Playing a bit with SIEM App and wondering where are Timeline stored and how to possibly control their retention?
Don't seem to find any good system index candidates for this...
Hi stefws,
The Timeline is stored as part of the saved objects API and will be part of your .kibana
index with the other saved objects such as saved queries. The retention time is going to be what that index retention time is which by default should be forever, unless someone has manually changed it.
At the moment you can view the objects outside the UI with either the Kibana REST API directly and something like CURL:
https://www.elastic.co/guide/en/kibana/master/saved-objects-api.html
Or if you're curious to take a look and have access to the .kibana
index from dev tools you can query it as well. It is stored as these saved object types:
siem-ui-timeline
siem-ui-timeline-note
siem-ui-timeline-pinned-event
Example filter query to see object types:
GET /.kibana-*/_search
{
  "query": {
    "term": { "type": "siem-ui-timeline" }
  }
}
or if your Kibana is locked down to where only REST is allowed to view your saved objects then it would be a CURL GET like this:
GET ${KIBANA_URL}/api/saved_objects/_find?type=siem-ui-timeline
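To turn the `_find` call above into something a SOC can run on a schedule, here is an added example (not code from the thread or from Elastic) that pages through the saved objects API for the three Timeline types, parses each object's `updated_at` stamp, and flags timelines older than a chosen retention threshold so they can be reviewed before anyone touches `.kibana`. It uses only the Python standard library; the `SAMPLE_FIND_RESPONSE` is constructed to mirror the `_find` response shape, the `title` attribute and the `Authorization` header are assumptions, and the network helper is only exercised when you pass a real Kibana URL.

```python
"""Inventory SIEM Timeline saved objects via the Kibana saved objects _find API
and flag those past a retention threshold (review aid, not a deletion tool)."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# The saved object types the answer above lists for Timeline data.
TIMELINE_TYPES = (
    "siem-ui-timeline",
    "siem-ui-timeline-note",
    "siem-ui-timeline-pinned-event",
)


def find_url(kibana_url, saved_object_type, page=1, per_page=100):
    """Build the _find URL for one saved object type, one page at a time."""
    params = urlencode({"type": saved_object_type, "page": page, "per_page": per_page})
    return f"{kibana_url.rstrip('/')}/api/saved_objects/_find?{params}"


def parse_updated_at(value):
    """Parse the ISO-8601 'updated_at' stamp Kibana returns; None if it is absent."""
    if not value:
        return None
    # Kibana emits a trailing 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(saved_objects, now, max_age_days):
    """One record per saved object. 'stale' is True/False by age, or None when
    the object carries no updated_at (unknown age is reported, never guessed)."""
    cutoff = now - timedelta(days=max_age_days)
    rows = []
    for obj in saved_objects:
        updated = parse_updated_at(obj.get("updated_at"))
        rows.append({
            "id": obj.get("id"),
            "type": obj.get("type"),
            # 'title' as an attribute name is an assumption about the Timeline object.
            "title": obj.get("attributes", {}).get("title", ""),
            "updated_at": updated,
            "stale": None if updated is None else updated < cutoff,
        })
    return rows


def fetch_all(kibana_url, saved_object_type, headers=None, per_page=100):
    """Page through _find until every object of one type is collected (network call).
    'headers' is where you would put an Authorization header for a locked-down Kibana."""
    collected, page = [], 1
    while True:
        req = Request(find_url(kibana_url, saved_object_type, page, per_page),
                      headers=headers or {})
        with urlopen(req) as resp:
            body = json.load(resp)
        batch = body.get("saved_objects", [])
        collected.extend(batch)
        if not batch or len(collected) >= body.get("total", 0):
            return collected
        page += 1


# Constructed sample in the _find response shape (ids, titles and dates are made up).
SAMPLE_FIND_RESPONSE = {
    "page": 1, "per_page": 100, "total": 3,
    "saved_objects": [
        {"id": "a1", "type": "siem-ui-timeline", "updated_at": "2020-01-05T09:00:00.000Z",
         "attributes": {"title": "Lateral movement review"}},
        {"id": "b2", "type": "siem-ui-timeline", "updated_at": "2020-05-20T14:30:00.000Z",
         "attributes": {"title": "Phishing triage"}},
        {"id": "c3", "type": "siem-ui-timeline",
         "attributes": {"title": "Imported without timestamp"}},
    ],
}
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)


def stale_ids(response=SAMPLE_FIND_RESPONSE, now=NOW, max_age_days=90):
    """Ids of timelines older than max_age_days; unknown-age objects are excluded."""
    rows = summarize(response["saved_objects"], now, max_age_days)
    return sorted(r["id"] for r in rows if r["stale"])


if __name__ == "__main__":
    for row in summarize(SAMPLE_FIND_RESPONSE["saved_objects"], NOW, 90):
        print(f"{row['id']:4} {row['type']:28} stale={row['stale']!s:5} {row['title']}")
    # Against a live instance you would loop over TIMELINE_TYPES with fetch_all(...)
```

Notes, pinned events and the timeline itself are separate saved objects, so a timeline's age should be judged by its own `updated_at`, and its notes and pinned events reviewed alongside it rather than on their own; the report is deliberately read-only, since whatever retention you settle on for `.kibana` applies to every other saved object in that index too.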
@Frank_Hassanabad Thanks for the info. It would probably be a good idea not to store such data in .kibana but rather in a specific .siem-timeline index so the data can be managed separately and avoid bloating .kibana too much, IMHO.