infer<typeof SavedTimelineWithSavedObjectId>;
export const SavedTimelineWithSavedObjectId = SavedTimeline.merge(
z.object({
/**
* The `savedObjectId` of the Timeline or Timeline template
*/
savedObjectId: z.string(),
/**
* The version of the Timeline or Timeline template
*/
version: z.string(),
})
);
export type BareNote = z.infer<typeof BareNote>;
export const BareNote = z.object({
eventId: z.string().nullable().optional(),
note: z.string().nullable().optional(),
timelineId: z.string(),
export type NoteCreatedAndUpdatedMetadata = z.infer<typeof NoteCreatedAndUpdatedMetadata>;
export const NoteCreatedAndUpdatedMetadata = z.object({
/**
* The time the note was created, using a 13-digit Epoch timestamp.
*/
created: z.number().nullable().optional(),
/**
* The user who created the note.
*/
createdBy: z.string().nullable().optional(),
/**
* The last time the note was updated, using a 13-digit Epoch timestamp
*/
updated: z.number().nullable().optional(),
/**
* The user who last updated the note
*/
updatedBy: z.string().nullable().optional(),
});
export type BareNote = z.infer<typeof BareNote>;
export const BareNote = NoteCreatedAndUpdatedMetadata.merge(
z.object({
/**
* The `_id` of the associated event for this note.
*/
eventId: z.string().nullable().optional(),
/**
* The text of the note
*/
note: z.string().nullable().optional(),
/**
* The `savedObjectId` of the Timeline that this note is associated with
*/
timelineId: z.string(),
})
);
export type Note = z.infer<typeof Note>;
export const Note = BareNote.merge(
z.object({
/**
* The `savedObjectId` of the note
*/
noteId: z.string(),
/**
* The version of the note
*/
version: z.string(),
})
);
export type BarePinnedEvent = z.infer<typeof BarePinnedEvent>;
export const BarePinnedEvent = z.object({
eventId: z.string(),
timelineId: z.string(),
export type PinnedEventCreatedAndUpdatedMetadata = z.infer<
typeof PinnedEventCreatedAndUpdatedMetadata
>;
export const PinnedEventCreatedAndUpdatedMetadata = z.object({
/**
* The time the pinned event was created, using a 13-digit Epoch timestamp.
*/
created: z.number().nullable().optional(),
/**
* The user who created the pinned event.
*/
createdBy: z.string().nullable().optional(),
/**
* The last time the pinned event was updated, using a 13-digit Epoch timestamp
*/
updated: z.number().nullable().optional(),
/**
* The user who last updated the pinned event
*/
updatedBy: z.string().nullable().optional(),
});
export type BarePinnedEvent = z.infer<typeof BarePinnedEvent>;
export const BarePinnedEvent = PinnedEventCreatedAndUpdatedMetadata.merge(
z.object({
/**
* The `_id` of the associated event for this pinned event.
*/
eventId: z.string(),
/**
* The `savedObjectId` of the timeline that this pinned event is associated with
*/
timelineId: z.string(),
})
);
export type PinnedEvent = z.infer<typeof PinnedEvent>;
export const PinnedEvent = BarePinnedEvent.merge(
z.object({
/**
* The `savedObjectId` of this pinned event
*/
pinnedEventId: z.string(),
/**
* The version of this pinned event
*/
version: z.string(),
})
);
@ -263,10 +416,25 @@ export const PinnedEvent = BarePinnedEvent.merge(
export type TimelineResponse = z.infer<typeof TimelineResponse>;
export const TimelineResponse = SavedTimeline.merge(SavedTimelineWithSavedObjectId).merge(
z.object({
/**
* A list of all the notes that are associated to this Timeline.
*/
eventIdToNoteIds: z.array(Note).nullable().optional(),
/**
* A list of all the notes that are associated to this Timeline.
*/
notes: z.array(Note).nullable().optional(),
/**
* A list of all the ids of notes that are associated to this Timeline.
*/
noteIds: z.array(z.string()).nullable().optional(),
/**
* A list of all the ids of pinned events that are associated to this Timeline.
*/
pinnedEventIds: z.array(z.string()).nullable().optional(),
/**
* A list of all the pinned events that are associated to this Timeline.
*/
pinnedEventsSaveObject: z.array(PinnedEvent).nullable().optional(),
})
);
@ -327,27 +495,22 @@ export const PersistTimelineResponse = z.object({
});
export type BareNoteWithoutExternalRefs = z.infer<typeof BareNoteWithoutExternalRefs>;
export const BareNoteWithoutExternalRefs = z.object({
eventId: z.string().nullable().optional(),
note: z.string().nullable().optional(),
timelineId: z.string().nullable().optional(),
created: z.number().nullable().optional(),
createdBy: z.string().nullable().optional(),
updated: z.number().nullable().optional(),
updatedBy: z.string().nullable().optional(),
});
export type GlobalNote = z.infer<typeof GlobalNote>;
export const GlobalNote = z.object({
noteId: z.string().optional(),
version: z.string().optional(),
note: z.string().optional(),
timelineId: z.string().optional(),
created: z.number().optional(),
createdBy: z.string().optional(),
updated: z.number().optional(),
updatedBy: z.string().optional(),
});
export const BareNoteWithoutExternalRefs = NoteCreatedAndUpdatedMetadata.merge(
z.object({
/**
* The `_id` of the associated event for this note.
*/
eventId: z.string().nullable().optional(),
/**
* The text of the note
*/
note: z.string().nullable().optional(),
/**
* The `savedObjectId` of the timeline that this note is associated with
*/
timelineId: z.string().optional(),
})
);
/**
* The field to sort the timelines by.
@ -362,14 +525,6 @@ export const SortDirection = z.enum(['asc', 'desc']);
export type SortDirectionEnum = typeof SortDirection.enum;
export const SortDirectionEnum = SortDirection.enum;
/**
* The status of the timeline. Valid values are `active`, `draft`, and `immutable`.
*/
export type TimelineStatus = z.infer<typeof TimelineStatus>;
export const TimelineStatus = z.enum(['active', 'draft', 'immutable']);
export type TimelineStatusEnum = typeof TimelineStatus.enum;
export const TimelineStatusEnum = TimelineStatus.enum;
export type ImportTimelines = z.infer<typeof ImportTimelines>;
export const ImportTimelines = SavedTimeline.merge(
z.object({
@ -383,17 +538,44 @@ export const ImportTimelines = SavedTimeline.merge(
export type ImportTimelineResult = z.infer<typeof ImportTimelineResult>;
export const ImportTimelineResult = z.object({
/**
* Indicates whether any of the Timelines were successfully imports
*/
success: z.boolean().optional(),
/**
* The amount of successfully imported/updated Timelines
*/
success_count: z.number().optional(),
/**
* The amount of successfully installed Timelines
*/
timelines_installed: z.number().optional(),
/**
* The amount of successfully updated Timelines
*/
timelines_updated: z.number().optional(),
/**
* The list of failed Timeline imports
*/
errors: z
.array(
z.object({
/**
* The ID of the timeline that failed to import
*/
id: z.string().optional(),
/**
* The error containing the reason why the timeline could not be imported
*/
error: z
.object({
/**
* The reason why the timeline could not be imported
*/
message: z.string().optional(),
/**
* The HTTP status code of the error
*/
status_code: z.number().optional(),
})
.optional(),

