timeline schema

Author: Ben Skelker

docs/siem/reference/timeline-schema.asciidoc

@@ -6,42 +6,186 @@
 |==============================================
 |Name |Type |Description
 
-|`columns` |Object[] |The timeline's displayed columns.
-|`created` |Float |The time the timeline was created, using a
-13-digit Epoch timestamp.
+|`columns` |<<col-obj, columns[]>> |The timeline columns displayed in the UI.
+|`created` |Float |The time the timeline was created, using a 13-digit Epoch
+timestamp.
 |`createdBy` |String |The user who created the timeline.
-|`dataProviders` |Object[] |The dropzone query.
+|`dataProviders` |<<dataProvider-obj, dataProviders[]>> |The dropzone query
+that determines which events are displayed in the timeline.???
 |`dateRange` |Object |The timeline's range.
 |`description` |String |The timeline's description.
-|`eventNotes` |Object[] |Notes added to specific events in the timeline.
+|`eventNotes` |<<eventNotes-obj, eventNotes[]>> |Notes added to specific
+events in the timeline.
 |`eventType` |String a|Event types displayed in the timeline, which can be:
 
 * `all`: all events
 * `raw`: raw events only
 * `signal`: signals only
 
-|`favorite` |Object[] |Indicates who and marked a timeline as a favorite.
-|`filters` |Object[] |Filters used in addition to the dropzone query.
-|`globalNotes` |Object[] |Notes added to the timeline.
-|`kqlMode` |String a|Indicates whether the dropzone queries are filtered (`and`) or additional search results are displayed (`or`), can be:
+|`favorite` |<<favorite-obj, favorite[]>> |Indicates who marked a timeline as a
+favorite, and at what time.
+|`filters` |<<filters-obj, filters[]>> |Filters used in addition to the
+dropzone query. ???
+|`globalNotes` |<<globalNotes-obj, Object[]>> |Notes added to the timeline.
+|`kqlMode` |String a|Indicates whether the KQL bar filters or searches the
+dropzone query, where:
 
 * `filter`: filters dropzone query results
 * `search`: displays additional search results
 
-|`kqlQuery` |Object |Indicates whether additional filters use KQL or Lucene
-queries.
-|`pinnedEventIds` |Object[] |Pinned row IDs.
-|`savedObjectId` |String |Saved object ID.
+|`kqlQuery` |<<kqlQuery-obj, kqlQuery>> |Object describing the KQL bar query.
+|`pinnedEventIds` |pinnedEventIds[] |Object containing the IDs of pinned
+events.
+|`savedObjectId` |String |The timeline's saved object ID.
 |`savedQueryId` |String |If used, the saved query ID used to filter or search
 dropzone query results.
-|`sort` |Object |Indicates how rows are sorted in the result's grid.
-|`status` |String |Ben: ???
-|`templateTimelineId` |Ben: ??? |
-|`templateTimelineVersion` |Ben: ??? |
-|`timelineType` |String |Ben: ????
+|`sort` |sort a|Object indicating how rows are sorted in the timeline's grid:
+
+* `columnId` (string): The ID of the column used to sort results.
+* `sortDirection` (string): The sort direction, which can be either `desc` or
+`asc`.
+
+|`status` |String |: ???
+|`templateTimelineId` |String |: ???
+|`templateTimelineVersion` |Integer |: ???
+|`timelineType` |String a|Indicates whether the timeline is a template or not,
+where:
+
+* `default`: Indicates a timeline used to actively investigate events.
+* `template`: Indicates a timeline template used with detection rules for
+displaying alerts in Timeline.
+
 |`title` |String |The timeline's title.
-|`updated` |Float |The last time the timeline was last updated, using a
+|`updated` |Float |The last time the timeline was updated, using a
 13-digit Epoch timestamp.
 |`updatedBy` |String |The user who last updated the timeline.
 |`version` |String |The timeline's version.
 |==============================================
+
+[[col-obj]]
+[discrete]
+==== columns object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`aggregatable` |Boolean |???
+|`category` |String |???
+|`columnHeaderType` |String |???
+|`description` |String |???
+|`example` |String |???
+|`indexes` |String |???
+|`id` |String |???
+|`name` |String |???
+|`placeholder` |String |???
+|`searchable` |Boolean |???
+|`type` |String |???
+|==============================================
+
+[[dataProvider-obj]]
+[discrete]
+==== dataProviders object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`id` |String |???
+|`name` |String |???
+|`enabled` |Boolean |???
+|`excluded` |Boolean |???
+|`kqlQuery` |String |???
+|`queryMatch` |QueryMatchInput |???
+|`and` |dataProviders |???
+|==============================================
+
+[[eventNotes-obj]]
+[discrete]
+==== eventNotes object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`created` |Float |The time the note was created, using a 13-digit Epoch
+timestamp.
+|`createdBy` |String |The user who added the note.
+|`eventId` |String |The ID of the event to which the note was added.
+|`note` |String |The note's text.
+|`noteId` |String |The note's ID
+|`timelineId` |String |The ID of the timeline to which the note was added.
+|`updated` |Float |The last time the note was updated, using a
+13-digit Epoch timestamp.
+|`updatedBy` |String |The user who last updated the note.
+|`version` |String |The note's version.
+|==============================================
+
+[[favorite-obj]]
+[discrete]
+==== favorite object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`favoriteDate` |Float |The time the timeline was marked as a favorite.
+|`fullName` |String |The full name of the user who marked the timeline as
+a favorite.
+|`keySearch` |String |???
+|`userName` |String |The {kib} username of the user who marked the
+timeline as a favorite.
+|==============================================
+
+[[filters-obj]]
+[discrete]
+==== filters object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`exists` |String |???
+|`meta` |FilterMetaTimelineInput |???
+|`match_all` |String |???
+|`missing` |String |???
+|`query` |String |???
+|`range` |String |???
+|`script` |String |???
+|==============================================
+
+[[globalNotes-obj]]
+[discrete]
+==== globalNotes object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`created` |Float |The time the note was created, using a 13-digit Epoch
+timestamp.
+|`createdBy` |String |The user who added the note.
+|`note` |String |The note's text.
+|`noteId` |String |The note's ID
+|`timelineId` |String |The ID of the timeline to which the note was added.
+|`updated` |Float |The last time the note was updated, using a
+13-digit Epoch timestamp.
+|`updatedBy` |String |The user who last updated the note.
+|`version` |String |The note's version.
+|==============================================
+
+[[kqlQuery-obj]]
+[discrete]
+==== kqlQuery object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`filterQuery` |filterQuery a|Object containing query details:
+
+* `kuery`: Object containing the query's statements and type:
+** `expression`(string): The query's statements.
+** `kind` (string): The type of query, which can be `kuery` or `lucene`.
+* `serializedQuery` (string): The query represented in JSON format.
+|==============================================