创建时间线或时间线模板

编辑

创建新的时间线或时间线模板。

使用 timeline 对象的 timelineType 字段来确定是创建时间线还是时间线模板,其中

  • default 创建新的时间线("timelineType": "default"
  • template 创建新的时间线模板("timelineType": "template"

如果您未指定 timelineType 字段,则会创建一个新的时间线。

请求 URL

编辑

POST <kibana host>:<port>/api/timeline

请求正文

编辑

定义时间线或时间线模板查询和时间过滤器的 JSON 对象。

有关时间线对象模式及其对应的 UI 组件的详细信息,请参阅 时间线模式

名称 类型 描述 必需

timeline

timeline

时间线对象,定义了搜索条件和时间范围。唯一必需的字段是 title

当您创建时间线模板时,请提供以下字段以便您可以轻松 导入模板更新

  • templateTimelineId:唯一标识符(UUID,仅用于时间线模板)
  • templateTimelineVersion:模板版本号(仅用于时间线模板)

timelineId

字符串

如果提供,则对于新的时间线或模板,必须为 null

version

字符串

如果提供,则对于新的时间线或模板,必须为 null

示例请求

编辑

示例 1

创建一个新的时间线。

POST api/timeline
{
  "timeline": {
    "columns": [
      {
        "id": "@timestamp"
      },
      {
        "id": "user.name"
      },
      {
        "id": "event.category"
      },
      {
        "id": "event.action"
      },
      {
        "id": "host.name"
      }
    ],
    "dataProviders": [ 
      {
        "and": [
          {
            "name": "event.category",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d11",
            "queryMatch": {
              "field": "event.category",
              "value": "process",
              "operator": ":"
            }
          },
          {
            "name": "user.name",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d12",
            "queryMatch": {
              "field": "user.name",
              "value": "SYSTEM",
              "operator": ":"
            }
          }
        ],
        "enabled": true,
        "excluded": false,
        "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d13",
        "name": "host.os.platform",
        "queryMatch": {
          "field": "host.os.platform",
          "value": "windows",
          "operator": ":"
        }
      }
    ],
    "dateRange": {
      "end": 1594005719000,
      "start": 1593832919000
    },
    "description": "Gets Windows system processes from all hosts",
    "title": "Windows system processes"
  }
}

为了确保时间线在 UI 中正确显示,请在所有 dataProviders 对象中指定以下字段

  • and(可以为空)
  • name
  • enabled
  • excluded
  • id
  • queryMatch

    • field
    • value
    • operator

示例 2

创建一个新的时间线模板

POST api/timeline
{
  "timeline": {
    "columns": [
      {
        "id": "@timestamp"
      },
      {
        "id": "user.name"
      },
      {
        "id": "event.category"
      },
      {
        "id": "event.action"
      },
      {
        "id": "host.name"
      }
    ],
    "dataProviders": [
      {
        "and": [
          {
            "name": "event.category",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d21",
            "queryMatch": {
              "field": "event.category",
              "operator": ":",
              "value": "process" 
            }
          },
          {
            "name": "user.name",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d22",
            "queryMatch": {
              "field": "user.name",
              "operator": ":",
              "value": "SYSTEM"
            }
          }
        ],
        "enabled": true,
        "excluded": false,
        "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d23",
        "name": "host.os.platform",
        "queryMatch": {
          "field": "host.os.platform",
          "operator": ":",
          "value": "windows"
        }
      }
    ],
    "dateRange": {
      "end": 1594005719000,
      "start": 1593832919000
    },
    "description": "Template for investigating host events",
    "templateTimelineId": "6acb2c90-a01c-11ea-8e47-5dc21077d10c", 
    "templateTimelineVersion": 1, 
    "timelineType": "template", 
    "title": "Host event template"
  }
}