289
x-pack/solutions/security/plugins/security_solution/common/api/timeline/model/components.schema.yaml
View file

@ -12,7 +12,7 @@ components:
- template
# enum default value is temporarily unsupported by the code generator
# default: default
description: The type of timeline to create. Valid values are `default` and `template`.
description: The type of Timeline.
DataProviderType:
type: string
enum:
@ -20,7 +20,7 @@ components:
- template
# enum default value is temporarily unsupported by the code generator
# default: default
description: The type of data provider to create. Valid values are `default` and `template`.
description: The type of data provider.
TemplateTimelineType:
type: string
enum:
@ -35,23 +35,46 @@ components:
nullable: true
items:
$ref: '#/components/schemas/ColumnHeaderResult'
description: The Timeline's columns
example:
- columnHeaderType: 'not-filtered'
id: '@timestamp'
- columnHeaderType: 'not-filtered'
id: 'event.category'
created:
type: number
nullable: true
description: The time the Timeline was created, using a 13-digit Epoch timestamp.
example: 1587468588922
createdBy:
type: string
nullable: true
description: The user who created the Timeline.
example: casetester
dataProviders:
type: array
nullable: true
description: Object containing query clauses
items:
$ref: '#/components/schemas/DataProviderResult'
example:
- enabled: true
excluded: false
id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
queryMatch:
field: _id,
value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,
operator: ':'
dataViewId:
type: string
nullable: true
description: ID of the Timeline's Data View
example: security-solution-default
dateRange:
type: object
nullable: true
description: The Timeline's search period.
properties:
end:
oneOf:
@ -65,12 +88,23 @@ components:
nullable: true
- type: number
nullable: true
example:
start: 1587370079200
end: 1587456479201
description:
type: string
nullable: true
description: The Timeline's description
example: Investigating exposure of CVE XYZ
eqlOptions:
type: object
nullable: true
description: EQL query that is used in the correlation tab
example:
eventCategoryField: 'event.category'
query: 'sequence\n[process where process.name == "sudo"]\n[any where true]'
size: 100
timestampField: '@timestamp'
properties:
eventCategoryField:
type: string
@ -93,9 +127,13 @@ components:
eventType:
type: string
nullable: true
description: Event types displayed in the Timeline
example: all
deprecated: true
excludedRowRendererIds:
type: array
nullable: true
description: A list of row renderers that should not be used when in `Event renderers` mode
items:
$ref: '#/components/schemas/RowRendererId'
favorite:
@ -106,53 +144,72 @@ components:
filters:
type: array
nullable: true
description: A list of filters that should be applied to the query
items:
$ref: '#/components/schemas/FilterTimelineResult'
kqlMode:
type: string
nullable: true
example: search
description: >-
Indicates whether the KQL bar filters the query results or searches for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
kqlQuery:
nullable: true
$ref: '#/components/schemas/SerializedFilterQueryResult'
indexNames:
type: array
nullable: true
description: A list of index names to use in the query (e.g. when the default data view has been modified)
example:
- '.logs*'
items:
type: string
savedSearchId:
type: string
description: The ID of the saved search that is used in the ES|QL tab
nullable: true
example: '6ce1b592-84e3-4b4a-9552-f189d4b82075'
savedQueryId:
type: string
nullable: true
description: The ID of the saved query that might be used in the Query tab
example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
sort:
nullable: true
$ref: '#/components/schemas/Sort'
status:
type: string
nullable: true
enum:
- active
- draft
- immutable
$ref: '#/components/schemas/TimelineStatus'
title:
type: string
nullable: true
description: "The Timeline's title."
example: CVE XYZ investigation
templateTimelineId:
type: string
nullable: true
description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
templateTimelineVersion:
type: number
nullable: true
description: Timeline template version number. For Timelines, the value is `null`.
example: 12
timelineType:
nullable: true
$ref: '#/components/schemas/TimelineType'
updated:
type: number
nullable: true
description: The last time the Timeline was updated, using a 13-digit Epoch timestamp
example: 1741344876825
updatedBy:
type: string
nullable: true
description: The user who last updated the Timeline
example: casetester
SavedTimelineWithSavedObjectId:
allOf:
- $ref: '#/components/schemas/SavedTimeline'
@ -161,8 +218,12 @@ components:
properties:
savedObjectId:
type: string
example: '15c1929b-0af7-42bd-85a8-56e234cc7c4e'
description: The `savedObjectId` of the Timeline or Timeline template
version:
type: string
example: 'WzE0LDFd'
description: The version of the Timeline or Timeline template
TimelineResponse:
allOf:
- $ref: '#/components/schemas/SavedTimeline'
@ -172,26 +233,35 @@ components:
eventIdToNoteIds:
type: array
nullable: true
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Note'
notes:
type: array
nullable: true
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Note'
noteIds:
type: array
nullable: true
description: A list of all the ids of notes that are associated to this Timeline.
items:
type: string
example:
- 709f99c6-89b6-4953-9160-35945c8e174e
pinnedEventIds:
type: array
nullable: true
description: A list of all the ids of pinned events that are associated to this Timeline.
items:
type: string
example:
- 983f99c6-89b6-4953-9160-35945c8a194f
pinnedEventsSaveObject:
type: array
nullable: true
description: A list of all the pinned events that are associated to this Timeline.
items:
$ref: '#/components/schemas/PinnedEvent'
ResolvedTimeline:
@ -371,54 +441,68 @@ components:
type:
$ref: '#/components/schemas/DataProviderType'
nullable: true
NoteCreatedAndUpdatedMetadata:
type: object
properties:
created:
type: number
nullable: true
description: The time the note was created, using a 13-digit Epoch timestamp.
example: 1587468588922
createdBy:
type: string
nullable: true
description: The user who created the note.
example: casetester
updated:
type: number
nullable: true
description: The last time the note was updated, using a 13-digit Epoch timestamp
example: 1741344876825
updatedBy:
type: string
nullable: true
description: The user who last updated the note
example: casetester
BareNoteWithoutExternalRefs:
type: object
properties:
eventId:
type: string
nullable: true
note:
type: string
nullable: true
timelineId:
type: string
nullable: true
created:
type: number
nullable: true
createdBy:
type: string
nullable: true
updated:
type: number
nullable: true
updatedBy:
type: string
nullable: true
allOf:
- $ref: '#/components/schemas/NoteCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
type: string
nullable: true
description: The `_id` of the associated event for this note.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
note:
type: string
nullable: true
description: The text of the note
example: This is an example text
timelineId:
type: string
description: The `savedObjectId` of the timeline that this note is associated with
example: '15c1929b-0af7-42bd-85a8-56e234cc7c4e'
BareNote:
type: object
required: [timelineId]
properties:
eventId:
type: string
nullable: true
note:
type: string
nullable: true
timelineId:
type: string
created:
type: number
nullable: true
createdBy:
type: string
nullable: true
updated:
type: number
nullable: true
updatedBy:
type: string
nullable: true
allOf:
- $ref: '#/components/schemas/NoteCreatedAndUpdatedMetadata'
- type: object
required: [timelineId]
properties:
eventId:
type: string
nullable: true
description: The `_id` of the associated event for this note.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
note:
type: string
nullable: true
description: The text of the note
example: This is an example text
timelineId:
type: string
description: The `savedObjectId` of the Timeline that this note is associated with
example: '15c1929b-0af7-42bd-85a8-56e234cc7c4e'
Note:
allOf:
- $ref: '#/components/schemas/BareNote'
@ -427,27 +511,12 @@ components:
properties:
noteId:
type: string
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
version:
type: string
GlobalNote:
type: object
properties:
noteId:
type: string
version:
type: string
note:
type: string
timelineId:
type: string
created:
type: number
createdBy:
type: string
updated:
type: number
updatedBy:
type: string
description: The version of the note
example: WzQ2LDFd
RowRendererId:
type: string
enum:
@ -469,8 +538,10 @@ components:
- system_socket
- threat_match
- zeek
description: Identifies the available row renderers
FavoriteTimelineResult:
type: object
description: Indicates when and who marked a Timeline as a favorite.
properties:
fullName:
type: string
@ -481,6 +552,9 @@ components:
favoriteDate:
type: number
nullable: true
example:
userName: elastic
favoriteDate: 1741337636741
FilterTimelineResult:
type: object
properties:
@ -539,8 +613,19 @@ components:
script:
type: string
nullable: true
example:
query: '{"exists":{"field":"@timestamp"}}'
meta:
alias: 'Custom filter name'
disabled: false
index: '.alerts-security.alerts-default,logs-*'
key: '@timestamp'
negate: false,
type: exists
value: exists
SerializedFilterQueryResult:
type: object
description: KQL bar query.
properties:
filterQuery:
type: object
@ -559,26 +644,49 @@ components:
serializedQuery:
type: string
nullable: true
BarePinnedEvent:
example:
filterQuery:
kuery:
kind: kuery
expression: '_id : *'
serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}'
PinnedEventCreatedAndUpdatedMetadata:
type: object
required: [eventId, timelineId]
properties:
eventId:
type: string
timelineId:
type: string
created:
type: number
nullable: true
description: The time the pinned event was created, using a 13-digit Epoch timestamp.
example: 1587468588922
createdBy:
type: string
nullable: true
description: The user who created the pinned event.
example: casetester
updated:
type: number
nullable: true
description: The last time the pinned event was updated, using a 13-digit Epoch timestamp
example: 1741344876825
updatedBy:
type: string
nullable: true
description: The user who last updated the pinned event
example: casetester
BarePinnedEvent:
allOf:
- $ref: '#/components/schemas/PinnedEventCreatedAndUpdatedMetadata'
- type: object
required: [eventId, timelineId]
properties:
eventId:
type: string
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
timelineId:
type: string
description: The `savedObjectId` of the timeline that this pinned event is associated with
example: '15c1929b-0af7-42bd-85a8-56e234cc7c4e'
PinnedEvent:
allOf:
- $ref: '#/components/schemas/BarePinnedEvent'
@ -587,8 +695,12 @@ components:
properties:
pinnedEventId:
type: string
description: The `savedObjectId` of this pinned event
example: '10r1929b-0af7-42bd-85a8-56e234f98h2f3'
version:
type: string
description: The version of this pinned event
example: WzQ2LDFe
Sort:
oneOf:
- $ref: '#/components/schemas/SortObject'
@ -607,6 +719,10 @@ components:
sortDirection:
type: string
nullable: true
description: Object indicating how rows are sorted in the Timeline's grid
example:
sortDirection: desc
columnId: '@timestamp'
SortFieldTimeline:
type: string
description: The field to sort the timelines by.
@ -622,13 +738,13 @@ components:
- desc
TimelineStatus:
type: string
description: The status of the Timeline.
enum:
- active
- draft
- immutable
# enum default value is temporarily unsupported by the code generator
# default: draft
description: The status of the timeline. Valid values are `active`, `draft`, and `immutable`.
ImportTimelines:
allOf:
- $ref: '#/components/schemas/SavedTimeline'
@ -696,26 +812,41 @@ components:
properties:
success:
type: boolean
description: Indicates whether any of the Timelines were successfully imports
success_count:
type: number
description: The amount of successfully imported/updated Timelines
example: 99
timelines_installed:
type: number
description: The amount of successfully installed Timelines
example: 80
timelines_updated:
type: number
description: The amount of successfully updated Timelines
example: 19
errors:
description: The list of failed Timeline imports
type: array
items:
type: object
properties:
id:
type: string
description: The ID of the timeline that failed to import
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
error:
type: object
description: The error containing the reason why the timeline could not be imported
properties:
message:
type: string
description: The reason why the timeline could not be imported
example: Malformed JSON
status_code:
type: number
description: The HTTP status code of the error
example: 400
TimelineErrorResponse:
oneOf:
- type: object

