Investigate events in Timeline

Investigate events and complex threats in your network.

Use Timeline as your workspace for investigations and threat hunting. You can add alerts from multiple indices to a Timeline to facilitate advanced investigations.

You can drag or send fields of interest to a Timeline to create the desired query. For example, you can add fields from tables and histograms on the Overview, Alerts, Hosts, and Network pages, as well as from other Timelines. Alternatively, you can add a query directly in Timeline by expanding the query builder and clicking + Add field.

In addition to Timelines, you can create and attach Timeline templates to detection rules. Timeline templates allow you to define the source event fields used when you investigate alerts in Timeline. You can select whether the fields use predefined values or values retrieved from the alert. For more information, refer to Create Timeline templates.

Create new or open existing Timeline

To make a new Timeline, choose one of the following:

  • Go to the Timelines page (InvestigationsTimelines), then click Create new Timeline.
  • Go to the Timeline bar (which is at the bottom of most pages), click the button, then click Create new Timeline.
  • From an open Timeline or Timeline template, click NewNew Timeline.

To open an existing Timeline, choose one of the following:

  • Go to the Timelines page, then click a Timeline's title.
  • Go to the Timeline bar, click the button, then click Open Timeline.
  • From an open Timeline or Timeline template, click Open, then select the appropriate Timeline.

To avoid losing your changes, you must save the Timeline before moving to a different Elastic Security app page. If you change an existing Timeline, you can use the Save as new timeline toggle to make a new copy of the Timeline, without overwriting the original one.

Tip

Click the star icon () to favorite your Timeline and quickly find it later.

View and refine Timeline results

You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only, click Data view to the left of the KQL query bar, then select Show only detection alerts.

Inspect an event or alert

To further inspect an event or detection alert, click the View details button. A flyout with event or alert details appears.

Configure Timeline event context and display

Many types of events automatically appear in preconfigured views that provide relevant contextual information, called Event Renderers. You can display and turn them on or off with the Settings menu in the upper left corner of the results pane:

The example above displays the Flow event renderer, which highlights the movement of data between its source and destination. If you see a particular part of the rendered event that interests you, you can drag it up to the drop zone below the query bar for further investigation.

You can also modify a Timeline's display in other ways:

  • Add, remove, reorder, or resize columns
  • Create runtime fields and display them in the Timeline
  • View the Timeline in full screen mode
  • Add or delete notes on individual events
  • Add or delete investigation notes on the entire Timeline
  • Pin interesting events to the Timeline

Use the Timeline query builder

Expand the query builder by clicking the query builder button () to the right of the KQL query bar. Drop in fields to build a query that filters Timeline results. The fields' relative placement specifies their logical relationships: horizontally adjacent filters use AND, while vertically adjacent filters use OR.

Tip

Collapse the query builder and provide more space for Timeline results by clicking the query builder button ().

Edit existing filters

Click a filter to access additional operations such as Add filter, Clear all, Load saved query, and more:

Here are examples of various types of filters:

Field with value
Filters for events with the specified field value:
Field exists
Filters for events containing the specified field:
Exclude results
Filters for events that do not contain the specified field value (field with value filter) or the specified field (field exists filter):
Temporarily disable
The filter is not used in the query until it is enabled again:
Filter for field present
Converts a field with value filter to a field exists filter.

Note

When you convert a Timeline template to a Timeline, some fields may be disabled. For more information, refer to Timeline template legend.

Attach Timeline to a case

To attach a Timeline to a new or existing case, open it, click Attach to case in the upper right corner, then select either Attach to new case or Attach to existing case.

To learn more about cases, refer to Cases.

Manage existing Timelines

You can view, duplicate, export, delete, and create templates from existing Timelines:

  1. Go to InvestigationsTimelines.
  2. Click the All actions menu in the desired row, then select an action:
  • Create template from timeline (refer to Create Timeline templates)
  • Duplicate timeline
  • Export selected (refer to Export and import Timelines)
  • Delete selected
  • Create query rule from timeline (only available if the Timeline contains a KQL query)
  • Create EQL rule from timeline (only available if the Timeline contains an EQL query)

Tip

To perform an action on multiple Timelines, first select the Timelines, then select an action from the Bulk actions menu.

Export and import Timelines

You can export and import Timelines, which enables you to share Timelines from one Elastic Security instance to another. Exported Timelines are saved as .ndjson files.

To export Timelines:

  • Go to InvestigationsTimelines.
  • Either click the All actions menu in the relevant row and select Export selected, or select multiple Timelines and then click Bulk actionsExport selected.

To import Timelines:

  • Click Import, then select or drag and drop the relevant .ndjson file.

    Note

    Multiple Timeline objects are delimited with newlines.

Filter Timeline results with EQL

Use the Correlation tab to investigate Timeline results with EQL queries.

When forming EQL queries, you can write a basic query to return a list of events and alerts. Or, you can create sequences of EQL queries to view matched, ordered events across multiple event categories. Sequence queries are useful for identifying and predicting related events. They can also provide a more complete picture of potential adversary behavior in your environment, which you can use to create or update rules and detection alerts.

The following image shows what matched ordered events look like in the Timeline table. Events that belong to the same sequence are matched together in groups and shaded red or blue. Matched events are also ordered from oldest to newest in each sequence.

From the Correlation tab, you can also do the following:

  • Specify the date and time range that you want to investigate.
  • Reorder the columns and choose which fields to display.
  • Choose a data view and whether to show detection alerts only.

Use ES|QL to investigate events

The Elasticsearch Query Language (ES|QL) provides a powerful way to filter, transform, and analyze event data stored in Elasticsearch. ES|QL queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.

You can use ES|QL in Timeline by opening the ES|QL tab. From there, you can:

  • Write an ES|QL query to explore your events. For example, start with the following query, then iterate on it to tailor your results:

    FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-*
    | LIMIT 10
    | KEEP @timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, user.name

    This query does the following:

    • It starts by querying documents within the Security alert index (.alerts-security.alerts-default) and indices specified in the Security data view.

    • Then, the query limits the output to the top 10 results.

    • Finally, it keeps the default Timeline fields (@timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, and user.name) in the output.

      Tip

      When querying indices that tend to be large (for example, logs-*), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the KEEP command to specify fields that you want returned. For example, add the clause KEEP @timestamp, user.name to the end of your query to specify that you only want the @timestamp and user.name fields returned.

    Note

    An error message displays when the query bar is empty.

  • Click the help icon () on the far right side of the query editor to open the in-product reference documentation for all ES|QL commands and functions.

  • Visualize query results using Discover functionality.

Additional ES|QL resources

To get started using ES|QL, read the tutorial for using ES|QL in Kibana. Much of the functionality available in Kibana is also available in Timeline.

To find examples of using ES|QL for threat hunting, check out our blog.

On this page