为了确保时间线模板在 UI 中正确显示,即使在时间线中调查警报时被替换,也要指定 value 字段。

模板 UUID。

模板版本号。

要创建模板,timelineType 字段值必须为 template

示例 3

创建使用 kqlQuery 对象(UI 中的 KQL 栏)的时间线模板,以确保在时间线中调查警报时仅显示 Windows 警报

POST api/timeline
{
  "timeline": {
    "columns": [
      {
        "id": "@timestamp"
      },
      {
        "id": "user.name"
      },
      {
        "id": "event.category"
      },
      {
        "id": "event.action"
      },
      {
        "id": "host.name"
      }
    ],
    "dataProviders": [
      {
        "and": [
          {
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d31",
            "name": "user.name",
            "queryMatch": {
              "field": "user.name",
              "operator": ":",
              "value": "SYSTEM"
            }
          }
        ],
        "enabled": true,
        "excluded": false,
        "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d32",
        "name": "event.category",
        "queryMatch": {
          "field": "event.category",
          "operator": ":",
          "value": "process"
        }
      }
    ],
    "dateRange": {
      "end": 1594005719000,
      "start": 1593832919000
    },
    "description": "Template for investigating Windows events",
    "kqlMode": "filter",
    "kqlQuery": {
      "filterQuery": {
        "kuery": {
          "expression": "host.os.platform : windows",
          "kind": "kuery"
        }
      }
    },
    "templateTimelineId": "6f9a3480-bf4f-11ea-9fcd-ed4e5fd0dcd1",
    "templateTimelineVersion": 1,
    "timelineType": "template",
    "title": "Windows event template"
  }
}

响应代码

编辑
200
指示调用成功。

响应负载

编辑

带有唯一 savedObjectId 及其 version 的 JSON 时间线对象。

示例 1

时间线响应负载

{
  "data": {
    "persistTimeline": {
      "code": 200,
      "message": "success",
      "timeline": {
        "savedObjectId": "7f069820-bf57-11ea-9fcd-ed4e5fd0dcd1",
        "version": "WzQwMiwxXQ==",
        "columns": [
          {
            "id": "@timestamp"
          },
          {
            "id": "user.name"
          },
          {
            "id": "event.category"
          },
          {
            "id": "event.action"
          },
          {
            "id": "host.name"
          }
        ],
        "dataProviders": [
          {
            "and": [
              {
                "name": "event.category",
                "enabled": true,
                "excluded": false,
                "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d41",
                "queryMatch": {
                  "field": "event.category",
                  "value": "process",
                  "operator": ":"
                }
              },
              {
                "name": "user.name",
                "enabled": true,
                "excluded": false,
                "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d42",
                "queryMatch": {
                  "field": "user.name",
                  "value": "SYSTEM",
                  "operator": ":"
                }
              }
            ],
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d43",
            "name": "host.os.platform",
            "queryMatch": {
              "field": "host.os.platform",
              "value": "windows",
              "operator": ":"
            }
          }
        ],
        "dateRange": {
          "end": 1594005719000,
          "start": 1593832919000
        },
        "description": "Gets Windows system processes from all hosts",
        "title": "Windows system processes",
        "created": 1594019310069,
        "createdBy": "elastic",
        "updated": 1594019310069,
        "updatedBy": "elastic",
        "timelineType": "default",
        "status": "active"
      }
    }
  }
}

示例 2

时间线模板响应负载

{
  "data": {
    "persistTimeline": {
      "code": 200,
      "message": "success",
      "timeline": {
        "savedObjectId": "75b6cf30-bf82-11ea-9fcd-ed4e5fd0dcd1",
        "version": "WzQ4MiwxXQ==",
        "columns": [
          {
            "id": "@timestamp"
          },
          {
            "id": "user.name"
          },
          {
            "id": "event.category"
          },
          {
            "id": "event.action"
          },
          {
            "id": "host.name"
          }
        ],
        "dataProviders": [
          {
            "and": [
              {
                "enabled": true,
                "excluded": false,
                "id": "timeline-1-43112bd4-3081-491c-b973-605cce4c5f14",
                "name": "user.name",
                "queryMatch": {
                  "field": "user.name",
                  "operator": ":",
                  "value": "SYSTEM"
                }
              }
            ],
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-43112bd4-3081-491c-b973-605cce4c5f15",
            "name": "event.category",
            "queryMatch": {
              "field": "event.category",
              "operator": ":",
              "value": "process"
            }
          }
        ],
        "dateRange": {
          "end": 1594005719000,
          "start": 1593832919000
        },
        "description": "Template for investigating Windows events",
        "kqlMode": "filter",
        "kqlQuery": {
          "filterQuery": {
            "kuery": {
              "expression": "host.os.platform : windows",
              "kind": "kuery"
            }
          }
        },
        "templateTimelineId": "6f9a3480-bf4f-11ea-9fcd-ed4e5fd0dcd1",
        "templateTimelineVersion": 1,
        "timelineType": "template",
        "title": "Windows event template",
        "created": 1594037762797,
        "createdBy": "elastic",
        "updated": 1594037762797,
        "updatedBy": "elastic",
        "status": "active"
      }
    }
  }
}