9
x-pack/solutions/security/plugins/security_solution/common/api/timeline/patch_timelines/patch_timeline_route.gen.ts
View file

@ -20,8 +20,17 @@ import { SavedTimeline, PersistTimelineResponse } from '../model/components.gen'
export type PatchTimelineRequestBody = z.infer<typeof PatchTimelineRequestBody>;
export const PatchTimelineRequestBody = z.object({
/**
* The `savedObjectId` of the Timeline or Timeline template that youre updating.
*/
timelineId: z.string().nullable(),
/**
* The version of the Timeline or Timeline template that youre updating.
*/
version: z.string().nullable(),
/**
* The timeline object of the Timeline or Timeline template that youre updating.
*/
timeline: SavedTimeline,
});
export type PatchTimelineRequestBodyInput = z.input<typeof PatchTimelineRequestBody>;

12
x-pack/solutions/security/plugins/security_solution/common/api/timeline/patch_timelines/patch_timeline_route.schema.yaml
View file

@ -24,20 +24,25 @@ paths:
timelineId:
type: string
nullable: true
example: '15c1929b-0af7-42bd-85a8-56e234cc7c4e'
description: The `savedObjectId` of the Timeline or Timeline template that youre updating.
version:
type: string
nullable: true
example: 'WzE0LDFd'
description: The version of the Timeline or Timeline template that youre updating.
timeline:
$ref: '../model/components.schema.yaml#/components/schemas/SavedTimeline'
description: The timeline object of the Timeline or Timeline template that youre updating.
responses:
'200':
description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
description: Indicates that the Timeline was successfully updated.
content:
application/json:
schema:
$ref: '../model/components.schema.yaml#/components/schemas/PersistTimelineResponse'
'405':
description: Indicates that the user does not have the required access to create a draft Timeline.
description: Indicates that the user does not have the required access to create a Timeline.
content:
application/json:
schema:
@ -45,5 +50,8 @@ paths:
properties:
body:
type: string
description: The error message
example: update timeline error
statusCode:
type: number
example: 405

