Investigate events in Timeline

edit

Investigate events in Timeline

edit

Use Timeline as your workspace for investigations and threat hunting. Data from multiple indices can be added to a Timeline, which enables investigating complex threats.

You can drag or send items of interest to Timeline to create the query you need to investigate an alert or event. You can add items from tables and histograms on the Overview, Alerts, Hosts, and Network pages, as well as from within a Timeline itself. Additionally, you can add a query directly in Timeline (click + Add field).

timeline ui updated

Timelines are responsive, and they persist as you move through the Elastic Security app collecting data. Auto-saving ensures that the results of your investigation are available for review by other analysts and incident response teams. To record and share your findings with others, attach your Timeline to a case.

An untitled Timeline is saved as a draft. To attach a Timeline to a case, you must give it a title.

In addition to Timelines, you can create and attach Timeline templates to detection rules. Timeline templates allow you to define the source event fields used when you investigate a detections alert in Timeline. You can select whether the fields use predefined values or values retrieved from the alert. For more information, see About Timeline templates.

View and refine Timeline results

edit

Using the drop-down options by the KQL bar, you can select whether alerts, other raw events, or both are displayed in the Timeline.

Configure Timeline event context and display

edit

Many events in Timeline are presented in easy-to-follow rendered views that include relevant contextual information. These views are called Event Renderers, and they can be configured via the Settings icon in the upper left corner of the result’s pane:

timeline ui renderer

The example above displays a flow event renderer. If you see a particular item that interests you, you can drag it to the dropzone for further investigation.

Other display options include:

  • View in full screen mode
  • Add, remove, reorder, and resize columns
  • Add notes to individual events
  • Add investigation notes for the entire Timeline
  • Pin interesting events in the Timeline

Narrow or expand your KQL query

edit

You can specify logical AND and OR operations with an item’s placement in the drop area. Multiple horizontal filters use AND logic, vertical filters use OR.

Edit existing filters

edit

Click a filter to access additional operations such as exclude, temporarily disable, or delete items from the query:

timeline ui filter options

This is how the filters appear in the UI:

Field with value

Filters for events with the specified field value:

timeline filter value
Field exists

Filters for events containing the specified field:

timeline field exists
Exclude results

Filters for events that do not contain the specified field value (field with value filter) or the specified field (field exists filter):

timeline filter exclude
Temporarily disable

The filter is not used in the query until it is enabled again:

timeline disable filter
Filter for field present
Converts a field with value filter to a field exists filter.

When you convert a Timeline template to a Timeline, some fields may be disabled. For more information, see Timeline template legend.

Attach Timeline to a case

edit

To attach a Timeline to a new or existing case, open it, click Attach to case in the upper right corner, then select one of these:

  • Attach to new case
  • Attach to existing case…​

For more information about cases, see Cases.

Manage existing Timelines

edit

You can view, duplicate, export, delete, and create templates from existing Timelines:

  1. Go to InvestigateTimelines.
  2. Click the All actions icon in the relevant row, then select the appropriate action:

To perform the same action on multiple Timelines, select the Timelines and then the required action from the Bulk actions menu.

Export and import Timelines

edit

You can export and import Timelines, which enables you to share Timelines from one Kibana space or instance to another. Exported Timelines are saved as .ndjson files.

  1. Go to InvestigateTimelines.
  2. To export Timelines, do one of the following:

    • To export one Timeline, click the All actions icon in the relevant row and then select Export selected.
    • To export multiple Timelines, select all the required Timelines and then click Bulk actionsExport selected.
  3. To import Timelines, click Import, then select or drag and drop the Timeline ndjson file.

    Each Timeline object in the file must be represented in a single line. Multiple Timeline objects are delimited with newlines.

Filter Timeline Results with EQL

edit

Use the Correlation tab to investigate Timeline results with EQL queries.

When forming EQL queries, you can write a basic query to return a list of events and alerts. Or, you can create sequences of EQL queries to view matched, ordered events across multiple event categories. Sequence queries are useful for identifying and predicting related events. They can also provide a more complete picture of potential adversary behavior in your environment, which you can use to create or update rules and detection alerts.

The following image shows what matched ordered events look like in the Timeline table. Events that belong to the same sequence are matched together in groups and shaded red or blue. Matched events are also ordered from oldest to newest in each sequence.

correlation tab eql query

From the Correlation tab, you can also do the following:

  • Specify the date and time range that you want to investigate.
  • Reorder the columns and choose which fields to display.
  • Choose whether you want to see all data sources (the default selection), only events, only detection alerts, or a custom data source. Custom data sources might include Kibana index patterns.