Engineering

How to export and import Timelines and templates from Elastic Security

When performing critical security investigations and threat hunts using Elastic Security, the Timeline feature is always by your side as a workspace for investigations and threat hunting. Drilling down into an event is as simple as dragging and dropping to create the query you need to investigate an alert or event.

The Timeline persists as you move through the Elastic Security app, so you can add items from tables and histograms on the Overview, Detections, Hosts, and Network pages, as well as from within the Timeline itself. A Timeline can collect data from multiple indices to support investigation of complex threats. Auto-saving ensures that the results of your investigation are available for review by other analysts and incident response teams.

Timeline templates, on the other hand, filter out potentially noisy alerts generated by rules, and are important to ensure all team members are looking at potential threats through the same lens.

Elastic Security now supports exporting Timelines and Timeline templates from one Kibana Space or instance to another, enabling easy sharing and more effective collaboration between team members.

Sharing a Timeline

To share a Timeline, navigate to the Timelines tab, select one or more Timelines, then select Bulk actions > Export selected.

The export is downloaded as an ndjson file. Each Timeline in the file is a single minified JSON line containing the information required to create that Timeline; the Elastic Security documentation has a reference for each field.

Because that file is a complete model of the Timeline, you can also create a Timeline by importing an ndjson file. Before importing, open the file in a text editor and replace the value of savedObjectId with an empty string. savedObjectId is the reference the Security app uses to check whether a Timeline already exists: if you leave the original value in place, the app treats the import as an update of that existing Timeline, which is not supported for Timelines, and the import fails. To change an existing Timeline, use the Kibana UI instead.

Sharing a Timeline template

You can share a Timeline template by exporting and importing it using the same method described above. The Timeline template model is the same as a Timeline, but the filters can be different, as explained in our documentation.

In the Timelines list, templates shown with a disabled checkbox are prebuilt Elastic templates. You cannot edit or export these, but you can duplicate them to create a custom template that you can edit and export to suit your needs.

Creating a new template by importing an ndjson file follows the same procedure as importing a Timeline. The one difference is that a template can also be updated by importing an ndjson file, which is not supported for Timelines. To update a template, edit the file you just exported in a text editor and leave savedObjectId unchanged so the import matches the existing template. Then find the templateTimelineVersion field and increment its numeric value by hand; the version bump confirms the change is intentional and avoids a failed import.
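The two hand edits described above, blanking savedObjectId to create a new Timeline or template and keeping savedObjectId while incrementing templateTimelineVersion to update an existing custom template, are easy to get wrong in a text editor on a minified line. The script below is an added example written for this article, not Elastic's own tooling: it parses an exported ndjson file, applies one of the two edits to every Timeline object, and writes the result back as ndjson. The sample export is constructed; apart from savedObjectId and templateTimelineVersion, which the article names, the fields in it (title, version, templateTimelineId) are assumed for illustration only, and real exports carry many more fields, which pass through unchanged.

```python
"""Prepare an exported Elastic Security Timeline ndjson file for re-import.

Two modes, matching the manual edits the article describes:
  "new":              blank savedObjectId so the import creates a new
                      Timeline or template rather than updating one.
  "update-template":  keep savedObjectId and increment templateTimelineVersion
                      so the import updates an existing custom template.
Example code written for this article; not Elastic's tooling.
"""
import json
from typing import List

# Constructed sample export: one Timeline line and one template line. Only
# savedObjectId and templateTimelineVersion are named by the article; the
# other fields (version, title, templateTimelineId) are assumed for illustration.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"savedObjectId": "1c3d4e5f-aaaa-bbbb-cccc-111122223333",
                "version": "WzEyMyw0XQ==",
                "title": "Suspicious PowerShell",
                "templateTimelineVersion": None}),
    json.dumps({"savedObjectId": "9f8e7d6c-dddd-eeee-ffff-444455556666",
                "version": "WzQ1Niw0XQ==",
                "title": "Lateral movement (custom template)",
                "templateTimelineId": "0a1b2c3d-1111-2222-3333-444455556666",
                "templateTimelineVersion": 2}),
]) + "\n"


def parse_ndjson(text: str) -> List[dict]:
    """Parse ndjson into a list of objects, rejecting malformed lines early
    so a half-edited file is not sent to Kibana."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc.msg})") from exc
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        records.append(obj)
    return records


def prepare_for_import(records: List[dict], mode: str) -> List[dict]:
    """Return edited copies of the records; the input list is left untouched."""
    if mode not in ("new", "update-template"):
        raise ValueError(f"unknown mode {mode!r}")
    out = []
    for rec in records:
        rec = dict(rec)
        # Lines without savedObjectId are not Timeline objects; pass them through.
        if "savedObjectId" not in rec:
            out.append(rec)
            continue
        if mode == "new":
            # Empty savedObjectId: the import creates a new object instead of
            # trying to update one (which fails for Timelines).
            rec["savedObjectId"] = ""
        else:
            # Updating requires the original savedObjectId and a bumped
            # numeric templateTimelineVersion; bool is excluded deliberately.
            if not rec["savedObjectId"]:
                raise ValueError("update needs the original savedObjectId")
            ver = rec.get("templateTimelineVersion")
            if type(ver) is not int:
                raise ValueError(
                    f"{rec.get('title')!r} has no numeric templateTimelineVersion; "
                    "only templates can be updated by import")
            rec["templateTimelineVersion"] = ver + 1
        out.append(rec)
    return out


def to_ndjson(records: List[dict]) -> str:
    """Serialise one minified object per line, as Kibana exports them."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


if __name__ == "__main__":
    exported = parse_ndjson(SAMPLE_EXPORT)
    print("--- import as new Timelines/templates ---")
    print(to_ndjson(prepare_for_import(exported, "new")), end="")
    templates = [r for r in exported if type(r.get("templateTimelineVersion")) is int]
    print("--- update existing custom template ---")
    print(to_ndjson(prepare_for_import(templates, "update-template")), end="")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the "update-template" mode refuses plain Timelines so you cannot accidentally produce a file that Kibana will reject.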

Ready to start sharing Timelines and Timeline templates with your team members? Learn more by visiting our Elastic Security documentation.

New to Elastic Security? Experience our latest version on Elasticsearch Service on Elastic Cloud.