13
x-pack/solutions/security/plugins/security_solution/common/api/timeline/persist_note/persist_note_route.gen.ts
View file

@ -27,13 +27,18 @@ export const ResponseNote = z.object({
export type PersistNoteRouteRequestBody = z.infer<typeof PersistNoteRouteRequestBody>;
export const PersistNoteRouteRequestBody = z.object({
/**
* The note to add or update.
*/
note: BareNote,
overrideOwner: z.boolean().nullable().optional(),
/**
* The `savedObjectId` of the note
*/
noteId: z.string().nullable().optional(),
/**
* The version of the note
*/
version: z.string().nullable().optional(),
eventIngested: z.string().nullable().optional(),
eventTimestamp: z.string().nullable().optional(),
eventDataView: z.string().nullable().optional(),
});
export type PersistNoteRouteRequestBodyInput = z.input<typeof PersistNoteRouteRequestBody>;

17
x-pack/solutions/security/plugins/security_solution/common/api/timeline/persist_note/persist_note_route.schema.yaml
View file

@ -26,24 +26,17 @@ paths:
properties:
note:
$ref: '../model/components.schema.yaml#/components/schemas/BareNote'
overrideOwner:
type: boolean
nullable: true
description: The note to add or update.
noteId:
type: string
nullable: true
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
version:
type: string
nullable: true
eventIngested:
type: string
nullable: true
eventTimestamp:
type: string
nullable: true
eventDataView:
type: string
nullable: true
description: The version of the note
example: WzQ2LDFd
responses:
'200':
description: Indicates the note was successfully created.

13
x-pack/solutions/security/plugins/security_solution/common/api/timeline/pinned_events/pinned_events_route.gen.ts
View file

@ -10,7 +10,7 @@
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
*
* info:
* title: Elastic Security - Timeline - Pinned Event API
* title: Elastic Security - Timeline - pinned event API
* version: 2023-10-31
*/
@ -32,9 +32,18 @@ export const PersistPinnedEventResponse = z.union([
export type PersistPinnedEventRouteRequestBody = z.infer<typeof PersistPinnedEventRouteRequestBody>;
export const PersistPinnedEventRouteRequestBody = z.object({
/**
* The `_id` of the associated event for this pinned event.
*/
eventId: z.string(),
pinnedEventId: z.string().nullable().optional(),
/**
* The `savedObjectId` of the timeline that you want this pinned event unpinned from.
*/
timelineId: z.string(),
/**
* The `savedObjectId` of the pinned event you want to unpin.
*/
pinnedEventId: z.string().nullable().optional(),
});
export type PersistPinnedEventRouteRequestBodyInput = z.input<
typeof PersistPinnedEventRouteRequestBody

20
x-pack/solutions/security/plugins/security_solution/common/api/timeline/pinned_events/pinned_events_route.schema.yaml
View file

@ -1,6 +1,6 @@
openapi: 3.0.0
info:
title: Elastic Security - Timeline - Pinned Event API
title: Elastic Security - Timeline - pinned event API
version: '2023-10-31'
externalDocs:
url: https://www.elastic.co/guide/en/security/current/_pin_an_event_to_an_existing_timeline.html
@ -11,12 +11,12 @@ paths:
x-labels: [serverless, ess]
x-codegen-enabled: true
operationId: PersistPinnedEventRoute
summary: Pin an event
description: Pin an event to an existing Timeline.
summary: Pin/unpin an event
description: Pin/unpin an event to/from an existing Timeline.
tags:
- access:securitySolution
requestBody:
description: The pinned event to add or update, along with additional metadata.
description: The pinned event to add or unpin, along with additional metadata.
required: true
content:
application/json:
@ -26,14 +26,20 @@ paths:
properties:
eventId:
type: string
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
timelineId:
type: string
description: The `savedObjectId` of the timeline that you want this pinned event unpinned from.
example: '15c1929b-0af7-42bd-85a8-56e234cc7c4e'
pinnedEventId:
type: string
nullable: true
timelineId:
type: string
description: The `savedObjectId` of the pinned event you want to unpin.
example: '10r1929b-0af7-42bd-85a8-56e234f98h2f3'
responses:
'200':
description: Indicates the event was successfully pinned to the Timeline.
description: Indicates the event was successfully pinned to or unpinned from the Timeline.
content:
application/json:
schema:

419
x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_timeline_api_2023_10_31.bundled.schema.yaml
View file

@ -128,24 +128,17 @@ paths:
schema:
type: object
properties:
eventDataView:
nullable: true
type: string
eventIngested:
nullable: true
type: string
eventTimestamp:
nullable: true
type: string
note:
$ref: '#/components/schemas/BareNote'
description: The note to add or update.
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
nullable: true
type: string
overrideOwner:
nullable: true
type: boolean
version:
description: The version of the note
example: WzQ2LDFd
nullable: true
type: string
required:
@ -175,7 +168,7 @@ paths:
- 'access:securitySolution'
/api/pinned_event:
patch:
description: Pin an event to an existing Timeline.
description: Pin/unpin an event to/from an existing Timeline.
operationId: PersistPinnedEventRoute
requestBody:
content:
@ -184,16 +177,24 @@ paths:
type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
pinnedEventId:
description: The `savedObjectId` of the pinned event you want to unpin.
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
nullable: true
type: string
timelineId:
description: >-
The `savedObjectId` of the timeline that you want this
pinned event unpinned from.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
description: 'The pinned event to add or update, along with additional metadata.'
description: 'The pinned event to add or unpin, along with additional metadata.'
required: true
responses:
'200':
@ -211,8 +212,10 @@ paths:
- persistPinnedEventOnTimeline
required:
- data
description: Indicates the event was successfully pinned to the Timeline.
summary: Pin an event
description: >-
Indicates the event was successfully pinned to or unpinned from the
Timeline.
summary: Pin/unpin an event
tags:
- Security Timeline API
- 'access:securitySolution'
@ -227,13 +230,21 @@ paths:
type: object
properties:
savedObjectIds:
description: >-
The list of IDs of the Timelines or Timeline templates to
delete
example:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
items:
type: string
type: array
searchIds:
description: >-
Saved search ids that should be deleted alongside the
Saved search IDs that should be deleted alongside the
timelines
example:
- 23f3-43g34g322-e5g5hrh6h-45454
- 6ce1b592-84e3-4b4a-9552-f189d4b82075
items:
type: string
type: array
@ -266,12 +277,12 @@ paths:
description: Get the details of an existing saved Timeline or Timeline template.
operationId: GetTimeline
parameters:
- description: The ID of the template timeline to retrieve
- description: The `savedObjectId` of the template timeline to retrieve
in: query
name: template_timeline_id
schema:
type: string
- description: The ID of the Timeline to retrieve.
- description: The `savedObjectId` of the Timeline to retrieve.
in: query
name: id
schema:
@ -314,10 +325,21 @@ paths:
properties:
timeline:
$ref: '#/components/schemas/SavedTimeline'
description: >-
The timeline object of the Timeline or Timeline template
that youre updating.
timelineId:
description: >-
The `savedObjectId` of the Timeline or Timeline template
that youre updating.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
nullable: true
type: string
version:
description: >-
The version of the Timeline or Timeline template that youre
updating.
example: WzE0LDFd
nullable: true
type: string
required:
@ -332,10 +354,7 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/PersistTimelineResponse'
description: >-
Indicates that the draft Timeline was successfully created. In the
event the user already has a draft Timeline, the existing draft
Timeline is cleared and returned.
description: Indicates that the Timeline was successfully updated.
'405':
content:
application/json:
@ -343,12 +362,15 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: >-
Indicates that the user does not have the required access to create
a draft Timeline.
a Timeline.
summary: Update a Timeline
tags:
- Security Timeline API
@ -366,14 +388,20 @@ paths:
$ref: '#/components/schemas/TimelineStatus'
nullable: true
templateTimelineId:
description: A unique identifier for the Timeline template.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number.
example: 12
nullable: true
type: number
timeline:
$ref: '#/components/schemas/SavedTimeline'
timelineId:
description: A unique identifier for the Timeline.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
timelineType:
@ -402,8 +430,11 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that there was an error in the Timeline creation.
summary: Create a Timeline or Timeline template
@ -677,6 +708,7 @@ paths:
properties:
file: {}
isImmutable:
description: Whether the Timeline should be immutable
enum:
- 'true'
- 'false'
@ -699,10 +731,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Invalid file extension
type: string
statusCode:
example: 400
type: number
description: >-
Indicates the import of Timelines was unsuccessful because of an
@ -713,9 +746,12 @@ paths:
schema:
type: object
properties:
id:
body:
description: The error message
example: Unable to find saved object client
type: string
statusCode:
example: 404
type: number
description: >-
Indicates that we were unable to locate the saved object client
@ -727,10 +763,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Could not import timelines
type: string
statusCode:
example: 409
type: number
description: Indicates the import of Timelines was unsuccessful.
summary: Import Timelines
@ -854,24 +891,28 @@ paths:
name: sort_field
schema:
$ref: '#/components/schemas/SortFieldTimeline'
- in: query
- description: Whether to sort the results `ascending` or `descending`
in: query
name: sort_order
schema:
enum:
- asc
- desc
type: string
- in: query
- description: How many results should returned at once
in: query
name: page_size
schema:
nullable: true
type: string
- in: query
- description: How many pages should be skipped
in: query
name: page_index
schema:
nullable: true
type: string
- in: query
- description: Allows to search for timelines by their title
in: query
name: search
schema:
nullable: true
@ -889,20 +930,32 @@ paths:
type: object
properties:
customTemplateTimelineCount:
description: The amount of custom Timeline templates in the results
example: 2
type: number
defaultTimelineCount:
description: The amount of `default` type Timelines in the results
example: 90
type: number
elasticTemplateTimelineCount:
description: The amount of Elastic's Timeline templates in the results
example: 8
type: number
favoriteCount:
description: The amount of favorited Timelines
example: 5
type: number
templateTimelineCount:
description: The amount of Timeline templates in the results
example: 10
type: number
timeline:
items:
$ref: '#/components/schemas/TimelineResponse'
type: array
totalCount:
description: The total amount of results
example: 100
type: number
required:
- timeline
@ -915,8 +968,11 @@ paths:
type: object
properties:
body:
description: The error message
example: get timeline error
type: string
statusCode:
example: 405
type: number
description: Bad request. The user supplied invalid data.
summary: Get Timelines or Timeline templates
@ -935,52 +991,46 @@ components:
- orphan
type: string
BareNote:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
nullable: true
type: string
note:
nullable: true
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- timelineId
allOf:
- $ref: '#/components/schemas/NoteCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this note.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
nullable: true
type: string
note:
description: The text of the note
example: This is an example text
nullable: true
type: string
timelineId:
description: >-
The `savedObjectId` of the Timeline that this note is associated
with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- timelineId
BarePinnedEvent:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- eventId
- timelineId
allOf:
- $ref: '#/components/schemas/PinnedEventCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
timelineId:
description: >-
The `savedObjectId` of the timeline that this pinned event is
associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
ColumnHeaderResult:
type: object
properties:
@ -1073,9 +1123,7 @@ components:
$ref: '#/components/schemas/DataProviderType'
nullable: true
DataProviderType:
description: >-
The type of data provider to create. Valid values are `default` and
`template`.
description: The type of data provider.
enum:
- default
- template
@ -1115,6 +1163,10 @@ components:
- savedObjectId
- version
FavoriteTimelineResult:
description: Indicates when and who marked a Timeline as a favorite.
example:
favoriteDate: 1741337636741
userName: elastic
type: object
properties:
favoriteDate:
@ -1127,6 +1179,16 @@ components:
nullable: true
type: string
FilterTimelineResult:
example:
meta:
alias: Custom filter name
disabled: false
index: '.alerts-security.alerts-default,logs-*'
key: '@timestamp'
negate: 'false,'
type: exists
value: exists
query: '{"exists":{"field":"@timestamp"}}'
type: object
properties:
exists:
@ -1200,26 +1262,43 @@ components:
type: object
properties:
errors:
description: The list of failed Timeline imports
items:
type: object
properties:
error:
description: >-
The error containing the reason why the timeline could not be
imported
type: object
properties:
message:
description: The reason why the timeline could not be imported
example: Malformed JSON
type: string
status_code:
description: The HTTP status code of the error
example: 400
type: number
id:
description: The ID of the timeline that failed to import
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
type: string
type: array
success:
description: Indicates whether any of the Timelines were successfully imports
type: boolean
success_count:
description: The amount of successfully imported/updated Timelines
example: 99
type: number
timelines_installed:
description: The amount of successfully installed Timelines
example: 80
type: number
timelines_updated:
description: The amount of successfully updated Timelines
example: 19
type: number
ImportTimelines:
allOf:
@ -1259,12 +1338,39 @@ components:
- type: object
properties:
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
type: string
version:
description: The version of the note
example: WzQ2LDFd
type: string
required:
- noteId
- version
NoteCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: 'The time the note was created, using a 13-digit Epoch timestamp.'
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the note.
example: casetester
nullable: true
type: string
updated:
description: 'The last time the note was updated, using a 13-digit Epoch timestamp'
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the note
example: casetester
nullable: true
type: string
PersistPinnedEventResponse:
oneOf:
- allOf:
@ -1295,8 +1401,12 @@ components:
- type: object
properties:
pinnedEventId:
description: The `savedObjectId` of this pinned event
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
type: string
version:
description: The version of this pinned event
example: WzQ2LDFe
type: string
required:
- pinnedEventId
@ -1310,6 +1420,33 @@ components:
type: string
required:
- code
PinnedEventCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: >-
The time the pinned event was created, using a 13-digit Epoch
timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the pinned event.
example: casetester
nullable: true
type: string
updated:
description: >-
The last time the pinned event was updated, using a 13-digit Epoch
timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the pinned event
example: casetester
nullable: true
type: string
QueryMatchResult:
type: object
properties:
@ -1361,6 +1498,7 @@ components:
- message
- note
RowRendererId:
description: Identifies the available row renderers
enum:
- alert
- alerts
@ -1402,25 +1540,53 @@ components:
type: object
properties:
columns:
description: The Timeline's columns
example:
- columnHeaderType: not-filtered
id: '@timestamp'
- columnHeaderType: not-filtered
id: event.category
items:
$ref: '#/components/schemas/ColumnHeaderResult'
nullable: true
type: array
created:
description: 'The time the Timeline was created, using a 13-digit Epoch timestamp.'
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the Timeline.
example: casetester
nullable: true
type: string
dataProviders:
description: Object containing query clauses
example:
- enabled: true
excluded: false
id: >-
id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
queryMatch:
field: '_id,'
operator: ':'
value: >-
d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,
items:
$ref: '#/components/schemas/DataProviderResult'
nullable: true
type: array
dataViewId:
description: ID of the Timeline's Data View
example: security-solution-default
nullable: true
type: string
dateRange:
description: The Timeline's search period.
example:
end: 1587456479201
start: 1587370079200
nullable: true
type: object
properties:
@ -1437,9 +1603,17 @@ components:
- nullable: true
type: number
description:
description: The Timeline's description
example: Investigating exposure of CVE XYZ
nullable: true
type: string
eqlOptions:
description: EQL query that is used in the correlation tab
example:
eventCategoryField: event.category
query: 'sequence\n[process where process.name == "sudo"]\n[any where true]'
size: 100
timestampField: '@timestamp'
nullable: true
type: object
properties:
@ -1462,9 +1636,15 @@ components:
nullable: true
type: string
eventType:
deprecated: true
description: Event types displayed in the Timeline
example: all
nullable: true
type: string
excludedRowRendererIds:
description: >-
A list of row renderers that should not be used when in `Event
renderers` mode
items:
$ref: '#/components/schemas/RowRendererId'
nullable: true
@ -1475,53 +1655,81 @@ components:
nullable: true
type: array
filters:
description: A list of filters that should be applied to the query
items:
$ref: '#/components/schemas/FilterTimelineResult'
nullable: true
type: array
indexNames:
description: >-
A list of index names to use in the query (e.g. when the default
data view has been modified)
example:
- .logs*
items:
type: string
nullable: true
type: array
kqlMode:
description: >-
Indicates whether the KQL bar filters the query results or searches
for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
example: search
nullable: true
type: string
kqlQuery:
$ref: '#/components/schemas/SerializedFilterQueryResult'
nullable: true
savedQueryId:
description: The ID of the saved query that might be used in the Query tab
example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
nullable: true
type: string
savedSearchId:
description: The ID of the saved search that is used in the ES|QL tab
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
sort:
$ref: '#/components/schemas/Sort'
nullable: true
status:
enum:
- active
- draft
- immutable
$ref: '#/components/schemas/TimelineStatus'
nullable: true
type: string
templateTimelineId:
description: >-
A unique ID (UUID) for Timeline templates. For Timelines, the value
is `null`.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: >-
Timeline template version number. For Timelines, the value is
`null`.
example: 12
nullable: true
type: number
timelineType:
$ref: '#/components/schemas/TimelineType'
nullable: true
title:
description: The Timeline's title.
example: CVE XYZ investigation
nullable: true
type: string
updated:
description: >-
The last time the Timeline was updated, using a 13-digit Epoch
timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the Timeline
example: casetester
nullable: true
type: string
SavedTimelineWithSavedObjectId:
@ -1530,13 +1738,25 @@ components:
- type: object
properties:
savedObjectId:
description: The `savedObjectId` of the Timeline or Timeline template
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
version:
description: The version of the Timeline or Timeline template
example: WzE0LDFd
type: string
required:
- savedObjectId
- version
SerializedFilterQueryResult:
description: KQL bar query.
example:
filterQuery: null
kuery:
expression: '_id : *'
kind: kuery
serializedQuery: >-
{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}
type: object
properties:
filterQuery:
@ -1571,6 +1791,10 @@ components:
- created
type: string
SortObject:
description: Object indicating how rows are sorted in the Timeline's grid
example:
columnId: '@timestamp'
sortDirection: desc
type: object
properties:
columnId:
@ -1589,26 +1813,41 @@ components:
- type: object
properties:
eventIdToNoteIds:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Note'
nullable: true
type: array
noteIds:
description: >-
A list of all the ids of notes that are associated to this
Timeline.
example:
- 709f99c6-89b6-4953-9160-35945c8e174e
items:
type: string
nullable: true
type: array
notes:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Note'
nullable: true
type: array
pinnedEventIds:
description: >-
A list of all the ids of pinned events that are associated to
this Timeline.
example:
- 983f99c6-89b6-4953-9160-35945c8a194f
items:
type: string
nullable: true
type: array
pinnedEventsSaveObject:
description: >-
A list of all the pinned events that are associated to this
Timeline.
items:
$ref: '#/components/schemas/PinnedEvent'
nullable: true
@ -1651,18 +1890,14 @@ components:
- savedObjectId
- version
TimelineStatus:
description: >-
The status of the timeline. Valid values are `active`, `draft`, and
`immutable`.
description: The status of the Timeline.
enum:
- active
- draft
- immutable
type: string
TimelineType:
description: >-
The type of timeline to create. Valid values are `default` and
`template`.
description: The type of Timeline.
enum:
- default
- template

419
x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml
View file

@ -128,24 +128,17 @@ paths:
schema:
type: object
properties:
eventDataView:
nullable: true
type: string
eventIngested:
nullable: true
type: string
eventTimestamp:
nullable: true
type: string
note:
$ref: '#/components/schemas/BareNote'
description: The note to add or update.
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
nullable: true
type: string
overrideOwner:
nullable: true
type: boolean
version:
description: The version of the note
example: WzQ2LDFd
nullable: true
type: string
required:
@ -175,7 +168,7 @@ paths:
- 'access:securitySolution'
/api/pinned_event:
patch:
description: Pin an event to an existing Timeline.
description: Pin/unpin an event to/from an existing Timeline.
operationId: PersistPinnedEventRoute
requestBody:
content:
@ -184,16 +177,24 @@ paths:
type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
pinnedEventId:
description: The `savedObjectId` of the pinned event you want to unpin.
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
nullable: true
type: string
timelineId:
description: >-
The `savedObjectId` of the timeline that you want this
pinned event unpinned from.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
description: 'The pinned event to add or update, along with additional metadata.'
description: 'The pinned event to add or unpin, along with additional metadata.'
required: true
responses:
'200':
@ -211,8 +212,10 @@ paths:
- persistPinnedEventOnTimeline
required:
- data
description: Indicates the event was successfully pinned to the Timeline.
summary: Pin an event
description: >-
Indicates the event was successfully pinned to or unpinned from the
Timeline.
summary: Pin/unpin an event
tags:
- Security Timeline API
- 'access:securitySolution'
@ -227,13 +230,21 @@ paths:
type: object
properties:
savedObjectIds:
description: >-
The list of IDs of the Timelines or Timeline templates to
delete
example:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
items:
type: string
type: array
searchIds:
description: >-
Saved search ids that should be deleted alongside the
Saved search IDs that should be deleted alongside the
timelines
example:
- 23f3-43g34g322-e5g5hrh6h-45454
- 6ce1b592-84e3-4b4a-9552-f189d4b82075
items:
type: string
type: array
@ -266,12 +277,12 @@ paths:
description: Get the details of an existing saved Timeline or Timeline template.
operationId: GetTimeline
parameters:
- description: The ID of the template timeline to retrieve
- description: The `savedObjectId` of the template timeline to retrieve
in: query
name: template_timeline_id
schema:
type: string
- description: The ID of the Timeline to retrieve.
- description: The `savedObjectId` of the Timeline to retrieve.
in: query
name: id
schema:
@ -314,10 +325,21 @@ paths:
properties:
timeline:
$ref: '#/components/schemas/SavedTimeline'
description: >-
The timeline object of the Timeline or Timeline template
that youre updating.
timelineId:
description: >-
The `savedObjectId` of the Timeline or Timeline template
that youre updating.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
nullable: true
type: string
version:
description: >-
The version of the Timeline or Timeline template that youre
updating.
example: WzE0LDFd
nullable: true
type: string
required:
@ -332,10 +354,7 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/PersistTimelineResponse'
description: >-
Indicates that the draft Timeline was successfully created. In the
event the user already has a draft Timeline, the existing draft
Timeline is cleared and returned.
description: Indicates that the Timeline was successfully updated.
'405':
content:
application/json:
@ -343,12 +362,15 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: >-
Indicates that the user does not have the required access to create
a draft Timeline.
a Timeline.
summary: Update a Timeline
tags:
- Security Timeline API
@ -366,14 +388,20 @@ paths:
$ref: '#/components/schemas/TimelineStatus'
nullable: true
templateTimelineId:
description: A unique identifier for the Timeline template.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number.
example: 12
nullable: true
type: number
timeline:
$ref: '#/components/schemas/SavedTimeline'
timelineId:
description: A unique identifier for the Timeline.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
timelineType:
@ -402,8 +430,11 @@ paths:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that there was an error in the Timeline creation.
summary: Create a Timeline or Timeline template
@ -677,6 +708,7 @@ paths:
properties:
file: {}
isImmutable:
description: Whether the Timeline should be immutable
enum:
- 'true'
- 'false'
@ -699,10 +731,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Invalid file extension
type: string
statusCode:
example: 400
type: number
description: >-
Indicates the import of Timelines was unsuccessful because of an
@ -713,9 +746,12 @@ paths:
schema:
type: object
properties:
id:
body:
description: The error message
example: Unable to find saved object client
type: string
statusCode:
example: 404
type: number
description: >-
Indicates that we were unable to locate the saved object client
@ -727,10 +763,11 @@ paths:
type: object
properties:
body:
type: string
id:
description: The error message
example: Could not import timelines
type: string
statusCode:
example: 409
type: number
description: Indicates the import of Timelines was unsuccessful.
summary: Import Timelines
@ -854,24 +891,28 @@ paths:
name: sort_field
schema:
$ref: '#/components/schemas/SortFieldTimeline'
- in: query
- description: Whether to sort the results `ascending` or `descending`
in: query
name: sort_order
schema:
enum:
- asc
- desc
type: string
- in: query
- description: How many results should returned at once
in: query
name: page_size
schema:
nullable: true
type: string
- in: query
- description: How many pages should be skipped
in: query
name: page_index
schema:
nullable: true
type: string
- in: query
- description: Allows to search for timelines by their title
in: query
name: search
schema:
nullable: true
@ -889,20 +930,32 @@ paths:
type: object
properties:
customTemplateTimelineCount:
description: The amount of custom Timeline templates in the results
example: 2
type: number
defaultTimelineCount:
description: The amount of `default` type Timelines in the results
example: 90
type: number
elasticTemplateTimelineCount:
description: The amount of Elastic's Timeline templates in the results
example: 8
type: number
favoriteCount:
description: The amount of favorited Timelines
example: 5
type: number
templateTimelineCount:
description: The amount of Timeline templates in the results
example: 10
type: number
timeline:
items:
$ref: '#/components/schemas/TimelineResponse'
type: array
totalCount:
description: The total amount of results
example: 100
type: number
required:
- timeline
@ -915,8 +968,11 @@ paths:
type: object
properties:
body:
description: The error message
example: get timeline error
type: string
statusCode:
example: 405
type: number
description: Bad request. The user supplied invalid data.
summary: Get Timelines or Timeline templates
@ -935,52 +991,46 @@ components:
- orphan
type: string
BareNote:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
nullable: true
type: string
note:
nullable: true
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- timelineId
allOf:
- $ref: '#/components/schemas/NoteCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this note.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
nullable: true
type: string
note:
description: The text of the note
example: This is an example text
nullable: true
type: string
timelineId:
description: >-
The `savedObjectId` of the Timeline that this note is associated
with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- timelineId
BarePinnedEvent:
type: object
properties:
created:
nullable: true
type: number
createdBy:
nullable: true
type: string
eventId:
type: string
timelineId:
type: string
updated:
nullable: true
type: number
updatedBy:
nullable: true
type: string
required:
- eventId
- timelineId
allOf:
- $ref: '#/components/schemas/PinnedEventCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
timelineId:
description: >-
The `savedObjectId` of the timeline that this pinned event is
associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
ColumnHeaderResult:
type: object
properties:
@ -1073,9 +1123,7 @@ components:
$ref: '#/components/schemas/DataProviderType'
nullable: true
DataProviderType:
description: >-
The type of data provider to create. Valid values are `default` and
`template`.
description: The type of data provider.
enum:
- default
- template
@ -1115,6 +1163,10 @@ components:
- savedObjectId
- version
FavoriteTimelineResult:
description: Indicates when and who marked a Timeline as a favorite.
example:
favoriteDate: 1741337636741
userName: elastic
type: object
properties:
favoriteDate:
@ -1127,6 +1179,16 @@ components:
nullable: true
type: string
FilterTimelineResult:
example:
meta:
alias: Custom filter name
disabled: false
index: '.alerts-security.alerts-default,logs-*'
key: '@timestamp'
negate: 'false,'
type: exists
value: exists
query: '{"exists":{"field":"@timestamp"}}'
type: object
properties:
exists:
@ -1200,26 +1262,43 @@ components:
type: object
properties:
errors:
description: The list of failed Timeline imports
items:
type: object
properties:
error:
description: >-
The error containing the reason why the timeline could not be
imported
type: object
properties:
message:
description: The reason why the timeline could not be imported
example: Malformed JSON
type: string
status_code:
description: The HTTP status code of the error
example: 400
type: number
id:
description: The ID of the timeline that failed to import
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
type: string
type: array
success:
description: Indicates whether any of the Timelines were successfully imports
type: boolean
success_count:
description: The amount of successfully imported/updated Timelines
example: 99
type: number
timelines_installed:
description: The amount of successfully installed Timelines
example: 80
type: number
timelines_updated:
description: The amount of successfully updated Timelines
example: 19
type: number
ImportTimelines:
allOf:
@ -1259,12 +1338,39 @@ components:
- type: object
properties:
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
type: string
version:
description: The version of the note
example: WzQ2LDFd
type: string
required:
- noteId
- version
NoteCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: 'The time the note was created, using a 13-digit Epoch timestamp.'
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the note.
example: casetester
nullable: true
type: string
updated:
description: 'The last time the note was updated, using a 13-digit Epoch timestamp'
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the note
example: casetester
nullable: true
type: string
PersistPinnedEventResponse:
oneOf:
- allOf:
@ -1295,8 +1401,12 @@ components:
- type: object
properties:
pinnedEventId:
description: The `savedObjectId` of this pinned event
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
type: string
version:
description: The version of this pinned event
example: WzQ2LDFe
type: string
required:
- pinnedEventId
@ -1310,6 +1420,33 @@ components:
type: string
required:
- code
PinnedEventCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: >-
The time the pinned event was created, using a 13-digit Epoch
timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the pinned event.
example: casetester
nullable: true
type: string
updated:
description: >-
The last time the pinned event was updated, using a 13-digit Epoch
timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the pinned event
example: casetester
nullable: true
type: string
QueryMatchResult:
type: object
properties:
@ -1361,6 +1498,7 @@ components:
- message
- note
RowRendererId:
description: Identifies the available row renderers
enum:
- alert
- alerts
@ -1402,25 +1540,53 @@ components:
type: object
properties:
columns:
description: The Timeline's columns
example:
- columnHeaderType: not-filtered
id: '@timestamp'
- columnHeaderType: not-filtered
id: event.category
items:
$ref: '#/components/schemas/ColumnHeaderResult'
nullable: true
type: array
created:
description: 'The time the Timeline was created, using a 13-digit Epoch timestamp.'
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the Timeline.
example: casetester
nullable: true
type: string
dataProviders:
description: Object containing query clauses
example:
- enabled: true
excluded: false
id: >-
id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
queryMatch:
field: '_id,'
operator: ':'
value: >-
d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,
items:
$ref: '#/components/schemas/DataProviderResult'
nullable: true
type: array
dataViewId:
description: ID of the Timeline's Data View
example: security-solution-default
nullable: true
type: string
dateRange:
description: The Timeline's search period.
example:
end: 1587456479201
start: 1587370079200
nullable: true
type: object
properties:
@ -1437,9 +1603,17 @@ components:
- nullable: true
type: number
description:
description: The Timeline's description
example: Investigating exposure of CVE XYZ
nullable: true
type: string
eqlOptions:
description: EQL query that is used in the correlation tab
example:
eventCategoryField: event.category
query: 'sequence\n[process where process.name == "sudo"]\n[any where true]'
size: 100
timestampField: '@timestamp'
nullable: true
type: object
properties:
@ -1462,9 +1636,15 @@ components:
nullable: true
type: string
eventType:
deprecated: true
description: Event types displayed in the Timeline
example: all
nullable: true
type: string
excludedRowRendererIds:
description: >-
A list of row renderers that should not be used when in `Event
renderers` mode
items:
$ref: '#/components/schemas/RowRendererId'
nullable: true
@ -1475,53 +1655,81 @@ components:
nullable: true
type: array
filters:
description: A list of filters that should be applied to the query
items:
$ref: '#/components/schemas/FilterTimelineResult'
nullable: true
type: array
indexNames:
description: >-
A list of index names to use in the query (e.g. when the default
data view has been modified)
example:
- .logs*
items:
type: string
nullable: true
type: array
kqlMode:
description: >-
Indicates whether the KQL bar filters the query results or searches
for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
example: search
nullable: true
type: string
kqlQuery:
$ref: '#/components/schemas/SerializedFilterQueryResult'
nullable: true
savedQueryId:
description: The ID of the saved query that might be used in the Query tab
example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
nullable: true
type: string
savedSearchId:
description: The ID of the saved search that is used in the ES|QL tab
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
sort:
$ref: '#/components/schemas/Sort'
nullable: true
status:
enum:
- active
- draft
- immutable
$ref: '#/components/schemas/TimelineStatus'
nullable: true
type: string
templateTimelineId:
description: >-
A unique ID (UUID) for Timeline templates. For Timelines, the value
is `null`.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: >-
Timeline template version number. For Timelines, the value is
`null`.
example: 12
nullable: true
type: number
timelineType:
$ref: '#/components/schemas/TimelineType'
nullable: true
title:
description: The Timeline's title.
example: CVE XYZ investigation
nullable: true
type: string
updated:
description: >-
The last time the Timeline was updated, using a 13-digit Epoch
timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the Timeline
example: casetester
nullable: true
type: string
SavedTimelineWithSavedObjectId:
@ -1530,13 +1738,25 @@ components:
- type: object
properties:
savedObjectId:
description: The `savedObjectId` of the Timeline or Timeline template
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
version:
description: The version of the Timeline or Timeline template
example: WzE0LDFd
type: string
required:
- savedObjectId
- version
SerializedFilterQueryResult:
description: KQL bar query.
example:
filterQuery: null
kuery:
expression: '_id : *'
kind: kuery
serializedQuery: >-
{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}
type: object
properties:
filterQuery:
@ -1571,6 +1791,10 @@ components:
- created
type: string
SortObject:
description: Object indicating how rows are sorted in the Timeline's grid
example:
columnId: '@timestamp'
sortDirection: desc
type: object
properties:
columnId:
@ -1589,26 +1813,41 @@ components:
- type: object
properties:
eventIdToNoteIds:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Note'
nullable: true
type: array
noteIds:
description: >-
A list of all the ids of notes that are associated to this
Timeline.
example:
- 709f99c6-89b6-4953-9160-35945c8e174e
items:
type: string
nullable: true
type: array
notes:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Note'
nullable: true
type: array
pinnedEventIds:
description: >-
A list of all the ids of pinned events that are associated to
this Timeline.
example:
- 983f99c6-89b6-4953-9160-35945c8a194f
items:
type: string
nullable: true
type: array
pinnedEventsSaveObject:
description: >-
A list of all the pinned events that are associated to this
Timeline.
items:
$ref: '#/components/schemas/PinnedEvent'
nullable: true
@ -1651,18 +1890,14 @@ components:
- savedObjectId
- version
TimelineStatus:
description: >-
The status of the timeline. Valid values are `active`, `draft`, and
`immutable`.
description: The status of the Timeline.
enum:
- active
- draft
- immutable
type: string
TimelineType:
description: >-
The type of timeline to create. Valid values are `default` and
`template`.
description: The type of Timeline.
enum:
- default
- template

2
x-pack/test/api_integration/services/security_solution_api.gen.ts
View file

@ -1342,7 +1342,7 @@ finalize it.
.send(props.body as object);
},
/**
* Pin an event to an existing Timeline.
* Pin/unpin an event to/from an existing Timeline.
*/
persistPinnedEventRoute(props: PersistPinnedEventRouteProps, kibanaSpace: string = 'default') {
return supertest